The risk and insurance community consistently ranks cyberrisk as its top area of interest and concern, and it’s no wonder—these days, every year is a banner year for cybersecurity. The more that stays the same, the more things change. Cyberrisk management and awareness continue to improve, but many companies still lag on even fundamental risk assessment and mitigation measures, and hackers are perpetually refining the tools in the cybercrime arsenal to stay several steps ahead, whether to steal data, sow discord, or simply stay profitable. As risk managers and cyberthreat actors get further entrenched in their roles, cybersecurity concerns have been maturing beyond stunt hacks and buzzword-laden headlines to become more nuanced. Managing this complex dynamic requires a deeper understanding of the tactics, tools and trends currently in the field and coming down the pike. Cybersecurity, risk management and legal experts expect these 10 trends will define the cyberrisk landscape in 2018:
Ransomware continues to dominate the cyberrisk landscape, and with lower execution costs, high returns and minimal repercussions for cybercriminals, it will remain a top concern in 2018. The threat also continues to broaden exponentially with the ready availability of ransomware as a service (RaaS) for sale on the Dark Web at a range of price points and levels of technical sophistication required to launch attacks. Researchers from cybersecurity firm Carbon Black report that ransomware sales on the Dark Web increased 2,500% last year to $6.2 million. Between January and September 2017, Accenture Security’s iDefense 2018 threat report notes 65 unique ransomware advertisements were made to underground criminal forums and marketplaces, offering 42 new and unique ransomware families, with an average purchase price of $530 for the ransomware source code or builder, and an average price of $259 to join an affiliate program or rent ransomware. Indeed, for a flat fee and, typically, a cut of the payouts, even the most elementary of budding cybercriminals can launch ransomware campaigns, with some services even offering technical support.
A number of the cybersecurity trends below include ties to ransomware, and a wide range of industries can expect to see different variations on the threat as this wildly successful means of monetizing malware spurs criminal creativity. For example, in addition to the traditional target of medical records, cybercriminals have been attacking health care enterprises to extort ransom payments. Cyber defense firm Cryptonite found that ransomware attacks on health care institutions increased by 89% from 2016 to 2017. The industry’s adoption of connected devices further increases the likelihood of the threat. “While 2017 was the year of ransomware, we are anticipating this already hard-hit sector will feel the wrath of cybercriminals targeting the hundreds of thousands of IoT devices already deployed in health care,” said Michael Simon, president and CEO of Cryptonite. “Internet of things (IoT) devices are now ubiquitous in health care—they are already present in intensive care facilities, operating rooms and patient care networks.”
Advances in ransomware may have an impact on critical infrastructure as well, whether at the hands of nation-states or financially-motivated attackers. While 2017’s WannaCry and NotPetya did not target industrial control systems, for example, “the fact that both campaigns reached critical infrastructure leads us to believe that more spillover will occur along with major disruption and financial loss, and threat actors will craft ransomware targeting industrial networks for economic warfare and extortion gains,” said Galiva Antova, co-founder of industrial control security firm Claroty.
Whether it is financial losses or data loss and exposure, the costs of cybercrime to consumers and economies are too great for regulators to allow businesses to continue with the status quo. Regulatory bodies around the world continue to move toward adopting and enforcing financial and criminal liability for cybersecurity failures. This trend is truly global, and compliance will become a more complex and costly proposition for companies that do not closely consider their security practices and the range of jurisdictions in which they operate, store or process data, and have customers. In 2018, rigorous new requirements will be implemented by regulators in the EU (GDPR), Australia, and New York State’s Department of Financial Services. A number of Asian countries, including South Korea, Singapore and Japan, have also updated their data protection laws, and South Korea has already imposed major fines for violations.
In addition, regulators are fueling more investment in proactive cyberrisk management efforts. Several jurisdictions with notable financial centers have enacted regulation that requires red-team testing—simulating real-world attack scenarios to evaluate existing defenses and refine security and response procedures. For example, the Hong Kong Monetary Authority enforced the Cybersecurity Fortification Initiative (CFI) last year, including its Intelligence-led Cyber-attack Simulation Testing framework, and EU financial market infrastructures will undergo testing through an EU red-team testing framework. Aon Cyber Solutions and cyberrisk management firm Stroz Friedberg predicted this trend would increase pressure on cybersecurity talent development as more firms move toward incorporating these more proactive measures into their risk assessment and mitigation efforts.
