Top 2014 trends in security focused primarily on what is still the greatest threat to organizations — malware — and attackers’ efforts to stay one step ahead of even the most advanced prevention and detection techniques. Another increasingly common theme this year was defense evasion.
Attackers are increasingly able to quickly develop new malware variants to defeat existing countermeasures by cashing in on source code leaks that can make it far easier to exploit vulnerabilities in affected applications. This had already been seen, with the source code breach at Adobe Systems touted as the worst such heist in history.
Top 2014 Trends
Other malware trends for 2014 included an increased use of old-school techniques that require attackers to develop more manual and time-consuming approaches as they attempt to bypass advanced detection and mitigation solutions.
Staying on the malware theme, another one of the top 2014 trends was malware researcher evasion, with attackers using a range of techniques to avoid detection by malware researchers. This way, the researchers cannot develop countermeasures for new vulnerabilities being exploited.
Other predictions for 2014 included the growing importance of the mobile channel for attackers. While one-time passwords delivered over SMS are increasingly being used as an authentication method for mobile users, SMS-forwarding malware is now widely used as well, making such an authentication method all but useless. Attackers were also looking to take over victims’ devices using remote access technologies in order to bypass security controls such as device fingerprinting. This makes subsequent transactions appear legitimate.
What’s in Store for 2015?
According to Etay Maor, a senior fraud prevention strategist at IBM Trusteer, while most of the predictions made for 2014 were nearly spot-on, they were not exactly daring.
On Jan. 14, Maor will present IBM’s vision for 2015 trends in a webinar titled “2015 Cybercrime Trends — Things Are Going to Get Interesting.” First, he will look at the major security stories from 2014, how they are in line with IBM’s predictions and how they demonstrate attackers’ increasing ingenuity. He will then take a look at what the events seen in 2014 portend and what will likely be seen in 2015.
According to Maor, given today’s complex and sophisticated threat landscape — with multiple external forces affecting crime and fraud — security teams and chief information security officers can no longer limit themselves to looking only at what is happening within their own backyards. While new, specific attack methods, techniques and protocols will be used against PC and mobile platforms, security practitioners need to open up and think more strategically. They shouldn’t just limit themselves to focusing on how specific tools such as firewalls and intrusion prevention systems are tuned to filter threats.
Rather, security teams need to better understand threats by taking into account the context of attacks and how new technology developments will affect security. Among the predictions he will make is how geopolitical forces will play an increasingly important role in attackers’ motivations and force security practitioners to think much more strategically about how attacks are perpetrated. Newer technology delivery mechanisms, including mobile platforms, the Internet of Things and mobile payment mechanisms, will continue to rise in importance throughout 2015 as well. They will require organizations to ensure their security controls reach out to the extended enterprise. Endpoints are the new perimeter, and efforts must be focused here.
Finally, Maor will discuss how criminals are increasingly operating behind a veil of anonymity. Recent revelations regarding the extent of government surveillance of electronic communications and law enforcement crawling anonymous networks will cause criminals to look for more ways to be covert. This is an extension of the 2014 trends pointing toward the use of more advanced techniques to evade detection.
Last year saw some major security breaches that drove home just how damaging security incidents can be. In 2015, there will not only be more online fraud and malware, but it will also be more complex, more sophisticated and ever stealthier. Organizations need to think more strategically about their security defenses.
Senior Analyst, Bloor Research