Every year, the triumphs and failures reflected in cyber security stories not only leave us with valuable lessons but also hints of the foreseeable future. Looking closely, we get to pick pieces of the puzzle that we can use to build a vivid picture of what's to come. As 2015 comes to a close, it's time to look back at the year's events, and use the information to gain perspective on the future.
Much has been said about how cybercriminals creatively devise ways to lock in even the most unlikely of targets. The past year, however, has shown that cybercriminals don't need to use the most advanced technologies or sophisticated methods to succeed. Sometimes, simply understanding the psychology behind each scheme and its targets can be enough to make up for the lack of sophistication. In a nutshell, things are getting more "personal".
The past decade saw cyber extortionists banking the use of fear on its victims. This is evident from the first cases of ransomware to its fully-evolved and sophisticated form today. Fear will still be part of any successful extortion scheme, and the more personal they can get, the easier the victims will cave in on their demands.
The same impetus for stealing information goes for hacktivists as they set out to plot more destructive attacks aimed at damaging the integrity and reputation of their targets. Data breaches will be employed to mine data, but the operation may not necessarily be driven by financial gain, but to expose questionable corporate practices or get to other classified information.
The Fine Line: 2016 Trend Micro Security Predictions
Next generation technologies will also be seen as viable targets. The continuing growth of smart-connected home devices will drive cyber attackers to use unpatched vulnerabilities as a way to stage a full-blown attack. While there are no signs of a wide scale attack coming, the likelihood of a failure in consumer-grade smart devices resulting to physical harm is highly probable.
In the mobile arena, next generation payment methods will pique the interest of online criminals from EMV credit cards to mobile wallets, challenging supposed "safer" payment platforms. Mobile malware is expected to grow exponentially, given the lax user behavior and the availability of third-party app stores in China.
However, while threats continue to evolve and cybercriminals employ new tactics, we are bound to see concrete results of past efforts to curb cyber threats. User awareness and partnerships with law enforcement and private organizations will bring about success in the form of swift legislation, takedowns, arrests, and convictions.
How can the trends, events, and stories of 2015 be used to show what's to come in the future? How will these key developments shape tomorrow's threat landscape? Click on the button below to read the trends that we think will shape 2016.
Read our 2016 Predictions
Today, most organizations are realizing that cybersecurity has become increasingly important for defending against persistent, constantly-evolving threats. As the threats continue to mount, understanding and managing cybersecurity risks are becoming top priority for business and government decision makers, and a renewed willingness to invest in security is a notable measure of progress. Is your organization prepared for tomorrow's projected threats? Take the survey to determine to know if you're ready.
Although we shall witness strides in cybersecurity in 2016, a narrow margin still exists between these wins and the threats we're foreseeing. Advancements in existing technologies—both for crimeware and for everyday use—will bring forth new attack scenarios. It's best for the security industry as well as the public to be forewarned to avoid future abuse or any monetary or even lethal consequences.
The Fine Line
2016 Security Predictions
The buzzing of his phone on the nightstand shook him from sleep. Rick Davidson got up and reached for the smartphone lying next to his laptop and a badge that read, Quality Assurance Manager, Smart Life, Ltd. It was 3:00 in the morning, the tail-end of September, 2016. There were five new messages waiting in his inbox, one of which from an Eric Nielsen, Chief Operating Officer of JohnMeetsJane.com.
The message confirmed news of a breach by a group called Hackers United. It came with an attached screenshot of a website defaced with big, bold words in blood red: THE SECRET IS OUT. The carefully written apology expressed regret from the site's administrators. They were the third online dating service to go under in the last five months. The message ended with a promise of improved security and privacy for its members, and the hiring of a new Data Protection Officer. But none of this mattered to Rick.
A few beats passed before he took his eyes off the message. His hands were shaking. His account had been inactive for almost a year, but that didn’t matter. What mattered was that he was a married man, and his identity, including his illicit activities on that dating site, was now at the mercy of these hackers.
Rick knew how breaches like this were catnip for the press. Just a few months prior, a profanity-laced recording of a famous Hollywood celebrity became one of the most viral stories of the year. The damning audio snippet was just part of the millions of files stolen from a cloud storage platform. Those few minutes of malicious tongue-lashing had cost the actor a million-dollar endorsement deal. Ironically, it was for the new smart car model Rick’s company was releasing.
