TECHNOLOGY

The rising risk of encrypted malware

2018 IT SECURITY PREDICTIONS – METHODS FOR ATTACKS, INVESTMENT AREAS & CYBERSECURITY STRATEGIES

By Morey Haber, VP, Technology, BeyondTrust

It’s that time of year again when we look back at what has motivated the market for IT security solutions in the last year, in order to develop our plans for the next year. With so many public exploits and data breaches, there’s certainly no shortage of material to leverage! I have grouped my predictions into three categories: methods for major hacks, breaches and exploits; the business of cybersecurity – focus and investments; and offensive and defensive strategies.

Category: Methods for major hacks, breaches and exploits

Prediction #1 – The bigger they are, the harder they fall

If we thought the headlines about major organizations getting breached shocked us, we will learn that large organizations have poor cyber security hygiene, are not meeting regulations, and are failing to enforce the policies they developed, recommend, and enforce on others. Next year’s news will have even more high-profile names.

Prediction #2 – Increase in mobile phone spam

With there being more mobile phones in most countries than there are citizens in those countries, mobile phone spam will rise 10,000% due to automated spam and dialing ‘botnets’ that essentially render most phones unusable because they receive so many phone calls from unidentified numbers. This rise in phone spam will push cellular carriers to start requiring that end users adopt an “opt in” policy so that only those in their contacts can call them.

Prediction #3 – Major increase in ‘gaming deleteware’ infections

‘Gaming deleteware’ infections across most major platforms will increase as botnets continuously attack gaming networks and devices such as Steam, Xbox, PlayStation, and Nintendo systems with the sole intention of rendering the machine inoperable. The malware is downloaded as an embedded game add-on, causing millions of devices to need to be replaced.

Prediction #4 – The first major Apple iOS virus hits within a popular “free” game

As users click on the ‘ad’ to play a game for free, their iOS 11 device will be compromised, leaking all data stored in the local Safari password storage vault.

Prediction #5 – Continued growth in the use of ransomware and cyber-extortion tools

2017 has proven the model: vulnerabilities nearly 20 years old are being exploited in organizational networks (Verizon DBIR 2017), so the opportunity is too great and too easy for organized crime to ignore. Further, the commoditization of these tools on the deep web opens the door to anyone who feels the risk is worth the reward. This is likely to continue until organizations get the basics right and the risk/reward balance tips, making ransomware far less appealing.

Prediction #6 – More end-user targeting

Penetration through unpatched servers, as in the case of Equifax, will happen, but hackers will continue to target end users with more sophisticated phishing and targeted malware, taking advantage of unpatched desktops where clients have far too many privileges. Again, don’t take your eyes off the end users.

Prediction #7 – Biometric hacking will be front and center

Attacks and research against biometric technology in Microsoft Hello, Surface Laptops, Samsung Galaxy Note, and Apple iPhone X will be the highest-prize targets for researchers and hackers. The results will prove that these new technologies are just as susceptible to compromise as touch ID sensors, passcodes, and passwords.

Prediction #8 – Cyber recycling

As we see a rise in the adoption of the latest and greatest devices, we will see devices, and now IoT, be cyber recycled. These devices, including mobile phones, won’t be destroyed, however. They will be wiped, refurbished, and resold even though they are end of life (EOL). Look for geographic attacks against these devices to rise since they are out of maintenance.

Category: The business of cybersecurity – focus and investments

Prediction #9 – More money for security, but the basics still won’t be covered

Organizations will continue to increase spending on security and new solutions, but will struggle to keep up with basic security hygiene such as patching. Hackers will continue to penetrate environments by leveraging known vulnerabilities for which patches have existed for quite some time. Regardless of whether it is an employee mistake, lack of resources, or operational priorities, we are sure to see this theme highlighted in the next Verizon breach report.

Prediction #10 – IAM and privilege management going hand-in-hand

Identity Access Management (IAM) and privilege management adoption as a required security layer will continue. We will see more security vendors adding identity context to their product lines. Identity context in NAC and micro-segmentation technologies will increase as organizations invest in technologies to minimize breach impact.

Prediction #11 – Greater cloud security investments

Vendors will begin to invest more heavily to protect cloud-specific deployments for customers migrating to the cloud. Supporting Docker/containers, DevOps use cases, and enforcing secure cloud configurations are some initiatives that will be driven by customers.

Prediction #12 – Acceptance that “completely safe” is unobtainable

As 2018 progresses and more and more organizations accept that breaches are inevitable, there will be a shift toward containing the breach rather than trying to prevent it. This doesn’t mean abandoning the wall, but rather accepting that it isn’t perfect and can never be, and shifting appropriate focus toward limiting the impact of the breach. Organizations will refocus on the basics of cybersecurity best practice to enable them to build effective solutions that impede hackers without impacting legitimate users.

Prediction #13 – Chaos erupts as the GDPR grace period ends

As organizations enter 2018 and realize the size of the task to become GDPR compliant by 25th May, there will be a lot of panic. This legislation seems poorly understood, which has led many organizations to table it for ‘later’; many will wait until the first prosecution is underway before they react. The EU gave over 2 years, after GDPR passed into law (27th April 2016), for organizations to become GDPR compliant, so there is likely to be little tolerance for non-compliant organizations which are breached after 25th May and, more than likely, some example setting. Those who completed their GDPR compliance ahead of the deadline will be right to feel smug as they watch their competitors flail.

Category: Offensive and defensive strategies

Prediction #14 – Increased automation in cybersecurity response

The size of the cybersecurity threat continues to grow through 2018, with increasing numbers of attack vectors combined with an increased incidence of attacks via each vector (driven by the commoditization of attack tools), leading to massive increases in the volume of data being processed by cybersecurity teams. This demands improvement in the automation of responses in cybersecurity tools to do much of the heavy lifting, thereby freeing the cyber teams to focus both on the high-risk threats identified and on planning effectively for improvements in defences. Increased use of machine learning technologies and, from that, more positive outcomes will lead to significant growth in this area.

Prediction #15 – Richer cybersecurity vision

As organizations’ needs for more comprehensive cybersecurity solutions grow, so will the need for effective integration between the vendors of those technologies. This will lead to more technology partnerships in the near term and eventually to industry standards for integration in the longer term. The ability for systems to work with relatively unstructured data will allow for more effective information interchange and, as a result, far richer and more rewarding views across our cyber landscapes.

Prediction #16 – It is now law

Governments will begin passing legislation around cybersecurity and the basic management of IoT devices required for safe and secure computing.

By Omar Yaacoubi, CEO, Barac

The financial sector has long been a prime target for cybercriminals. The kudos associated with breaking into a financial organisation, coupled with the lure of harvesting and selling on high-value customer data, means the industry finds itself under near-constant attack. According to the Government’s 2018 Cyber Security Breaches Survey, some 57 percent of financial services companies experienced a cybersecurity breach or attack in the previous year. Across all business sectors, the figure was considerably lower, at 43 percent.

Financial firms understand that they are being singled out by the criminal underworld and spend a small fortune protecting their networks from these attacks. Encryption, in particular, has emerged as a key defence. It ensures that, even if a hacker does penetrate a network, they cannot access or make use of the sensitive data.

Moving to the cloud and the introduction of stricter compliance regulations and privacy laws – most notably, GDPR – has accelerated the adoption of encryption solutions. Google estimates that, this year, some 80 percent of internet traffic will be encrypted as organisations attempt to avoid the large fines associated with non-compliance and, of course, protect their sensitive data from external threat actors.

Encryption poses new security risks

While encryption undoubtedly plays a critical role in protecting financial and customer data, its growing popularity has spawned a new risk for the financial sector: encrypted malware.

Just as encrypted traffic makes it harder for hackers to access valuable data, it also makes it more difficult for organisations to identify and block malware. PWC estimates that by the end of 2019, some 60 percent of all malware will be hidden inside encrypted traffic flows. Many organisations have seen this first-hand. A CIO survey by Vanson Bourne found that 90 percent of organisations had experienced – or expect to experience – a network attack using the commonly deployed Secure Sockets Layer (SSL) encryption or its successor, Transport Layer Security (TLS) encryption during the course of this year.

The biggest example is Equifax, where hackers used the cover of SSL-encrypted traffic to exfiltrate the valuable data and avoid detection by the company’s security tools.

Why encrypted malware is hard to spot

Encrypted malware has become the hacker’s attack vector of choice because traditional security tools have become ineffectual in protecting against it. Simply put, many of today’s popular cybersecurity solutions are unable to see inside encrypted traffic. To check for malicious code, they first have to decrypt all of the network traffic, before performing a scan, re-encrypting it and then forwarding the data packets on to the intended recipient. This process is the most commonly used approach to catch hidden malware, yet it comes with many flaws.

The decryption process is extremely compute intensive and can negatively affect the performance of the network, limiting the capabilities of nearly all firewall and Intrusion Prevention Solutions (IPS) available on the market today. Growing volumes of encrypted traffic mean there are more and more data packets to decrypt, scan and re-encrypt. These increased loads can stop devices from functioning altogether. As a result, some organisations give up following this process, and allow encrypted traffic flows onto their networks without scanning for malware.

The same decryption process could also place financial institutions in breach of the very compliance regulations that encryption was deployed to address. While the traffic is decrypted there is a short period when the data is in plaintext and visible, putting a large amount of sensitive data at risk.

Decryption might not even be technically possible for much longer. The new Transport Layer Security (TLS) 1.3 protocol, which includes stronger encryption processes to prevent hackers from snooping on sensitive data, will also prevent the decryption of traffic to search for malware. Whilst the previous TLS 1.2 protocol allowed a monitoring device holding the server’s private key to decrypt and scan captured traffic (when a static RSA key exchange was negotiated), the newer version, introduced in August 2018, has stricter requirements: its key exchange is always ephemeral, so this ‘passive mode’ decryption is no longer possible.

New problems require new solutions

Banks need to find alternatives to decryption as a way of protecting against the hidden threat of encrypted malware. While many organisations are aware of the critical importance of investing in new technology for the future, it’s another thing to bite the bullet and adopt these types of solutions. Indeed, Accenture’s 2018 State of Cyber Resilience Report found that although 83 percent of organisations agree that new technology is an essential tool, only two out of five are investing in AI, machine learning and automation technologies.

Yet encrypted malware is one threat that can already be nullified by these new technologies.

Using machine learning techniques and behavioural analytics to scan the metadata of encrypted traffic (rather than the actual contents), new tools are emerging that learn the difference between ‘good’ and ‘bad’ traffic. This provides financial organisations with the ability to block encrypted malware without the need for decryption, all in real-time and with no concerns over compliance or network performance.
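To make the metadata-only approach concrete, here is an added example (not code from the article, and not Barac’s product) that trains a small naive Bayes classifier on constructed TLS flow records and scores unseen flows without touching any payload. The feature names, thresholds (30-day certificate lifetime, 0.1 timing jitter, 50 percent upload ratio) and all sample records are assumptions chosen for illustration, not values from the article.

```python
"""Metadata-only classification of TLS flows (added example, not the article's code).

A tiny Bernoulli naive Bayes model is trained on constructed flow records and
then scores unseen flows. Nothing is decrypted: every feature is derived from
fields a passive sensor can log (SNI, certificate lifetime and issuer, TLS
version, byte counts, timing regularity of repeated connections).
"""
import math

# Constructed sample records (not real traffic). Certificate fields are on the
# wire in TLS 1.2 handshakes; for the TLS 1.3 rows assume they came from an
# out-of-band lookup of the server, since 1.3 encrypts the Certificate message.
TRAINING_FLOWS = [
    ("benign", {"sni": "www.example-bank.test", "self_signed": False, "cert_days": 365,
                "tls_version": "1.3", "bytes_out": 4_000, "bytes_in": 120_000, "interval_jitter": 0.9}),
    ("benign", {"sni": "cdn.example-news.test", "self_signed": False, "cert_days": 90,
                "tls_version": "1.3", "bytes_out": 2_000, "bytes_in": 50_000, "interval_jitter": 0.7}),
    ("benign", {"sni": "backup.example-corp.test", "self_signed": False, "cert_days": 730,
                "tls_version": "1.2", "bytes_out": 30_000, "bytes_in": 10_000, "interval_jitter": 0.8}),
    ("benign", {"sni": "update.example-vendor.test", "self_signed": False, "cert_days": 365,
                "tls_version": "1.2", "bytes_out": 500, "bytes_in": 2_000, "interval_jitter": 0.05}),
    ("benign", {"sni": None, "self_signed": False, "cert_days": 365,
                "tls_version": "1.2", "bytes_out": 1_000, "bytes_in": 5_000, "interval_jitter": 0.6}),
    ("malicious", {"sni": None, "self_signed": True, "cert_days": 10,
                   "tls_version": "1.2", "bytes_out": 50_000, "bytes_in": 2_000, "interval_jitter": 0.02}),
    ("malicious", {"sni": "cdn-update.test", "self_signed": True, "cert_days": 5,
                   "tls_version": "1.0", "bytes_out": 800, "bytes_in": 600, "interval_jitter": 0.03}),
    ("malicious", {"sni": None, "self_signed": False, "cert_days": 20,
                   "tls_version": "1.2", "bytes_out": 200_000, "bytes_in": 3_000, "interval_jitter": 0.5}),
    ("malicious", {"sni": None, "self_signed": True, "cert_days": 365,
                   "tls_version": "1.1", "bytes_out": 300, "bytes_in": 900, "interval_jitter": 0.01}),
    ("malicious", {"sni": "static.example-files.test", "self_signed": True, "cert_days": 7,
                   "tls_version": "1.2", "bytes_out": 5_000, "bytes_in": 5_000, "interval_jitter": 0.04}),
]

FEATURES = ("no_sni", "self_signed", "short_lived_cert", "legacy_tls",
            "upload_heavy", "regular_beacon")


def extract_features(rec):
    """Map a raw flow record to binary indicators; all are metadata-derived (thresholds assumed)."""
    total = rec["bytes_out"] + rec["bytes_in"]
    return {
        "no_sni": rec["sni"] is None,
        "self_signed": rec["self_signed"],
        "short_lived_cert": rec["cert_days"] < 30,
        "legacy_tls": rec["tls_version"] in ("1.0", "1.1"),
        "upload_heavy": total > 0 and rec["bytes_out"] / total > 0.5,
        "regular_beacon": rec["interval_jitter"] < 0.1,   # near-constant callback interval
    }


class BernoulliNB:
    """Naive Bayes over binary features with Laplace (add-one) smoothing."""

    def __init__(self):
        self.log_prior = {}
        self.log_on = {}    # log P(feature = 1 | class)
        self.log_off = {}   # log P(feature = 0 | class)

    def fit(self, labelled):
        for c in {label for label, _ in labelled}:
            rows = [extract_features(r) for label, r in labelled if label == c]
            n = len(rows)
            self.log_prior[c] = math.log(n / len(labelled))
            self.log_on[c], self.log_off[c] = {}, {}
            for f in FEATURES:
                on = sum(1 for row in rows if row[f])
                p_on = (on + 1) / (n + 2)          # smoothed so an unseen value never gives zero
                self.log_on[c][f] = math.log(p_on)
                self.log_off[c][f] = math.log(1 - p_on)
        return self

    def log_score(self, rec, c):
        feats = extract_features(rec)
        return self.log_prior[c] + sum(
            self.log_on[c][f] if feats[f] else self.log_off[c][f] for f in FEATURES)

    def prob_malicious(self, rec):
        diff = self.log_score(rec, "benign") - self.log_score(rec, "malicious")
        return 1.0 / (1.0 + math.exp(diff))


def train_model():
    return BernoulliNB().fit(TRAINING_FLOWS)


def classify(model, rec, threshold=0.5):
    """Return (label, P(malicious)) for one flow record; no payload is inspected."""
    p = model.prob_malicious(rec)
    return ("malicious" if p >= threshold else "benign", round(p, 3))


if __name__ == "__main__":
    model = train_model()
    # Constructed held-out flows: a beaconing upload behind a short-lived self-signed
    # certificate with no SNI, and an ordinary page fetch.
    suspect = {"sni": None, "self_signed": True, "cert_days": 3, "tls_version": "1.2",
               "bytes_out": 90_000, "bytes_in": 1_000, "interval_jitter": 0.02}
    normal = {"sni": "www.example-news.test", "self_signed": False, "cert_days": 90,
              "tls_version": "1.3", "bytes_out": 3_000, "bytes_in": 80_000, "interval_jitter": 0.8}
    for name, rec in (("suspect", suspect), ("normal", normal)):
        print(name, classify(model, rec))
```

Two design points are worth noting. First, no single indicator decides the outcome: a legitimate software-update check that beacons on a regular schedule but has a valid certificate and a normal SNI still scores as benign, because the model weighs all six indicators together. Second, the certificate-derived features only come for free on the wire with TLS 1.2; with TLS 1.3 the Certificate message is encrypted, so a real sensor would have to rely on the remaining handshake and flow-statistics features or fetch certificate details out of band, which is why the constructed TLS 1.3 rows above are explicitly labelled as assumptions.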
