Botnets, Breaches, and the End of Defense in Depth: Our 2017 Cybersecurity Predictions in Review
As 2016 closed out, Imperva once again peered into its crystal ball. As usual, there was much to foretell regarding the ever-changing cybersecurity realm in 2017.
We’ll be doing the same soon as we look ahead into 2018. But before we do, we like to assess how accurate we were against the predictions we made last year. Here’s how we scored ourselves against our 2017 predictions.
1. Botnet of Things (BoT)
We expected to see two distinct types of trends in this area in 2017; a surge in botnet numbers and sizes and even more botnet for hire activity.
Nailed it: We were right on both counts. Mirai was the big IoT botnet news last year. Starting in February, the IEEE reported that one variant ran a DDoS assault against a US college over two-and-a-half days. Also sharing Mirai’s code base, Persirai is an IoT botnet that launched this past April. And that same month researchers discovered yet another Mirai-like botnet, BrickerBot.
Also in April, Imperva researchers intercepted encoded communications from a botnet consisting of 80,000 compromised devices. Their investigation revealed the botnet was used for an innovative spam campaign built to circumvent security countermeasures.
The IEEE says developers have become increasingly more sophisticated in making their botnets more powerful, as well as in cloaking their activity. This past October The Hacker News reported about IoT_reaper (a.k.a., IoTroop), a malware that takes advantage of vulnerabilities in disparate IoT devices, subjugating them into a botnet network. Two million devices ranging from routers to cameras and network video recorders may have been affected. Security journalist Brian Krebs reports that while IoTroop isn’t yet at full attack strength, it takes advantage of nine or more acknowledged vulnerabilities spread across a dozen device manufacturers.
The intentions of another growing botnet discovered this year, Hajime, remain unknown. Ostensibly it’s run by a white hat hacker looking to secure vulnerable IoT devices on our behalf. But researchers are wary—remaining very active, its real purpose may not yet be known.
As we predicted, botnets for hire remain readily available (at the end of 2016 we were already seeing declining costs of DDoS-for-hire services). An amateur with no prior knowledge can run a short attack for a few hundred dollars. A few thousand lets anyone play “Master of the Universe.” There is also significant ’net chatter regarding free tips and help in creating an IoT botnet.
2. Ghosts from the Past
We predicted ghost hacks from prior years would continue to haunt us in 2017.
Solid A: Yahoo was perhaps the biggest of the bad ghosts. We learned this year that every single Yahoo account was hacked, not just those previously reported from the August 2013 theft – three billion in all.
While “ghosts from the past” more specifically referred to hacks that went unknowingly undetected for years, related were the breaches that simply happened in the past, but weren’t made known publicly until this year. Take the Uber breach. Hackers stole the personal data of 57 million customers and drivers and Uber concealed it for more than a year (and even paid hackers to delete the data).
While smaller in scale, there’s also the recently reported data breach at Stanford University. Student financial aid information and the personal information of 10,000 employees were hacked back in June 2016, but the school wasn’t aware of the breach until February 2017 when a business student found sensitive data on a public server and reported it. Disclosure of the breach occurred just now—December. And not coincidentally, the university’s chief digital officer is now out of a job. Adding insult to injury, the student who identified the breach also wrote a 378-page paper exposing the university’s misleading financial aid practices he was able to glean from the data.
The issue here is that, Uber being an exception, most “ghosts from the past” become public because corporate identifiable data is found by third parties and brought to people’s attention. It’s (sadly) fairly rare that companies identify their own breaches. The problem of ghosts will continue to occur as long as companies aren’t watching their data (hopefully GDPR will help here!). Unless they’re watching, how would they know for sure when someone took data they shouldn’t have? Almost never. Data security solutions have been available since the beginning of the last decade, and while we do see more and more companies adopting a data security strategy, many still don’t or have too late, so these ghosts may still come back to haunt them later.
3. The End of Defense in Depth
Too Early to Tell: In 2016 we found many organizations were buying trends rather than mitigating risks and continuing to use outdated solutions out of a commitment to a defense-in-depth strategy that no longer served them (antivirus for example). We predicted enterprises would try to improve usage of their existing security arsenal in 2017 and smarter organizations will rethink their strategy in general.
In 2017, discussions about data security became more frequent and were elevated broadly across many industries such that security experts are now often required to answer questions from senior management about how corporate data won’t be stolen or extorted. The dialogue is critical to begin the process of change within a traditional security defense in depth framework. Many of the organizations we spoke to throughout the year were ready to rethink their strategy, but it remained unclear what (outdated) solutions they might drop that are no longer serving them.
The good thing about the upcoming GDPR regulation (and the tightening and growth of regulatory controls in general) coming forth is that it’s helped create board level discussions with CIOs and CISOs about how they could avoid having the same problems as Yahoo, Uber and others. This has allowed for both budget allocation and a rethinking within the CISO team around how would they answer questions about where their organization’s personal data resides, who accesses that data and why. Thinking through those answers will help frame a security strategy—or possibly reframe an existing one.
And lastly, in 2017, the results of data breaches saw the ousting of some senior level security management professionals, further emphasizing the priority organizations are beginning to place on the responsibilities of data security professionals and the seriousness with which security is being taken in general.
There are as many possible solutions in the data security space as there are in the network security space, so the “solution” for each customer will be a bit different. Time will tell which technologies and practices work best to detect, if not prevent, breaches in the data core of an environment with more than the traditional layered network and endpoint security solutions used in defense in depth.