“Under the burden of significant and ever-increasing regulatory pressures, industry organizations will push back on regulators, calling for the alignment of cyber regulations,” Aon Cyber Solutions forecasted in 2018 Cybersecurity Predictions. “Business bodies like the U.S. Chamber of Commerce have already begun lobbying the U.S. government to harmonize regulations with the voluntary framework developed in public-private collaboration under the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). The DigitalEurope trade association has also called for ‘full consistency’ between the GDPR and other legislation in Europe.” This burden will only get worse before it improves, so the report advises, “Companies across sectors will therefore need to optimize their compliance programs by leveraging external experts, automation, analytics and other tools to drive actual, risk-based cybersecurity improvements.”
Of the new regulations set to be implemented in 2018, GDPR is perhaps the highest-profile yet most under-appreciated (see page 26). Once it goes into effect in May, many expect that regulators will be quick to look for GDPR violations to make a strong, prompt statement about enforcement. In addition to general predictions about the scramble toward compliance and likely levying of fines, some cybersecurity experts suggested a convergence of the two previous risks: ransomware and regulation.
According to Accenture Security’s iDefense 2018 threat report, “Threat actors who gain unauthorized access to confidential information may choose to extort organizations beholden to GDPR regulations rather than publicly dump or leak the breached data.” Because GDPR enforcement fines can be up to €20 million or 4% of annual global turnover, whichever is higher (an uninsurable loss under most countries’ laws), an organization facing cybercriminals’ threat of data access and distribution may be tempted to pay a ransom if the request is cheaper than the cost of non-compliance. Trend Micro also predicted that GDPR could drive an increase in breach attempts and ransom demands, noting, “Companies will have ransom prices associated with them that cybercriminals can determine by taking publicly available financial details and working out the respective maximum GDPR fines the companies could face.”
There are clear security and strategy advantages to be gained for companies that best prepare for GDPR implementation, however. On its face, the regulation aims to dramatically improve the security and privacy practices of enterprises and lays out concrete guidance on how to do better. What’s more, at a time when companies gather ever more personal data and user-generated content, such stringent measures force companies to seriously assess their practices and, potentially, distinguish themselves with their compliance as others draw headlines for failure. “GDPR makes 2018 a critical year for establishing how responsible businesses can pre-empt these issues, respecting users’ privacy, responsibly using consumer data and content to enhance services, and setting limits on how long they can hold the data,” said Vincent Weafer, vice president at McAfee Labs.
Many of the regulations going into effect this year include provisions mandating prompt notification by breached entities. The New York State Department of Financial Services rules and GDPR require that covered entities notify relevant authorities within 72 hours of discovering a cybersecurity event, and the National Association of Insurance Commissioners recently passed a model law that follows suit. In Australia, government agencies and businesses and nonprofit entities with annual turnover of more than $3 million (as well as some smaller entities with sensitive information related to health care, children, and credit reporting) will be required to provide prompt notification to both authorities and any individuals at likely risk of serious harm. The new law also requires that a full investigation of a potential breach be completed within 30 days of the organization becoming aware of the event. Serious or repeated “interference with the privacy of an individual” can result in penalties of up to $1.8 million for corporate entities.
While there are no federal or uniform state notification requirements in the United States, many experts expect to see such provisions included in new regulation, particularly in light of recent, high-profile breaches, like Equifax, where notification has dramatically lagged. Individual state legislatures continue to increase the rigor of security breach notification requirements, and in 2017, eight states amended their notification laws to expand definitions of “personal information,” specify the timeframe in which notification must be provided, and require businesses to implement adequate security practices regarding personal data. Heading into 2018, only two states (Alabama and South Dakota) remain without specific legislation requiring notification of a security breach involving personal information. Enforcement has also varied considerably by state, but attorneys general have continued to flex their muscles in response to serious breaches. This includes pursuing litigation against enterprises that fail to meet minimum standards like maintaining a written information security plan or notifying consumers in a timely manner.
Business Email Compromise
The threat is not new, but business email compromise schemes consistently succeed and the relatively simple social engineering and phishing skills required of fraudsters mean quick, easy paydays for them and losses for businesses that will only continue ballooning this year. Indeed, even if current growth remains flat, Trend Micro projects that global losses from BEC incidents will jump from $5.3 billion to more than $9 billion in 2018. “The simplicity of knowing a target organization’s hierarchy (which may even be publicly available on social media and corporate websites) and the brevity of the emails make a case for BEC as an efficient ploy to funnel money,” the firm explained. Trend Micro has also noted an increase in the number of BEC schemes involving impersonation of company executives to induce the wiring of money, such as CEO fraud.
In a December Email Security Risk Assessment report, email and data security firm Mimecast found that, while organizations view dangerous files and malware attachments as the main email-related security risk, impersonation attacks, including business email compromise schemes, increased by almost 50% quarter-over-quarter. What’s more, these impersonation attacks were missed by email security measures seven times as often. Indeed, a study by PhishMe found that approximately two out of three IT executives had dealt with a security incident originating from a deceptive email.
