Cryptocurrency mining will become one of the major monetisation avenues for attackers as more and more attacks and malware include mining functionality to generate revenue. In particular a focus will be on in-browser mining that will be the result of website attacks. A simple few lines of Javascript can cause visiting browsers to ‘mine’ cryptocurrency while on the affected sites. This is occurring now, but isn't as widespread as it likely will be next year.
An increase in DDoS attacks
The return of mega DDoS attacks via IoT powered botnets is likely in 2018. These have been pretty silent compared to last year's attack against Dyn that took down many commonly used services but could come back in a more nefarious way. The next wave could potentially affect large swathes of Internet services either by design or as collateral damage from another entity being hit due to the sheer size of the attack. The wide attack surface of IoT devices makes them particularly attractive for botnets and this will only get bigger with the amount of home automation products sold over Christmas.
This malicious activity will be for political advantage as well as monetary gain. While ransomware and DDoS attacks are likely to get more targeted in the way that phishing evolved into spear phishing attacks.
Encouraging young talent into the industry
The skills gap is definitely still holding the industry back. As cyber warfare increases, governments need to upskill the next generation of defenders. Figures around the cyber skills shortage make for sobering reading. A report from Frost & Sullivan and (ISC)? found that the global cybersecurity workforce will have more than 1.5 million unfilled positions by 2020.
Both private and state schools need strong cyber programs and academies should look to develop cyber skills in children from disadvantaged backgrounds. This will hopefully prevent talented teenagers being sucked into the dark side.
Although at the same time that industry struggles to recruit talent, university graduates are finding it hard to start their careers in cyber security. We need to improve opportunities for entry level positions including internships, apprenticeships, more cyber classes in schools, and formal cyber programs. This also requires a look beyond STEM as careers in threat intelligence can better suit analytical degrees, due to the need to be able to research, analyse and draw conclusions, which can give them the edge over those with a scientific mind-set.
There are some bright new leaders in the industry that are focusing on education and engaging young talent in the industry and this has to continue.
Stealthy ‘fileless’ attacks will increase
There is likely to be a move towards more sophisticated ‘fileless’ attacks (malicious scripts that hijack legitimate software, without installing themselves). There has already been a sharp rise. Such attacks are very difficult to stop with existing endpoint security and organisations will need to move to next generation of defences.
The focus will likely be on other industries outside of Financial Services. As the banks become more resilient in their ability to profile and learn from actors, less well-protected organisations could be targeted, as we have seen that with Forever 21 and the recent Jewson attacks in the UK.
More integrated collaboration is required
The likes of NSC and GCHQ are being effective in their limited remits and are busy disrupting many adversary groups. But they need to move faster and cannot be limited to cyber crime. There must also be a focus on state sponsored, hacktivism and other sophisticated attacks, and levels of awareness and associated education should be increased concurrently.
Such government groups cannot defend alone, and should collaborate more with organisations themselves, as well as private groups such as the Cyber Defence Alliance and FS-ISAC, and continue to drive closed and industry collaboration.
Europe needs to catch up
The US market is incredibly mature when it comes to intelligence strategies. Their understanding of intelligence, how it can be leveraged and operationalised is 18 months ahead of the UK and other European countries. Defence is critical, but it should be well understood that black boxes no matter how complex will not stop attacks. The UK and Europe need to focus less on doing ‘just enough’ for compliance. If you are implementing privilege account management protections, you need to cover everything, not just the devices that get you a tick in the box. Intelligence lead strategies are critical to identifying compromise and exposing ‘indicators of attack’. As any Red Team person will tell you, intelligence-driven incident response starts by learning from the adversaries.