Our Proofpoint Threat Operations Center recently published its 2017 security predictions. In that report, we explained what we think the cyber threat landscape will look like in 2017 and how it might differ from previous years. In this post, I’d like to follow up with some practical advice on what to do about it.
Most cyber attacks of note in 2016 started the same way. Small or large, simple or sophisticated, cyber crime or state-sponsored espionage, they all targeted people. Here are some of the ways we think they’ll target people in 2017—and how you can protect them.
Join us on Tuesday, January 24, 2017 at 10 a.m. PT/1 p.m. ET for a 2017 Cybersecurity Predictions webinar.
1. Advanced threats will turn down the volume—but turn up the sophistication
Attackers work relentlessly to exploit the email communication channel because we depend on it so much. For example, attackers bombarded organizations in 2016 with Locky ransomware email campaigns. They targeted hundreds of millions of victims around the world and reaped millions in ransom.
But in 2017, small will be the new big. Attackers will return to smaller, more targeted sophisticated campaigns to send malware through email. High-volume email campaigns, when they occur, will be reserved mainly for less advanced malware.
Recommendation: As advanced attackers make this shift, work with a security vendor that has rich attack intelligence. This intel should span geographies, industries and attack groups. Use security solutions that combine static and dynamic techniques to detect new attack tools, tactics, and targets. And be sure the solution can learn from each attack to make the next one easier to catch.
2. Malicious email macros finally run out of gas
By April, document attachments embedded with malicious macros will grow less and less effective for email attacks. But cyber criminals won’t sit still. They’ll improve their spear-phishing techniques and turn to automation to fuel large-scale personalized campaigns. The result: more personal details that help boost the credibility of phishing emails and persuade victims to click.
Recommendation: Take a two-pronged strategy to stop email-based attacks. First, invest in solutions that effectively reduce the number of inbound malicious messages, whether they contain malware, phish credentials, or simply try to socially engineer the recipient into taking an action. A truly effective solution should also alert your organization to any malicious messages that have been delivered to a potentially vulnerable user. And second, develop a plan to enable your sec ops/incident response (IR) teams to assess the actions that user accounts take when they are compromised by malware free attacks like credential phishing.
3. Exploit kits will give way to “human kits”
Disclosed vulnerabilities and the exploits that target them will wane, thanks to two related trends. First, browsers and operating systems will grow more secure. At the same time, organizations will become more aware about security flaws and more disciplined about patching them.
That means big changes for the business of exploit kits. These off-the-shelf attack tools have made it easy for attackers to cash in on newly revealed software and hardware vulnerabilities. To stay effective in 2017, exploit kits will get a lot more personal. Rather than relying solely on technical flaws, they’ll lean heavily on social engineering, tricking users into infecting their own machines.
Recommendation: Create employee awareness programs and deploy an advanced email security solution, as email is likely to remain the vector of choice for “human kits”. To reduce human error, adopt solutions that can identify and quarantine spear-phishing emails before they ever reach employees’ inbox. Expand your visibility into potential social engineering vectors by examining your organization’s social media presences and your users’ mobile app usage. In addition, factor social engineering more heavily into your threat modeling.
4. Business email compromise (BEC) attacks will continue to evolve, and big losses will continue
Business email compromise (BEC) scams have resulted in more than $3 billion in losses and counting. Unlike most email threats, they do not feature malware and are sent in very low volumes. Their main goal: to trick users into wiring money or sending confidential data to criminals posing as a top executive, partner or vendor.
Total BEC losses will increase. But we expect fewer instances of big-dollar losses as businesses improve their fiscal controls and other processes.
Recommendation: Invest in a security solution that can classify email dynamically, not just by static rules. Build BEC-aware policies—similar to what you should already be doing for spam email. Be sure your people understand the value of the information they process and are aware of email attack tactics and dangers.
5. Social media “angler phishing” will be fully automated
We’ve discussed “angler phishing,” in which attackers create fake customer-support accounts on social media to prey on customers looking for help. These accounts redirect customers to a phony customer-support page where they can steal their login credentials.
In 2017, many of these attacks will become bigger and more sophisticated through automation. They’ll employ some form of natural-language processing, for instance, to scale up their operations.
