Botnets, Insider Threats, and Russian Hackers: Our 2016 Cyber Security Predictions in Review

6a01156f8c7ad8970c01bb096206ab970d

At the end of 2015 we offered several predictions regarding the evolving cyber security landscape for 2016. We’ll be releasing our 2017 predictions soon, but before we do, we thought we’d see how accurate our crystal ball was for cybersecurity in 2016. How did we do? Read on to find out.

1. BoT: The Botnet of Things

Nailed it. One of the biggest cyber security events of 2016 occurred in October, when Dyn, a major DNS infrastructure service, suffered a massive distributed denial of service (DDoS) event affecting Twitter, SoundCloud, Spotify, Shopify, and many other websites. All evidence suggests IoT devices were used to carry it out. Approximately 150,000 devices, infected by freely available Mirai code, were herded by botnet operatives who used multiple attack vectors. Mirai malware infects IoT devices, such as IP cameras and DVRs, using them as a DDoS launch platform.

And the Dyn assault occurred only weeks after a IoT/Mirai event plagued the KrebsOnSecurity website.

2. Rise of the Insider Threat

Nailed it. Internal users—and their compromised credentials—can wreak havoc on an organization’s data security as proven by Verizon’s 2016 Data Breach Investigations Report (DBIR). The report shares that 63% of confirmed data breaches involved leveraging weak, default or stolen passwords—and 70% of breaches involving insider misuse took months or years to discover. Users reusing the same password for many sites and apps, whether personal or business (the “bring your password to work” trend), has only amplified the compromised credentials issue as we head into 2017.

3. Cyberattack on Major Infrastructure

Nailed it. Again the large scale Dyn attack (above) falls into this category, DNS services playing a critical role in the operation of the internet.

Another involves the San Francisco Municipal Transportation Authority ransomware attack. We believe that it was likely collateral damage of a (probably random) ransomware campaign that got out of hand.

There’s also the alleged interference with the US electoral system. In terms of strategic influence, hacks against election results and processes would rank among the biggest, most far-reaching and history-changing attacks of all time.

And although it doesn’t comprise “major” infrastructure, hackers used a DDoS attack to disable the heating in apartment buildings in a town in Finland. Of course, if you’ve ever experienced a Finnish winter, then you know it definitely qualified as major for those apartment dwellers!

4. Contractors Get a Cyber Pat Down

To be determined. Considering some significant breaches from the past happened because of a compromised contractor (Target) and third party firm gaining unauthorized access (JP Morgan), corporations are still taking a look at security in this area. We know of numerous organizations that are helping enterprises qualify the risk posed by contractors and third parties, and many CRO’s in particular who find this to be a pressing issue.

On the cyber insurance front, one firm in the UK says insurance claims for data breaches were made at a rate of more than one a day in 2016. But will an increase in liability/indemnity result in the maturity of the cyber insurance market? That is still to be determined.

5. Subversion of Free SSL Certificates for Malware

Nailed it. Here we were precognizant, in that this prediction came true as our forecast was being issued. As reported in early January by The Hacker News, free Let’s Encrypt HTTPS certificates let cyber criminals infect malware on innocent users’ computers. Trend Micro discovered that, in one example of malware pushed through a phony subdomain using a free certificate, Japanese users were being infected by a Trojan coded to raid their bank accounts.

Percya.com reported another story where WoSign, a large Chinese root certificate authority, had issued bogus certificates on account of a vulnerability. The service let anyone get a certificate for a base domain if they were able to prove authority over a subdomain.
Four (maybe four and a half) out of five. Not bad. What do you think…any examples we missed?