January 12, 2015 By Fran Howarth 3 min read

Top 2014 trends in security focused primarily on what is still the greatest threat to organizations — malware — and attackers’ efforts to stay one step ahead of even the most advanced prevention and detection techniques. Another increasingly common theme this year was defense evasion.

Attackers are increasingly able to quickly develop new malware variants to defeat existing countermeasures by cashing in on source code leaks that can make it far easier to exploit vulnerabilities in affected applications. This had already been seen, with the source code breach at Adobe Systems touted as the worst such heist in history.

Top 2014 Trends

Other malware trends for 2014 included an increased use of old-school techniques that require attackers to develop more manual and time-consuming approaches as they attempt to bypass advanced detection and mitigation solutions.

Staying on the malware theme, another one of the top 2014 trends was malware researcher evasion, with attackers using a range of techniques to avoid detection by malware researchers. This way, the researchers cannot develop countermeasures for new vulnerabilities being exploited.

Other predictions for 2014 included the growing importance of the mobile channel for attackers. While one-time passwords delivered over SMS are increasingly being used as an authentication method for mobile users, SMS-forwarding malware is now being widely used, as well, making such an authentication method all but useless. Attackers were also looking to take over victims’ devices using remote access technologies in order to bypass security controls such as device fingerprinting. This makes subsequent transactions appear legitimate.

What’s in Store for 2015?

According to Etay Maor, a senior fraud prevention strategist at IBM Trusteer, while most of the predictions made for 2014 were nearly spot-on, they were not exactly daring.

On Jan. 14, Maor will present IBM’s vision for 2015 trends in a webinar titled “2015 Cybercrime Trends — Things Are Going to Get Interesting.” First, he will look at the major security stories from 2014, how they are in line with IBM’s predictions and how they demonstrate attackers’ increasing ingenuity. He will then take a look at what the events seen in 2014 portend and what will likely be seen in 2015.

According to Maor, given today’s complex and sophisticated threat landscape — with multiple external forces affecting crime and fraud — security teams and chief information security officers can no longer limit themselves to looking only at what is happening within their own backyards. While new, specific attack methods, techniques and protocols will be used against PC and mobile platforms, security practitioners need to open up and think more strategically. They shouldn’t just limit themselves to focusing on how specific tools such as firewalls and intrusion prevention systems are tuned to filter threats.

Rather, security teams need to better understand threats by taking into account the context of attacks and how new technology developments will affect security. Among the predictions he will make is how geopolitical forces will play an increasingly important role in attackers’ motivations and force security practitioners to think much more strategically about how attacks are perpetrated. Newer technology delivery mechanisms, including mobile platforms, the Internet of Things and mobile payment mechanisms, will continue to rise in importance throughout 2015 as well. They will require organizations to ensure their security controls reach out to the extended enterprise. Endpoints are the new perimeter, and efforts must be focused here.

Finally, Maor will discuss how criminals are increasingly operating behind a veil of anonymity. Recent revelations regarding the extent of government surveillance of electronic communications and law enforcement crawling anonymous networks will cause criminals to look for more ways to be covert. This is an extension of the 2014 trends pointing toward the use of more advanced techniques to evade detection.

Last year saw some major security breaches that drove home just how damaging security incidents can be. In 2015, there will not only be more online fraud and malware, but it will be more complex, more sophisticated and ever stealthier. Organizations need to think more strategically about their security defenses.

More from Intelligence & Analytics

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today