Davey Winder | December 20, 2017

The A-Z of 2018 Threatscape Predictions

Here at IT Security Thing we end up travelling all over the world to listen to what the great and the good of the cybersecurity industry have to say. It’s a tough job, etc etc. If we’ve learned one thing from our globetrotting adventures, it is that there are a hell of a lot of intelligent folk on the right side of the security fence, and when they speak it’s pretty stupid to ignore them. So it is that, as we approach the end of yet another year, it seems pertinent to listen to what the world of cybersec professionals is predicting will be facing us in the year to come. And so, without any further waffle, here’s the IT Security Thing A-Z of 2018 security predictions…



“2018 will see a rise in AI-based attacks as cybercriminals begin using machine learning to spoof human behaviours. The cybersecurity industry will need to tune their own AI tools to better combat the new threats…” Caleb Barlow, Vice President, IBM Security



“As cryptocurrencies grow in importance, with reports of 1.65 million computers mining Bitcoin in 2017 and threat actors using cryptocurrencies as ways of extracting revenue from cybercrime, Forcepoint predicts that during 2018, the systems surrounding such currencies will increasingly come under attack. Blockchain technology underpins the transaction ledgers used by most cryptocurrencies. Governments around the world are seeking to legislate and therefore control the providers and users of blockchain-based technologies. The U.S. Department of Defense (DoD) was recently tasked with investigating the potential impact of blockchain compromise following the passing of a bill by the U.S. Senate; its findings will increase demand for more robust security. We expect to see an increasing amount of malware targeting user credentials of cryptocurrency exchanges (websites that allow users to buy, sell or exchange crypto-currencies for other digital currency or traditional currency) in the vein of TrickBot in August 2017. We further anticipate that cybercriminals will turn their attention to vulnerabilities that exist in various systems which rely on blockchain-based technologies. While the principle of the blockchain makes the insertion of falsified transactions into historical blocks prohibitively difficult, compromising the systems used to make the transactions – for example the 2016 attack on The DAO, which exploited a flaw in the code of the smart contract underlying the organization – will be an attractive proposition for highly skilled attackers…” Luke Somerville, head of special investigations, Forcepoint



“One of the types of attacks that we will see gain more traction in 2018 is the website attack. With the growing use of online services (checking accounts, merchant accounts and Point-of-Sale systems now going through the web) the risk of attacks is large and has the potential to affect any institution using these services, as it opens access to institutions’ backend databases, document stores and applications, all within easy reach. This type of attack is very hard to find, but it is incredibly easy for attackers to undertake. Because an attacker can gain access to the website via hijacking a user’s request, and then by simply making a small change to the code to redirect payment information their way while not stopping the correct path of the request, it makes it easy for attackers to get access to critical data without raising any red flags…” Simon Bain, CEO of BOHH Labs



“DevOps is an increasingly popular development practice allowing organisations to increase the speed at which they produce apps and services. An unfortunate side effect of this process is that you might also be accelerating the production of insecure code and bugs, with the potential to cause a serious financial and reputational hit if not managed correctly. In an increasingly cloud and mobile-first world, it will become essential to also bake in security to this process: thus, DevOps becomes DevSecOps. Embracing an application lifecycle approach in this way will end up saving organisations time and money – because problems are always easier to solve when security is addressed as far left in the lifecycle as possible. It will not be an easy shift for many security professionals, but third-party expertise will help overcome cultural resistance and arm organisations with the right processes and automated toolsets to drive success…” Kai Grunwitz, Senior Vice President EMEA, NTT Security



“The web is moving to encrypted-by-default. Seventy of the Top 100 non-Google websites, accounting for 25 percent of all website traffic worldwide, are using HTTPS by default. Major search engines, social media networks and shopping sites are investing in the technology to make the web a safer place for everyone. It’s therefore no surprise that cybercriminals and nation state actors will adapt their tactics, techniques and procedures accordingly. Malware creators, or those controlling botnets, will continue to take advantage of any environments that are not using SSL/TLS decryption and inspection to hide communications using encrypted communication channels. We will also see other malware attempting to detect or thwart MiTM security techniques by using non-standard cryptography, certificate pinning and other techniques…” Audra Simons, Head of Forcepoint Innovation Labs, Forcepoint



“In an online world dominated by FAMGA (Facebook, Amazon, Microsoft, Google and Apple), I expect to see very few actively exploited vulnerabilities in newly created and distributed software from these mature technology vendors. The hegemony of these companies will ensure a highly secure operating environment within each of their areas of dominance. Occasional issues will surface, of course, but on the whole, the computing environment for the average person will have a marked lack of classic software vulnerabilities. However, this lack of new bugs will not put cyber criminals out of business. They will continue to spend their efforts on much softer targets. These would include older software stacks that rarely see regular software updates – multifunction printers, home and enterprise switches and routers, and Internet of Things devices that ship old and unpatchable software. I also expect to see continued sophistication on the part of attackers in their ability to trick, scam, and phish credentials out of users, where either no bugs, or old bugs, are required for successful exploitation…” Tod Beardsley, Research Director, Rapid7



