Individuals have a growing expectation for instant access to highly personalized information and services through a variety of interconnected devices. This demand is driving the digital transformation of both business and society. Keeping pace requires things like machine learning and artificial intelligence in order to accelerate the ability to see, predict, and respond to market trends.
There is also a growing criminal element looking to exploit these new technologies. The proliferation of online devices accessing personal and financial information, and the growing connection and interconnection of everything – from armies of IoT devices and critical infrastructure in cars, homes, and offices, to the rise of smart cities – have created new disruptive opportunities for cybercriminals.
The cybercriminal marketplace is adept at adopting the latest advances in areas such as artificial intelligence to create more effective attacks. We anticipate this trend to accelerate into 2018, enabling the destructive trends mentioned below.
Prediction: The rise of Hivenets and Swarmbots
Predictive analysis using billions of nodes of constantly updating data represents an entirely new paradigm for how computing resources will transform our world. It’s a short hop to simply having these individual nodes share information with each other. It’s the basis for swarm technology.
Which is why it is easy to predict that cybercriminals will eventually replace botnets built with mindless zombie devices with intelligent clusters of compromised devices to create more effective attacks. This would be a hivenet instead of a botnet. It would be able to use millions of interconnected devices, or swarmbots, to simultaneously identify and tackle different attack vectors, enabling attacks at an unprecedented scale.
Such hivenets are especially dangerous because, unlike individual zombies, individual swarmbots are smart. They are able to of talk to each other, take action based on shared local intelligence, use swarm intelligence to act on commands without the botnet herder instructing them to do so, and recruit and train new members of the hive. As a result, as a hivenet identifies and compromises more devices it will be able to grow exponentially, and thereby widen its ability to simultaneously attack multiple victims.
While IoT-based attacks such as Mirai, or the most recent Reaper are not using swarm technology yet, they already have the footprint. A code upgrade would enable them adopt emerging swarm behaviors and intelligence to ratchet their threat potential up to eleven.
FortiGuard Labs recorded 2.9 billion botnet communications attempts all in one quarter earlier this year, adding some context to the severity of what hivenets and swarmbots could cause. In terms of IoT, almost one in five organizations reported malware targeting mobile devices during this same period. IoT devices continue to present a challenge because they don’t have the level of control, visibility, and protection that traditional systems receive.
Prediction: Ransom of Commercial Services is Big Business
Although the threat magnitude of ransomware has already grown 35X over the last year with ransomworms and other types of attacks, there is more to come.
The next big target for ransomware is likely to be the ransom of commercial services such as cloud service providers. The financial opportunities are clear. Cloud computing is expected to grow to $162B by 2020, with a compound annual growth rate (CAGR) of 19%. In addition, successfully taking down a cloud provider is a one-to-many opportunity. The complex, hyperconnected networks that cloud providers have developed can produce a single point of failure for dozens or even hundreds of businesses. (Think Mirai taking out a DNS hosting provider.)
Cloud services are centralized and present a huge potential attack surface. Rather than hacking businesses individually, criminals that are able to infiltrate a single cloud environment would potentially have access to data from dozens or hundreds of organizations, or be able to wipe out an entire range of services with a single attack.
And it’s not just businesses that would be affected. Government entities, critical infrastructure, law enforcement, healthcare, and a wide range of industries of all sizes all use the cloud – and many of them use the same cloud provider. If a cyberterrorist is able to take down a single major cloud service provider, the implications could be devastating.
As a result, we predict that cybercriminals will begin to combine AI technologies with multi-vector attacks to scan for, detect, and exploit weaknesses in a cloud provider’s environment. Successfully crippling a service that generates millions of dollars a day for the provider, while disrupting service for potentially millions of customers, would not just represent a massive payday for a criminal organization. It would also undermine the fragile trust that many organizations already have when it comes to cloud-based computing, and could have a devastating effect on digital transformation and our digital economy.
Prediction: Next-gen Morphic Malware
The cybercriminal marketplace is very good at adopting the latest advances to more effectively detect and exploit vulnerabilities, evade detection, adapt to complex network environments, and maximize profitability.
Adversaries will begin to leverage automation and machine learning in their attack tactics, techniques, and procedures (TTP). This isn’t a surprise, as security researchers already use sandbox tools, bolstered with machine learning, to quickly identify previously unseen threats and dynamically create protections. There is no reason why this same approach won’t be used in the other direction: for mapping networks, finding attack targets, determining where those attack targets are weak, blueprinting a target to conduct virtual PEN testing, and then building and launching a custom attack. All done at the AI level, and all fully automated.
