The 2017 Security Landscape
By Mohammed Abukhater, Regional Director for the Middle East and North Africa, FireEye
It has been said that “the future is uncertain,” but in the cyber security industry we know that certain types of attacks and crime will continue unabated. For more than a decade now, FireEye has been making predictions about the year ahead. While some of those predictions have come to fruition, others, such as ransomware, talent shortages and nation-state threats, continue to be named as problems to expect when looking forward.
Rise in Politically Motivated Attacks
The region continues to be a hotbed of conflict and geopolitical complexities. As such, we expect to see an increased number of politically motivated cyber operations, typically surrounding global or regional conflicts. With cyberspace reflective of real-world developments and another front for carrying out operations, it’s only a matter of time before governments and organizations get caught in the crossfire.
The Threat of Financial Cybercrimes
2016 saw a notable incident in the form of a much-publicized hack against a major bank in Qatar. Furthermore, during the first week of May, FireEye researchers detected hackers probing the defences of various banks in the region. The attacks relied on deceptive, purpose-built scripts: multiple emails carrying macro-enabled Excel (XLS) files were sent to employees working in the Middle East banking sector, and the macros were capable of gathering information on the user’s system, including user and administration passwords and the software running on the bank’s computers.
The EMEA experiences of 2016 around financial sector compromises, and continued focus of threat activity against relevant critical systems such as SWIFT, are a sobering reminder of the reach and capability of a determined and motivated cyber adversary. We will continue to see sophisticated financially motivated espionage actor groups focusing on these and other critical systems in 2017. Additionally, we will see credit and debit card fraud, illicit bank transfers, and ATM fraud.
The Skills Gap Will Continue to be a Concern
One other big concern for the EMEA region in 2017 is the talent shortage. This forces governments, private enterprises and security vendors to draw from the same talent pool, often with governments “losing out” as they cannot offer the same types of benefits as the private enterprises. This is troubling because digitalization is increasing in EMEA, with more communications, handling of sensitive information and storing of that data happening on the Internet rather than through filling out paper forms. If the public sector cannot find the right talent to protect that information and defend against other threats, governments will end up losing control of digitalized data. While one solution is to consider driving education in EMEA towards cyber security, another is for organizations to invest in automation.
An Organizational Drive Towards Simplification and Automation
Our discussions with CSOs and other security leaders throughout 2016 have a common theme: simplification. The past few years have seen organizations spending high dollar amounts on security technologies and other infrastructure that either do not work well together, or require a great deal of effort and personnel to follow and address the myriad alerts. Organizations seeking to simplify everything in 2017 will set their sights on integration. A single pane of glass for all security needs will drastically improve the organization’s security posture and show companies the true value of all the products they have acquired – something we refer to as security orchestration.
Automation will likely enter the mainstream as we move into 2017. As the talent shortfall continues, the cyber security industry will see more and more innovation in the form of automation, which will help organizations react to attacks with minimal human intervention. Automation enables organizations to more efficiently address critical needs, which is particularly useful for enterprises that are struggling to keep pace with an escalating threat landscape and constant advances in cyber attacks.
We also expect automation to help address the problem of the talent shortage, a problem that will likely begin to get worse as more and more “things” become connected.
The Internet of Things Presents New Opportunities for Attackers
According to IDC, Internet of Things (IoT) spending in the Middle East is expected to reach USD 3.2 billion in 2019. In general, the proliferation of cyber-physical systems and IoT will present new opportunities for adversaries to abuse their connectivity and cause disruption at scale for a bigger payoff. The combination of tools such as ransomware with more formalized illicit software-as-a-service franchised business models will become a more attractive and lucrative option for criminals with the proper skillsets and motivations. They will also help to lower the barrier to entry for criminals eager to reduce upfront costs and avoid pricey infrastructure setup.
The growth in IoT devices provides a newly available slew of poorly protected or poorly monitored devices that can be co-opted for malicious purposes. These range from conscripting IoT devices to launch distributed denial-of-service (DDoS) attacks or to serve as command-and-control hop points, to enabling network credential theft or remote access Trojan (RAT) malware distribution.
The Threat to Critical Infrastructure and ICS
FireEye expects that threat actors will continue to focus on these critical systems in 2017. Most nations are heavily reliant on industrial control systems (ICS) for fundamental government services, utilities and commercial systems, yet our research, and our work on the front lines of incident response and Red Team operations, highlights that these systems are usually poorly protected and often not patched. Perhaps most shocking is that security patches were not yet available for more than 30 percent of identified vulnerabilities. Additional risks exist for countries that rely heavily on the resource and industry sector, as ICS also plays a critical role in large commercial field and mining operations.
Equally worrying, security personnel are often unaware of many of the industrial control system assets in their own environment; an unknown asset is never patched or monitored. These factors, coupled with the observed demand among threat actors for vulnerable ICS, will likely culminate in extortive and disruptive industrial system incidents across many countries and many ICS-reliant sectors in 2017, especially resource and heavy industry.
The Ransomware and Macro Malware Menace Will Persist
Ransomware and information-stealing malware will continue to be a menace to enterprises in the EMEA region in 2017. Ransomware activity continues to increase, likely due to low overhead and a high return on investment. While we expect ransomware attacks to continue in 2017, law enforcement has already made a dent in some groups by shutting down ransomware infrastructure and going after criminals. Law enforcement will continue to focus on this next year and for as long as it’s a problem. As organizations become more aware of the threat, they are taking action by creating and testing backups. They are also testing their security tools and controls to better prevent and detect ransomware.
Another threat to watch out for is the rise in prevalence of macro-based malware. Macro malware in particular will keep moving to unexpected file formats as an evasion technique, because mail and endpoint filters are often keyed on a short list of well-known extensions. As mentioned before, we observed a major operation against banks in the Middle East, with the attackers using macro-based malware to compromise bank employees. Other formats not widely exploited, such as PPTM files created in Microsoft PowerPoint, could be the next focus for threat actors.
We expect attackers to continue making their malware more stealthy and effective – a necessity given improvements in security technology and vendor security controls. Organizations should be enforcing security awareness programs that aim to reduce the social engineering attack vector. Organizations should also focus some of their monitoring efforts on looking for anomalous user account activity. Finally, organizations should protect users from themselves by ensuring macros are disabled by default, enforcing that setting centrally (for example, through the Office Group Policy setting that blocks macros in files downloaded from the Internet) rather than relying on the per-user default, and training staff to never enable macros unless they are required to operate on a known-good document.
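The banking campaign above relied on macro-enabled XLS attachments, and the point about macro malware moving to unexpected formats (PPTM, or a macro document renamed to a legacy extension) is that extension-based filtering is not enough. The following is an added example, not code from the original article or from FireEye: a mail-gateway or triage check that decides whether an Office attachment carries a VBA project by looking inside the container rather than at its name. It assumes the Office Open XML layout (a zip package whose VBA storage is a `vbaProject.bin` part, registered in `[Content_Types].xml` with the content type `application/vnd.ms-office.vbaProject`), and it only recognises, but does not parse, legacy OLE2 binaries such as `.xls`, which need a separate OLE parser. The sample documents are constructed inline and are deliberately minimal.

```python
"""Flag macro-enabled Office attachments by container contents, not by file extension.

Added example (not from the original article). Assumes the OOXML package layout:
a zip file whose VBA macros live in a part named vbaProject.bin and are declared
in [Content_Types].xml. Legacy OLE2 binaries (.xls/.doc) are only recognised here.
"""
import io
import os
import zipfile

# Signature of a legacy OLE2 compound file (binary .xls/.doc/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type registered in [Content_Types].xml for a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that openly advertise macros; anything else carrying VBA is suspicious.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppsm", ".ppam"}


def find_vba_evidence(data: bytes):
    """Return the reasons a package looks macro-enabled (empty list if none),
    or None when the bytes are not a zip/OOXML package at all."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None
    with zf:
        names = zf.namelist()
        # Word, Excel and PowerPoint store macros under word/, xl/ or ppt/.
        evidence = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in content_types:
                evidence.append("[Content_Types].xml declares " + VBA_CONTENT_TYPE)
    return evidence


def classify(filename: str, data: bytes) -> str:
    """Classify an attachment; the extension is reported but never trusted."""
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(OLE2_MAGIC):
        # Binary .xls/.doc: VBA lives in OLE streams, so hand it to an OLE parser.
        return "legacy OLE2 container: inspect VBA storage with an OLE parser"
    evidence = find_vba_evidence(data)
    if evidence is None:
        return "not an Office package"
    if not evidence:
        return "no VBA project"
    if ext in MACRO_EXTENSIONS:
        return "macro-enabled (extension matches)"
    # Office sniffs the container, so a renamed macro document still opens with
    # its macros; a filter keyed on extension would have let it through.
    return f"macro-enabled but extension {ext or '(none)'} does not say so"


def build_sample(app_dir: str, with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for demonstration (real files carry many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ""
        if with_macro:
            zf.writestr(f"{app_dir}/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake VBA storage")
            overrides = (f'<Override PartName="/{app_dir}/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
        zf.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        zf.writestr(f"{app_dir}/document.xml", "<doc/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("statement.xlsm", build_sample("xl", True)),    # honest macro workbook
        ("agenda.pptm", build_sample("ppt", True)),      # the PPTM case from the text
        ("invoice.doc", build_sample("word", True)),     # macro document renamed to hide it
        ("memo.docx", build_sample("word", False)),      # clean document
        ("old.xls", OLE2_MAGIC + b"\x00" * 24),          # legacy binary, needs OLE parsing
        ("readme.txt", b"plain text"),
    ]
    for name, blob in samples:
        print(f"{name:16} -> {classify(name, blob)}")
```

The verdict is driven by the package contents, so renaming a `.docm` to `.doc` or shipping macros in a less common format such as PPTM does not change the outcome; the extension only decides whether the sample is reported as openly or covertly macro-enabled.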
The Battle Ahead
Consumers must remain vigilant. The good news is that increased focus on secure operating systems and applications means consumers only have to perform basic security hygiene to remain reasonably protected. Basic steps consumers can take to stay ahead of threats include enabling two-factor authentication on all of their accounts, using a password manager so that every account has a unique password, and automatically backing up data so that it can be restored if they are hit by ransomware or their data is otherwise compromised by a threat actor.
Enterprises on the other hand will continue to be under attack in what seems to be an asymmetric battle. According to IDC, 80 per cent of regional firms lack the tools to detect and assess threats, while 42 per cent say that cybersecurity solutions are not enough to manage cyber risks.
One way to be prepared is to hold incident response tabletop exercises to simulate typical intrusion scenarios, thus exposing participants – such as executives, legal personnel and other staff – to incident response processes and concepts.
One sobering thought is that the threat activity we expect to hear about in 2017 may be taking place right now, with adversaries already inside the systems and networks they need in order to achieve their mission. We know that most cyber threat actors operate within environments for many months before they are discovered, and in some instances for longer than a year. Therefore, most of the events that will make headlines in 2017 – and the many that won’t – are already underway.
Finally, it is important to keep in mind that many organizations are still responding to cyber attacks from 2016. Moving into 2017, we expect there will be more actuarial data on the cost of breaches and the security products and technologies that are likely to be effective. This increased focus on numbers in 2016 will prove useful to the community at large. With this information, organizations will be able to make more informed decisions on what to protect, and how to protect it.