“An increase in nation state cybersecurity breach activity as cold war-like activity continues to escalate, where countries and organizations (i.e. ISIS) will actually invest more into both defensive and offensive tech and skills to gain access to information that can be leveraged in numerous ways. I think we have only seen the early days of what’s possible and likely here…” Frank Price, vice president, product, Webroot

“Discoveries of election meddling and social media tweaking will be an economic drag on some of the biggest tech giants in the industry – and be cause for further scrutiny on securing devices, networks, and communications channels and verifying identity. The tradeoffs between free speech and open digital access and convenience will become ever more apparent…” Hal Lonas, chief technology officer, Webroot

“State-sponsored service breach of critical infrastructure leading to loss of life and an extended timeframe to return to normal operations…” Paul Barnes, senior director product strategy, Webroot



“Building on sophisticated attacks like Hajime and Devil’s Ivy or Reaper, we predict that cybercriminals will replace botnets with intelligent clusters of compromised devices called hivenets to create more effective attack vectors. Hivenets will leverage self-learning to effectively target vulnerable systems at an unprecedented scale. They will be capable of talking to each other and taking action based off of local intelligence that is shared. In addition, zombies will become smart, acting on commands without the botnet herder instructing them to do so. As a result, hivenets will be able to grow exponentially as swarms, widening their ability to simultaneously attack multiple victims and significantly impede mitigation and response. Although these attacks are not using swarm technology yet, because they have the footprint in their code, adversaries could convert it to act with more self-learning behaviour. Adversaries will use swarms of compromised devices, or swarmbots, to identify and target different attack vectors all at once enabling enormous speed and scale, but where the speed of development removes predictability needed to combat attack…” Derek Manky, Global Security Strategist, Fortinet



“The Internationalised domain name (IDN) homograph technique uses similar characters in non-Latin alphabets in order to appear similar to the targeted Latin alphabet domain. The non-Latin characters are interpreted by the Latin web browsers as Punycode. As an example, the punycode of ‘xn--oogle-qmc’ resolves to ‘google’ – note the two different types of ‘g’. Recently we have observed this technique being employed on a larger scale; though this technique has been a proof of concept and sparingly used for a number of years, attackers can use a vast amount of subtle letter swaps using this technique. We predict this technique to increase in early 2018 if web browsers continue converting the Punycode domain into the Unicode domain, thus appearing to be the legitimate domain to the end user…” Dr Adrian Nish, Head of Threat Intelligence at BAE Systems Applied Intelligence



“Brand hijacking in both emails and spoofed websites will only continue to grow in the next year, and both companies and consumers need to be on their guard, educated and ready for these threats to come around. Domain spoofing has been increasing rapidly and will continue to grow through 2018. Spoofing is a type of impersonation attack that tricks the victim into thinking that a criminal is someone else. Criminals use domain spoofing to impersonate a company or a particular company employee. The criminals often send emails to customers or partners of the company in order to steal credentials and gain access to company accounts. This is often the beginning of a multi-stage strategy to steal data and commit fraud with organizations that is quickly becoming one of the costliest cyber-attacks out there today. There has been a stark increase in the volume of mass phishing attacks where cybercriminals are spoofing popular e-commerce and consumer brand names and websites aimed at stealing information. The actual names of the brands these attackers impersonate are less important than the tactic, as criminals quickly change brand names with new attempts. The goal is to convince the unsuspecting to either download malicious documents or log in to a fake account resulting in surrendered account credentials – which then leads to all sorts of hurtful behaviour. Attackers can take user credentials and retrieve credit card information, additional personal information, and learn more about their victim’s online behaviour for future social engineering attacks. They will actually build websites that mimic actual brand name websites in the hope of siphoning victims during high times of shopping. Even though these counterfeit sites are not identical to the actual sites of the impersonated big brands, attackers are counting on the fact that most consumers do not buy from these brands directly, and therefore won’t recognize what their homepage actually looks like…” Fleming Shi, SVP of Technology, Barracuda



“Attackers will seek opportunities to not just steal data, but to undermine data integrity. In 2018, we may see the very first attack that attempts to disrupt the integrity of patient care laboratory results or alter financial statements for a financial services company. We think about the impact of identity theft as a primary purpose, because identities have financial significance. But we rarely think as well about the potential for attacks directly against data integrity. A complete breach of confidence may result, and then we will all need to rethink how and why we connect to the internet and compute…” The Wombat Security Team



