Cyber Management Alliance's Amar Singh hosted an interesting and insightful webinar with David Emm, a Principal Security Researcher and member of Kaspersky's respected Global Research & Analysis Team (GReAT).
The webinar was titled Threat Intelligence and Predictions for 2017.
David and Amar discussed some of the most notable and sophisticated attacks of 2016 and then moved on to what's on the 2017 dashboard.
For 2016, some of the highlights included:
- The IoT DDoS attack that almost took down parts of the Internet,
- xDedic, a sophisticated underground economy and market,
- The attempted near-billion-dollar SWIFT heist,
- The ProjectSauron APT,
- Data dumps by ShadowBrokers.
During the webinar it was highlighted that the well-known banking APT Carbanak is now more sophisticated and that it is no longer just the banking industry being targeted: telecom organisations are also under attack, and Swiss networks are being used as a route to infiltrate financial infrastructures.
On xDedic, the underground market for cybercrime, David and Amar discussed the availability of credit card numbers, passports and online accounts, but also of sophisticated tools and compromised servers offered for sale to help cyber criminals target businesses and organisations worldwide; a form of 'access as a service'.
Finally, although not strictly from 2016, the attack on Ukraine's energy sector highlighted the fact that cyber threats can have a significant impact on the real world, in this case on critical infrastructure.
Most recent was ProjectSauron, where it was discovered that bespoke exploits had been used to attack individual victims, gathering a lot of knowledge over a long period of time. Almost 30 victims (countries/organisations) have been identified, and most run-of-the-mill antivirus systems will not be able to detect, or are less effective at detecting, these bespoke cyber-attacks. ProjectSauron is a customised and highly modular attack platform that acquires information and leaks it out to the attackers' servers, and it has been operating since at least June 2011.
2017 Cyber Threat Predictions
David carried on his discussion of the ProjectSauron APT and stressed that this particular APT was going to be an ongoing issue in 2017, and that the traditional IoC (indicators of compromise) approach is going to be less effective against this level of customisation. In addition, he believes that in this and the coming years the "P" may start to slowly disappear from the APT acronym, as more and more cyber-criminals drop the persistence element to evade improving detection capabilities. Persistence is being traded in for stealth.
David and Amar agreed that the more persistent the malware, the more likely it is to be detected. So cyber-criminals are going to increasingly opt for 'bodyless' memory-resident malware that never writes a binary to disk. Stuart Coulson from CyberChallenge UK agreed via Twitter that the lack of persistence makes detection of APTs far harder, suggesting that YARA rules and UBA (user behaviour analytics) be used to help identify potential threats.
IoT devices are a hacker's paradise. David predicts there will be a rise in DDoS attacks using IoT devices as more of them become connected. Businesses need to improve detection of potential threats: static signatures alone are no longer viable and a more heuristic approach needs to be adopted.
Ransomware is going nowhere
Ransomware alone rose significantly in 2016: 62 new families were discovered (a point also raised by Stuart Coulson via Twitter) along with around 44,000 new modifications, and a fifth of the attacks were targeting businesses. Sadly, ransomware is looking to diversify, and the creators of this type of malware are investing in new methods and new attacks, including the targeting of web servers.
YARA all the Way!
YARA rules should be adopted to identify and classify related malware by capturing the characteristics that a family or an APT's toolset has in common, such as shared text strings or code fragments. YARA rules allow defenders to scan across an entire enterprise for these binary traits, including scanning process memory for fragments of known attacks, which matters when the malware never touches disk. For more information on YARA, David recommended viewing a podcast by Costin Raiu, Global Director of GReAT at Kaspersky Lab, about "The Importance of Using YARA".
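As an added illustration of the two points above (classifying a family by the traits it shares, and scanning memory for fragments when there is no binary on disk), here is a hypothetical YARA rule written for this page. It is not a rule from Kaspersky, the webinar, or any published ProjectSauron or Carbanak research; the rule name and every string and byte pattern in it are constructed for the example.

```yara
// Added example: hypothetical rule, not an indicator from any real campaign.
// Each string stands in for a trait that samples of one family might share.
rule Example_Loader_Traits
{
    meta:
        description = "Illustrative: text and code fragments shared by a hypothetical loader family"
        author      = "editor example"
        reference   = "constructed for illustration"

    strings:
        // PE magic, used only to anchor the file-based check below
        $mz = { 4D 5A }

        // Constructed configuration marker; 'ascii wide' also matches UTF-16LE copies
        $cfg_marker = "CFGBLOCK_V2" ascii wide

        // Constructed C2 URI format string as it might appear in a sprintf call
        $c2_fmt = "/gate.php?id=%s&ver=%d" ascii

        // Constructed 32-bit x86 byte-wise XOR decode loop; the key byte is wildcarded
        //   mov al,[esi+ecx] ; xor al,KEY ; mov [edi+ecx],al ; inc ecx ; cmp ecx,edx ; jb loop
        $xor_loop = { 8A 04 0E 34 ?? 88 04 0F 41 3B CA 72 F3 }

    condition:
        // Two of the three family traits must co-occur, so a single benign string
        // (a stray URL, say) does not fire the rule on its own.
        2 of ($cfg_marker, $c2_fmt, $xor_loop)
        and
        (
            // On disk: a small PE file
            ($mz at 0 and filesize < 2MB)
            or
            // In memory: no PE header is guaranteed at offset 0 of a scanned
            // region, so accept the code fragment alone as the anchor there
            $xor_loop
        )
}
```

The same rule file serves both scan modes: `yara -r Example_Loader_Traits.yar /srv/uploads` walks a directory tree, while `yara Example_Loader_Traits.yar <pid>` scans the live memory of a running process, which is the case the webinar highlights for memory-resident malware. Wildcards in hex strings, as in the `34 ??` XOR immediate, are what let one pattern cover every sample even when the key changes per build.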
Finally, both David and Amar agreed that businesses and organisations need to create a security culture, a mindset, that educates staff to report abnormal behaviour, take sensible precautions, encrypt sensitive data and use strong passwords that are not only easy to remember but difficult to guess.
Get ahead of the security challenge and view our Threat Intelligence and Predictions 2017 webinar now, and find out more on David Emm’s cyber security predictions for the coming year.