The basic belief is that the criminals are becoming better organized and more sophisticated; in short, they are better at adapting to new situations than users are at defending against them. Apparently on the plus side, the development of new advanced malware is slowing down (according to telemetry); but in reality, warns Carl Leonard, senior security research manager at Websense, "this is bad news for organisations." Criminals will instead "use lower volume, more targeted attacks to secure a foothold, steal user credentials and move unilaterally throughout infiltrated networks."
This new concentration on targeted attacks is a consistent theme in the predictions. "Attacks will get more and more personal," warns Greg Day, EMEA CTO at FireEye. The reason is increased targeting of low volume, high value intellectual property over high volume, low value personal data. Lior Arbel, CTO at Performanta Ltd, agrees almost verbatim: we "will see an increase in the targeting of specific intellectual properties rather than widespread attacks." Vijay Basani, co-founder, president and CEO of EiQ Networks, suggests, "Malware will become a lot more targeted [with] attacks that infiltrate networks and steal valuable data."
But before the network is targeted, the user must be breached. "We will see increasingly precise and sophisticated phishing attacks," warns Rodney Smith, director of field engineering at Guidance Software, "which result in a single person unwittingly handing over the keys to the corporate data kingdom with everything from intellectual property to customer data suddenly up for grabs." Matt Middleton-Leal, UK & Ireland regional director at CyberArk, agrees with this prognosis. "In 2014, expect social engineering to escalate [and] privileged and administrative credentials to be traded," he says, with "administrative passwords and privileged credentials... likely to become the most sought after items on the cyber black market."
Improving criminal sophistication is another recurring theme. Matt Hines, product manager at FireMon, points to the continuing evolution of botnets as an example. "While researchers and vendors have made a great deal of progress knocking down botnets with centralized command and control centers, the emerging P2P command model is proving harder to derail and as such we’ll likely see more use of this model in 2014 and subsequent years."
Lance James, head of intelligence at Vigilant by Deloitte, also sees a worrying future driven by such sophistication. The criminals will respond to law enforcement successes "by developing more sophisticated evasion and resilience techniques. We’ve seen the beginning of this with Cryptolocker which has (finally) pioneered the use of asymmetric encryption. More malicious campaigns will utilize Tor, leveraging its layered encryption and anonymous routing capabilities, to add a new layer of obfuscation. We will see more techniques similar to Dirt Jumper’s “-smart” feature, which attempts to detect and analyze mitigation attempts and bypass them. Though the potential of this new offensive may not be fully realized in 2014, it does portend a scenario in which hackers could execute an APT-style attack to gain access, spread malware laterally, and implant remediation detection sensors capable of taking retaliatory action that could cause significant enterprise-level escalation."
CryptoLocker is perhaps the nastiest variant of a nasty strain of malware seen in 2013: ransomware. And ransomware is not going away. "Although ransomware has been around for years," comments Tracey Pretorius, director, Trustworthy Computing at Microsoft, "to date, ransomware infections have been on a much smaller scale than other types of malware. But, given increased levels of success attackers have had with this type of extortion scheme in 2013, I predict more attackers will embrace this business model in 2014 and ransomware infections will rise."
"Ransomware isn’t going anywhere," warns Brian Contos, VP and CISO at Blue Coat. "In fact, it is growing, getting more sophisticated and going up in price." Fred Touchette, senior security analyst at AppRiver, agrees: " I think we’ll witness an epidemic of venomous ‘Ransomware’ following the success of Citadel and CryptoLocker in 2013... This has proved to be highly effective for cybercriminals and, when something works for the bad guys, they tend to stick with it." Sean Sullivan, security advisor at F-Secure, notes that the only thing holding back ransomware in the past has been the labor involved in getting paid. Cryptocurrencies will change that. "The more frictionless digital currencies become," he says, "the easier it will be to extort people over their data."
But not everything will be new next year. "Legacy problems will escalate," warns Catherine Pearce, security consultant at Neohapsis. "Whether it's the use of substandard security, or simply systems that were designed in a different age, legacy systems will ever-increasingly fall prey to attack... These systems include everything from abandoned parts of websites to critical national infrastructure and they will haunt us for decades to come."
The biggest legacy problem of all in 2014 is likely to be XP. "On April 8 2014," explains Tim Rains, director, Trustworthy Computing at Microsoft, "support will end for Windows XP. This means Windows XP users will no longer receive security updates, non-security hotfixes or free/paid assisted support options and online technical content updates. This venerable platform, built last century, will not be able to keep pace with attackers, and more Windows XP-based systems will get compromised." It will still be possible to defend XP, warns F-Secure's Sullivan, "but once it is compromised it is very difficult to repair."
Throughout these predictions, the single dominant theme is that the attackers are getting more sophisticated. Garry Sidaway, global director of security strategy at NTT Com Security, warns that users must become equally sophisticated in their defenses. "As long as businesses are connected to the internet, we will continue to see malcode develop," he says. "We have to shift our thinking away from trying to trap malcode at the perimeter and move this into cloud defenses. We are already seeing that unpacking potential threats within a virtual server is beginning to fail as malcode becomes more and more sophisticated. We have to look to software defined networks and perimeter to replicate exactly the corporate environment. From here we can start to determine what is good rather than trying still to determine what is bad. We will also see a focus on determining where the malcode has been within an organization. At present we can determine where and possibly how it got in and when and how it started calling home, but not what happened in between."