Explosion of Cross Platform Ransomware
Ransomware was a very profitable category of malware in 2015. It usually targeted end users working directly on Windows PCs. The economics of the ransom demands usually made sense, so users often paid (the cost of paying the ransom was less than the cost of cleanup and recovery without paying). Payments were often direct and relatively anonymous and secure for the attacker, since they used cryptocurrencies such as Bitcoin. Because of this, we see the use of ransomware increasing and becoming a problem for several new platforms (likely all major mobile platforms, MacOS, Linux, and possibly IoT).
Large-scale Extortion Campaigns Targeting Individuals and Organizations Increase
In 2015, several sites including Ashley Madison and Adult Friend Finder were breached and their entire user databases were made public. These public exposures had secondary effects as cyber criminals started using this data for extortion schemes. These schemes proved profitable, and because of this we expect some websites to be breached for the sole purpose of mass personalized extortion. Sites' user data will be targeted for personal details, especially embarrassing ones, for use in large-scale extortion campaigns.
Online retailers and service providers will also be the target of extortion schemes, but they will be targeted in different ways. Attackers may attempt to steal large spools of email, chat logs, and sensitive (and likely embarrassing) documents for the purpose of public release if demands are not met. Threats of DDoS attacks unless ransoms are paid are also likely to continue.
Hacktivists and Cyber Vandals Seek to Damage/Destroy Companies’ Reputations
Not all villains are motivated by money. We see the same tactics used for extortion being used to purposefully damage or destroy companies' or individuals' reputations. Companies operating in contentious or controversial industries should expect their email spools, company chat logs, and documents to be targeted for public release with the goal of damaging the company's reputation or brand. This may catch some companies off guard, since they may not consider all of their communications to be worth stealing.
IoT Exploitation, Consumer Grade Smart Device Malware and Automobile Hacking Leave the Lab and Get Used for Financial Gain
In 2015, there were public demonstrations of how vulnerable IoT gadgets, consumer smart devices, and connected automobiles are. Most of these demonstrations were conducted by security researchers. We expect that these technologies will be targeted in 2016, mainly for financial gain, such as next-generation ransomware, novel ways to steal cash, or use in traditional botnets.
Credential Exposures Reach a Tipping Point that Causes Some Major Cloud Providers to Force Multi-Factor Authentication for All Users
2015 was the year of massive credential exposures (usernames and passwords posted en masse, either publicly or on Dark Web forums). Credential exposures are a big deal due to rampant password reuse and the lack of Multi-Factor Authentication (MFA) on many websites across the Internet. This trend will continue into 2016 and beyond, and it will likely force many major SaaS providers (free email providers, free document authoring, social media, photo sharing, file sharing, etc.) to require all users to use MFA. This will likely take the form of sending text messages or emails with one-time codes in addition to entering passwords when logging in, but new and less inconvenient techniques may emerge because of this.
Legitimate SaaS Providers Will Increasingly be Used for C2 and Data Exfiltration to Bypass IP and Domain Reputation Services
Domain and IP reputation services are becoming more and more effective, and some companies are moving to a whitelist-only approach for online content. As deployment of these tools increases, expect malware to transition en masse to using legitimate SaaS providers and social media sites as channels for command and control (C2) as well as data exfiltration (exfil). Many of these sites are trusted, use strong encryption, and are not looking for these types of subtle misuse, so they are excellent platforms to use for this purpose.
Highly Likely that Critical Infrastructure/SCADA Systems Will be Targeted in a Cyber Terrorism Event
In 2015, there were hundreds of terrorist incidents, large and small, across the globe. All of these attacks were physical or kinetic. With the increasing emergence of transnational terrorist groups such as ISIS, we expect that they will attempt to attack a SCADA system or Critical Infrastructure using a cyber attack with the goal of either inflicting economic damages or inducing fear through mass casualties.
Increase in Companies Moving to Build-It-Yourself and Open Source SIEMs Such as ELK
In 2015, many organizations we work with started down the path of building their own internal security infrastructure (SIEM/log management) using mostly open source tools such as Elasticsearch, Logstash, Kibana, and Kafka. We expect this trend to continue for organizations willing to maintain small engineering teams instead of making large capital expenditures.
Use of Automated Incident Response and Host Based Collection Tools Increase
More and more companies are realizing the benefits of focusing on breach detection and continuous incident response, and we see this trend increasing dramatically over 2016, since this is becoming a very effective way to mitigate the effects of breaches and decrease adversary dwell times.
Malware Sandbox and Anti-Virus Evasion Increases
Automated malware sandboxes are now a staple of most security teams, and their use has made a major impact in speeding malware analysis and improving security. Because of this, we expect to see an increase in malware sandbox evasion techniques ranging in sophistication, but likely focusing on ones that are harder to detect.
Jason Trost is the VP of Threat Research at ThreatStream, Inc. and leads ThreatStream Labs, the research team. He has worked in security for more than ten years, and he has several years of experience leveraging big data technologies for security data mining and analytics. He is deeply interested in network security, DFIR, honeypots, big data and machine learning. He is currently focused on building highly scalable systems for processing, analyzing, and visualizing high-speed network/security events in real time, as well as systems for analyzing massive amounts of malware. He is a regular attendee of big data and security conferences, and he has spoken at Blackhat, BSidesSF, BSidesLV, BSidesDC, FloCon, and Hadoop Summit. He has contributed to several security and big data related open source projects including the Modern Honey Network (MHN), BinaryPig, ElasticSearch, Apache Accumulo, and Apache Storm. He has held senior technical positions with the U.S. Department of Defense, Booz Allen Hamilton, and Endgame Inc. He holds an M.S. in Information Security from Georgia Institute of Technology and a B.S. in Computer Science from Florida State University.