Security Predictions

The New Norm: Trend Micro Security Predictions for 2020

Trend Micro Security Predictions for 2020
The Future Is
  • 01/Complex
  • 02/Exposed
  • 03/Misconfigured
  • 04/Defensible
  • Download PDF

The year 2020 will see a transition to a new decade. So will cybersecurity. Gone are the days of networks isolated behind a company firewall and a limited stack of enterprise applications. The current paradigm demands a wide variety of apps, services, and platforms that will all require protection. Defenders will have to view security through many lenses to keep up with and anticipate cybercrime mainstays, game changers, and new players.

Tried-and-tested methods — extortion, obfuscation, phishing — will remain, but new risks will inevitably emerge. The increased migration to the cloud, for instance, will exacerbate human error. The sheer number of connected assets and infrastructures, too, will open doors to threats. Enterprise threats will be no less complex, mixing traditional risks with new technologies, like artificial intelligence (AI) in business frauds.

Our security predictions for 2020 reflect our experts’ opinions and insights on current and emerging threats and technologies. Our report paints a picture of a possible future landscape driven by technological advances and evolved threats to enable enterprises to make informed decisions on their cybersecurity posture in 2020 and beyond. The future looks complex, exposed, and misconfigured — but it is also defensible.


The way the threat landscape has evolved over the years proves that threat actors remain undeterred from compromising systems for their own gain. They shift and adapt in their choice of attack vectors and tactics — prompting the need for users and enterprises to stay ahead.

Attackers will outpace incomplete and hurried patches.

System administrators will find themselves in a dual predicament: ensuring the timeliness as well as the quality of patches being deployed. Incomplete or defective patches can break and disrupt critical systems, but delaying their application can expose systems to threats. Previous cases have shown how incomplete patches can be bypassed to exploit the vulnerability the patch is trying to fix. Attackers will also capitalize on “patch gaps” — windows of exposure between a flaw in an open-source component being fixed and its patch being applied to the software that uses it.

Banking systems will be in the crosshairs with open banking and ATM malware.

Mobile malware targeting online banking and payment systems will be more active as mobile online payments in Europe thrive with the European Union’s (EU) Revised Payment Service Directive (PSD2). The Directive’s implementation will have cybersecurity implications for the banking industry — from flaws in application programming interfaces (APIs) to new phishing schemes.

In the underground scene, the sale of ATM malware will further gain ground. We foresee ATM malware families competing for dominance, where they will try to outdo each other in terms of malware features and price. Cutlet Maker, Hello World, and WinPot variants, for example, are already being sold in the underground.

Deepfakes will be the next frontier for enterprise fraud.

The use of deepfakes — AI-based forgeries of images, videos, or audio — will increasingly move from creating fake celebrity pornographic videos to manipulating enterprises and their procedures, such as deceiving employees into transferring funds or making critical decisions. This was exemplified when a fake, AI-generated voice of an energy firm’s CEO was used to defraud the company of US$243,000. The technology will be an addition to cybercriminals’ arsenal — and a shift from traditional business email compromise (BEC). The C-suite will find themselves as main targets for this kind of fraud since they are often in calls, conferences, media appearances, and online videos.

Attackers will capitalize on ‘wormable’ flaws and deserialization bugs.

More exploitation attempts on critical and high-severity vulnerabilities like the “wormable” BlueKeep will be disclosed. Widely used protocols like Server Message Block (SMB) and Remote Desktop Protocol (RDP) will be abused to compromise vulnerable systems, with the latter already a common vector for ransomware.

Flaws and weaknesses involving the deserialization of untrusted data will be a major concern, particularly in enterprise application security. Threats exploiting this class of vulnerabilities can alter data assumed safe from modification and allow the possible execution of attacker-controlled code. Rather than finding and chaining several vulnerabilities together to execute malicious code, attackers will instead increasingly exploit deserialization bugs to more easily gain control of systems, even in complex environments.


The converged future ushers in old and new attacks and techniques that expose information technology (IT) and operational technology (OT) assets.

Cybercriminals will home in on IoT devices for espionage and extortion.

Machine learning (ML) and artificial intelligence (AI) will be abused to listen in on connected devices like smart TVs and speakers to snoop on personal and business conversations, which can then provide material for extortion or corporate espionage.

As for other ways of monetizing IoT attacks, cybercriminals have yet to find a scalable business model to cash in on the wide attack surface of the internet of things (IoT). They will continue to explore ways to profit more from IoT attacks, primarily through digital extortion. These schemes will be tried on consumer devices first, with connected industrial machinery as the next logical target — a development we’ve seen in our recent forays in the underground.

Botnets of compromised IoT devices, such as routers, will be further peddled in the underground, along with access to webcam streams and smart meters with modified firmware.

5G adopters will grapple with the security implications of moving to software-defined networks.

