Sunday, December 13, 2015

Blueprint: Predictions for 2016 and the Evolving Threat Landscape

by Derek Manky, Global Security Strategist, Fortinet

From the “just when you thought things couldn’t get worse” department…

2015 was not an easy year for cybersecurity, whether you worked for one of the countless organizations that got hacked, had to pay a ransom to decrypt files on your hard drive, or spent your days trying to stay ahead of increasingly sophisticated hackers and well-funded nation states. Unfortunately, 2016 looks to have more of the same in store, as well as new and emerging threats that will challenge both security vendors and the organizations and consumers they work to protect.

That IoT Thing

The Internet of Things (IoT) encompasses far more than just fitness trackers and fancy watches. To date, we’ve seen plenty of vulnerabilities in devices that range from surveillance cameras to industrial control systems to connected vehicles, but haven’t observed much in the way of actual attacks that exploit these vulnerabilities. One exception is Point of Sale (PoS) systems, malware for which now ranks in Japan’s top 10 list of malware in the wild and is a key platform for credit card theft.

However, in 2016, we expect connected devices to become strategic beachheads for attackers to “land and expand”, whether propagating malware among devices or, more likely, using the increasing number of IoT devices to gain entry to the corporate networks they access. Because these corporate networks are already hardened against attack, new, less secure attack surfaces will be attractive targets for cybercriminals.

In many cases, this will require more sophisticated malware with ever smaller footprints, but we’ve already seen proofs of concept for malware that can persist and propagate on connected devices with minuscule amounts of available memory. The notion of “headless worms on headless devices” is more than a catchy tag line. If we look back on the damage the Morris Worm was able to do back in 1989 with an attack surface of just 60,000 Unix servers (10% of which it was able to infect), imagine an attack surface of the 20 billion connected devices Gartner is predicting will be online by 2020.

Jailbreaking the Cloud

You’ve heard of jailbreaking your iPhone. Basically you install custom software to unlock all sorts of capabilities that are normally hidden from users. With this extra power comes a host of security risks, not to mention some dire warnings from Apple. This year, though, we expect to see malware begin “jailbreaking the cloud.”

What does that mean, exactly? Consider the Venom vulnerability that made headlines this year: attackers were able to exploit old floppy disk drivers to break out of the hypervisor on a virtualized system and gain access to the host operating system. Malware can (and will) be designed to crack the hypervisor on virtualized systems, making lateral movement to other guest operating systems and tenants much easier.

Because so many public and private clouds rely on virtualization to provide multitenancy, scalability, and agile infrastructure, this can have far-reaching impacts, both in corporate data centers and for cloud providers.

Additionally, many mobile applications, delivered both through public and corporate app stores, access cloud-based and virtualized systems. These systems may drive the user experience, provide data input and output on the back end, or capture data for a wide range of purposes. Compromised apps, then, as well as specific mobile malware, will become less of an annoyance or privacy concern and more of a vector for attackers seeking vulnerabilities in public and private clouds.

New Malware? Yes, Indeed

Vendors have gotten very good at detecting and blocking a range of malware. Standard client anti-virus applications can pick up known viruses and other malicious applications quickly, while cloud-based services and gateway antimalware provide extra layers of protection. The best are performing deep packet inspection to pick out not just known signatures but also suspicious behaviors, traffic associated with command and control servers, and other “indicators of compromise.”

Many companies are also adding sandboxing technologies to their networks that can observe the behavior of unknown or suspicious files in controlled environments before those files are allowed on a network. At the same time, malware authors are building in obfuscation and evasion technologies to make detection more difficult.

So-called “blastware,” for example, like the Rombertik virus that gained media attention this year, can render a vulnerable host computer unusable. This is really only a problem if Rombertik detects that it is being analyzed or altered, and many of the headlines about the software were overly sensational, but the concept is important: malware is getting smarter about the environment in which it is running.

We’ll see this play out more frequently in 2016 in “ghostware” and “2-faced malware”. Ghostware, as its name suggests, is designed to penetrate a system, steal particular types of data, and then leave without a trace, erasing itself and any indicators of compromise that security systems might detect. Without these indicators of compromise, organizations might not even know they had lost data, much less be able to conduct a forensic analysis to determine the extent or nature of the breach.

Two-faced malware detects when it is being examined in a sandbox and behaves like a benign file. When it clears the sandbox, it then completes whatever malicious action it was designed to execute. There are, appropriately, two major challenges associated with 2-faced malware:

  1. It’s very hard to detect, even with sophisticated sandboxing technology and
  2. Sandboxes generally feed threat intelligence back into a larger ecosystem and could result in a particular piece of 2-faced malware being automatically cleared by the system, enabling other instances to pass through security mechanisms unfettered.
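One defensive policy for the second challenge, as an added example that is not part of the original post: sandbox verdicts are cached asymmetrically, so a malicious result is final while a benign result expires and only turns into an allow decision once several distinct sandbox profiles agree. All class names, hashes, profile names and thresholds below are constructed for illustration.

```python
# Added example (not from the original post): asymmetric handling of sandbox
# verdicts so that one "benign" run of an evasive sample is not automatically
# promoted into an ecosystem-wide allow decision. All values are constructed.
from dataclasses import dataclass
from enum import Enum
from collections import defaultdict


class Verdict(Enum):
    MALICIOUS = "malicious"
    BENIGN = "benign"


@dataclass(frozen=True)
class SandboxResult:
    sha256: str         # hash of the analysed file (placeholder values in tests)
    verdict: Verdict
    profile: str        # sandbox environment the file was detonated in
    observed_at: float  # epoch seconds when the verdict was produced


class VerdictStore:
    """Malicious verdicts are final; benign verdicts are provisional.

    A benign verdict expires after benign_ttl seconds and only yields "allow"
    once at least required_profiles distinct sandbox profiles agree, so a
    sample that behaved well in a single environment is re-detonated
    instead of being auto-cleared for every downstream consumer.
    """

    def __init__(self, benign_ttl: float, required_profiles: int):
        self.benign_ttl = benign_ttl
        self.required_profiles = required_profiles
        self._results = defaultdict(list)

    def record(self, result: SandboxResult) -> None:
        self._results[result.sha256].append(result)

    def decision(self, sha256: str, now: float) -> str:
        """Return "block", "allow" or "reanalyze" for a hash at time `now`."""
        results = self._results.get(sha256, [])
        if any(r.verdict is Verdict.MALICIOUS for r in results):
            return "block"  # malicious evidence is never outvoted by benign runs
        fresh_profiles = {
            r.profile for r in results
            if r.verdict is Verdict.BENIGN and now - r.observed_at < self.benign_ttl
        }
        if len(fresh_profiles) >= self.required_profiles:
            return "allow"
        return "reanalyze"  # unknown, stale, or single-profile benign: detonate again
```

Feeding only "block" verdicts, and "allow" verdicts that met the threshold, back into shared threat intelligence keeps a one-off evasion from clearing every later copy of the same file.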

Evolution, Not Revolution

2016, then, will be a year of evolving threats. Much of this we’ve seen before, if in less sophisticated forms. The arms race between the bad guys developing smarter and more effective malware and vendors creating more intelligent security products will continue, and IoT will move from proof-of-concept vulnerabilities to a viable attack surface. As threats evolve, though, organizations will need to be increasingly mindful about their deployments, adoptions, and the devices and services on which they rely to conduct business.

About the Author

Derek Manky formulates security strategy with more than a decade of advanced threat research, his ultimate goal to make a positive impact towards the global war on cyber crime. Manky has presented research and strategy world-wide at premier security conferences. As a cyber security expert, his work has included meetings with leading political figures and key policy stakeholders, including law enforcement, who help define the future of cyber security. He is involved with several threat response and intelligence initiatives, including FIRST, and is on the board of the Cyber Threat Alliance (CTA), where he works to shape the future of actionable threat intelligence. Manky’s areas of expertise include FortiGuard, Threat Intelligence, advanced threat research, global war on cyber crime, Cyber Threat Alliance, zero-day vulnerabilities, mitigation advice and threat forecasts.

About Fortinet

Fortinet (NASDAQ: FTNT) protects the most valuable assets of some of the largest enterprise, service provider and government organizations across the globe. The company's fast, secure and global cyber security solutions provide broad, high-performance protection against dynamic security threats while simplifying the IT infrastructure. They are strengthened by the industry's highest level of threat research, intelligence and analytics. Unlike pure-play network security providers, Fortinet can solve organizations' most important security challenges, whether in networked, application, wireless or mobile environments, be it virtualized/cloud or physical. Nearly 250,000 customers worldwide, including some of the largest and most complex organizations, trust Fortinet to protect their brands. Learn more at the Fortinet Blog or FortiGuard Labs.