
Verisign iDefense 2015 Cyber-Threats and Trends

The mission of defending an enterprise or organization today is a complex and challenging task. Our personal and professional attack surfaces have never been greater and they are only expected to grow as organizations and individuals continue to increase their reliance on the connected digital world for a variety of tasks. Security practitioners must protect not only their enterprise assets but also guard against threats to their supply chain and business ecosystem. This, coupled with the fact that the cyber-threat landscape continues to evolve in terms of actors, tactics and motivations, has created a perfect storm for organizations that must now move toward an intelligence-driven, holistic security approach in order to keep pace.

Throughout 2014, Verisign iDefense Security Intelligence Services (iDefense) witnessed cyber-criminals increasing their focus on attacking mobile devices and point-of-sale systems, and global events continuing to drive hacktivist activity and other operations in frequency and severity. In addition, end-of-life and legacy operating systems continued to plague organizations’ office automation and industrial control system networks, including ATMs. This fundamental shift in the tactics, techniques and procedures (TTPs) used for cyber-attacks, as well as new tools, delivered a powerful combination of blended attacks that includes distributed denial of service (DDoS) attacks, malicious code obfuscation and detection evasion. In 2015, the security community’s continued vigilance and agility toward these changing cyber-attacks must be strengthened by partnering and sharing real-time, actionable threat intelligence when detected.

Below is an overview of the key cyber security trends we expect to see in 2015. The majority of this year’s threats and trends reflect research on iDefense’s core focus areas of cyber-crime, cyber espionage and hacktivism. These Critical Intelligence Requirements (CIRs) cover public and Zero-Day vulnerabilities, threat tactics, DDoS attacks, threat actors, key infrastructure cyber security threats, strategic intent, malware tools, threat and vulnerability management, mitigations and countermeasures. By making this information available, we hope to inform cyber security and business operations teams of the critical cyber threats and trends affecting their enterprises, allowing them to anticipate and more effectively plan for forthcoming key cyber security issues.