Before Rick could even move on to the rest of his unopened messages, his phone rang. His supervisor was on the other end, sounding more exasperated than ever. News of another incident involving Zoom 2.1, their newest smart car model, just broke out. They've had previous reports over the last few months about owners getting locked inside their Zooms. These events had driven Rick's team to do further research. But this newest complaint was far more serious than anything they had seen before. If this piece of news went viral—Rick didn't even want to think about the consequences.
Another message popped up on his laptop just as he ended the call. Absentmindedly, he clicked on it. Red wallpaper ate up his screen. It was painted with a familiar warning message that made his blood run cold: "THE SECRET IS OUT: You have 72 hours to pay."
It was barely 4:00 in the morning. Could his day get any worse?
In 2016, online threats will evolve to rely more on mastering the psychology behind each scheme than mastering the technical aspects of the operation. Attackers will continue to use fear as a major component of the scheme, as it has proven to be effective in the past.
In the past decade, cyber extortionists have made use of ransomware to trick online users to make them fall for their tactics. This was done by exploiting one’s fears to coerce victims into paying the ransom. The rogue/fake AV trap was set up to target those who feared computer infection. Earlier variants of ransomware locked screens of users, tricking them into paying to regain access. Police Trojans threatened users with arrests and charges for violations. And finally, with crypto-ransomware, cybercriminals aimed for the most valuable part of one’s system, the data.
With this in mind, cyber extortionists will devise new ways to target its victim’s psyche to make each attack “personal”—either for an end user or an enterprise. Reputation is everything, and threats that can ruin an individual’s or a business’ reputation will prove to be effective and—more importantly—lucrative.
Businesses will also fall for elaborate tricks that use new social engineering lures. We will see a significant increase in successful ploys designed to persuade employees to transfer money to a cybercriminal-controlled account. Knowledge of ongoing business activities will camouflage these malicious schemes, done by intercepting communications between business partners just like the tactics used by cybercriminals behind HawkEye, Cuckoo Miner, and Predator Pain.
2015 saw incidents that involved hacked or insecure devices, ranging from baby monitors, smart TVs, and connected cars. Even as users have increasingly become aware of the security risks of connecting appliances and devices to the Internet, the public interest in smartifying just about everything will continue to peak.
Smart-connected home device shipments are projected to grow at a compound annual rate of 67% in the next five years, and are expected to hit almost 2 billion units shipped in 2019—faster than the growth of smartphones and tablet devices. Given the diversity of operating systems and lack of regulation for these smart devices, there remains to be no signs of a possibility of a large-scale hacking attack. WiFi and Bluetooth networks, however, will become polluted and clogged as devices fight for connections. This will, in turn, push mission-critical tasks to suffer.
However, the likelihood that a failure in consumer-grade smart devices will result in physical harm is greater. As more drones encroach on public air space for various missions, more devices are used for healthcare-related services, and more home and business appliances rely on an Internet connection to operate, the more likely we will see an incident involving a device malfunction, a hack, or a misuse that will trigger conversation on creating regulations on device production and usage.
Reports say that 3 out of every 4 apps in China are malware. Google, on the other hand, released a report that says less than 1% of apps found in the Google Play Store are potentially harmful. Based on the data gathered by Trend Micro, this distinction stands, showing that 13% of apps found in Chinese markets are found to be malicious while Google Play only registered 0.16% malicious apps.
Mobile malware will continue to affect users in China due to the availability of third-party platforms and channels that offer free app downloads. Google Play, for example, is available in China, but reaches only 21 million of the estimated 800 million Chinese mobile users. Given this user behavior, there is no stopping the exponential growth of mobile malware at a rate that's projected to reach the 20 million mark by the end of 2016.
This will not be felt in other countries where users typically turn to official app stores for their apps. However, despite the slow adoption rate, the introduction of next-generation mobile payment systems will inspire a renewed interest for threat actors to carry out real-world testing to steal information from new payment processing technologies like EMV credit cards, contactless RFID credit cards, and mobile wallets like Apple Pay and Google Wallet. In 2016, the improved security brought by these modes of payment will be challenged by online criminals.
