Researchers: Brace for a Major Cloud Provider Compromise

The balkanization of the internet and the movement of data to the cloud will define the 2017 cybersecurity landscape, according to researchers—and we should brace for a major compromise of a cloud provider.

Cloud-based methods of persistence and compromise have been presented at many security conferences, including Black Hat and DEF CON this past year.

“In 2017, we expect to see the leading security organizations begin to catch malicious actors breaching their cloud management infrastructure,” said Aaron Shelmire, principal threat researcher at Anomali, via email. “Additionally, we expect to see malware purpose-built to capture cloud services credentials, similar to the banking trojans that are able to intercept two-factor authentication input. After the malicious actors gain access to cloud infrastructure, we will see new methods of persistence established via the cloud management profiles. This activity will present a significant challenge for understanding intrusion timelines.”
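The two things Shelmire describes, persistence planted through cloud management profiles and the difficulty of reconstructing an intrusion timeline afterwards, are easiest to see against the provider's own audit log. The following is an added example, not code from Anomali or from the article, that walks a handful of constructed CloudTrail-style records, keeps only the API calls that create a durable foothold (a new user, a long-lived access key, a console password, a policy grant or a changed role trust), sorts them into a timeline and anchors the intrusion start on the earliest such call made from an IP address the defender has never seen. The event names and record shape are AWS CloudTrail's; the article names no provider, so that choice, the known-IP allow-list and the sample records are all assumptions made for the example.

```python
"""Added example: build an IAM-persistence timeline from CloudTrail-style audit records."""
import json
from datetime import datetime, timezone

# Assumption: AWS CloudTrail event names. Each one leaves behind something an
# intruder can come back to after the stolen session credential expires.
PERSISTENCE_EVENTS = {
    "CreateUser": "new IAM principal",
    "CreateAccessKey": "new long-lived API key",
    "CreateLoginProfile": "console password set",
    "AttachUserPolicy": "managed policy attached to user",
    "PutUserPolicy": "inline policy added to user",
    "UpdateAssumeRolePolicy": "role trust policy changed",
}

# Constructed sample records (not real logs). Deliberately out of time order:
# CloudTrail delivers files in batches, so a timeline must sort, not trust order.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2017-01-10T08:02:11Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": None},
    {"eventTime": "2017-01-10T08:05:40Z", "eventName": "CreateUser",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2017-01-10T08:06:02Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2017-01-10T08:06:30Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-01-09T23:59:59Z", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"roleName": "Deploy"}},
])


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def persistence_timeline(records, known_ips=frozenset()):
    """Return persistence-related events sorted by time.

    known_ips is the defender's allow-list of addresses the acting identity
    normally uses; a call from anywhere else is flagged, because a credential-
    stealing trojan uses the victim's identity but not the victim's network.
    """
    timeline = []
    for r in records:
        name = r.get("eventName")
        if name not in PERSISTENCE_EVENTS:
            continue
        params = r.get("requestParameters") or {}
        ip = r.get("sourceIPAddress")
        timeline.append({
            "time": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "actor": r.get("userIdentity", {}).get("userName", "?"),
            "source_ip": ip,
            "event": name,
            "why": PERSISTENCE_EVENTS[name],
            "target": params.get("userName") or params.get("roleName") or "?",
            "unknown_ip": ip not in known_ips,
        })
    timeline.sort(key=lambda e: e["time"])
    return timeline


def first_foothold(timeline):
    """Earliest persistence event from an unknown IP: the anchor for the intrusion start."""
    for e in timeline:
        if e["unknown_ip"]:
            return e
    return None


def backdoored_principals(timeline):
    """Principals given a persistence mechanism from an unknown IP, in first-seen order."""
    seen = []
    for e in timeline:
        if e["unknown_ip"] and e["target"] not in seen:
            seen.append(e["target"])
    return seen


if __name__ == "__main__":
    tl = persistence_timeline(parse_records(SAMPLE_LOG), known_ips={"198.51.100.7"})
    for e in tl:
        flag = "!" if e["unknown_ip"] else " "
        print(f"{flag} {e['time'].isoformat()} {e['actor']:<6} {e['source_ip']:<14} "
              f"{e['event']:<22} -> {e['target']} ({e['why']})")
    print("first foothold:", first_foothold(tl)["time"].isoformat())
    print("backdoored:", backdoored_principals(tl))
```

The point of sorting before anchoring is the timeline problem Shelmire raises: the role-trust change is the last record delivered but the first thing the attacker did, and a responder who trusts delivery order would date the intrusion eight hours late and miss the `Deploy` role entirely.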

Vendors will be in the sights too, he added. Thus far, none of the large cloud storage/infrastructure companies have detailed a breach since the Aurora attacks on Google in 2009.

“In an environment where as many as 89% of healthcare organizations experienced a data breach in 2015, we aren’t hearing much about data breaches in the cloud and infrastructure companies that host the healthcare industry’s data and systems,” Shelmire said. “In 2017, we expect that a major cloud vendor will be in the news for a significant security breach.”

Even as data is moving to the cloud, many countries are focusing inward rather than on open-border and free-trade strategies. This includes recent changes in tax policy, where previous approaches to multinational corporate governance have come under the microscope of the world’s treasurers. Further initiatives are expanding into the internet realm, with new operating system projects being pursued to remove dependency on foreign software, and foreign-hosted SaaS offerings being excluded from some countries, as with Russia’s ban on LinkedIn.

Additionally, multiple governments are enhancing their surveillance initiatives, such as the Russian government’s requirement that service providers hand over the cryptographic keys needed to decrypt internet traffic.

“We believe this will continue resulting in an increasingly balkanized and separated internet,” Shelmire said. “Governments are likely to require that their country’s data stays within their own law enforcement’s reach, rather than relying upon Mutual Legal Assistance Treaties (MLATs) for data access.”

And, as the nation-states balkanize the internet, internet border collection systems will be enhanced.

“This will take forms similar to the Great Dam in China or the border initiatives in other countries. Russia has publicly announced efforts that can only be realized through these types of systems,” added Shelmire. “Corporations and activists will become even more sensitive to the implications of bulk traffic interception, decryption and collection. Confidentiality concerns will become a mainstay threat to both corporations and threat actors alike. Threat actors will subsequently encrypt more C2 channels by default.”

On a related note, Shelmire pointed out that APT actors have been using cloud services for C2 channels for a few years now. In 2017, he expects to see continued development of malicious software using cloud services. “Security companies will not report on this activity for fear of losing potential clients,” he predicted.

And finally, Shelmire said that he expects nation-state hacking to continue to be high-profile.

“Over 60 countries have intelligence-based cyber initiatives,” he said. “Thus far, very few of those countries’ operations have been publicly detailed. A handful of countries were clients of surveillance-as-a-service vendors such as HackingTeam and Gamma International. In western countries, the focus has most recently been on Russian and US operations, as Chinese APT operations have fallen out of the news. Chinese security companies have recently been exposing suspected US operations in actor reports. Over this next year, we believe a previously unexposed country’s operations will be discovered and exposed. After this group is exposed, many security companies will dig into their data repositories, creating a years-long timeline of that group’s activity.”

Photo © BLUR LIFE 1975