What’s Next? 2020 Cybersecurity Predictions
The present caught up to the future in November 2019. The film "Blade Runner" takes place in 2019 Los Angeles, and watching the film says a lot about people predicting the future. Sure, they get some things right. AI assistants and smart homes? Hello, Alexa and Google. Video conference calls? WebEx all day long. But where are our flying cars and human-like robots? (Do autonomous vehicles count?) And why wasn't Atari neon everywhere in 2019? Turns out, people aren’t all that good at predictions.
Let’s look back to look forward.
In this article, we’ll consider trends seen in 2019 and forecast where these may take corporate security in 2020. Some are very predictable. For example, Veracode’s State of Security report’s retrospective on the past decade shows that we are surprisingly predictable in introducing vulnerabilities into software. Similarly, breached-by-mistake has been a common theme over the last few years. Some trends are not as predictable. For example, with DevOps, we can now consistently make those mistakes faster. And with the growing IoT (Internet of Things) market, we can now make those same mistakes in new places on new smart devices. We can count on IT to continue to be vulnerable.
Money Still Top Motivating Factor for Cyber Crime
The primary adversary for corporate cybersecurity continues to be crime. And no wonder. It’s a lucrative market. Take business email compromises (BEC), which some studies show net on average $130,000. Compare that to the poor bank robbers who only bring in around $3,000 per heist, and we can see why criminals are turning to technology attacks. The size of the problem is anyone’s guess, due to underreporting, international differences and more. The most recent information put out by the FBI reported $2.7 billion in annual losses as one data point we can look to. With those kinds of stakes, we can count on criminals to continue exploiting vulnerable IT.
With those two trends as our guiding lights, let’s peer ahead into 2020.
Future Cyber Crime in 2020
Blending of Techniques
The past was about single-tactic crimes. Attackers phished for passwords. Disgruntled insider threats damaged equipment. Support scammers called for credit card information. But people began to get street smart. For example, the 2019 Trusted Access Report found that fewer people are opening phishing emails, and fewer still are providing credentials. Microsoft has reported seeing a similar drop in the success of tech support scams. Which means criminals have to get better.
Expect to see more crimes that blend techniques. For example, criminals may obtain legitimate support information from companies using insider threats, then craft more accurate pretexts and leverage a combination of email and telephone communication. The current level of security awareness is sufficient to thwart a basic support scam. But if the scammers call with your actual support contract number and support dates, would you be able to distinguish them from a legitimate support request? Likely not. And inside employees have been known to resell this information to the scammers. Thus greater security awareness will drive criminals to greater sophistication in 2020.
Blending of Technologies
Another example is Emotet. It first appeared in 2014 as a banking trojan. This year saw Emotet developed into a modular platform which other criminals can build upon. So attackers repurpose and specialize in order to maximize their existing technology, similar to the principles of open source software. Expect malware to follow the same trajectory that software has, towards microservices and software-as-a-service.
Criminals began with larger organizations for the obvious reason: the larger score. In recent years, with ransomware and targets of opportunity, small organizations became prime targets. But both the very small and the very large have been shoring up defenses the past couple of years. The Security Bottom Line report found that “organizations in the middle with 1,000 to 9,999 employees are struggling the most to adequately secure their environments.”
While the Verizon DBIR 2019 data does not indicate medium-sized organizations are breached more than others, there are clear differences in tactics. These medium-sized organizations see higher rates of hacking than organizations of other sizes (73% versus 49%) and of phishing (58% versus 17%), suggesting lower IT security and overall security awareness. Expect more criminal activity as the attackers route around the more strongly defended organizations.
Future Defenses in 2020
The digital transformation of most organizations is well underway. Recent surveys show over 90% of organizations using public cloud infrastructure and over 50% using containerization technology. And while previous years allowed security leadership to avoid placing DevOps and cloud teams in scope, this will all but come to an end in 2020 as sensitive workloads move to these platforms. Expect increased use of the configuration automation found in DevOps, such as Ansible, for prevention. For detection and response, expect more organizations to implement SOAR (security orchestration, automation and response) to improve reaction times with limited staff.
Another aspect of cloud computing has been the adoption of cloud apps and software-as-a-service. The primary control security teams have over these apps is identity and access control. Duo’s 2019 Trusted Access Report found that, “cloud integrations are up 56 percent year over year based on the number of customers authenticating to cloud apps, and up a whopping 189 percent year over year in terms of the number of customers using each cloud app.” Expect this trend to continue as organizations turn to IAM (identity and access management) as a front-line defense for the cloud apps they rely upon.
There are two technologies which will have a significant impact on defense in 2020: passwordless authentication and UEBA.
Passwordless authentication. This year saw the standardization of the WebAuthn protocol and the tipping point for adoption of operating systems supporting passwordless, from desktop computer to phone to tablet. Considering the threat posed by stolen credentials, and the win-win of increased security with increased ease-of-use, passwordless will be a big theme in many organizations’ security roadmaps in 2020.
UEBA (user and entity behavior analytics). The UEBA product market has existed for some time. But challenges remain in trying to apply analytical models to an unpredictable workforce. 2020 will see UEBA shift from being a dedicated product to being a product feature. This move enables the analytics to be placed around specific activities rather than the generalized approach taken today. For example, placing UEBA on application workloads or on authentication workflows. With such a tight scope, there will be fewer false positives. Expect purpose-built UEBA to be more common and become a cornerstone of a zero-trust architecture.
Hacktivism has been on the decline since its peak in 2015. There are a number of factors behind this decline, including hacktivist tactics like DDoS (distributed denial-of-service) becoming less effective, hacktivist groups like Anonymous becoming less cohesive, and increases in law enforcement against hacktivists. 2019 saw the lowest number of hacktivist activities in the past five years.
Yet in 2019, the world witnessed a number of protests across the globe. Many are ongoing at the time of this article. We are in a period of worldwide unrest that is likely to continue for the first half of 2020. This creates fertile soil for a variety of new tactics, both on the ground and over the internet. We can expect hacktivism to return with a new set of tools and targets reflective of these groups.
My two favorite things in Blade Runner are the payphone and the Polaroid camera. Here we have futuristic video conferencing. But the hero places the call from a payphone. These are so rare these days that people photograph them and share telephone booths on social media. This gets me to the photos, a key plot point in Blade Runner, which are physical media from what appears to be a high-tech Polaroid camera. They have space travel but no Instagram. It’s fantastic. And it is a reminder that predictions are a tricky business.
In this article, we’ve reviewed trend lines and forecasted where security challenges may take us. 2020 will sift the video conferences from the payphones.