2015 Cyber Threats and Trends:

  1. Global events continue to drive an increase in the frequency and severity of hacktivist operations: 2014 saw an increase in the convergence of physical protests with digital ones. DDoS attacks were and still are the main method of attack among those in the hacktivist community, with the most common tool being the Low Orbit Ion Cannon (LOIC), or personally altered versions of the tool for each operation. Social engineering continued to play an increasingly large part in cyber-attacks, as experienced hacker groups focused their efforts on capturing credentials to compromise social media platforms and Domain Name System (DNS) records for major news, government and industry entities. As witnessed through several events globally in 2014, including protests focused on the Ferguson, MO police shooting, outcry over spending for the Brazilian World Cup, the Syrian civil war and others, hacktivist groups are taking up cyber arms against those who they perceive to be responsible, complicit, or the most visible billboards for their cause. We expect 2015 to yield even more instances as these types of events gain significant public attention and DDoS-as-a-service grows in availability and popularity. Access to real-time actionable threat intelligence and the ability to act on it will be key for protecting against these threats.
  2. Windows XP is still widely used and increasingly vulnerable to compromise: iDefense reported that the risk for Windows XP users would really start after the second Tuesday in May 2014, when Microsoft released bulletins and updates for the supported versions of Windows. As of Q1 2015, Windows XP is installed on an estimated 400 million computers globally. The continued use of this outdated operating system and others effectively invites malware developers and other cyber-criminals to exploit these networks. Worse still, Windows XP is used in more than 420,000 ATMs in the US, with half of those ATMs owned by the financial sector. This presents a significant upgrade challenge because of their custom software. Organizations need to allow sufficient time to upgrade legacy systems, allowing as many as 200 days for servers and 300 days for users and major application changes to be implemented.
  3. State sponsored hacktivist activity ushers in a new era of the blended no-holds-barred cyber-attack: Despite similarities to previous attacks aimed at achieving a political goal via network based DDoS or DoS through destructive malcode, in late 2014 a fundamental shift in the three most common forms of cyber activity (hacktivism, cyber-crime and cyber-espionage) took place and we expect to see them become more pronounced in 2015. This type of attack combines the most destructive elements of each: complete data exfiltration and disclosure, global DoS (via destructive malcode), and public defacement with personally identifiable information (PII) and credential dumps. This attack type is made worse due to the custom malcode leveraged, technical acumen required and extralegal status of the responsible parties. iDefense has detected these types of attacks early, providing effective countermeasures to affected parties and iDefense customers. Threat mitigation requires an increased focus on actor intent for early identification, and implementation of proper security controls and recovery methods to help ensure survivability when faced with such a threat.
  4. An increasing shift to poorly detected downloaders in the delivery stage of cyber-crime malware: In 2014, iDefense noticed a major change in how cyber-criminals deploy malware to victims. The majority of banking Trojans are now being deployed via downloaders, which are small in size and use custom obfuscation to evade anti-virus detection. Once executed on the victim machine, such downloaders establish connections to compromised websites and download malware payloads. This new methodology (as opposed to delivering the entire payload at once) provides the adversary with increased delivery and command and control flexibility, malcode reuse and more granular targeting controls. iDefense predicts there will be more use of downloader modules in 2015 rather than the actual malcode in the malicious attachments of phishing e-mails. Mitigations will require network and host-based detection along with an intelligence reporting and information sharing capability.
  5. Public media’s coverage on major cyber-espionage groups purportedly based in the People’s Republic of China (PRC), Russia, and the Middle East will continue to increase: iDefense believes that the public media’s coverage of the security community’s research focused on cyber-espionage groups will persist throughout 2015. While this did serve to raise awareness surrounding this threat throughout 2014, an unfortunate side effect of this “rush to publish” approach was that multiple espionage campaigns were incorrectly attributed, potentially to the detriment of targeted organizations because scarce internal security resources may have been improperly allocated. This highlights the need for capable analysts with the ability to assess actual threats via sound tradecraft in order to avoid poor attribution or incident correlations.
  6. DDoS attacks continue to increase in frequency, complexity and volume: During the course of 2014, Verisign DDoS Protection Services observed a steady increase in the size of DDoS attacks, with attacks averaging well over six gigabits per second (Gbps). The largest attack that Verisign mitigated in 2014 peaked at around 300 Gbps or 90 million packets per second (for more detail read the Verisign Q2 DDoS Trends Report). In 2015, iDefense expects these trends to continue as attack tools and mitigation resources continue their arms race. Amplification attacks will remain popular with lower-skilled attackers, and higher-skilled attackers will evolve their TTPs in new directions, such as DDoS as a diversion while they perpetrate other, more damaging attacks. This will necessitate a move to hybrid DDoS protection solutions in 2015 and beyond to enable organizations to protect their Web servers, DNS servers, application servers, and most importantly their customers and reputation.
  7. Critical infrastructure is increasingly targeted by hacktivists and nation states: iDefense fully expects an increased focus on critical infrastructure protection (CIP) initiatives in 2015 as adversaries continue to find weaknesses in industrial control systems (ICS) globally. The increased development and growth of critical infrastructure engineering, consumer services automation and commercial cyber-physical systems (CPSs) will bring about device-monitoring challenges (such as non-deterministic behavior), new vulnerabilities and new threat vectors. Attackers have access to tools used to search the Internet and locate sites on which ICS hardware runs openly (without encryption or authentication) on the Internet. Organizations will need to more thoroughly analyze their network device and service exposure to the Internet and either limit the exposure, or bolster the security and monitoring of the exposed devices and services.
  8. Increased targeting of open-source software (OSS) vulnerabilities: The software landscape is saturated with many OSS products. Some of these products, or libraries, such as OpenSSL, are also integrated into other pieces of software, which creates widespread exposure when exploits for them are developed. Though many OSS projects consist of many files and thousands of lines of code, a motivated reverse engineer can simply download a copy of the program and review its source code to identify flaws in the logic. Over the course of 2014, iDefense provided customers with up-to-the-second intelligence on critical OSS vulnerabilities including “Heartbleed” and “Shellshock,” which wreaked havoc on OpenSSL and on the Bash (Bourne Again SHell) command-line interpreter, respectively. Another example is Trojanized apps targeting Android devices. iDefense expects this trend to continue in 2015 and will focus the efforts of the iDefense Vulnerability Discovery Lab and Vulnerability Contributor Program on providing proactive warning of OSS vulnerabilities.
  9. Bug bounty programs and the crowdsourcing of security research are here to stay: In 2014 the security industry saw the widespread adoption of bug bounty programs by multiple companies, including some not usually associated with vulnerability research. This increase in adoption of bug bounty programs is a testament to their effectiveness in meeting two goals: (1) getting security researchers to privately report vulnerabilities within software; and (2) ensuring that researchers are compensated for their time and effort, and hence are motivated to find vulnerabilities. iDefense believes that the bug bounty programs that software vendors and other companies offer are firmly here to stay and expects to see additional companies follow suit and announce their own bug bounty programs in 2015. iDefense has maintained and expanded its Vulnerability Contributor Program since its inception in 2002. The iDefense program currently accepts submissions for all major closed and open source software products. The other component of vulnerability management is for organizations to take a minimalist approach to software installed on devices: the more software installed, the more potential vulnerabilities and the more overhead incurred from patching third-party applications.

The mission of defending your company is a continuously evolving collection of threats, technology and business objectives, driving the requirement for a multi-layered intelligence-driven security approach. All stakeholders within a company’s supply and business ecosystem must be charged with the responsibility to serve as data custodians, as a data breach can easily occur based on any of these trusted relationships of shared access. In 2015, both governments and private industry will need to continue to bolster physical and cyber security defenses, including their staffing, policy, operation centers and intelligence services to protect interests and assets domestically and abroad.

To learn more about how Verisign iDefense Security Intelligence Services can help with this, visit www.VerisignInc.com/iDefense.

By Verisign, A Global Provider of Critical Internet Infrastructure and Domain Name Registry Services

Verisign, a global provider of domain name registry services and internet infrastructure, enables internet navigation for many of the world’s most recognized domain names. Verisign enables the security, stability, and resiliency of key internet infrastructure and services, including providing root zone maintainer services, operating two of the 13 global internet root servers, and providing registration services and authoritative resolution for the .com and .net top-level domains, which support the majority of global e-commerce. To learn more about what it means to be Powered by Verisign, please visit Verisign.com.