“The value of large data lakes will increase as security companies turn to machine learning based solutions. The most valuable of these datasets will be hand-curated labelled datasets that can be used to train supervised machine learning models…” Adam Hunt, Chief Data Scientist, RiskIQ



“Manipulating the markets via hack or Twitter bot. To date there have been few cases of criminals looking for ways to target and exploit the stock market system online. In theory, these could be attractive targets, as playing the market is ‘out-of-band’ from the hack itself. We predict that, in 2018, we’ll see a repurposing of ‘fake-news’ Twitter bots to push market-relevant information. This could be used in pump-and-dump style attacks, or could be targeted at algorithmic trading bots…” Dr Adrian Nish, Head of Threat Intelligence at BAE Systems Applied Intelligence



“In 2017, Kaspersky Lab research revealed the extent to which medical information and patient data stored within the connected healthcare infrastructure is left unprotected and accessible online for any motivated cybercriminal to discover. For example, we found open access to around 1,500 devices used to process patient images. In addition, we found that a significant amount of connected medical software and web applications contains vulnerabilities for which published exploits exist. This risk is heightened because cyber-villains increasingly understand the value of health information, its ready availability, and the willingness of medical facilities to pay to get it back. The threats to healthcare will increase as ever more connected devices and vulnerable web applications are deployed by healthcare facilities. Connected healthcare is driven by a number of factors, including a need for resource and cost efficiency; a growing requirement for remote, home-based care for chronic conditions like diabetes and ageing populations; consumer desire for a healthy lifestyle; and a recognition that data-sharing and patient monitoring between organisations can significantly enhance the quality and effectiveness of medical care. Attacks targeting medical equipment with the aim of extortion, malicious disruption or worse, will rise. The volume of specialist medical equipment connected to computer networks is increasing. Many such networks are private, but one external Internet connection can be enough for attackers to breach and spread their malware through the ‘closed’ network. Targeting equipment can disrupt care and prove fatal – so the likelihood of the medical facility paying up is very high…” Denis Makrushin, security researcher at Kaspersky Lab



“The biggest danger facing enterprises in 2018 is organised threat actors. 2017 showed us that businesses are facing criminal organisations, hackers backed by competitors and even nation states. We’ve long suspected this would be the case, but it’s becoming increasingly clear that the level of sophistication and tenacity shown by these attackers is far beyond the opportunistic hacking many enterprises are currently prepared to defend against. Because attribution is so hard and proving who the attackers are is nearly impossible for most organisations, the hacks will be more brazen as the year goes by…” Jay Coley, Senior Director Security Services, Akamai



“Westerners born in 2016 will be the last adults to need passwords. By the time people born in this year start using authentication features, biometrics will have replaced Internet passwords. Cash machines and card payments will remain the last bastion of PINs…” Shaun Collins, CEO, CCS Insight



“The 2007 financial crisis brought to light just how interconnected today’s economy really is. All areas of business were affected, with exposure to debt being shared. The cybersecurity industry is no different. Security ‘debt’ is a liability or obligation to pay or render something. Technical Debt is already a well-understood concept in software development – the cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer or cost more. This translates well into security; not as the potential downside resulting from a decision to compromise, but as the direct, concrete, real-time and quantifiable cost of a trade-off between the best possible approach to securing something and the more attractive, practical, convenient or affordable approach. Security debt can be compared to monetary debt. If the debt is not repaid, it can accumulate ‘interest’ and grows over time until it is repaid. It sits on a business’ balance sheet in big red letters for all the world to see, speaking to the very heart of the business – its value. If a business has more liabilities in the form of security and other debt than it has assets, then you’re bankrupt and eventually, you must fail. In 2018 we may see the damaging effects of security debt that has been stacking up in the form of legacy code, third-party libraries and dependencies, and even architectures used by companies. This has been building up for the past 30 years and may be catastrophic if the right set of circumstances come to pass. Companies have been living on borrowed security for too long, and 2018 may be the year when those debts get collected…” Charl van der Walt, Chief Security Strategy Officer at SecureData



“We will see exponential growth of the ransomware plague, especially the as-a-service strains. The massive ransomware attacks of 2017 aren’t going anywhere. Instead, they will grow exponentially and mutate to gain further traction. We’ll see a rise in ransomware attacks that also exfiltrate data, allowing cybercriminals a second way to ransom data through the threat of exposure. Additionally, ransomware-as-a-service will continue to grow and will be the source of a significant percentage of attacks. Custom-made ransomware attacks will be reserved only for very high-value targets. Extortion scams will have a long tail. It’s bad enough to have your data held hostage until you pay a ransom 48 or 72 hours later. As we move into 2018, scams are going to extend that timeline, creating long-term or lingering extortion situations that are an ongoing nightmare for organisations and individual internet users alike. An example of this would be a ransomware attack that demands nude photos of the victim as payment, opening the door for continued blackmail…” Stu Sjouwerman, KnowBe4 Founder and CEO