In 2016, we will see more hacktivists going the route of “destructive” attacks by going after data that can potentially damage their target’s integrity. Cybercriminals will see the impact of data breaches on high-profile targets like Sony, Ashley Madison, and even the Hacking Team.
In the past, the hacktivist’s playbook primarily consisted of default tactics like web defacement and DDoS attacks to disrupt targets. However, the recent success of high-impact breaches, driven by a common goal of exposing incriminating information like questionable corporate practices, classified messages, and suspicious transactions will drive cybercriminals to add data breach methods to their arsenal of tactics.
Threat actors will continue to upload stolen data publicly to make investigations and containment trickier. We will also see secondary infections that bank on a target’s web presence and turn it against consumers, similar to watering hole attacks we have seen in the past. Data that has already been lost will also be used to lay the groundwork for other attacks.
Enterprises will finally realize the need for a job designation that focuses solely on ensuring the integrity of data within and outside the enterprise. Whether the company creates a separate Data Protection Officer, Chief Risk Officer or includes this among the tasks of the Chief Information Security Officer depends on company size, budget and other factors, but the set of responsibilities will be the same.
The iron cage put up by the EU Data Protection directive will mandate a high standard of protection on data and the role of the DPO/CISO will be vital in ensuring the integrity of data and compliance with rules and regulations of countries where company data is stored. DPOs and CISOs must be experts in data protection and data security regulations and must how these should be effectively implemented.
However, not all enterprises will be up to the task. In a survey, 22.8% of respondents admitted to not knowing anything about the law, while 50% said that there were no plans to review policies in line with the new regulation.
Awareness around data protection will pave the way to a significant shift in the enterprise mindset and strategy against cyber-attacks. We will see more enterprises taking on the role of the ‘hunter’ instead of the ‘hunted’, in that they will begin to make use of threat intelligence and next-generation security solutions with custom defense to detect intrusions earlier.
The growing aversion of online users to unwanted ads, combined with the spike in malvertising attacks seen throughout the 2015, have given vendors reason to push ad-blocking options in their products and services.
This explains the seemingly heightened sense of awareness among consumers who want to block ads. Users are no longer just “annoyed” by unwanted ads, they are fully aware of the kind of risks these pose. In fact, the PageFair and Adobe 2015 Ad Blocking report shows that more consumers are doing so, with a 41% increase in global ad blocking software use in 2015.
In the U.S. alone, the number has increased to 48%, with monthly active users during the second quarter expanding to 45 million. This figure seeks to shake the very foundation by which advertising business models operate, which will, in turn, propel advertisers to seek new ways to advertise online. Likewise, cybercriminals will find other ways to get closer to victims, effectively delivering a blow to malvertisements.
The next 12 months will see more concrete changes as a result of efforts to fight cybercrime. The good guys will see more indicators of success, be it in faster legislation, successful takedowns, more cybercriminal arrests, and convictions.
Governments and authorities will be more responsive to cyber offenses. We have seen it in the continued arrests and sentencing of various individuals like the Russian national behind the CITADEL malware and another Russian cybercriminal who pleaded guilty of targeting payment processors, both in September 2015. This year, the cloak of anonymity that hid underground forums was removed, allowing law enforcement agencies to take down the hacking forum Darkode.
Cooperation and partnership will also flourish, as shown by the concerted efforts of Trend Micro, INTERPOL, the Cyber Defense Institute and other security firms that resulted in the SIMDA botnet takedown in April. Just recently, we have seen multiple servers used by the online credential-stealing DRIDEX botnet shut down by the FBI as a result of its partnership with security researchers. We will also see enhanced international cooperation, as spearheaded by major regions like the US and Europe, in their recent data-sharing agreement on investigations.
The Internet has operated with very lax regulations for years. 2016 will see a significant shift in the mindset of governments and regulators to take on an even more active role in protecting the Internet and safeguarding its users. Cybercrime laws will be in discussion, and changes to outdated cybersecurity standards will be mandated to bolster an improved stance on security.