As we bring 2020 to a close, it’s time to look at 2021 and a new chapter in the book of cybersecurity. While there are no doubt a multitude of possible attacks, here are five types of attacks that are becoming more popular and more common among attackers using Internet of Things (IoT) threats.

1. Built-In IoT Threats

As entities embrace the IoT, they still lag in the defense and guidelines departments. And, threat actors will take advantage of the gap between the risks posed by IoT and how prepared people are to address those risks.

IoT devices are insecure by nature. They’re connected, meaning the bad guys can access them. But IoT devices lack the processing power for basic protection like encryption. They also tend to be highly valuable and inexpensive, making it easy for users to deploy large numbers of them (possibly 35 billion IoT devices worldwide by the end of 2021).

IT may not have authorized, or may not even know about, these devices. In many cases, the employer doesn’t even own them.

It’s likely that IoT will become the preferred target for ransomware attacks. Botnets, advanced persistent threats, distributed denial of service (DDoS) attacks, identity theft, data theft, man-in-the-middle attacks, social engineering attacks and others are also likely choices.

IoT threats, including those hitting databases, intersect with other 2021 trends, too. In a world of increased automation, many attacks focus on supply chain and manufacturing. IoT is used a lot in these fields, and updating equipment is not always a top priority. As we encounter more novel attacks on IoT networks, one question is especially important. Can we update aging firmware to give it the defenses it needs?

2. AI in IoT Threats

It’s likely 2021 will be the year of AI-powered IoT threats. And, that’s not surprising.

AI-based attacks have been taking place since 2007, mostly for social engineering attacks (simulating human chat) and for enhancing DDoS attacks. The malicious use of AI showed up on everyone’s radar in 2018, when a ground-breaking study on the threat was published.

Over time, more refined algorithms will get better at mimicking normal users on a network to foil detection systems looking for strange behavior. The biggest recent development in the use of AI in cyberattacks is democratization of tools for building and using AI systems. Threat actors can build AI tools now that just a few years ago only researchers could build.

AI systems are better than humans at performing many of the elements of IoT threats, such as repetitive tasks, interactive responses and processing very large data sets. In general, AI will help the bad guys scale up their IoT threats, automate them and make them more flexible.

And, don’t just look for exotic new AI-based IoT threats in 2021. Instead, look for the usual network breaches and other attacks, but deployed faster, at larger scale and with more flexibility, automation and customization than in the past.

3. Deepfakes for IoT Threats

Attackers will use the same tools behind deepfake videos for IoT threats, such as brute force attacks and spoofing biometrics. For example, university researchers have demonstrated that generative adversarial network (GAN) techniques can brute-force fake, but functional, fingerprints. They do it the same way passwords are brute-forced: by trying thousands of attempts.

We have, in fact, already seen the use of deepfake technology in malicious attacks. The first wave of these involved faked voices. The attackers taught a computer system to sound like a CEO, who then called employees to order money transfers and the like.

Audio and image deepfakes have now been basically perfected, which is to say you can create voices and photographs that most humans can’t tell are fake.

The holy grail of deepfakes is video. Today, videos made this way still look uncanny. But it’s only a matter of time before attackers perfect deepfake video as well, enabling convincing video-call social engineering attacks. They could also use faked video for network breaches, extortion and blackmail.

4. More Specialized Cyber Crime

The entire history of cyber crime has involved increasing refinement on the part of the attackers. It often mirrors trends in honest business. And this long-standing trend in IoT threats will continue, as we can expect far more specialization and outsourcing in 2021. Threat actors will be going after bigger paydays. Rather than one person or one gang running an entire job, expect groups to offer break-in services for pay. So, a single attack may involve multiple groups, each of which is expert at performing their part.

For example, one group may specialize in reconnaissance at scale, then offer their knowledge on the dark net for a price. Another group may purchase this, then hire another group to breach the victim with a social engineering attack. That group may, in turn, hire native language speakers and graphics designers to craft more convincing emails. Once they gain access, the client may hire multiple specialist gangs for ransomware, bitcoin mining, extortion and other attacks.

In the same way that businesses have specialized, diversified and benefited from outsourcing, the people building IoT threats do, too.

5. Breakdowns Between State-Sponsored and Criminal Attacks

The organizational trends described above — the specialization and outsourcing — will further blur the line between state-sponsored attacks and gang attacks. And, this makes sense. Already many of the so-called state-sponsored cyberattacks are actually performed by criminal gangs linked to government agencies, including military and spy agencies.

With increased specialization and outsourcing, nation-states will more and more be offered the fruits of cyberattacks, such as IoT threats, for money. And nation-states will hire otherwise unaffiliated cyber gangs to do specific malicious attack jobs, or specific parts of them.

Even today, it’s difficult to tell whether a detected attack was state-sponsored or not. In the future, starting in 2021, it may become nearly impossible.

The year 2021 will no doubt prove to be another exciting year in the realm of cybersecurity. Look for these five trends in IoT threats as areas to focus on.