“Network segmentation will move to the services level. With the rise of containerisation, the notion of segmentation moves from the network to the realm of containers. Containers provide more flexibility; however, because they can exist anywhere, it’s not possible to block them off with traditional network segmentation…” Reuven Harrison, Chief Technology Officer, Tufin



“The skills gap is definitely still holding the industry back. As cyber warfare increases, governments need to upskill the next generation of defenders. Figures around the cyber skills shortage make for sobering reading. A report from Frost & Sullivan and (ISC)² found that the global cybersecurity workforce will have more than 1.5 million unfilled positions by 2020. Both private and state schools need strong cyber programs and academies should look to develop cyber skills in children from disadvantaged backgrounds. This will hopefully prevent talented teenagers being sucked into the dark side. Although at the same time that industry struggles to recruit talent, university graduates are finding it hard to start their careers in cyber security. We need to improve opportunities for entry level positions including internships, apprenticeships, more cyber classes in schools, and formal cyber programs. This also requires a look beyond STEM as careers in threat intelligence can better suit analytical degrees, due to the need to be able to research, analyse and draw conclusions, which can give them the edge over those with a scientific mindset. There are some bright new leaders in the industry that are focusing on education and engaging young talent in the industry and this has to continue…” Travis Farral, Director of Security Strategy at Anomali



“The eastern European conflict areas in the Ukraine will continue to be an area of digital disruption like we’ve seen with NotPetya and BadRabbit. Actors might also fall back to physical attack as seen with the attack on Ukraine in 2015 and 2016 after the waves of ransomware and wiper malware…” Yonathan Klijnsma, Threat Researcher, RiskIQ



“Vulnerabilities in Internet of Things (IoT) devices and supervisory control and data acquisition (SCADA) systems will lead to physical – not just digital – damage of some type in 2018. Hopefully the scale of damage will limit casualties to controller components. Unlike Stuxnet and Flame targets, IoT and SCADA devices are leveraging common open-source frameworks that are easy to fingerprint and hard to patch after installation, making them prime targets…” Ronald Sens, Director EMEA Marketing, A10 Networks



“One of the reasons for shortage of resources in cybersecurity is down to the lack of females working in the industry. Women have historically turned away from what has been seen as an extremely male-dominated industry. It is estimated that just 11% of the total cybersecurity workforce is made up by women. There has, however, been an increase in the number of women holding senior C-level positions in cyber security. These women will influence more women over the coming year and beyond to turn to cybersecurity. Along with some active initiatives in the sector there should be a huge increase in the number of women in cyber security roles in 2018. Female-focused initiatives will help see the industry turn to more women to fill the knowledge/skill shortages. At UK universities, there are initiatives to increase the number of women taking up STEM subjects (Science, Technology, Engineering, Maths) with the aim of encouraging a future generation of females to opt to take up careers in cybersecurity in what is traditionally a male-dominated industry…” Chris Farrelly, General Manager, HANDD Business Solutions



“Security software will have a target on its back. In 2018, cybercriminals will target and exploit more security software. By targeting trusted programs and the software and hardware supply chain, attackers can control devices and wholeheartedly manipulate users. Hackers will leverage and exploit security products, either directly subverting the agent on the endpoint, or intercepting and redirecting cloud traffic to achieve their means. As these events become more publicly known, the public and business perception of security software, particularly that of antivirus solutions (AV), will further deteriorate…” Marcin Kleczynski, CEO of Malwarebytes



“Brexit, and fear of the unknown, will drive companies to reconsider where the best place is for their data to be stored. Do you keep data in the country where it’s collected? Or do you keep it centrally where it’s processed? Or do you put all your data in the cloud? It’s a challenging question for international businesses and one that’s become a hot topic as they think about how to cope with the fallout of Brexit. If the UK leaves data protection and data transit regulation behind when it leaves the EU, what does that mean for companies doing business there? And, until we know what’s going to happen, what’s the best option? It’s a decision that’s made even more pressing for global companies that have often put their EMEA headquarters in the UK for language and transportation reasons. Do you pull your HQ out of the UK? And, if so, where do you put your EMEA servers?” Mark Weeks, MD EMEA, Akamai



“As attacks escalate and all organisations are now a target, IT teams will begin to explicitly allow users to access systems, requiring policies and processes to be re-assessed…” Rory Duncan, Head of Security Business Unit, UK&I, Dimension Data