With the cyber security industrial complex in full swing and good business for all the major players, from governments and state-sponsored groups, to criminal attackers and the vendors as well as their shareholders, we wonder what horrors this dystopian hell world will spew forth next.
It was arguably 2017’s devastating WannaCry and NotPetya ransomware variants that brought cyber security into mainstream focus, taking it from the idea of banking scams into the realm of hobbling hospitals and businesses that depended on critical systems with real-world physical consequences.
Then 2018, just as GDPR came into effect, brought with it data breach after data breach, affecting millions of customers across industries, including customers of household names like Reddit, Facebook, Uber, British Airways and the Marriott hotel chain.
But it won’t be just consumers that pay the price of these incidents. When GDPR was implemented in May this year, the regulation meant companies that were found to have allowed a breach due to malpractice would face hefty fines.
State-sponsored breaches or attacks continued throughout the year, and it will be intriguing to see where these ‘advanced persistent threat’ groups head next – perhaps further underground, according to some commentators.
And while the majority of attackers are still going for the low-hanging fruit, some methods of attack are becoming increasingly sophisticated.
Better, smarter IoT botnets
The first truly global case of a powerful internet of things (IoT) botnet was Mirai in 2016. It was achieved with a few lines of quite simple code, but was so effective because it targeted objects like IP cameras that were connected to the internet but rarely secured or updated, and managed to bring down a decent chunk of the internet.
The internet providers and DNS companies have bolstered their defences since Mirai, but the IoT market – which could reach $6.5 trillion by 2024 – is only going to increase dramatically. Some manufacturers may have sharpened up their products to be updatable but certainly not all will have, especially when these things become interwoven into the fabric of everyday life.
Malwarebytes’ lead malware analyst Chris Boyd notes that in 2018 several thousand MikroTik routers were compromised to quietly be transformed into crypto coin miners.
“This is only the beginning of what we will likely see in the new year, with more and more hardware devices being compromised to serve up everything from coin miners to malware,” he says. “Large-scale compromises of routers and IoT devices are going to take place and they are a lot harder to patch than computers. Even just patching does not fix the problem if the device is infected.”
Kaspersky adds that IoT botnets will keep growing at an “unstoppable” pace, in what is becoming a recurring warning that shouldn’t be underestimated.
Mike O’Malley, VP for carrier strategy and business development at Radware, adds that hackers will attempt to turn IoT devices into a ‘swarm’ network of self-sufficient bots that can make semi-autonomous decisions, pool their collective intelligence together to solve problems, or “opportunistically and simultaneously target vulnerable points in a network”.
“‘Hivenets’ take this a step further and are self-learning clusters of compromised devices that simultaneously identify and tackle different attack vectors,” he adds. “The devices in the hive can talk to each other and can use swarm intelligence to act together, and recruit and train new members to the hive.”
A ‘hivenet’ that can identify and compromise more devices would be able to grow “exponentially” and “thereby widen its ability to simultaneously attack multiple victims”.
“This is especially dangerous as we roll out 5G,” he adds, “as hivenets could take advantage of the improved latency and become even more effective.”
According to VP of IoT at Sectigo, Damon Kachur, it’s important to consider the role of digital certificates.
“From an end user perspective, the slow uptake of security in IoT devices has prompted governments to regulate,” Kachur says. “Nations and more US states will follow California’s lead and enact legislation requiring security for IoT networks. This is particularly important for healthcare, transportation, energy, and manufacturing sectors, which face the highest risk.
“The legislation stops short of prescribing strong forms of authentication, but thankfully consortium groups such as the Open Connectivity Foundation and AeroMACS have championed the use of strong certificate-based authentication in their best practice standards for IoT.
“The attack vectors and threat actors to the IoT are constantly evolving, warranting best practice device provisioning and the ability to quickly and proactively manage current cryptographic algorithms with those that will supersede them in the future. This will be vital within the lifespan of the devices being deployed to customers,” he added.
Attacks on critical national infrastructure
A recent parliamentary committee warned that critical national infrastructure is at risk from cyber attackers. The National Cyber Security Centre also recently warned that states hostile to Britain would likely target its infrastructure.
While high-profile real-world examples of these sorts of attacks have been relatively scarce (especially in Britain – with only WannaCry and NotPetya coming close to date), some experts are warning that 2019 could see inter-state rivalries play out more fully in the cyber realm.
Even taking hostile states out of the equation, attackers motivated by money might see weakness in the country’s current approach to critical national infrastructure and hit it for financial reasons before it’s fixed.
James Wickes, CEO and cofounder of Cloudview, said that attacks on infrastructure could also be linked to the increase in internet-connected devices.
By Tamlin Magee, Computer World, UK