2014 was a year in which information security vaulted into the public eye, driven by a surge in both the number and the visibility of data breaches and compromises. This new attention will bring greater scrutiny in 2015, just as the nature and severity of threats continue to evolve for the worse.
Cyberextortion will be the most rapidly growing new threat family
Beginning with the rapid rise of CryptoLocker in late 2013, the threat from ransomware expanded sharply in 2014, not only adding other “extortion malware” families but also spreading to mobile platforms such as Android[1]. Paying the ransom remains arguably a popular option despite its risks, and the estimated $3 million in ransoms generated by CryptoLocker alone has shown cybercriminals the revenue potential of digital extortion schemes. These attacks are difficult to defend against and costly to recover from, and they lead to business disruption that extends far beyond the loss of the encrypted data.
In 2015, Proofpoint expects these cyberextortion schemes to increase in scope, sophistication, and – following the example of the Destover malware – destructiveness. Attackers will become smarter and more targeted in their efforts to extract ransoms from the systems and organizations they have compromised by varying their ransoms based on the value of the system and data to the organization.
Not only will organizations have to adapt their backup and recovery programs to account for this threat, but they will also need to become even more effective at detecting and rapidly responding to potential infections in their environment as soon as they occur.
Cyberattackers will target a wider range of data and assets
2014 saw multiple instances where state-sponsored attackers seemed to break out of their traditional molds by going after new targets and new types of data. The most notable examples of this were the cases of intellectual property theft and industrial espionage attacks traced to Russian state- and quasi-state actors. In addition, cybercriminals are more aggressive about monetizing the intellectual property and other information found on infected systems, rather than simply going for a quick profit with credit card numbers and PII or PHI.
In 2015, profit motives combined with deteriorating global relations over Ukraine and Western sanctions will drive a continued expansion of cyberespionage by Russian and allied cybercriminal operations.
Organizations that today are focused on protecting the traditional targets of cybercriminals – credit card data, PII, PHI, bank accounts, etc. – will have to think about the broader business impact of potential compromises, which will target intellectual property and business secrets.
Email-borne threats will become more social and lead to more data breaches
Phishing has for years been the favored vector for cybercriminals and state-sponsored actors[2]. Despite extensive user education efforts and the proliferation of automated defenses, phishing remains effective because there are few protection technologies that can overcome a single user armed with a mouse and a willingness to click. Proofpoint research has shown that 1 in 10 recipients in an organization click on a malicious link, and attackers are adept at finding new ways to exploit “the human factor.”
In 2015, cybercriminals will continue to ‘trickle down’ the social engineering techniques employed in highly-targeted spear-phishing emails – such as credible emails and malicious Office macros – to broad-based campaigns aimed at organizations in a particular vertical or region.
As a result, organizations that continue to rely on traditional hygiene-focused email solutions will suffer more, and more costly, data breaches. Organizations must instead move more aggressively to adopt email security solutions that include tightly integrated advanced threat detection and threat response capabilities.
Social media will be fertile ground for cybercriminals
Social media continue to expand as a marketing, sales, recruiting and customer service tool. Social media channels are growing more rapidly than businesses’ ability to manage and monitor them: Proofpoint research found that while the average Fortune 100 company has 320 authorized social media accounts, 40 percent of the Facebook accounts claiming to represent a Fortune 100 brand are unauthorized, and 20 percent of the Twitter accounts posing as a Fortune 100 brand are unauthorized.[3] The expansion of social media channels combined with the lack of established controls is driving a rapid growth in social media threats. Already in 2014, Proofpoint found a 650 percent increase in social media spam compared to 2013, and 99 percent of malicious URLs in inappropriate content led to malware installation or credential phishing sites.
In 2015, Proofpoint expects inappropriate or malicious social media content to grow 400 percent as attackers target enterprise social media accounts to perpetrate confidence schemes, distribute malware, and steal customer data. For example, as of July 2014, enterprise social media accounts experienced more than 34 malicious posts per month; we expect that number to increase to more than 170 messages per month.
In order to manage this new challenge and mitigate the risk to their brand and their social media programs, organizations will need to extend their existing controls, response operations, and reporting to include social media channels.
Malvertising will continue to increase as a threat
Even as phishing remains the number one attack vector, cybercriminals will continue to shift more focus to malvertising as a vector for infecting clients and spreading malware. Offering high opportunity at low cost, the growth of malvertising is facilitated by the distributed nature of advertising networks and represents a structural problem rather than one of policing. A single malvertising incident analyzed by Proofpoint in 2014 revealed an infected ad network that exposed as many as 3 million users a day to potential infection.
In 2015, attackers will become more refined in their ability to infect sites, target users and deliver payloads while evading detection by most common scanning and gateway tools. At the same time, businesses beyond just the owners of infected sites, such as advertising firms and the companies whose ad creative is stolen, will start to wake up to the risks that malvertising – which often employs stolen ad creative – poses to their brands.
Organizations with stolen ad creative will put increased pressure on site owners and ad network operators to proactively detect malware in their ad streams. At the same time, protecting end users from URLs – even in legitimate email messages – linking to malvertising-infected sites will become an essential defense measure for all organizations.
Increased volume of alerts will make automated incident response a priority
While many organizations have recognized the danger posed by advanced threats and have purchased and deployed solutions designed to detect them, few have succeeded in managing the increasing volume of alerts that these and other security solutions generate. Instead, critical signs of a compromise become lost in the noise of thousands of alerts: in the case of the Neiman Marcus breach, for example, the attackers generated 60,000 alerts over a three-month period, a seemingly large number until one considers that these were only 1 percent of the company’s daily endpoint log events. Add to this the volume of alerts from network, server, and other security solutions, and the fact that 83 percent of enterprises lack the skills and resources to protect their IT assets[4], and organizations face a perfect storm that leaves them unable to respond to everything they are detecting today, much less look for things that their sensors have not detected (i.e., undetected breaches).
In 2015, Proofpoint expects that there will be widespread adoption of automated incident response solutions by organizations spanning a range of industries and sizes. Ignoring even 1 percent of potential incidents is no longer acceptable, especially when incidents have an impact so quickly, so organizations will automate their incident response in order to manage the overwhelming volume of alerts.
Adoption of automated incident response will have a significant impact on the way that information security is practiced, shifting focus from tools to processes, and will result in more rapid identification and containment of data breaches.
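The alert-volume problem described above is, at its core, a triage problem: thousands of raw events have to be collapsed into a short list of hosts that a responder should look at first. The following is an added illustration of that first automation step, written for this page; it is not Proofpoint code or any product's logic. It assumes a simple alert record (timestamp, host, sensor source, detection type, severity), a constructed sample set in which one host is hit 1,000 times by the same low-severity signature while another is quietly flagged by three different sensors, and an assumed scoring rule that rewards corroboration across independent sensors over sheer volume.

```python
"""Automated alert triage: collapse raw alerts into a prioritised host queue.

Added example for this page, not Proofpoint's own code. The alert record,
the sample data and the scoring weights are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    source: str    # sensor that raised it: endpoint, email_gw, proxy, ...
    kind: str      # detection type as labelled by that sensor
    severity: int  # 1 (low) .. 4 (critical), the sensor's own rating


@dataclass
class HostCase:
    host: str
    raw_alerts: int = 0
    max_severity: int = 0
    sources: set = field(default_factory=set)
    kinds: set = field(default_factory=set)
    first_seen: datetime = None
    last_seen: datetime = None

    @property
    def score(self):
        # Assumed weighting: the host's worst single alert, plus 2 for every
        # additional independent sensor that also fired (corroboration), plus 1
        # for each additional distinct detection type. Volume is deliberately
        # not a factor: 1,000 copies of one signature should not outrank one
        # host that three different sensors agree on.
        return (self.max_severity
                + 2 * (len(self.sources) - 1)
                + 1 * (len(self.kinds) - 1))


def aggregate(alerts):
    """Collapse repeats of the same (host, source, kind) into one entry with a count."""
    groups = defaultdict(lambda: {"count": 0, "max_severity": 0, "first": None, "last": None})
    for a in sorted(alerts, key=lambda a: a.ts):
        g = groups[(a.host, a.source, a.kind)]
        g["count"] += 1
        g["max_severity"] = max(g["max_severity"], a.severity)
        g["first"] = g["first"] or a.ts
        g["last"] = a.ts
    return groups


def triage(alerts):
    """Return one HostCase per host, highest score first (earliest first on ties)."""
    cases = {}
    for (host, source, kind), g in aggregate(alerts).items():
        c = cases.setdefault(host, HostCase(host))
        c.raw_alerts += g["count"]
        c.max_severity = max(c.max_severity, g["max_severity"])
        c.sources.add(source)
        c.kinds.add(kind)
        c.first_seen = min(filter(None, [c.first_seen, g["first"]]))
        c.last_seen = max(filter(None, [c.last_seen, g["last"]]))
    return sorted(cases.values(), key=lambda c: (-c.score, c.first_seen))


def sample_alerts():
    """Constructed sample: 1,000 noisy repeats on ws-017, three corroborating hits on ws-042."""
    base = datetime(2014, 11, 1, 9, 0, 0)
    alerts = [Alert(base + timedelta(seconds=i), "ws-017", "endpoint", "av.signature.generic", 1)
              for i in range(1000)]
    alerts += [
        Alert(base + timedelta(minutes=5), "ws-042", "email_gw", "attachment.macro", 2),
        Alert(base + timedelta(minutes=7), "ws-042", "proxy", "url.reputation", 2),
        Alert(base + timedelta(minutes=9), "ws-042", "endpoint", "process.anomaly", 3),
        Alert(base + timedelta(minutes=20), "ws-099", "proxy", "url.reputation", 2),
    ]
    return alerts


if __name__ == "__main__":
    raw = sample_alerts()
    queue = triage(raw)
    print(f"{len(raw)} raw alerts -> {len(queue)} host cases")
    for c in queue:
        print(f"{c.host}: score={c.score} raw={c.raw_alerts} "
              f"sensors={sorted(c.sources)} kinds={sorted(c.kinds)}")
```

Run as a script, it reduces 1,004 raw alerts to three host cases and puts ws-042 (three sensors, three detection types) at the top of the queue, with the host that produced 1,000 identical low-severity alerts at the bottom. The point of the design is that a responder reading the queue top-down sees the corroborated case first, which is the opposite of what a raw alert count would show.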
The breaches of 2014 will breed new regulations in 2015
2014 has been widely recognized as the Year of the Data Breach. It was an annus horribilis in which a steady parade of disclosures exposed more than 1 billion user records, thorough compromises of critical infrastructure, and increasingly serious losses due to business disruption. Rather than inure the public to these reports, however, the breaches of 2014 are changing the climate among the public and political leaders and creating momentum to assign consequences to organizations that fail to adequately protect public and private data.
The shock waves of 2014 will continue to ripple through 2015 as lawmakers take action to draft and pass national laws not only for data breach reporting, but also mandating privacy and data protection standards and controls, with legal and financial repercussions for organizations that fail to meet them. Moreover, we expect this trend to play out globally, resulting in a patchwork of international regulatory regimes by the end of 2015 that businesses will spend 2016 deciphering.
The result for organizations will be a need to move beyond spot solutions and adopt a combination of technologies for detecting advanced threats and the presence of intruders in their environments, and solutions and processes for rapidly responding to incidents in order to mitigate both the damage and the legal and financial consequences of breaches.
Social media will fall subject to aggressive regulation
As noted above, the rapid growth of social media as a platform for communication has also made it a target for cybercriminals. The growth in social media communications volume is increasing social media compliance risk. In 2014, an average of 48 messages containing regulated data were posted to active enterprise social media accounts per month, a number that will increase in 2015 to nearly 200 messages per month. Put another way, we expect enterprise social media messages containing regulated data (patient healthcare information, social security numbers, etc.) to grow by 300 percent in 2015.
2014 saw the introduction of a plethora of new regulations and industry guidance from FINRA, FFIEC, FDA, SEC, and the FCA in the UK. In 2015, regulators will continue their heightened focus on social media in emphasizing that it is subject to the same set of regulations that govern the use of email and other established forms of communication, and are likely to increase both the size and frequency of regulatory inquiry and sanction.
The result for organizations will be a need to quickly select and implement security and compliance solutions that are purpose-built for social media, but that can be easily integrated within the management and reporting framework of their existing information security solutions. Currently operating outside the boundary of many existing regulations and practices and facing new regulations, organizations and IT security leaders will be forced to reach across internal silos to create a comprehensive security strategy and plan that addresses the threats to traditional and new communication channels.
[1] F-Secure H1 2014 Threat Report, p. 8.
[2] Verizon 2014 Data Breach Investigations Report, p. 40.
[3] Proofpoint, Inc., Security Threats to the Social Infrastructure of the Fortune 100, p. 2.
[4] ISACA 2014 APT Survey.