2020 global threat landscape – Deep and Dark Web – analysis
By Anna Chung, Principal Researcher at Unit 42, Palo Alto Networks
Within the Deep and Dark Web, ransomware attacks are expected to continue in 2020. This year, my team and I came across an increasing number of threat actors selling ransomware, ransomware-as-a-service, and ransomware tutorials. Underground products and services like these enable malicious threat actors who are not technically savvy to enter the game.
Threat actors will continue exploring new methods to monetise compromised IoT devices, beyond IoT botnets and IoT-based VPNs, due to the uncapped profit potential. IoT devices remain a popular target among hackers, mostly because IoT security awareness and education is not as prevalent as it should be, and the number of IoT devices will continue to grow at an exponential rate as 5G develops and becomes mainstream.
We’re continuing to see instances where the failure to configure containers properly is leading to the loss of sensitive information and as a result, default configurations are posing significant security risks to organisations.
Misconfigurations, such as using default container names and leaving default service ports exposed to the public, leave organisations vulnerable to targeted reconnaissance. The implications can vary greatly, as we’ve already seen simple misconfigurations within cloud services lead to severe impacts on organisations.
When a company is beginning to address or prepare for these types of attacks, it’s important they never expose a Docker daemon to the internet without a proper authentication mechanism. Note that by default the Docker Engine (CE) is not exposed to the internet. Key recommendations include:
- Incorporate Unix sockets – Using these allow you to communicate with Docker daemon locally or use SSH to connect to a remote docker daemon.
- Leverage the firewall – Whitelist incoming traffic to a small sets of sources against firewall rules to provide an extra added layer of security.
- Caution against the unknown – Never pull Docker images from unknown registries or unknown user namespaces.
- Employ always-on searches – Frequently check for any unknown containers or images in your system.
- Identify malicious containers and prevent cryptojacking activities – When a new vulnerability in the internal container environments is revealed, it is critical to patch it up quickly as attackers will be on a race to exploit any systems they can access. Having tools that actively scan your environment for known vulnerabilities and provide alerts on dangerous configurations can help to maintain the security of all container components consistently and over time.
- Integrate security into DevOps workflows – This will allow for your security teams to scale their efforts in an automated way. Developers have a lot of power in the cloud, and your security needs to be able to keep up.
- Maintain runtime protection – As your organisation’s cloud footprint grows, being able to automatically model and whitelist application behavior becomes a powerful tool for securing cloud workloads against attacks and compromises.
Many data breaches today are driven by financially motivated cyber threat actors, and this type of attack prefers targets that have rich personal identifiable information (PII), including financial institutes, hospitals, hotels, airlines, and almost all e-commerce sites.
From an underground economic perspective, this is data that can be quickly monetised and resold multiple times. Different data has different buyers, but overall speaking in regard to PII, payment information is preferred due to the card-not-present type of fraud. Therefore, sites that process and collect individual payment information typically are more attractive to attackers in this instance.
While we have seen a certain amount of cyber-offensive behavior using AI, such as identity impersonation by using deep faking, we are still in the very early stages of seeing the full potential of AI-enabled attacks. On the flipside, we are seeing an increase in cyber defenders using AI to detect and mitigate threats.
Businesses and CSOs should prioritise security awareness training for all employees, going beyond just explaining how cyber-attacks occur and how they may impact an organisation as a whole, but educating their workforce at individual level on proactive steps they can take to identify and prevent security attacks. Simple exercises like issuing phishing email detection tests or software update reminders, help raise security awareness among employees to make for more secure daily operations and help reduce the success rate of attacks.
One of the major security challenges facing today’s digital age is the fact that there are too many devices and security policies in place, making it difficult to monitor and maintain. Prioritising highly-automated security solutions that cover multiple environments will increase visibility and control over the entire operational environment by simplifying the management process, reducing costs and freeing up more time to identify the existing pain points and future roadmaps.