Cyber has been a dynamic, ever-changing, never-a-dull-moment industry for more than a decade. 2017 was no different, and 2018 will remain true to this nature. At the center of this innovation are constantly evolving attacker TTPs, forcing the cyber industry to adapt with new strategies and making everything about cyber perpetually new. We experienced this evolution in intrusion methodologies and malware innovation this year in two huge ransomware attacks launched only 30 days apart. The WannaCry ransomware worm and NotPetya exploited the same vulnerability in unusual ways and evaded intrusion detection in large-scale attacks that affected millions of systems worldwide.
The question for Merek Security Solutions is: how will cyber shape up in 2018 to meet an increasingly volatile threat landscape?
1. AI – Less Hype, More Real
All through 2017, AI has been making news, and cyber is no exception. There are a limited number of use cases in cyber that apply AI, including phishing detection, natural language processing of threat news, spam filtering, and fraud detection. But it is still not widely deployed. So, what will change in 2018? Three factors are important for AI to take off: availability of large security datasets, technology to process those large datasets, and easy availability of AI platforms.
With the rampant increase in attacks and breaches, datasets are no longer a scarce resource. The maturity of big data technologies and stacks based on the Apache ecosystem provides the horsepower to process large datasets. Big data stacks also come with built-in languages and libraries for machine learning, including MLlib, Scala, and R.
AI platforms have emerged. Google TensorFlow, IBM Watson, Intel BigDL, and Azure AI all provide frameworks for deep learning algorithms. This makes it easy to apply deep learning algorithms to large security datasets. With the emergence of such ecosystems, we will see several use cases deployed using AI in cybersecurity. 2018 may well be a watershed year for AI in cyber. Here is a link to a quick read on the application of AI in cyber: https://paladion.net/5-minute-guide-to-ai-in-cyber-security/
2. Hybrid Attacks – A New Threat Vector
We have seen organizations move from a datacenter-centric world to a hybrid world in which IT infrastructure is distributed between data centers and the cloud. Very few organizations can claim to be in a pure datacenter world today. Even if they have not officially embraced the cloud, many of their employees are already using cloud services. Shadow IT is here to stay.
Most organizations live in a hybrid world of cloud services from Azure, AWS, and cloud apps intertwined with conventional data centers. Cybercrime syndicates have already started exploiting the weak links in this hybrid world to breach organizations. As part of our Managed Detection and Response (MDR) operations for the cloud, we are already seeing an increase in targeted attacks on cloud consoles and Office 365 services.
A breach of an Azure or AWS console provides the keys to the kingdom. Attackers can potentially replace workloads with malware-laced ones and use them to infiltrate corporate networks. There is a significant increase in attacks on Office 365 originating from Nigeria (Nigerian Scam 2.0) and related suspicious geographies, leading to the compromise of mailboxes. The compromised mailboxes are then used to spread malware to other users and for CEO fraud. Organizations will need a good strategy to monitor and respond to such attacks.
3. Visibility – Shine the Torch on Smart Devices
The proliferation of smart devices (IoT or industrial) is a key trend across industries including manufacturing, financial services, telco, and healthcare. But unmanaged proliferation has resulted in huge risks. Most organizations today are blind to infected smart devices in their manufacturing plants, unauthorized wireless access points in data centers, orphaned systems beaconing to risky websites, medical devices running with open vulnerabilities, and so on. It is therefore not surprising that we have already seen Dyn-style massive DDoS attacks launched from infected devices.
The solution is to increase visibility into such unmanaged devices. This is not something we can achieve with conventional asset tracking; the industry needs to adopt creative ways of increasing visibility. Running analytics on proxy, NetFlow, firewall, and other access logs is one way of doing it. As an example, applying data science algorithms to detect anomalous traffic in NetFlow records or beaconing patterns in proxy logs (a device contacting the same destination on a fixed timer, unlike the irregular timing of human browsing) brings such devices into view. Cybersecurity teams will focus on reducing these risks by increasing visibility across IT, IoT, and industrial environments.
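As an added example (not Merek's code or tooling), the Python script below applies the beaconing-pattern idea above to constructed proxy-log lines: it groups requests per source and destination and flags pairs whose request timing is regular enough to look like a device calling home on a timer. The log format, hosts, and thresholds are assumptions for illustration.

```python
"""Added example, not Merek's code: flag beaconing pairs in proxy logs.

Assumed log format (one request per line): "<epoch> <src_ip> <dest_host> <bytes>".
A (src, dest) pair is reported when it has enough requests and the gaps between
them are nearly constant, i.e. a low coefficient of variation of the intervals."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.5.21 polls one host every ~60 s (with small jitter);
# 10.0.5.22 is a human-like browser with irregular timing.
SAMPLE_LOG = """\
1514764800 10.0.5.21 telemetry.example.invalid 512
1514764861 10.0.5.21 telemetry.example.invalid 514
1514764919 10.0.5.21 telemetry.example.invalid 512
1514764981 10.0.5.21 telemetry.example.invalid 513
1514765040 10.0.5.21 telemetry.example.invalid 512
1514765099 10.0.5.21 telemetry.example.invalid 515
1514765161 10.0.5.21 telemetry.example.invalid 512
1514765220 10.0.5.21 telemetry.example.invalid 512
1514764805 10.0.5.22 www.example.invalid 20480
1514764812 10.0.5.22 www.example.invalid 8192
1514764990 10.0.5.22 www.example.invalid 4096
1514765300 10.0.5.22 www.example.invalid 65536
1514765302 10.0.5.22 www.example.invalid 1024
1514765900 10.0.5.22 www.example.invalid 2048
"""


def parse(log_text):
    """Group request timestamps by (source IP, destination host)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        ts, src, dest, _size = fields
        hits[(src, dest)].append(int(ts))
    return hits


def find_beacons(log_text, min_hits=6, max_cv=0.15):
    """Return {(src, dest): period_seconds} for pairs with regular, frequent contact."""
    beacons = {}
    for pair, stamps in parse(log_text).items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # 0.0 means perfectly periodic
        if cv <= max_cv:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    for (src, dest), period in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dest} every ~{period}s")
```

On the constructed sample this reports only the 10.0.5.21 pair with a ~60 s period; the human-like host is not flagged despite having the same number of requests.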
Still interested? Feel free to contact us at (800) 479-1741 for more information.