Full 5G implementation in 2020 will introduce new challenges: vulnerabilities simply on account of the newness of the technology and vendors’ unpreparedness for threats that may take advantage of it. Since 5G networks are software-defined, threats will stem from vulnerable software operations and the distributed topology. A threat actor that gains control of the software managing 5G networks can consequently hijack the network itself. Upgrades involving 5G will be much like updates to smartphones and will entail vulnerabilities. In fact, the exploitation of 5G vulnerabilities using low-cost hardware and software platforms have already been proven possible.

Critical infrastructures will be plagued by more attacks and production downtimes.

Critical infrastructures will be viable targets for extortionists. Ransomware will still be the threat actors’ weapon of choice given its destructive impact, but we’ll also see other cyberattacks: botnets mounting distributed denial-of-service (DDoS) attacks against operational technology (OT) networks; attacks on manufacturing systems that use cloud services; supply chain attacks where third-party vendors are compromised as springboards for threat actors to target critical sectors.

Various threat actors have targeted and reconnoitered several energy facilities across the world in their attempt to steal credentials of industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) systems. Apart from the utilities sector, we anticipate attacks on the food production, transportation, and manufacturing sectors, which increasingly use IoT applications and human-machine interfaces (HMIs).


Cloud and DevOps migrations present risks as well as rewards to adopters, underscoring the need for security throughout the deployment pipeline.

Vulnerabilities in container components will be top security concerns for DevOps teams.

The container space is fast-paced: Releases are quick, architectures are continually integrated, and software versions are regularly updated. Traditional security practices will not be able to keep up. An application may now require an organization to secure hundreds of containers spread across multiple virtual machines in different cloud service platforms. Enterprises need to take into account their security at different components of the container architecture — from container runtimes (e.g., Docker, CRI-O, Containerd, and runC) and orchestrators (e.g., Kubernetes) to build environments (e.g., Jenkins).

Serverless platforms will introduce an attack surface for misconfiguration and vulnerable codes.

Serverless platforms offer “function as a service,” allowing developers to execute codes without the organization having to pay for entire servers or containers. Outdated libraries, misconfigurations, as well as known and unknown vulnerabilities will be the attackers’ entry points to serverless applications. Increasing network visibility, improving processes, and better documenting workflows will be essential to running serverless applications. Serverless environments can also benefit from adopting DevSecOps, where security is integrated into the DevOps process.

Cloud platforms will fall prey to code injection attacks via third-party libraries.

Code injection attacks, either directly to the code or through a third-party library, will be prominently used against cloud platforms. These attacks — from cross-site scripting and SQL injection — will be carried out to eavesdrop, take control of, and even modify sensitive files and data stored in the cloud. Attackers will alternatively inject malicious code to third-party libraries that users will unwittingly download and execute.  Cloud-related data breaches will increase as software-, infrastructure-, and platform-as-a-service (SaaS, IaaS, PaaS) cloud computing models are widely adopted. Preventing cloud compromises will require due diligence from developers, careful consideration of providers and the platforms offered, and improvements in cloud security posture management.


The cybersecurity skills gap and poor security hygiene foment failure in protection; risk management and comprehensive threat intelligence are vital in creating a secure environment.

Attacks in 2020 and beyond will be more carefully planned and coordinated. The cybersecurity skills shortage and poor security hygiene, too, will still be significant factors in the upcoming threat landscape. Risks of compromise through advanced threats, persistent malware, phishing, and zero-day attacks can be mitigated if threat insights and protection are readily available. Actionable threat intelligence infused into security and risk management processes will enable organizations to defend their environments proactively by identifying security gaps, eliminating weak links, and understanding attacker strategies. For decision-makers and IT managers, the need to see a bigger picture of their online infrastructures can be addressed by experts, such as security operations center (SOC) analysts, who can correlate their findings with global threat intelligence. This means having better context beyond the endpoint, encompassing email, server, cloud workloads, and networks.

The ever-shifting landscape will require a cross-generational blend of multilayered and connected defense powered by security mechanisms such as the following:

  • Complete visibility. Provides prioritized and optimized examination of threats with tools and expertise that remediate impact and mitigate risks.
  • Threat prevention with effective mitigation. Automatically mitigates threats once visualized and identified, alongside employing antimalware, machine learning and AI, application control, web reputation, and antispam techniques.
  • Managed detection and response. Provides security expertise that can correlate alerts and detections for threat hunting, comprehensive analysis, and immediate remediation using optimized threat intelligence tools.
  • Behavior monitoring. Proactively blocks advanced malware and techniques and detects anomalous behaviors and routines associated with malware.
  • Endpoint security. Protects users through sandboxing, breach detection, and endpoint sensor capabilities.
  • Intrusion detection and prevention. Deters suspicious network traffic like command-and-control (C&C) communication and data exfiltration.

See what will shape the threat landscape in 2020 and how users and organizations can navigate it in our report, “The New Norm: Trend Micro Security Predictions for 2020.”

Download The New Norm: Trend Micro Security Predictions for 2020

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.