[BreachExchange] The future of cyberwar: Weaponised ransomware, IoT attacks and a new arms race

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 16 19:07:23 EST 2017


https://www.techrepublic.com/article/the-future-of-cyberwar-weaponised-ransomware-iot-attacks-and-a-new-arms-race/

After at least a dozen years in the shadows, cyberwarfare is gradually
emerging into daylight. While cyber weapons were mostly developed and used
by intelligence agencies as part of secret missions, they are now becoming
an acknowledged military option during conflicts. Here are predictions
about how cyberwarfare will evolve over the next year.

The cyber arms race will accelerate

Having a cyberwarfare capability is the latest must-have for many nation
states, which has sparked a cyber arms race that shows no sign of slowing
down. NATO, for example, recently updated its strategy to include the
potential use of cyber weapons alongside traditional munitions. In the
short term, this will likely mean that researchers will find a ready market
for zero-day exploits, as governments continue to build their
stockpiles. However, as intelligence agencies and the military spend more
on building up cyber weapons there will come, inevitably, pressure to prove
the worth of that investment.

Cyber weapons will become a standard feature of warfare

As NATO secretary general Jens Stoltenberg said recently, noting the use of
cyberweapons against ISIS in Iraq and Syria: "in any military conflict,
cyber will be an integrated part."

The actual type and sophistication of the attacks deployed will vary; an
opponent with little in the way of tech to disrupt will require a different
set of options to one with a sophisticated infrastructure to defend.

No doubt there will still be extremely sophisticated cyber weapons
developed and deployed against specific extremely high-value targets
(although we may not hear about them). But the use of more standard cyber
weapons and techniques will become commonplace. Cyberspace is now
considered just another part of the battlefield.

Stealthy cyberwar preparations will continue

There will be no let up for energy companies, high tech manufacturers and
government agencies; state-backed hackers (from many nations) will continue
to poke and pry at their systems, looking for access to those all-important
industrial control systems, which could be used to cause chaos at a later
date.

Some of these companies may still not even consider themselves to be
potential targets because, unlike a big bank, they don't have much worth
stealing. But these hackers aren't looking to steal money, but to break
things (like a power or a rail network), which means even organisations
involved in the least glamorous bits of our critical infrastructure need to
pay attention, fast.

Weaponised ransomware will be your next big headache

Ransomware has been at the heart of some of the biggest security stories of
this year, and it will be the same in 2018. But the motivation of
ransomware users is shifting in an even more dangerous direction. Up until
now most ransomware has been used to extract a ransom (usually in
all-but-untraceable Bitcoin) from those unlucky enough to be hit with it.

That's bad enough, but there's already a trend towards using ransomware as a
weapon, where devices are encrypted, rendering data inaccessible, and the
perpetrators don't offer a key. It's not hard to see this weaponised
ransomware being utilised—perhaps by hackers loosely aligned with a
nation-state—to cause problems for rivals. The only problem is that these
kinds of attacks can rapidly spiral out of control: even if you aren't the
intended victim you might still get hit.

The IoT will be a cyberwar and cyber espionage gold mine

Unsecured Internet of Things devices (like webcams and routers) have
already been press-ganged into a botnet - Mirai - which was then used to carry
out Distributed Denial of Service attacks against websites. But because
that secret double life didn't really affect the day-to-day performance of
these gadgets, owners probably barely noticed (and likely cared even less).
But it's easy to imagine a situation where the growing armada of IoT devices
could be used against us, too. Perhaps an attacker could switch on every
smart appliance at once in a bid to overload the power network, or simply
cause chaos by turning every smart lock into a useless (and unbudging)
piece of metal. IoT gadgets are also brilliant tools for cyber espionage:
we are literally filling our homes and offices with cameras and microphones
that are far too easy to hack. That's going to generate a fantastic trove
of data that could be used to locate or even blackmail high value targets.

Failure to patch will be the cause of another giant security disaster

Everyone gets very excited about zero-day exploits: previously undiscovered
holes in software that can be used to attack systems and against which
there is no defence. Stuxnet used at least four different ones.

But already-known vulnerabilities will continue to be by far the biggest
source of gaps in IT defences, and will be exploited by nation-state hackers and
criminals alike. New software vulnerabilities are being found on a daily
basis and vendors publish new patches and updates almost as regularly.
Keeping up with that flow is hard, especially if the patches are for key
systems and may need testing. This year demonstrated just what can happen
when users fall behind on keeping systems up to date: a patch for the
exploit that allowed the WannaCry ransomware to spread globally was
available 59 days before the crisis hit.

Unless you are being specifically targeted (in which case, good luck)
having the basics of security in place will be enough to make state-backed
hackers go and find an easier target.

Encryption will be your friend

Governments and politicians will continue their love-hate relationship with
encryption, wanting it as strong as possible for their own secrets and
communications, while simultaneously wanting to water it down for everyone
else. That dynamic is unlikely to change, but in the battle between
politics and mathematics there is only going to be one winner.

That's probably going to be good for all of us, for both privacy and
security. Particularly with the rise of the Internet of Things we are
sharing our homes and work places with more devices that record our words
and deeds. And as automatic systems (like driver-less cars) become
commonplace, we'll need to be able to trust the security of those systems
too. While governments would love to be able to access all communications,
they don't want other governments to have the same privilege, which means
banning encryption is off the table...for now.