Botnet of Things:
The lion’s share of growth in connected devices is related to IoT – cameras, smart watches, fitness bracelets, smart shoes, smart TVs and other connected appliances. In fact, we discussed the issue of botnets and the Internet of Things (IoT) at the end of 2015. These simple devices, with embedded computing and communication capabilities, are characterized by having no professional system or software management and relatively high mobility. They’ll never be properly secured because default passwords are rarely changed, and they experience high rates of compromise. This gives attackers the opportunity to create larger botnets that go undetected for long periods of time. We have seen the impact of such botnets this year with the outbreak of the Mirai code which was used to infect and enslave many video capture devices which were often IP cameras or their respective DVRs. Moreover, the mobility of these devices would give their enslavers the chance to attack secure networks from within – using physical proximity.
Depending on the adoption pace of IoT, I expect to see two distinct types of trends:
In 2017, we will see a surge in the number and size of the botnets. From a research perspective, we see these botnets as “home routers” as most IoT devices are not directly exposed to the web, but rather reside within home networks.
We should see a few internal compromise incidents that would ultimately be traced back to a compromised IoT device brought (accidentally) to the proximity of the compromised network.
Ghosts from the past:
If there’s one thing we learned in 2016, it is that breaches, even the largest of them, can go undetected for years. Troves of data apparently compromised as long ago as 2012 popped on the Dark Net in 2016, which likely means that at least some of this data has been circulating through the Dark Net for years. The incidents related to LinkedIn, Dropbox and Yahoo! user databases teach us a couple of things:
Attackers are still ahead of enterprises, even the larger companies when it comes to covering their tracks. (which we have pointed to at the end of 2015). The alleged breaches were only detected once the leaked information surfaced on the web. The recent Madison Square Garden incident is an example of this state of affairs, when once again, a breach was detected only once compromised information was put to use by attackers.
In these mega breaches, time is still a factor. While the passwords were not leaked in clear text, the time between leakage and detection allowed the attackers, using modern computing power, to crack most of the passwords. If the enterprises had promptly detected the breaches a lot of the potential damage could have been avoided.
We can expect the ghost hacks from 2013 and 2014 to continue to haunt us in 2017, and likely in even bigger numbers than we’ve seen so far (in terms of incidents, not in terms of records). While enterprises should attempt to avoid exfiltration of sensitive information– especially when the attack is entirely from remote sources – more emphasis must be given to the timely detection of incidents.
Over the last five-six years, enterprise security personnel has been fighting an uphill battle against cybercrime and cyber espionage. Each year the intensity of attacks increase, attackers show more operational sophistication and new attack vectors develop. Additionally, the increased use of automation and organization of attackers drag more and more enterprises into the ring of fire. Once thought to be the reserved for high-end financial and defense organizations, the attention of attackers is now drawn to smaller organizations in all markets.
Security personnel, as well as upper management, are tired of completing one security project just to learn that there’s a new threat which requires yet another new technology to be deployed. These solutions are often provided by small nascent companies that shower their prospects with more apocalyptic scenarios involving enterprises, data and black hats.
The collective effect of Sisyphean, understaffed projects, endless chatter from new vendors and a constant stream of breach headlines is driving enterprises into fatigue and numbness. Enterprises who frantically looked for new technologies and solutions in 2015 are retreating into their existing shells.
I’d expect many enterprises to try to improve the effective use of their existing cyber security arsenal in 2017. The smarter ones will rethink security strategy in general, finally getting rid of some of the dated technologies and emerging with plans to tackle business threats rather than technical attacks vectors. Early adopters have already gone through this process in 2016, and will emerge in 2017 with new buying patterns.