Recommendation: Understand your social media footprint and be aware of outside risks to users, especially fraudulent accounts that piggyback your brand. As fraudsters automate their attacks, you’ll need automation in your corner, too. While angler phishing is currently concentrated on Twitter, look for a solution that scans Facebook, Twitter, Google+, LinkedIn and other social media networks. It should discover, notify and report on all of your brand accounts—including accounts using your name or brand. A robust social media security solution will notify you within minutes if anyone, anywhere in the world, has created an account that poses as or hurts your brand. Finally, adopt a solution that proactively scans newly created web domains for early warning of phishing attacks, including angler phish.
6. Social media attack pace will increase and explore new frontiers
Social media is mushrooming and offers a significantly higher ROI on cybercrime.
In 2017:
- Social scams and phishing will grow by 100% vs. 2016
- Social media spam will grow more than 500% vs. 2016
- Fraud and counterfeiting using fake social accounts will soar
- Integrated fraud techniques—using a blend of social media accounts, fake mobile apps, fraudulent websites, and imposter emails—will also skyrocket
Until now, the popular chatting and photo app Snapchat has been free of major attacks. That will change in 2017. And as many social media entities have introduced payment models, many of those are ripe for some type of attack.
Recommendation: Look for a solution that scans not just Facebook, Twitter, Google+ and LinkedIn, but the newer chat apps such as Snapchat, WeChat, Signal, BBM and others. This step can provide insight into how others are talking about and using your brand name in new channels—and alert you when it’s being harmed.
7. Mobile threats: The genie is out of the bottle
2016 represented a watershed year in the mobile threat landscape. Risk spiked from three main factors:
- Malicious clones of popular apps (pirated apps with malicious code added to them)
- More users “sideloading” apps—downloading apps from sources outside of official app stores such as of the Apple’s App Store and Google’s Play Store
- Targeted attack tools built for mobile devices
In 2017, zero-day threats such as the “Pegasus” mobile device attack kit will no longer be confined to state-sponsored efforts targeting dissidents. They’ll also originate from garden-variety cyber criminals targeting businesses and people.
These attacks will use SMS and chat systems to deliver malicious URLs and even zero-day exploits. Attacks will run the gamut—everything from broad-based campaigns looking for banking credentials, to personalized, targeted attacks on company employees and executives.
You may already be aware of malicious and “risky” apps—apps that aren’t overtly malicious but still may leak your data. In 2017, you’ll see more fraudulent apps—malicious and spammy apps purporting to be from legitimate brands.
Recommendation: Invest in data-driven tools that work with your mobile device management (MDM) to reveal the behavior of apps in your environment. The tools should be able to tell you exactly what types of data apps are accessing and sending—and to where. It should offer data-driven assessment of app behavior and risk to personal data and your enterprise. In addition, if your organization uses mobile apps to engage with customers, consider deploying a solution to scan public app stores for fraudulent mobile apps targeting your customers.
8. State-sponsored attacks will increase and expand beyond hacking and data breaches
State-sponsored and organized cyber criminal groups are exploiting human nature across all sectors. In 2017, we expect a resurgence of state-sponsored cyber attacks. Sophisticated, stealthy intrusions from a wide range of countries will target all branches of the U.S. government. And more state-sponsored attacks will try to steal information and influence social media and news outlets to create discord.
Recommendation: Prioritize investments in your defenses that fight modern threats. And change your security controls to address how people work today. The most effective security technologies do this by combining three things:
- Actionable threat intelligence (a thorough understanding of the attackers’ techniques and tradecraft)
- The ability to leverage that intelligence to quickly update your defenses as quickly as attackers change their offense
- Comprehensive security across key email, mobile and social-media channels
Are you ready for 2017?
Advanced security approaches that are user-centered and data-centered is the best way forward—maybe the only way.
To meet the challenges of 2017, you need full coverage for the communications channels used to target your people. In today’s threat landscape, they need to be protected from any location, network or device.
Join us on Tuesday, January 24, 2017 at 10 a.m. PT/1 p.m. ET for a discussion on our 2017 Cybersecurity Predictions and best practices for approaching the year: https://www.proofpoint.com/us/webinars