“Impersonation attacks are an easy and effective way to dupe unsuspecting victims by gaining trust through a combination of social engineering and technical means,” said Ed Jennings, Mimecast’s chief operating officer. “Cybercriminals know that many traditional email security services are improving their ability to stop email-borne malware, but remain ineffective against impersonation attacks.”
Bitcoin and other cryptocurrencies had a remarkable year in 2017. In December alone, the world’s best-known cryptocurrency exchange, Coinbase, overtook even Facebook to become the most-downloaded app in Apple’s app store, and bitcoin prices fluctuated wildly, including both a record high approaching $20,000 and a 22% crash. While many talk about the security of blockchain technology, cryptocurrency is hardly “hack-proof.” Hackers have successfully stolen money from individual cryptocurrency wallets and attacked entire exchanges, such as South Korean exchange YouBit, which shut down by year’s end after two attacks left it bankrupt.
The risks are not isolated to investors or service providers. As values have soared, the incentive to mine cryptocurrency has ballooned as well, but doing so requires dedicating significant amounts of computing power and, in turn, electricity. Cybercriminals have began spreading mining malware to source this power from the computers, smartphones or IoT devices infected. This “cryptojacking” can result in significant slowdown and electricity bills for users who may otherwise have no idea they have fallen victim. At an enterprise level, these costs could add up significantly. Businesses should also note the risks for individual users on networks they provide—as Motherboard recently reported, hackers planted miner code on the network of an Argentinian internet provider responsible for Wi-Fi at a number of Starbucks locations in Buenos Aires that infected connected laptops.
Internet of things (IoT) devices continue to be rapidly developed and deployed with insufficient security. While there are clear advantages to implementing some of this technology, doing so continues to amplify risk by adding vulnerabilities to the ecosystems of consumers and businesses. This has been clearly illustrated in direct, localized attacks on devices and at mass scale, such as with the Mirai and Persirai distributed denial-of-service (DDoS) attacks that hijacked unsecured IoT devices like routers and webcams to shut down domain name system provider Dyn. IoT devices will continue to pose risk at this broad range of scales, compounded by the exponential proliferation of devices, and will likely serve as an additional threat surface for a number of other cyberrisk trends. For example, Trend Micro expects to see cases of biohacking in 2018, exploiting the vulnerability of connected health care tools like wearables and medical devices. Such attacks could aim to access the data of fitness band users or to compel a ransom with the threat of hacking a pacemaker. Meanwhile, networked industrial devices could compel a ransom over the threat of business interruption.
“Looking at vulnerabilities in IoT access and management that have already been disclosed and putting them in the context of other attack trends and events, there is a picture of motive and opportunity for widespread ransoming of IoT devices,” said Thomas Fischer, global security advocate at data loss prevention software firm Digital Guardian. “While ransomware is easier to reverse on IoT devices than computers, timely and critical attacks will eliminate that advantage and victims, unable to counter the effects of the ransomware, will be more likely to pay the ransom.”
IoT also ties into vulnerabilities in the supply chain, both physically (e.g., suppliers that experience business interruption related to a shutdown of IoT devices) and technically (e.g., hackers getting access to a supplier’s network through unsecured devices, and even getting into their customers’ networks in turn). “As enterprises derive more efficiencies from working with small- to medium-sized businesses in 2018, hackers will pinpoint smaller businesses that utilize IoT platforms and devices to gain entry into larger businesses. For example, we will see criminals targeting ATM manufacturers and maintenance vendors working with large banks,” Aon Cyber Solutions predicted. “Additionally, organizations face risks from smaller service providers of printers or copy machines, security camera systems, and other connected endpoints through which client data can be exposed if hacked.” Ultimately, they believe, “large organizations will broaden third-party risk management programs and due diligence processes so that they account for weaknesses in vendor IoT security. SMBs bidding to work with them will be forced to improve and document their cybersecurity measures.”
As Experian noted in its Data Breach Industry Forecast 2018, companies implementing IoT technology in their daily operations—such as the 87% of retailers projected to deploy mobile point-of-sale devices by 2021—must begin incorporating IoT-specific risks in their incident response planning.
Third-Party Software Supply Chain
Much has been made of the vulnerabilities introduced by vendors and other third parties in the cyber supply chain, as so often illustrated by the compromise of an HVAC vendor leading to the Target breach. Leveraging service providers’ access to their customers’ systems and data is a fundamental strategy that continues to demand scrutiny with regard to vendor security practices and access management. Last year’s NotPetya attack illustrated another major form of third-party vulnerability: the software supply chain. Hackers were able to create a backdoor into many enterprises by injecting a tweaked file into updates of accounting software called M.E.Doc, and using that entry point to spread the malware through victims’ networks.
