Every year, Verisign iDefense customers anxiously await the iDefense Cyberthreats and Trends Report from our analysts, which details what they see as the most prominent cyberthreats and trends for the new year. While the full version is not available just yet, we were able to get a sneak peek at several topics that will be discussed in the 2014 report. Take a look and let us know which you think will be the most prominent, and make sure to check back soon to see the full report.
The Importance of Threat Intelligence in 2014
The last few years have seen an upsurge in the advocacy of cyberthreat intelligence; traditional mechanisms to defend an organization are no longer enough. Changes to the threat environment have pushed CISOs and CSOs to be not only technology leaders but business leaders as well, protecting networks and computer systems along with the long-term business interests that rely on those systems. To do this, security organizations have matured their cyber intelligence functions and now take holistic, forward-looking views of the threat environment by combining strategic intelligence (e.g., security disruptors to long-term business objectives) with tactical intelligence (e.g., indicators of compromise) and operational intelligence (e.g., intelligence on actors, tools, tactics, techniques and intent). The increasing appreciation for cyber threat intelligence in 2014 has ramifications for both the consumers of that intelligence and its producers (i.e., security vendors), including, to name a few, effectively sorting through available intelligence data to identify the most salient intel, and validating and implementing that intelligence.
Regionalization of Hacktivism and the Benefits to Threat Intelligence
Hacktivism in 2013 continued the trend of region-specificity that iDefense observed in 2012. To an even more pronounced extent than last year, 2013 saw the growth and development of regional hacktivism in Central and South America and in South and South East Asia, and the solidification of MENA hacktivist groups and their rallying issues. Western European and US-based hacktivists maintained the characteristics that analysts have observed since 2011. Regionalization has driven an increase in region-, group- and language-specific hacktivist tools and tool-sets as well. Furthermore, it has made it easier for the cyber security intelligence community to track hacktivist actors based on geolocation, a task that was far more difficult back when an amorphous ‘Anonymous’ was among the only visible groups in the space.
Hacktivism as an Increasingly Useful Tool for Nation-State Directed Efforts
An increase in the use of hacktivist-style attacks and operations in the context of state-directed, geopolitically oriented activity occurred in 2013. In some key examples (North-South Korean hack-backs; Russian proxies’ attempts to undermine NATO; the continuing Syrian Electronic Army intrigue), hacktivism was either used as a veil or employed directly by agents of nation-states in the midst of geopolitical conflict. From a macro-level perspective, this trend is really a sign that nation-states’ cyber capabilities have expanded to comprise a fully developed set of tactics, techniques and procedures (TTPs).
The Effect of Increased Research and Attention on Cyber Espionage TTPs
In 2013, the volume of public reports associated with Advanced Persistent Threat (APT) activity increased dramatically. In the form of blogs, news articles and formal papers, these reports shed an immense amount of light not only on tools and infrastructure used by these groups, but in some cases on individual actors and units. In an apparent response to these public reports, iDefense observed changes in tactics and improved operational security demonstrated by attackers. In 2014, we expect espionage actors to continue monitoring sources of APT reporting and changing their tactics accordingly.
Off-The-Shelf RATs Gain Popularity with Espionage Actors
Cyber espionage actors have traditionally created their own malware and tools to establish a foothold within a network and exfiltrate sensitive data. With their extremely low distribution, these tools are difficult for antivirus vendors to detect. However, as these tools came under more scrutiny, security researchers began using them to identify specific groups of actors. In 2013, iDefense observed an increase in the number of attacks using off-the-shelf remote administration tools (RATs) like PoisonIvy. The motivation for this change may be to evade attribution, as the tools are widely available, but that advantage comes with an increased likelihood of detection by antivirus tools.
Trends and Insights on Vulnerabilities and Exploits
As Microsoft looks to end support for Windows XP in 2014, iDefense expects to see an increase in exploits that make the many computers worldwide still running XP easy targets for any and all new cyber-attacks. Similarly, as iDefense Labs continues to receive an increasing number of IE-related submissions, we expect to see greater exploitation of Internet Explorer in 2014. Also, it seems that many researchers are finally having success with IE-based fuzzing techniques. Lastly, in 2014, iDefense believes exploitation of Java vulnerabilities will get more difficult as Oracle works on Java security updates and browser vendors lock down Java in the browser.
The Rise of Legitimate and Illegitimate Bitcoin Activity
In May of 2013, the electronic currency-of-choice for many cyber criminals, Liberty Reserve, was shut down by the U.S. government. In response, many criminals searched for a new electronic currency that was not susceptible to government takedowns. While multiple alternative currencies are common in underground markets, Bitcoin has gained significant traction despite its wildly fluctuating exchange rate. Simultaneously, the crypto-currency has started gaining acceptance as a currency for legitimate activities, with startups like BitPay and Coinbase making it easier for businesses to accept bitcoins for goods and services. These developments will likely lead to a regulatory challenge for governments looking to prevent abuse.
Point-of-Sale and ATM Attacks
In 2013, iDefense observed an increase in the potential for attacks against point-of-sale (POS) and ATM systems. While these systems may seem secure, they often run on top of commodity operating systems and are susceptible to malware attacks. Criminal forums have been buzzing with actors looking for malware and tools to target these systems, while malware like the Ploutus Trojan has displayed increasingly sophisticated mechanisms for stealing from ATMs.
The Rise of New Exploit Toolkits After Blackhole
In October 2013, the author of the Blackhole exploit toolkit was arrested in Russia. Blackhole was the most widely used exploit toolkit, and with its author out of the picture, criminals looking to distribute malware needed to find a new tool. Multiple exploit kits have risen in popularity since that time, and some actors have fallen back on simpler distribution methods, including simply attaching malware to e-mails and relying on excellent social engineering. In 2014, we may see the rise of a new “king” of exploit kits, but for now nothing has truly replaced Blackhole.