Current polymorphic malware, for example, has been around for decades. It already uses pre-coded algorithms to take on a new form to evade security controls, and can produce more than a million virus variations per day. But so far, this process is just based on an algorithm, and there is very little sophistication or control over the output. Next-gen polymorphic malware built around AI, however, will be able to spontaneously create entirely new, customized attacks that will not simply be variations based on a static algorithm. Instead, they will employ automation and machine learning to design custom attacks to quickly compromise a targeted system and effectively evade detection. The big difference is the combination of discipline and initiative.
FortiGuard Labs recorded 62 million malware detections in one quarter in 2017. Out of these, we saw nearly 17,000 malware variants from over 2,500 different malware families. The increased automation of malware will only make this situation more urgent in the coming year.
Prediction: Critical Infrastructure to the Forefront
Of all the industries that could potentially be affected by advances in cybercrime techniques, healthcare and critical infrastructure providers continue to be at the top of the list in terms of risk. Most critical infrastructure and OT networks are notoriously fragile, and originally designed to be air-gapped and isolated. But the need to respond at digital speeds to employee and consumer demands has begun to change that, making everything exposed (think cloud-enabled SCADA services.) Applying security as an afterthought once a network designed to operate in isolation is connected to the digital world is rarely very effective.
Because of the high value of these networks, and the potential for devastating results should they be compromised or knocked offline, critical infrastructure and healthcare providers are now finding themselves in an arms race with cybercrime organizations. This puts them in a difficult position because while they need to trust new connected systems that provide both increased intelligence and security in order to survive, the risks are real.
The security these systems currently have in place will not be enough, which is why it is imperative that organizations migrate to advanced security systems built around quality intelligence and an integrated security fabric that can see across the distributed network, counter the sophisticated attack systems being developed and deployed by attackers, and easily integrate advances is collaboration and AI.
Prediction: The Dark Web and Cybercrime Economy Offer New Services Using Automation
As the world of cybercrime evolves, so does the dark web. We expect to see new service offerings from the dark web as Crime-as-a-Service organizations use new automation technology for their offerings. We are already seeing advanced services being offered on dark web marketplaces that leverage machine learning. For example, a service known as FUD (fully undetected) is already part of several offerings. This service allows criminal developers to upload attack code and malware to an analysis service for a fee. Afterwards, they receive a report as to whether security tools from different vendors are able to detect it.
To shorten this cycle, we will see more machine learning used to modify code on the fly based on how and what has been detected in the lab in order to make these cybercrime and penetration tools more undetectable. This allows them to quickly refine their technology in order to better circumvent security devices used by the targeted company or government agency.
In order to perform such sophisticated scanning and analysis, however, criminal service providers have had to create computing clusters leveraging hijacked compute resources. Infected machines leveraging Coinhive is a latest example – browser plugins that infect end-user machines to hijack their CPU cycles to mine for virtual currency. This process is rapidly accelerating the time from concept to delivery of new malware that is both more malicious and more difficult to detect and stop. Once true AI is integrated into this process, offense vs. defense (time to breach vs time to detect/protect) will be reduced to a matter of milliseconds rather than the hours or days it does today.
What You Can Do
Organizations need to respond by insisting on more and better security controls being implemented in devices by manufacturers. Security solutions need to be able to evolve into expert systems built around integrated security technologies, actionable threat intelligence, and dynamically configurable and interactive security fabrics. As much as possible, security also needs to be able to operate at digital speeds, which means automating security responses and applying AI and self-learning so that networks can make effective and autonomous decisions. Basic security hygiene also needs to become part of our basic security protocols, with patch and replace protocols happening on all devices automatically. And we need to replace organically developed accidental network architectures with intentional design that can withstand serious and sustained attacks.
The best defense against such intelligent and automated threats is an integrated, collaborative, and highly adaptive security fabric. Just as with AI, whoever gets the fabric-based security system right, leveraging things like machine learning and AI, will have a highly aware and proactive security defense system better able to keep pace with the next generation of automated, AI-based attacks. Like it or not, this is a winner-takes-all scenario. Organizations that fail to prepare now may not be able to catch up once it moves to the next level of sophistication.
(Derek Manky is the Global Security Strategist at Fortinet).