- An increase in hybrid attacks
A hybrid cyberattack involves more than a single threat vector. For example, it can combine deceptive email to deliver malware with a DDoS attack timed to complicate recovery from the malware infection. This type of attack lets online criminals carry out their crimes and then cover their tracks. We have seen it used on multiple occasions within the last year, including the attacks on the Ukrainian power grid and on Bangladesh Bank. Hybrid attacks are now ‘trickling down’, and we expect cybercriminals to use them much more often for ‘commercial’ attacks, e.g., ransomware and Business Email Compromise.
- An increased development of cyberattack insurance
Insurance companies will increasingly offer coverage against cyberattacks. As they gain a better understanding of the risk models associated with various types of attack vectors and techniques, the range of coverage will grow. Increased insurance involvement will go hand in hand with the development and deployment of security products that correspond to best practices. The prices of security products will increasingly be set as a function of the difference in premiums, and so will become driven by actuarial insights. These developments will also herald a more mature security marketplace and increase enterprise awareness of product value. For years, established companies have emphasized traditional methods as a result of their own inertia. Tying product value to insurance premiums will spur the development and deployment of methods that are more focused on the current threat picture. There will be increased demand for computer security experts with a good command of statistics, who are already in short supply. (College students, pay attention!)
- Nation-state attacks will set the tone for other attacks
Just ten years ago, Internet security abuses were almost synonymous with small-time crime, whether involving poorly spelled email messages used in attempts to steal banking credentials or computer viruses used to send Viagra spam to millions of consumers. The threat is very different these days.
Starting in 2007, nation states began using cyberattacks to accomplish political goals. In the first high-profile case, prompted by political tensions between Estonia and Russia, a series of cyberattacks took down Internet services in Estonia, including those of the Estonian parliament, banks, and news organizations. Georgia suffered similar attacks just a year later. In December 2015, in the midst of armed conflict between Ukraine and Russia, politically motivated hackers took down a large portion of the Ukrainian power grid. Stuxnet is another example of a politically motivated cyberattack. Constructed by US and Israeli forces with the goal of sabotaging Iran’s nuclear program by corrupting SCADA and PLC systems, it was one of the first known covert cyberattacks.
While early politically motivated cyberattacks focused on destruction—whether of Internet services, the power grid, or uranium centrifuges—a more recent breed of politically motivated attacks has instead aimed at extracting sensitive information. This is the likely motive behind the 2016 ransomware attacks mounted on members of the U.S. Congress, and beyond doubt the reason for the 2014 attack on the Office of Personnel Management and the 2016 attack on the Democratic National Committee. Another form of extraction-based attack targets funds instead of information; an example is the 2016 attacks on the SWIFT infrastructure, epitomized by the heist on Bangladesh Bank. That attack straddled the fence between politics and profit by transferring massive amounts of funds to a politically ostracized regime.
Whether we are considering attacks aiming for destruction or for extraction, it is indisputable that the sophistication of attacks has shot through the roof as groups sponsored by nation states have entered the playing field. At the same time, however, the principal attack vectors have remained the same: all the attacks described above involved malware, and most used deceptive emails, commonly to deliver Trojans and sometimes to steal credentials.
Commercially targeted attacks will follow in the tracks of nation-state sponsored attacks by reusing the techniques that are most accessible and most powerful. This suggests continued use of email for credential theft and malware installation, along with increasing sophistication of the social engineering component of the attacks. The latter will be fed by data from breaches, by increased use of compromised personal accounts belonging to people connected to the targeted organizations, and by more accurate contextual information, all of which increase the yield.