Each year Trend Micro releases its annual Security Predictions Report. Good security predictions are very difficult to develop, and companies and consumers need to be selective about the security advice they take. What makes a good security prediction? Four key aspects:
1. Actionable. The prime directive: a forecast must contain information that you can act on.
2. Timely. Something that already happened, or will not happen anytime soon, is not helpful. An action you can take within a reasonable window, usually 1 to 2 years, falls within the timespan of utility. If the notice is too short, you cannot take major action either, especially if it requires procurement or architecture changes.
If it is too far into the future, not only will it be of low impact and actionability, but the margin of error grows over time: technology and threats change too widely for any security prediction to remain likely over the long term.
This timeliness and actionability maps together like this (with a flying car to illustrate the uncertain future – I’m still waiting for my jetpack!):
3. The higher the likelihood, the greater the impact of actionability. 1% likelihood predictions are not useful. 100% likelihood predictions are useful if they have impact on operations or are less obvious, whereas 100% likelihood of an obvious and continuing trend is not.
4. Fact Anchored. The recipe for Fact-Anchored is one part data to two parts of analysis. Analysis and data must be present for a security prediction to be meaningful. Predictions aren’t just statistical exercises, and statistics alone are data – not information. However, predictions must be from analysis based on some observation that is factual, even if anecdotal, and that analysis is what makes it likely, and thus actionable. The good news is that being a very large security vendor, with worldwide locations, and the greatest number of CVEs credited this year to an organization (yup, the biggest) we have a significant pool of data and observations to derive meaningful predictions.
The 2019 Security Predictions Report
This year’s security predictions span the categories of cloud, consumer, digital citizenship, security industry, SCADA/manufacturing, cloud infrastructure, and smart home. I won’t spoil your reading of it, but one of the predictions that jumped out for me was regarding Business Email Compromise (BEC) and how targeted threats will go lower down in the org chart. This makes a lot of sense given that CxOs are getting harder to exploit via BEC. They are becoming more aware of the threat and more BEC safeguards are deployed to protect them. An example of such a safeguard is machine learning to fingerprint executive writing styles, like our Writing Style DNA.
This prediction is quite actionable, especially given there are tools and techniques being deployed to protect the C-suite, that can be expanded to protect their direct reports as this threat pivots.
Give us your feedback on the report, as its value to us is only based upon its value to you.
A Bonus Prediction
Here’s my bonus prediction as an addition to the report and a reward for being a reader of this blog – and a marker that predictions are an ongoing task for us and not just at the end of a calendar year:
Exploits Derived From Reverse-Engineering Patches for Otherwise Undisclosed Vulnerabilities will Triple by 2020.
It is a common misunderstanding that patches related to security are always in response to a publicly disclosed vulnerability or CVE. This is not the case, as many product vendors that are made aware of a vulnerability either through internal means or via a restrictive bug bounty program will patch that vulnerability with little detail and no CVE.
Developing an exploit involves three key steps: Finding a vulnerability, then crafting a working proof of concept, and then an exploit. By reverse engineering patches, attackers can reduce the effort in the first and most resource intensive step, finding a flaw. When a patch related to a vaguely described security issue is made, attackers go from “is there a flaw somewhere?” to “there is a flaw, and there is a patch involving code I could potentially reverse engineer or examine to find it.” Patches are usually scoped to a component or feature, further easing the attacker’s work.
Ethical threat researchers are already employing this technique with considerable success, so it follows that threat actors will use similar techniques. The action to be taken is to place greater emphasis on patching timeliness, and to select IPS and AV solutions whose signatures are based on reverse-engineered vulnerability sets.
For many hackers around the globe, ransomware infections have become a lucrative business. Although these types of malware samples have been around for years now, they continue to spur success – and high monetary profits – for attackers.
In fact, according to a statement from U.S. Deputy Attorney General Rod Rosenstein during the 2017 Cambridge Cyber Summit, ransomware attacks now impact over 100,000 endpoints on a daily basis. The severity of these infections and the frequency at which victims pay up on ransom demands has enabled attackers to rake in nearly $1 billion in successful payments, Government Technology reported.
However, not every attack is the same, and even in cases when victims pay hackers’ demands, access to data is not always returned.
To pay or not to pay?
When a ransomware notification appears on-screen, there are numerous questions and considerations that immediately jump to mind. How will the organization support daily operations? How will users access important files and data? Are there backups in place that the business can fall back on?
One of the top questions, though, is whether or not to pay the ransom.
In 2016, the FBI, which is keeping a close eye on the spread and severity of ransomware infections, noted that victims shouldn’t give in to demands and should not pay attackers’ ransoms, Forbes reported. As demonstrated by Kaspersky Labs’ data, this advice is sound, as approximately one in every five companies that fall victim to an attack and pay the ransom do not receive the promised decryption key.
In other words, businesses are out money and are not returned access to their critical applications, files and data.
“Unfortunately, however, as is the case with most ransomware attacks, the stakes of losing years worth of important data is always quite high and the ransom demanded usually very small, leading most victims to give in to the attacker’s demands before even reaching out to law enforcement,” explained Forbes contributor Harold Stark.
Let’s examine a few real-world ransomware infection cases, and what can happen when victims do decide to pay attackers.
Numerous businesses that fall victim to cyberattacks don’t get the promised decryption key.
Indiana hospital pays $55,000 after SamSam infection
According to ZDNet, an Indiana-based hospital, Hancock Health, elected to pay $55,000, or the equivalent value of 4 Bitcoin at the time, after its systems were seized by ransomware sample SamSam. Despite immediate awareness and notification by employee end users, the hospital’s IT team wasn’t able to stem the spread of the pervasive ransomware sample.
All told, the infection impacted nearly all of the hospital’s key IT systems, and users were locked out of email, the electronic health record system and other internal platforms. This includes more than 1,400 files, which were encrypted by attackers and renamed as “I’m sorry.”
The sample used in this case, SamSam, seeks out vulnerable servers, and is able to spread to other machines within the network, enabling a quick and widely-scoped attack. And as ZDNet contributor Charlie Osborne pointed out, hackers will make decisions about the ransom amount based on how far SamSam spreads within the victim’s infrastructure.
“Known for use in targeted rather than opportunistic attacks, SamSam can be used in web shell deployment, batch script usage for running the malware on multiple machines, remote access and tunneling,” Osborne explained.
After the initial infection and ransom demand, hospital administrators were given a week to pay the ransom or risk losing their files and data forever. Although the organization did have backups in place – a key data security best practice – it elected to pay the ransom. IT administrators at the hospital explained that while the backups could have been leveraged to recover the data and files encrypted by hackers, this process would have taken days, or even weeks. What’s more, after shifting certain work activity to a manual, pen-and-paper basis for two days, the hospital simply needed a quick resolution.
Unfortunately, the hospital is far from the only organization to be infected with the pervasive SamSam sample – in the spring of 2018, Trend Micro reported on a case involving the city of Atlanta. During that attack, the city’s local services, including citizen-facing platforms used to pay bills or access court data, were made unavailable. In this instance, hackers demanded $6,800 to decrypt a single computer or $51,000 for a full decryption. City officials worked with their internal IT team and Microsoft to restore access.
Kansas hospital hit with second infection after paying ransom
While the Indiana hospital infected by SamSam was able to regain its files and data after paying hackers’ ransom, not every organization is so lucky.
According to HealthcareITNews contributor Bill Siwicki, Kansas Heart Hospital in Wichita was the victim of a ransomware attack in mid-2016. While patient data contained within the hospital’s electronic health records system was not impacted and daily operations were able to continue, officials decided to pay the ransom.
Unlike the Hancock Health case, though, access to files and data was not returned, even after the “small amount” in ransom was sent to attackers. Instead, hackers demanded a second ransom and systems impacted by the initial infection remained locked.
“Kansas Heart Hospital did not pay the second ransom request and said that along with consultants it did not think that would be a wise move, even though attackers still appear to have some of their data locked,” Siwicki wrote.
This hospital’s experience isn’t as unique as it might seem, though. Health care security expert Ryan Witt told Siwicki that hackers will often take part in a “tried and tested dance” wherein they demand a small ransom amount, and then demand a second, higher amount once the first is paid.
“Demands for funds are soaring, and the problem is organizations are paying,” Witt noted. “Ransomware will get worse before it gets better.”
As these cases have shown, paying up in the hopes that a ransomware attack will end is not the best strategy. It’s imperative that organizations have backups of all of their critical files and data, and that these are stored in the cloud or another separate, off-site location. In this way, should an attack take place, IT admins can recover using the company’s backups.
In addition, Trend Micro has established a solution specifically to address the issue of ransomware attacks: the Trend Micro Ransomware File Decryptor. This tool works to decrypt and restore files and data impacted by certain ransomware families. As of May 2017, limited decryption support was added for WannaCry, following the widespread impact of the sample.
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, understand how Trend Micro Deep Security service will be integrating with AWS Security Hub. Also, learn how to prevent risks and secure machine-to-machine communications over Message Queuing Telemetry Transport and Constrained Application Protocol.
Quora, one of the largest question-and-answer portals on the Internet, announced that hackers gained access to its servers and stole information on about 100 million of its users, which is approximately half of the site’s total userbase.
You’d be hard pushed to find any organization today not involved in digital transformation projects. But the manufacturing sector was arguably one of the first to the game. Back in 2011, the German government first coined the term Industry 4.0 to describe the opportunities stemming from use of emerging technologies like cloud, IoT, big data, AI and robotics.
Yet security has always been a major challenge to such projects. In a smart factory environment, the operational technology (OT) — such as the IoT devices, connected systems, and human-machine interfaces (HMIs) used for manufacturing and production — is tightly integrated with traditional IT systems like cloud platforms. This is a problem because although IT security has achieved a certain degree of maturity, the same can’t be said of OT. Thanks to their connectivity, these systems become vulnerable to cross-pollinated cyber threats.
As we’ve found at Beyonics, the answer is to build tightly integrated, layered security across endpoints, networks and servers — with each component sharing threat intelligence to make the whole more secure.
The risks to high-precision manufacturing
Founded in 1981, Beyonics has been a leader in precision-engineered manufacturing for almost four decades. It offers complex integrated manufacturing services such as precision metal stamping, innovative mold design and fabrication capabilities, precision plastic injection molding, aluminum die casting and machining, and electronics sub-assembly.
Operating seven factories in Malaysia, Thailand, China, and Singapore — a total of 1.4 million square feet of manufacturing floor — we’re constantly on the lookout for leading cybersecurity technologies to integrate into and protect our operations.
Precision manufacturing is at the mercy of cyber-attacks. Deliberate data corruption could cause components to be produced with a deviation of a few microns. This might be totally invisible to the naked eye, but when you’re dealing in measurements of a thousandth of an inch, even the slightest change can result in faulty products. When deployed in applications like vehicles and medical devices, the consequences could be life-threatening.
There are also risks related to the manufacturing environment itself. If industrial control systems are hacked, production processes may be hit which could also result in workplace injuries. Just consider heavy duty equipment like the 200-ton aluminum die castings we operate, handling molten aluminum at 800 degrees. That’s not something you want being remotely controlled by hackers.
The power of Connected Threat Defense
Yet this is just the tip of the iceberg. As Beyonics increasingly adopts Industry 4.0 best practices, we also need to be aware of the cyber risks that can stem from interconnected OT and IT systems. We’ve already deployed IoT devices to monitor and measure various metrics on the manufacturing floor, such as cycle time, movements, and production rates. These could become an attractive, internet-connected target to attackers.
That’s why we’ve taken a comprehensive, layered cybersecurity approach covering all aspects of the business.
First, we segmented our wireless network into four zones: one for corporate operations; one for BYOD devices; one for guests; and one for any IoT devices deployed in the manufacturing environment. Next, we made sure our security solutions are integrated with one another. Previously we had separate point solutions covering endpoint protection, system protection, and firewalls. But silos between these separate elements can lead to dangerous gaps in protection.
That’s why we’ve deployed an ecosystem of integrated cybersecurity solutions, covering endpoints and networks — which are almost always the initial malware entry points — as well as our server infrastructure. Specifically, we put in place a dual firewall configuration with two different products and layered on top a suite of Trend Micro solutions, including the network-layer Trend Micro Deep Discovery Inspector, server product Trend Micro Deep Security, and OfficeScan XG for endpoint security.
More importantly, we set up these Trend Micro solutions to “talk” to each other and to our firewall. This has created Connected Threat Defense: 360-degree protection, so that if a threat is detected and blocked at one layer, alerts and protective actions are shared throughout.
Getting board-level buy-in
To create effective cybersecurity, it’s also vital to have sponsorship from senior levels. We’re lucky at Beyonics to have a C-suite very much aware of the cyber risks we’re faced with as a manufacturer expanding into Industry 4.0. We often discuss security during management workshops and meetings, ensuring the management team is kept abreast of any developments and that cybersecurity and business processes are aligned.
With management’s support, we’re also working with practitioners from tertiary institutions to provide both academic and hands-on training to our employees. Tools and technology are vital to good security, but so too are people, and our staff need to know they play a crucial role in our cyber defenses.
As Industry 4.0 accelerates, the manufacturing sector needs to focus on two areas.
Firstly, organizations need to be proactive in dealing with cybersecurity — to strengthen their defenses in anticipation of attack. They cannot afford to be reactive.
Secondly, OT and IoT will open up new avenues for attacks, and they could have life-threatening repercussions in the physical world. Therefore, we need to approach OT and IoT security with the same — if not higher — level of urgency as we do IT.
If we don’t, then there could be some major bumps in the road ahead for manufacturers. As Stephane Nappo said: “It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”
This year marks 30 years of Trend Micro. That’s three decades of working to make the world safe for exchanging digital information in a constantly changing technology and cyber threat environment.
Our founders often reference the humble beginnings of the company – starting from a garage in California – to highlight just how far we’ve come. Today, Trend operates in 60 countries around the world with more than 6,000 employees, helping make the digital world more secure for more than 500,000 businesses and millions of individuals.
Throughout these three decades, our focus has never changed, despite the changes to our increasingly connected world. Every “Trender” is inspired to help our customers stay one step ahead of the bad guys. Ultimately, knowing that our customers are safe and that we are making a difference in the increasingly connected world is what drives us forward.
Celebrating 30 Years
To celebrate our 30th anniversary, we’ve focused on two main things: Telling our story and sharing our culture with our employees, customers and partners through global birthday celebrations; and expanding our understanding of the latest technological innovations that are taking cybersecurity to a new level. The latter has primarily revolved around artificial intelligence (AI) – but not in the overhyped, buzzword sense of the term too often used in industry marketing hyperbole. We’re looking at AI in terms of how it can further improve how we protect our customers. AI is a necessary technique for dealing with the massive amounts of data generated in today’s connected world. In security, we use it to automatically detect unknown threats and deliver actionable intelligence, augmenting our decision-making and helping us respond better and faster to the highest risk threats.
Machine learning is at the heart of AI. We began using machine learning more than 10 years ago, so this approach is not new for us, but we’re constantly looking to expand our use of the most effective tools out there. Here are a few highlights from our journey with machine learning:
2005: Spammers used misspelled words to evade rule-based filters, so we added machine learning to see through their tricks
2008: The Smart Protection Networks – the first cloud-based global threat intelligence mechanism – was introduced, using machine learning to make sense of global threat data
2009: Machine learning was used to rapidly categorize websites (gambling, porn, malware). This was applied to web-based script analyzers in 2010 to detect Adobe Flash exploits, as well.
2016: High-fidelity machine learning – which includes the combination of pre-execution and run-time machine learning – was added to enhance detection of unknown threats like ransomware
2018: Writing Style DNA uses machine learning to detect email impersonation of company executives
Commitment to learning
To build a global team with deep understanding of AI and its applications for cybersecurity, we challenged the entire company – not just the 2,000 in R&D – to refine and grow their AI skills. Teams built algorithms and applied AI technologies to solve game challenges.
The idea was to make the whole process fun and educational for those who took part. By gamifying the whole experience, we have helped more of our Trenders get familiar with AI and machine learning. Now they can use this experience to find new ways to solve security problems and/or design solutions to help with their daily jobs.
Commitment to our team
The contest started with a six-week preliminary competition that challenged teams to not only refine their understanding of key AI concepts, but also practically apply these concepts to win various challenges. More than 2,392 people from 14 countries participated in the contest among nearly 500 teams.
Out of this preliminary competition, 1,550 Trenders qualified for the finals, which was hosted this week at an internal event in Fukuoka, Japan.
Commitment to partnership
One of the critical factors in making this a successful AI experience was to create a dynamic cloud environment to enable our teams to leverage any uses of AI technology. In this, we’ve been able to harness the power of Trend Micro’s long-standing technical collaboration with Amazon Web Services (AWS). Thanks to AWS we can grow or shrink infrastructure resources dynamically as needed based on changing requirements. Using an AI development setting means teams can deploy hundreds of GPUs dynamically in a short amount of time to power their machine learning algorithms.
Bringing employees together in a way that celebrates our culture of innovation, as well as a significant milestone in the company’s history, makes this a successful process for us. Whether this competition helps uncover more innovative use cases for AI and machine learning in our products or merely helps more of our employees understand and appreciate a technology that’s changing the world around us — it’s sure to have been a valuable exercise. Here’s to the next 30 years of Securing the Connected World.
Have you ever heard of the MQTT or CoAP protocols? No? Well the device on your wrist, and so many devices around you, could be using them right now. MQTT and CoAP are machine-to-machine or M2M protocols. With the rise of the internet of things (IoT) and operational technology (OT), there’s increased security focused on M2M protocols.
This is rough terrain for threat research because it takes some investment and time to investigate IoT, OT and M2M. But Trend Micro does what it takes when it comes to research, and our new report concludes that these M2M protocols are fragile and ripe for targeted attacks.
Not only are the protocols different, but so are the architectures that support them. MQTT has a broker that receives messages between agents, making it an interesting target for the bad guys. The report summarizes the exploit opportunities against a non-concurrent communication point that serves as the broker and includes specifics of the protocol and denial-of-service implications. CoAP is a client-server protocol that is not yet standardized. Not limited to consumer and general machinery, the report also addresses medical devices that use these, such as infusion pumps.
It’s likely that your current security products don’t support the analysis of MQTT and CoAP. Since simply worrying doesn’t help, the report provides guidance on what weaknesses are present and can therefore be monitored.
Most security attacks that occur today just ride on top of protocols rather than exploiting the protocols themselves. The bad news about MQTT and CoAP: Protocol weaknesses are the highest severity of attack because the hosts themselves don’t have to be compromised to attack a protocol vulnerability. Protocol weaknesses have mostly been an issue with cryptography, since the most commonly used protocols, such as the TCP/IP family, are well established and less vulnerable. And that, of course, is a core issue in OT security. These aren’t widely used or understood protocols, most aren’t TCP/IP based, and certainly only a few have had security researchers beat at them with hammer and tongs.
So, even if you aren’t responsible for SCADA and OT, M2M protocols are in consumer IoT devices and can be used as a path for lateral attacks into a corporate network.
To paraphrase Kent Brockman, “I for one welcome our new machine overlords.”
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how Trend Micro software can aid in safely securing containers on the AWS Cloud. Also, how the dark web has become a new advertising medium for practitioners of law.
One of the biggest challenges in maintaining your security posture is visibility. You have security controls deployed throughout the stack, and each of these tools is generating its own set of data points and has its own view of your deployment.
Managing the multitude of alerts and events from these tools can quickly get overwhelming. Enter AWS Security Hub.
Announced at AWS re:Invent 2018, this service is available to all AWS users as a public preview. Trend Micro is proud to be a supporting launch partner, allowing customers to send high-value findings from Deep Security to this exciting new service.
Each data source provides various findings relevant to the tool. Amazon Macie will send findings related to data within Amazon S3 buckets it monitors, Amazon GuardDuty will provide findings based on the assessments it runs on your Amazon EC2 Instances, and so forth.
AWS Security Hub not only brings together this information across your AWS accounts but it prioritizes these findings to help you spot trends, identify potential issues, and take the relevant steps to protect your AWS deployments.
By providing technical controls like intrusion prevention, anti-malware, application control, and others, Deep Security lets you roll out one security tool to address all of your security and compliance requirements.
As it sits protecting the instance, Deep Security generates a lot of useful security information for compliance, incident response, and forensics. With the integration with AWS Security Hub, high priority information generated by Deep Security will be sent to the service in order to centralize and simplify the view of your deployment’s security across multiple AWS services and APN solutions.
This complements the suite of existing AWS security services and existing Deep Security integrations with AWS WAF, Amazon GuardDuty, Amazon Macie, and Amazon Inspector helping to bring together all of your critical AWS security data in one, simple to use service.
The Deep Security integration with the AWS Security Hub is available today on GitHub. This simple integration runs as an AWS Lambda function in your account, sending high priority security events to the new service.
Get started today in just a few minutes with a few easy steps!
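The shape of such a forwarder, as an added illustration that is not the GitHub integration's code: a Lambda handler unwraps Deep Security events from an SNS notification, keeps only events at or above a severity threshold, converts each to the AWS Security Finding Format (ASFF) that Security Hub's BatchImportFindings accepts, and imports them. The Deep Security field names, the severity threshold, the account id and the instance ids are assumptions constructed for the example.

```python
"""Illustrative Deep Security -> AWS Security Hub forwarder (added example).

Assumptions, not taken from the page: the event field names below are a
constructed stand-in for Deep Security's SNS event JSON, and the account id,
region and instance ids are placeholders.
"""
import json
from datetime import datetime, timezone

SCHEMA_VERSION = "2018-10-08"   # ASFF schema version expected by Security Hub
MIN_SEVERITY = 3                # assumed threshold for "high priority" events
REGION = "us-east-1"            # placeholder region for the Lambda's account

# Constructed sample events, loosely modelled on a Deep Security SNS payload.
SAMPLE_EVENTS = [
    {"EventID": 1001, "EventType": "IntrusionPreventionEvent", "Severity": 4,
     "Reason": "Suspicious traffic matched an IPS rule (constructed)",
     "HostInstanceID": "i-0123456789abcdef0", "HostOwnerID": "123456789012",
     "LogDate": "2018-12-07T10:15:00Z"},
    {"EventID": 1002, "EventType": "AntiMalwareEvent", "Severity": 3,
     "Reason": "Malware quarantined (constructed)",
     "HostInstanceID": "i-0fedcba9876543210", "HostOwnerID": "123456789012",
     "LogDate": "2018-12-07T10:16:00Z"},
    {"EventID": 1003, "EventType": "SystemEvent", "Severity": 1,
     "Reason": "Agent heartbeat (constructed)",
     "HostInstanceID": "i-0123456789abcdef0", "HostOwnerID": "123456789012",
     "LogDate": "2018-12-07T10:17:00Z"},
]

# ASFF type strings chosen per event type; the default covers anything else.
FINDING_TYPES = {
    "IntrusionPreventionEvent": "Unusual Behaviors/Network",
    "AntiMalwareEvent": "Effects/Data Exposure",
}


def severity_to_normalized(sev: int) -> int:
    """Map the assumed 1..4 product severity onto ASFF's 0..100 scale."""
    return max(0, min(100, int(sev) * 25))


def select_high_priority(events, threshold=MIN_SEVERITY):
    """Keep only events worth forwarding; the rest stay in Deep Security."""
    return [e for e in events if int(e.get("Severity", 0)) >= threshold]


def to_asff(event, region):
    """Build one ASFF finding. ProductArn uses the form Security Hub
    requires for findings imported under your own account."""
    account = event["HostOwnerID"]
    now = datetime.now(timezone.utc).isoformat()
    return {
        "SchemaVersion": SCHEMA_VERSION,
        "Id": f"deepsecurity/{event['EventType']}/{event['EventID']}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": "deep-security-" + event["EventType"],
        "AwsAccountId": account,
        "Types": [FINDING_TYPES.get(event["EventType"], "Unusual Behaviors")],
        "CreatedAt": event.get("LogDate", now),
        "UpdatedAt": now,
        "Severity": {"Product": int(event["Severity"]),
                     "Normalized": severity_to_normalized(event["Severity"])},
        "Title": f"Deep Security: {event['EventType']}",
        "Description": event.get("Reason", "")[:1024],
        "Resources": [{
            "Type": "AwsEc2Instance",
            "Id": f"arn:aws:ec2:{region}:{account}:instance/{event['HostInstanceID']}",
        }],
    }


def build_findings(events, region=REGION):
    return [to_asff(e, region) for e in select_high_priority(events)]


def lambda_handler(event, context=None):
    """SNS wraps each Deep Security event in Records[].Sns.Message."""
    events = []
    for rec in event.get("Records", []):
        msg = json.loads(rec["Sns"]["Message"])
        events.extend(msg if isinstance(msg, list) else [msg])
    findings = build_findings(events)
    if not findings:
        return {"imported": 0, "failed": 0}
    import boto3  # imported lazily so the transform logic runs offline
    resp = boto3.client("securityhub").batch_import_findings(Findings=findings)
    return {"imported": resp.get("SuccessCount", 0),
            "failed": resp.get("FailedCount", 0)}
```

Security Hub rejects findings whose ProductArn account does not match the importing account, so the HostOwnerID-to-account mapping is the first thing to verify when imports fail.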