Illusive Blog March 14, 2018

What to Expect When You Are Expecting Cyberthreat in 2018

By Ofer Israeli

As we survey the threat landscape, two things are certain—targeted attacks and advanced persistent threats (APTs) are here to stay, and organizations face increased risk from advanced attacks compared to the past two years. Several existing trends will continue, and we’re seeing attackers refine their tools in ways that will drive new trends in the coming months.

Attacks on Wire Transfer and Payment Networks Will Increase

Targeted attacks on banking wire transfer systems dominated news in 2016 and 2017:

  • The issue first grabbed headlines with an attack on SWIFT systems that resulted in an $81 million heist against Bank of Bangladesh.
  • In 2016, attackers hit banks in Bangladesh, Vietnam, Ecuador, Turkey and Russia, and a dozen other banks around the world.
  • Wire transfer attacks hit Far Eastern International Bank in Taiwan, Nepal Rastra Bank, and NIC Asia Bank Ltd.
  • The MoneyTaker group, a previously unknown ring of Russian-speaking hackers, stole up to $10 million from U.S. and Russian banks, including 15 U.S. lenders.

…and the list goes on.


Attackers’ tools for breaching wire transfer systems have become commoditized, making it easier for other attackers to target financial institutions and wire transfer and payment systems. Expect to see attackers exploit systems such as Automated Clearing House (ACH), Fedwire Funds Service, other payment systems, clearinghouse systems, securities depositories, and securities settlement systems. An increasing number of third-party relationships across all industries adds complexity to transactions and increases the risk of fraud and error. These relationships also expose organizations to a greater level of compliance, credit, and legal risk, increasing the urgency for organizations to take steps to be better prepared.


Active Directory Compromise Gains Momentum

For an attacker, the easier the access to valuable credentials, the faster he can move from system to system in the environment and ultimately access his main targets. Windows Active Directory (AD) is used almost universally in enterprise environments to manage user access to corporate resources. This makes AD a prime target for attackers. Stealing AD credentials might be an attacker’s primary goal because of their high value on the Dark Web. More often, obtaining AD credentials is a tactical step in executing a larger targeted attack campaign.


It’s no surprise that attackers are refining their tools in order to compromise AD as “silently” as possible. As if on cue, the New Year ushered in news of DCShadow, a sophisticated attack method that enables attackers to set up a rogue domain controller in the AD structure from which they can replicate access control information for their own purposes. We expect to see more techniques specifically aimed at compromising AD and—unfortunately—successful attacks being orchestrated with them. Before an attacker can compromise AD, he needs domain admin credentials. An attacker’s search for domain admin credentials is something that Illusive’s deception technology is designed to detect.
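The rogue domain controller described above is not invisible: to take part in replication, the attacker's host must be registered in the directory the way a real DC is, and that registration is where a defender can look. The following is an added illustration written for this post, not Illusive's product or any code from the DCShadow authors. It assumes directory-service and computer-account auditing are enabled, and the event records are a simplified, constructed dict schema rather than raw Windows XML; the sample events and hostnames are made up.

```python
"""Toy detector for the DCShadow registration step (constructed sample data).

Registering a rogue DC leaves two observable traces that are normal for real
domain controllers and abnormal for any other host:
  * a new nTDSDSA object under CN=Sites,CN=Configuration (event ID 5137), and
  * the computer account gaining DC-style SPNs, i.e. "GC/..." or the
    DRS RPC interface GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2 (event ID 4742).
The check is therefore an allowlist: is the host a known, legitimate DC?
"""
import re

DRS_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
DC_SPN_RE = re.compile(r"^(GC/|" + re.escape(DRS_SPN_GUID) + r"/)", re.I)


def detect_dcshadow(events, known_dcs):
    """Return (host, reason) alerts for DC-registration traces on non-DC hosts.

    events: dicts with EventID, Host (computer account, trailing '$' optional)
            and either ServicePrincipalNames or ObjectClass/ObjectDN.
    known_dcs: hostnames of the legitimate domain controllers.
    """
    dcs = {h.lower().rstrip("$") for h in known_dcs}
    alerts = []
    for ev in events:
        host = ev.get("Host", "").lower().rstrip("$")
        if host in dcs:
            continue  # real DCs legitimately carry these attributes
        if ev.get("EventID") == 4742:
            if any(DC_SPN_RE.match(s) for s in ev.get("ServicePrincipalNames", [])):
                alerts.append((host, "4742: DC-style SPN added to non-DC"))
        elif ev.get("EventID") == 5137:
            if (ev.get("ObjectClass", "").lower() == "ntdsdsa"
                    and "cn=sites,cn=configuration" in ev.get("ObjectDN", "").lower()):
                alerts.append((host, "5137: nTDSDSA object created for non-DC"))
    return alerts


# Constructed sample events: one legitimate DC, one workstation being registered.
SAMPLE_EVENTS = [
    {"EventID": 4742, "Host": "DC01$",
     "ServicePrincipalNames": ["GC/dc01.corp.example/corp.example"]},
    {"EventID": 5137, "Host": "WS-042$", "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS-042,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=corp,DC=example"},
    {"EventID": 4742, "Host": "WS-042$",
     "ServicePrincipalNames": ["HOST/ws-042.corp.example",
                               DRS_SPN_GUID + "/1a2b3c4d-0000-0000-0000-000000000000/corp.example"]},
]

if __name__ == "__main__":
    for host, why in detect_dcshadow(SAMPLE_EVENTS, {"DC01"}):
        print(f"ALERT {host}: {why}")
```

Keeping the allowlist current (and alerting when a known DC is demoted or a new one is promoted through change control) matters as much as the match itself, since a stale list produces either false positives or a silent gap.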


Mainframes as Targets

We expect cyber attackers to begin specifically targeting mainframes. Mainframe security often takes a back seat as security teams focus on protecting the latest mobile, cloud, or other innovation initiative. Mainframes remain the epicenter of financial services for thousands of global organizations, including 92 of the world’s top 100 banks. These systems support 29 billion ATM transactions a day and 87% of all credit card transactions, making them attractive high-value targets. Mainframes can also be pivotal in multiple attack scenarios, particularly espionage. From a single location, an attacker could gather significant competitive or strategic intelligence.


Beyond Old-fashioned Data Theft

Aggressive nation states will continue to launch cyberattacks with significant impact. These attacks—and their methodologies—greatly influence other attacker groups who adopt these aggressive tactics for broader cybercriminal purposes. Expect to see more attacks designed to disrupt or destroy infrastructure, as we saw recently in the attack on the Olympic games. Attackers will target banking and healthcare companies for PII, health information, and payment information, but also to disrupt critical infrastructure.


Consider New Approaches to Protection

Changing cyberthreat tactics have stimulated momentum among vendors to innovate their approaches to cybersecurity. Security leaders are inundated with products from thousands of new cyber startups. They are understandably reluctant to add more security tools to their already-complex SOCs. After all, the last thing anyone wants is more noisy alerts. But technologies that truly look at existing problems in new ways and are purpose-built to help companies deal with the unexpected can deliver significant efficiencies that reduce rather than add to the security burden. Distributed deception technology is certainly one of them.