As researchers from Cybereason noted in listing supply chain attacks first in The Year of the Defender: Five Predictions for Cybersecurity in 2018, these attacks were more often seen last year in software used by IT and development teams as these groups often have administrative rights and access to secure assets, but “any business that uses a specific, dominant platform or software is at risk for becoming an attacker choke-point.”
Supply chain attacks shift the economics of cybercrime by enabling hacking at scale: Attackers can target one organization and, in the process, gain a foothold to compromise hundreds or thousands more. This can also be particularly useful with hard-to-reach targets, such as those within the defense industry, and because they usually include a backdoor to legitimate software, they are less likely to be detected by enterprise security tools. “Plus, supply chain attacks are the gift that continues to give: as long as they are not revealed, they provide ongoing access to new targets without investing in a new toolset,” Cybereason noted. “Compared to other common infection mechanisms like spearphishing and compromising passwords, the impact of a supply chain attack is widespread and continuous.”
Geopolitical conflict has long encompassed the cyber battlefront, but these activities have been coming out into the open more frequently. Tensions on the Korean peninsula, Russia’s targeting of both Ukraine and Western democracies, and conflict between Iran and Saudi Arabia have and will continue to define many of the largest nation-state cyber offensives. As many of the most active nations have already been sanctioned and have faced few repercussions (at least on the public stage) for state-sponsored cyberattacks, they will likely only continue to grow in scale and impact. “The lack of response to 2014 threat activity probing U.S. critical infrastructure and European targets, and the 2015 and 2016 Ukraine attacks empowered repeat activity from multiple nation-states in 2017,” Antova said, predicting more of the same this year.
Notable advances in tradecraft demand attention from the public and private sectors alike, particularly given attacks on critical infrastructure in recent years, such as the successful shutdown of the Ukrainian power grid in 2016 and, as was revealed in December 2017, the disruption of industrial control systems at an enterprise in the Middle East, specifically thought to be a plant in Saudi Arabia. The malware, dubbed Triton by cybersecurity researchers at FireEye, shut down plant operations and had the ability to manipulate safety systems to cause physical damage.
This was only the third strain of malware to successfully disrupt industrial processes, following Stuxnet (deployed by the U.S. and Israel against Iran in 2010) and CrashOverride/Industroyer (used against Ukraine in 2016 and widely attributed to Russia).
Many attribute Triton to nation-state actors from Iran, which has grown more active recently and could soon broaden its scope. “We have observed Iran investing significant resources in advancing its cyber capabilities over the past seven years,” said Dmitri Alperovitch, co-founder and chief technology officer of cybersecurity giant CrowdStrike. “These attacks are likely to continue and potentially escalate into 2018. If the U.S. pulls out of the Joint Comprehensive Plan of Action nuclear agreement and attempts to reinstitute financial sanctions against Iran, they may expand those attacks to include even the U.S. financial and energy sectors.”
With escalating tensions and decreasing resources due to sanctions, North Korea’s cyber efforts have grown bolder and more overt. Most nation-state attacks are not financially motivated, but with a lack of access to the global financial system and finite need for fiat currency, the nation has perpetrated a number of large-scale cash grabs, such as the worldwide WannaCry ransomware attack last year.
LogRhythm Labs believes 2018 will be the year cyberwarfare will escalate. “The U.S. and North Korea have been carrying out cyberattacks against each other for years and ramping up their digital aggression, largely in private. Tensions will continue to escalate and the public will be impacted for the first time,” the firm’s researchers predict.
The country’s unique geopolitical position creates strong incentives for more brazen cyberattacks with fewer deterrents. “North Korea will continue to use cyberattacks to gain access to much-needed hard currency,” said Oliver Tavakoli, chief technology officer at Vectra. “North Korea showed the world its cyber skills when hackers successfully stole $81 million from the New York Federal Reserve in 2016 and when hackers launched the WannaCry outreach in May 2017. The army of hackers is 6,000 strong, demonstrating that the country poses a devastating threat to any targets it chooses. Further, North Korea’s lack of electronic infrastructure makes it less susceptible to retaliatory cyberattacks than most nations. Even more concerning, the lines between nation-state cyberwarfare and cybercrime will become increasingly blurred.”
Alperovitch expects the finance industry to face particular risk. “Due to North Korea’s lack of dependence on the global financial system and the importance of it to U.S. and Western economies, as well as past history of intrusions into major banking institutions by DPRK, the financial sector is one that will likely suffer the brunt of these attacks, should the North Koreans determine that a kinetic attack against them is imminent,” he said.