With 2019’s headlines of ransomware, malware and RDP attacks almost behind us, we shift our focus to the cybercrime threats ahead. Cybercriminals are increasing the complexity and volume of their attacks and campaigns, always looking for ways to stay one step ahead of cybersecurity practices – and more often using the world’s evolving technology against us. We hear from Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research and the McAfee Threat Labs team who talk us through some of the key threats of which CISOs need to be aware as we move into the new year.
Continuing advancements in Artificial Intelligence and Machine Learning have led to invaluable technological gains, but threat actors are also learning to leverage AI and ML in increasingly sinister ways. AI technology has extended the capabilities of producing convincing deepfake video to a less-skilled class of threat actor attempting to manipulate individual and public opinion. AI-driven facial recognition, a growing security asset, is also being used to produce deepfake media capable of fooling humans and machines.
Our researchers also foresee more threat actors targeting corporate networks to exfiltrate corporate information in two-stage ransomware campaigns.
With more and more enterprises adopting cloud services to accelerate their business and promote collaboration, the need for cloud security is greater than ever. As a result, the number of organisations prioritising the adoption of container technologies will likely continue to increase in 2020. Which products will they rely on to help reduce container-related risk and accelerate DevSecOps?
The threatscape of 2020 and beyond promises to be interesting for the cybersecurity community.
Broader deepfakes capabilities for less-skilled threat actors
The ability to create manipulated content is not new. Manipulated images were used as far back as World War II in campaigns designed to make people believe things that weren’t true. What’s changed with the advances in Artificial Intelligence is you can now build a very convincing deepfake without being an expert in technology. There are websites set up where you can upload a video and receive, in return, a deepfake video. There are very compelling capabilities in the public domain that can deliver both deepfake audio and video abilities to hundreds of thousands of potential threat actors with the skills to create persuasive phoney content.
Deepfake video or text can be weaponised to enhance information warfare. Freely available video of public comments can be used to train a Machine Learning model that can develop a deepfake video depicting one person’s words coming out of another’s mouth. Attackers can now create automated, targeted content to increase the probability that an individual or group falls for a campaign. In this way, AI and Machine Learning can be combined to create massive chaos.
In general, adversaries are going to use the best technology to accomplish their goals, so if we think about nation-state actors attempting to manipulate an election, using deepfake video to manipulate an audience makes a lot of sense. Adversaries will try to create wedges and divides in society. Or a cybercriminal can have a CEO make what appears to be a compelling statement that a company missed earnings or that there’s a fatal flaw in a product that’s going to require a massive recall. Such a video can be distributed to manipulate a stock price or enable other financial crimes.
We predict the ability of an untrained class of actor to create deepfakes will drive an increase in the quantity of misinformation.
Adversaries to generate deepfakes to bypass facial recognition
Computer-based facial recognition, in its earliest forms, has been around since the mid-1960s. While dramatic changes have since taken place, the underlying concept remains: it provides a means for a computer to identify or verify a face. There are many use cases for the technology, most related to authentication and to answer a single question: is this person who they claim to be?
As time moves on, the pace of technology has brought increased processing power, memory and storage to facial recognition technology. New products have leveraged facial recognition in innovative ways to simplify everyday life, from unlocking smart phones, to passport ID verification in airports and even as a law enforcement aid to identify criminals on the street.
One of the most prevalent enhancements to facial recognition is the advancement of Artificial Intelligence (AI). A recent manifestation of this is deepfakes, an AI-driven technique producing extremely realistic text, images and videos that make it difficult for humans to discern real from fake.
Generative Adversarial Networks (GANs) are a recent analytic technology that, on the downside, can create fake but incredibly realistic images, text and videos. Enhanced computers can rapidly process numerous biometrics of a face and mathematically build or classify human features, among many other applications. While the technical benefits are impressive, underlying flaws inherent in all types of models represent a rapidly growing threat, which cybercriminals will look to exploit.
As technologies are adopted over the coming years, a very viable threat vector will emerge and we predict adversaries will begin to generate deepfakes to bypass facial recognition. It will be critical for businesses to understand the security risks presented by facial recognition and other biometric systems and invest in educating themselves about the risks as well as hardening critical systems.
Ransomware attacks to morph into two-stage extortion campaigns
In McAfee’s 2019 Threat Predictions Report, we predicted cybercriminals would partner more closely to boost threats; over the course of the year, we observed exactly that. Ransomware groups used pre-infected machines from other malware campaigns, or used remote desktop protocol (RDP) as an initial launch point for their campaign.
These types of attacks required collaboration between groups. This partnership drove efficient, targeted attacks which increased profitability and caused more economic damage. In fact, Europol’s Internet Organised Crime Threat Assessment (IOCTA) named ransomware the top threat that companies, consumers and the public sector faced in 2019.
Based on what McAfee Advanced Threat Research (ATR) is seeing in the underground, we expect criminals to exploit their extortion victims even more moving forward. The rise of targeted ransomware has created a growing demand for compromised corporate networks. This demand is met by criminals who specialise in penetrating corporate networks and sell complete network access in one go.
For 2020, we predict the targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks. In the first stage cybercriminals will deliver a crippling ransomware attack, extorting victims to get their files back. In the second stage, criminals will target the recovering ransomware victims again with an extortion attack but this time they will threaten to disclose the sensitive data stolen before the ransomware attack.
During our research on Sodinokibi we observed two-stage attacks, with cryptocurrency miners installed before an actual ransomware attack took place. For 2020, we predict that cybercriminals will increasingly exfiltrate sensitive corporate information prior to a targeted ransomware attack to sell the stolen data online or to extort the victim and increase monetisation.
DevSecOps will rise to prominence as growth in containerised workloads causes security controls to ‘shift left’
Container-based cloud deployments are growing in popularity due to the ease with which DevOps teams can continuously roll out micro-services and interacting, reusable components as applications. As a result, the number of organisations prioritising the adoption of container technologies will continue to increase in 2020. Gartner predicts that by 2022, more than 75% of global organisations will be running containerised applications in production – a significant increase from fewer than 30% today.
Container technologies will help organisations modernise legacy applications and create new cloud-native applications that are scalable and agile.
Containerised applications are built by assembling reusable components on software defined Infrastructure-as-Code (IaC) which is deployed into cloud environments. Continuous Integration/Continuous Deployment (CI/CD) tools automate the build and deploy process of these applications and IaC, creating a challenge for pre-emptive and continuous detection of application vulnerabilities and IaC configuration errors.
To adjust to the rise in containerised applications operating in a CI/CD model, security teams will need to conduct their risk assessment at the time of code build, before deployment. This effectively shifts security ‘left’ in the deployment lifecycle and integrates security into the DevOps process, a model frequently referred to as DevSecOps.
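As an added illustration of the build-time risk assessment described above (example code, not McAfee's or any vendor's scanner), the following script checks a Kubernetes workload manifest for a handful of common pod-spec misconfigurations and returns a pass/fail decision a CI/CD pipeline could gate on. The manifest is constructed for this example, and the rule set is a small hypothetical subset of what a real IaC scanner covers.

```python
"""Added example (not McAfee's code): a build-time check that flags common
Kubernetes pod-spec misconfigurations before a CI/CD pipeline deploys them.
The manifest below is constructed for illustration; the rule set is a
small hypothetical subset of what a real IaC scanner would cover."""
import json

# Constructed sample: a Deployment manifest a developer might commit.
# Kubernetes accepts JSON manifests, so no YAML dependency is needed here.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {
        "template": {
            "spec": {
                "hostNetwork": True,
                "containers": [
                    {
                        "name": "api",
                        "image": "registry.example.internal/payments-api:latest",
                        "securityContext": {"privileged": True},
                    },
                    {
                        "name": "sidecar",
                        "image": "registry.example.internal/log-shipper:1.4.2",
                        "securityContext": {"runAsNonRoot": True,
                                            "allowPrivilegeEscalation": False},
                        "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}},
                    },
                ],
            }
        }
    },
})


def pod_spec(manifest: dict) -> dict:
    """Return the pod spec for a bare Pod or for a workload with a pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def check_manifest(manifest_json: str) -> list:
    """Return (severity, container, message) tuples, one per failed rule."""
    manifest = json.loads(manifest_json)
    spec = pod_spec(manifest)
    findings = []
    if spec.get("hostNetwork"):
        findings.append(("high", "-", "pod shares the node network namespace (hostNetwork)"))
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged"):
            findings.append(("critical", name, "container runs privileged"))
        if not sc.get("runAsNonRoot"):
            findings.append(("medium", name, "runAsNonRoot not set; container may run as root"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("medium", name, "allowPrivilegeEscalation not disabled"))
        # Look only at the last path component so a registry host:port is not
        # mistaken for a tag.
        last = image.rsplit("/", 1)[-1]
        if last.endswith(":latest") or ":" not in last:
            findings.append(("low", name, "image tag is mutable (latest or untagged)"))
        if "limits" not in c.get("resources", {}):
            findings.append(("low", name, "no resource limits; noisy-neighbour / DoS risk"))
    return findings


def gate(manifest_json: str, fail_on=("critical", "high")) -> bool:
    """CI gate: True when the manifest may be deployed."""
    return not any(sev in fail_on for sev, _, _ in check_manifest(manifest_json))


if __name__ == "__main__":
    for sev, container, msg in check_manifest(SAMPLE_MANIFEST):
        print(f"[{sev:8}] {container:8} {msg}")
    print("deploy allowed:", gate(SAMPLE_MANIFEST))
```

Running it against the sample reports six findings (the `sidecar` container passes every rule) and refuses the deploy because of the privileged container and host networking; the severity threshold in `gate` is where a team decides which classes of finding block a pipeline and which only warn.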
Additionally, threats to containerised applications are introduced not only by IaC misconfigurations or application vulnerabilities, but also by abused network privileges which allow lateral movement in an attack. To address these run-time threats, organisations are increasingly turning to cloud-native security tools developed specifically for container environments.
Cloud Access Security Brokers (CASB) are used to conduct configuration and vulnerability scanning, while Cloud Workload Protection Platforms (CWPP) work as traffic enforcers for network micro-segmentation based on the identity of the application, regardless of its IP. This approach to application identity-based enforcement will push organisations away from the five-tuple approach to network security which is increasingly irrelevant in the context of ephemeral container deployments.
When CASB and CWPP solutions integrate with CI/CD tools, security teams can meet the speed of DevOps, shifting security ‘left’ and creating a DevSecOps practice within their organisation. Governance, compliance and overall security of cloud environments will improve as organisations accelerate their transition to DevSecOps with these cloud-native security tools.
Application programming interfaces (API) will be exposed as the weakest link leading to cloud-native threats
A recent study showed that more than three in four organisations treat API security differently than web app security, indicating API security readiness lags behind other aspects of application security. The study also showed that more than two-thirds of organisations expose APIs to the public to enable partners and external developers to tap into their software platforms and app ecosystems.
APIs are an essential tool in today’s app ecosystem including cloud environments, IoT, microservices, mobile and web-based customer-client communications. Dependence on APIs will further accelerate with a growing ecosystem of cloud applications built as reusable components for back-office automation (such as with Robotic Process Automation) and growth in the ecosystem of applications that leverage APIs of cloud services such as Office 365 and Salesforce.
Threat actors are following the growing number of organisations using API-enabled apps because APIs continue to be an easy – and vulnerable – means to access a treasure trove of sensitive data. Despite the fallout of large-scale breaches and ongoing threats, APIs often still reside outside of the application security infrastructure and are ignored by security processes and teams. Vulnerabilities will continue to include broken authorisation and authentication functions, excessive data exposure and a failure to enforce rate and resource limits. Insecure consumption-based APIs without strict rate limits are among the most vulnerable.
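To make the three weaknesses named above concrete, here is an added example (not McAfee's code and not any real product's API) of a minimal profile endpoint written first the way too many APIs ship it and then in a hardened form: the hardened handler checks object-level authorisation, returns only an allow-listed set of fields, and applies a per-principal token-bucket rate limit. No web framework is involved; requests are plain dicts and the user store is constructed in-memory data.

```python
"""Added example (not McAfee's or any vendor's code): a minimal API handler
showing broken object-level authorisation, excessive data exposure and
missing rate limiting beside a hardened version. Requests are plain dicts
and the user store is constructed in-memory data."""
import time
from collections import defaultdict

# Constructed sample data: a user store holding more fields than a client
# should ever see in an API response.
USERS = {
    101: {"id": 101, "name": "Alice", "email": "alice@example.test",
          "password_hash": "$2b$12$placeholder", "ssn": "000-00-0001"},
    102: {"id": 102, "name": "Bob", "email": "bob@example.test",
          "password_hash": "$2b$12$placeholder", "ssn": "000-00-0002"},
}

# Field allow-list: the only attributes the profile endpoint may return.
PUBLIC_FIELDS = ("id", "name", "email")


def get_profile_vulnerable(request):
    """GET /users/{id} as it is too often written: the caller is authenticated,
    but nothing checks that they own the object, and the whole row is returned."""
    if request.get("user") is None:
        return 401, {"error": "unauthenticated"}
    row = USERS.get(request["path_id"])
    return (200, dict(row)) if row else (404, {})


class TokenBucket:
    """Per-caller token bucket: `rate` tokens per second, burst of `capacity`."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens = defaultdict(lambda: capacity)
        self.last = {}

    def allow(self, key) -> bool:
        now = self.clock()
        elapsed = now - self.last.get(key, now)
        self.last[key] = now
        self.tokens[key] = min(self.capacity, self.tokens[key] + elapsed * self.rate)
        if self.tokens[key] >= 1:
            self.tokens[key] -= 1
            return True
        return False


LIMITER = TokenBucket(rate=1.0, capacity=5)


def get_profile_hardened(request, limiter=LIMITER):
    """Same endpoint with the three defects fixed: rate limit per principal,
    object-level authorisation, and a response allow-list."""
    user = request.get("user")
    if user is None:
        return 401, {"error": "unauthenticated"}
    # Rate limiting is keyed on the authenticated principal, not the source IP,
    # so a scraper cannot reset its budget by rotating addresses.
    if not limiter.allow(user["id"]):
        return 429, {"error": "rate limited"}
    target = request["path_id"]
    # Object-level authorisation: a caller may read only their own profile
    # unless they hold the admin role. Deny before revealing whether it exists.
    if target != user["id"] and "admin" not in user.get("roles", ()):
        return 403, {"error": "forbidden"}
    row = USERS.get(target)
    if row is None:
        return 404, {}
    return 200, {k: row[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    bob = {"id": 102, "roles": ()}
    print(get_profile_vulnerable({"user": bob, "path_id": 101}))  # leaks Alice's row
    print(get_profile_hardened({"user": bob, "path_id": 101}))    # 403
    print(get_profile_hardened({"user": bob, "path_id": 102}))    # public fields only
```

Note that the limiter runs before the authorisation check, so a failed authorisation attempt still spends a token; that is deliberate, because enumeration of other users' ids is exactly the traffic a rate limit should throttle.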
Headlines reporting API-based breaches will continue into 2020, affecting high-profile apps in social media, peer-to-peer, messaging, financial processes and others, adding to the hundreds of millions of transactions and user profiles that have been scraped in the past two years. The increasing need and hurried pace of organisations adopting APIs for their applications in 2020 will expose API security as the weakest link leading to cloud-native threats, putting user privacy and data at risk until security strategies mature.
Organisations seeking improvement in their API security strategy should pursue a more complete understanding of their cloud service APIs through comprehensive discovery across SaaS, PaaS and IaaS environments, implement policy-based authorisation and explore User and Entity Behaviour Analytics (UEBA) technology to detect anomalous access patterns.
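The UEBA approach mentioned above, as an added example that is not part of the original report: a small detector learns each API principal's normal access pattern from historical log lines and flags a later window in which a principal suddenly touches far more distinct objects than usual, the enumeration pattern behind profile-scraping incidents. The log lines and their layout are constructed for this example; a real deployment would read from a gateway or CASB access log.

```python
"""Added example (not McAfee's code): a UEBA-style detector that baselines
each API user's distinct-object access rate per minute and flags a window
that departs sharply from it. Log lines and their layout are constructed."""
import re
import statistics
from collections import defaultdict

# Hypothetical access-log layout: "<ts> user=<name> <METHOD> <path> <status>"
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
OBJECT = re.compile(r"^/api/v1/users/(?P<oid>\d+)$")

# Constructed baseline: alice reads three profiles a minute, bob reads two.
HISTORY = []
for minute in range(10):
    for i in range(3):
        HISTORY.append(f"2020-01-06T09:{minute:02d}:{i * 10:02d}Z user=alice GET /api/v1/users/{101 + i} 200")
    for i in range(2):
        HISTORY.append(f"2020-01-06T09:{minute:02d}:{i * 20 + 5:02d}Z user=bob GET /api/v1/users/{201 + i} 200")

# Constructed window under test: alice behaves normally; bob walks a
# sequential id range, forty distinct profiles in one minute.
WINDOW = [f"2020-01-06T09:15:{s:02d}Z user=alice GET /api/v1/users/{101 + s} 200" for s in range(3)]
WINDOW += [f"2020-01-06T09:15:{s:02d}Z user=bob GET /api/v1/users/{300 + s} 200" for s in range(40)]


def parse(lines):
    """Yield (minute_bucket, user, object_id) for lines that match the layout."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than guessed at
        o = OBJECT.match(m["path"])
        if o:
            yield m["ts"][:16], m["user"], o["oid"]  # bucket: YYYY-MM-DDTHH:MM


def per_minute_distinct(lines):
    """{user: {minute: number of distinct object ids touched in that minute}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for minute, user, oid in parse(lines):
        seen[user][minute].add(oid)
    return {u: {m: len(s) for m, s in buckets.items()} for u, buckets in seen.items()}


def build_baseline(history_lines):
    """Per-user (mean, population stdev) of distinct objects per active minute."""
    baseline = {}
    for user, buckets in per_minute_distinct(history_lines).items():
        counts = list(buckets.values())
        baseline[user] = (statistics.fmean(counts), statistics.pstdev(counts))
    return baseline


def detect(baseline, window_lines, z=3.0, floor=10):
    """Alert when a user's distinct-object count in a minute exceeds both
    mean + z*stdev and an absolute floor. The floor prevents a user with zero
    historical variance from alerting on a trivially larger count, and users
    with no baseline at all are judged against the floor alone."""
    alerts = []
    for user, buckets in per_minute_distinct(window_lines).items():
        mean, stdev = baseline.get(user, (0.0, 0.0))
        for minute, count in buckets.items():
            if count > max(floor, mean + z * stdev):
                alerts.append({"user": user, "minute": minute, "count": count,
                               "baseline": round(mean, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), WINDOW):
        print(alert)
```

The baseline here is deliberately simple (mean and standard deviation per active minute); the design point a practitioner should take from it is the pairing of a relative threshold with an absolute floor, and keying on the authenticated principal rather than the source address so that a scraper rotating IPs still accumulates against one identity.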