2020 is slated to be an interesting year in general. From the technology right around the horizon to the countless innovations which are being made leading up to the new year, this year has been a trip and next year will be one too. The cybersecurity arms race has been on for some time, but there are some cards in the mix which make this upcoming year primed for excitement.
It’s been a quiet few months, so I expect 2020 to be much noisier for ransomware and other attacks, especially fileless malware and more complicated malware variants. This will be further exacerbated by the upcoming Windows 7 end of life. With the advancement of cloud computing, I expect network topology to come into play more. The continued growth of connected devices and the general Internet of Things (IoT) will further add vectors for these attacks. To round all of it off, we have Kevin Mitnick’s favorite, good old social engineering, except this time technology has added deep fakes into the mix.
We have a perfect storm brewing. Things are about to get interesting.
Malware
2019 saw things like CrySIS and Dharma and Sodinokibi, which range from the newest iteration of classic ransomware to something completely new and out there. Both were a mix of traditional methodologies with novel attack vectors. Sodinokibi is evil because it is truly capable of being fileless malware. Modern CrySIS or Dharma use smash and grab tactics with targeted zero days and attack kits.
Neither are fun for different reasons. Neither have been noisy lately either. It feels almost like the attacks were just testing the waters of what they had with how short and sweet they were. 2020 is where the real fun begins.
Windows 7 and Server 2008: End of Life
It’s no coincidence that the attacks have died down. Best not to show your hand when the opponent is about to have to show theirs. Windows 7 and all Server 2008 derivatives (including R2) are reaching end of life on January 15, 2020. We’ve seen things quiet down because malicious actors know that even though a lot of Windows 7 and Server 2008 (R2) machines are going away by then, a lot aren’t. They also know if those machines aren’t upgraded by the end of life, they probably won’t be until the hardware can’t keep up or physically dies. “If it ain’t broke, don’t fix it,” may apply to some things, but it doesn’t apply to security at all.
The Windows 7 end of life spells out a massive issue for network security. You have to either schism the network or take other precautions to protect yourself from these agents which should be trusted. Just like with Windows XP, they will remain for compatibility and weaken the overall network as older protocols have to remain in place for compatibility. Anything they have access to may as well be considered compromised by the end of Q1 2020. It’s just a matter of time before a zero-day hits them en masse.
That vulnerable Windows 7 machine is ready to be weaponized on your network. With a flat network topology, its attack will spread like fire. The Windows 7 machine which “wasn’t a big deal” as far as the client was concerned just had someone log on with domain credentials which are now compromised. Oops. Now the whole site is down and the shares are encrypted.
Network Topology and the Cloud
Cloud computing is revolutionary at the scale its reached. A desktop environment with server power in a data center all for the amortized price of a single server was unheard of. Now, it’s so commonplace it’s become a commodity.
With Anything as a Service and the alphabet soup of SaaS, PaaS, and IaaS, it’s hard to know how a given solution needs to fit into your company’s network. Each comes with its own technical challenge for the setup and implementation and unfortunately, a lot of times, security misses the mark. It’s easy to simplify the network to the point of insecurity for maintainability. It doesn’t help that a lot of companies churn through solutions without proper research.
Network Topology plays a critical role in containment of a threat and overall security. The harder it is for a given computer to communicate with the rest of the network, the harder it is for a given attack to propagate. I’ve seen countless cloud environments on completely flat networks with no consideration for security. The cloud is just someone else’s computer, and you have no way to know whether the black box you use is secure or not.
The cloud environment itself may not be the problem, but the complete disregard for security is. What else is being missed for the sake of convenience? Cloud computing and XaaS has made it easy to offload many parts of a traditional business network, but this move is often done at the expense of security even though it doesn’t have to be. Flat networks make it easy to just drop a new service in and not worry about the routing, but they make it easy to sink the business too.
Internet of Things
The Internet of Things (IoT) is already on a bit of shaky ground. The IoT is even more volatile from a security perspective due to the increase in cheap, off brands of IoT devices with no long-term assurance of support, and with services orphaning devices left and right as it is. Vendors keep cutting support for perfectly good devices because they want you to buy the new one.
There are TV’s which are losing their “smart” status for all intents and purposes as app after app pulls support. These devices are expensive cornerstones of a home which can’t just be thrown out and replaced because the vendor decides to abandon them, but it keeps happening. History repeats itself. These devices are an affront on privacy and on security, and most aren’t segmented off the network, so they make great jump boxes for attackers.
Even when the vendor supports them, they may not receive much from a security standpoint. These devices are slated to get more and more prolific throughout households and businesses alike. I expect to see them become used more and more as jump-off points for attacks, ways to gain persistence in an environment, as well as be weaponized like Mirai.
Social Engineering in the 21st Century
Deepfakes aren’t that new (as far as tech is concerned), but deepfakes to pull off a heist are. The saddest part is that this is just the tip of the iceberg. No matter how much automation you throw at security, the human already sitting inside the network doesn’t really change.
Training can help, but expect deepfakes to reach the point they don’t even make it to the front page anymore. Why target the strong point when you can just catch the company idiot? This is part of why network topology plays such an important role in security. If the company idiot can’t reach it, then the exercise is all in vain. You are only as strong as your weakest link in the chain of security, but you can always put the less desirable links in spots which bear less weight with some clever shuffling.
Verification tools will become more and more essential. If you call your bank, they verify your information. What does your business do? How do you know you’re talking to who you think you are? With deepfakes where they are, you have to be sure. Verification tools and 2FA will become more and more essential.
Mitigation
To stop malware, you need security. Security at just an endpoint level isn’t enough, especially not for new attacks. Endpoint security, network security, and alerting make up the trinity which stops an attack from being effective. Backup and recovery is also extremely important as breaches aren’t an “if”, they’re a “when”. This isn’t a revolutionary concept, but it is the foundation of modern security. The tricks may change, the principles don’t.
Deprecated systems need to be schismed off from the network or secured in a way which doesn’t expose the company’s belly to them. Making a separate domain for legacy systems is a great, (relatively) easy way to prevent crossover. Limiting how they interact with the rest of the network affects whether an attack can propagate through them or not. Read only access can be another great way to prevent ransomware from using them.
The cloud and the IoT all present their own challenges, but treat them like you would any other system. You don’t just throw an XP box on the internal network and expect it to be safe. If they aren’t supported by the vendor, they’re basically threats. Anything which can talk to the outside world can theoretically be used to reach inside. The cloud and IoT devices are no different.
Automation and EDR solutions can help stem the flow of an attack. The options for remediation are as varied as the attacks. Sometimes, a combination of tools ranging from AV and response at an endpoint level to network alerting and segmentation are necessary to really round out security at a site. Users can always be fooled, but it’s a non-point if they can’t access certain things.
Conclusion
Attackers are getting smarter, but so are security solutions. The arms race will continue along on its way, but with a little planning and prep, you can make your organization much harder to hit. Most attacks start from a small vulnerability rather than anything too fancy. Secure yourself from popular attack vectors and you and your organization will be invisible to the majority of attackers. Make it hard for users to have wholesale access to your network and you make it harder for an attack to propagate.
2020 is almost upon us, but it’s not too late to get ready. The perfect storm is brewing, but it needn’t affect you much with some attention to detail. Prepare for new generation malware, shore up deprecated assets, and focus on network security and a lot of the problems will go sailing by.
Featured image by Pete Linforth from Pixabay