2020 Outlook: Evaluating the Threat Landscape at the Dawn of a New Decade

The past decade has been one of unprecedented transformation, innovation, and uncertainty in the enterprise cybersecurity market. Five years ago, the Russian hacking group known as Sandworm succeeded in shutting down three power plants in Ukraine for several hours and demonstrated how targeted attacks could potentially disrupt the lives of regular citizens. The past decade has also witnessed the emergence of countless new threats, from banking trojans, infostealers, and ransomware to the introduction and adoption of detection techniques to thwart these attacks.

 As we kick off a new decade, it’s a good time to channel our inner soothsayer and contemplate what the coming decade might have in store as we prepare ourselves for the next wave of threats. VMRay surveyed some of its trusted technology partners including VMWare Carbon Black, ThreatConnect, Swimlane, and G DATA Cyberdefense to offer their perspective and expertise on what challenges and opportunities the coming decade might bring.

AI Powered Malware Remediation: Not (Quite) Ready for Primetime

Artificial Intelligence (AI) and especially Machine Learning (ML) have undoubtedly come a long way over the past couple of years, both in terms of its practical application in sifting through terabytes of data to identify patterns and its promise to reduce the time, money, and resources spent on detecting and responding to unknown threats. However, beyond the hype of how AI will transform threat detection and remediation is the sober reality that for the next couple of years, it will fall far short of replacing human analysts and rather will supplement their work.

As with other new technologies, ML shouldn’t be thought of as a silver bullet.

While ML based methods have become an invaluable tool for malware detection and analysis, the engines are only as good as the data being fed into them. Likewise, the ML models being used to make predictions are based on historical data – in essence, ‘they don’t know what they don’t know’ — nor can humans usually deconstruct the underlying pattern to understand the underlying reasoning. This limitation means that understanding and fixing common classification errors and malware evasion strategies will continue to present challenges in the immediate future.

Carsten Willems, Co-founder, VMRay

Cybercriminals Will Continue Their Frontal Assault on the Financial Services Vertical

 A survey of Incident Response firms conducted by Carbon Black for its annual Global Incident Response Threat Report found that more than three-quarters of respondents said the financial industry is most often targeted by attacks. Meanwhile, another industry survey reported that 79% of surveyed financial institutions said cybercriminals have become more sophisticated. Two types of sophisticated attacks that we anticipate seeing used more frequently against financial services in 2020 are ‘custom malware’ and ‘process hollowing’. As opposed to commodity malware which is widely available for purchase or for free on the Dark Web, custom malware is coded with a specific purpose in mind, indicating a higher level of sophistication and funding. Process hollowing refers to malware that tricks the operating systems and monitoring tools into thinking a legitimate process is running, when in fact the process’s memory has been hollowed out and replaced by a second, malicious program, helping to facilitate lateral movement for the attackers.

VMware Carbon Black Threat Analysis Unit (TAU)

Security Challenges of the California Consumer Privacy Act (CCPA) Come into Focus

California’s CCPA bill will create new consumer rights relating to personal information collected by businesses and is scheduled to take effect on January 1, 2020. Much like GDPR, the CCPA will impact businesses beyond its immediate geographic borders. Any company which serves California residents and has at least $25 million in annual revenue will need to comply with the law. This means that security teams will have to work closely with database administrators and that tools for dealing with the issue will need to have full visibility into data stored across a good portion of the internal corporate environment, while still ensuring that access to such data is properly secured. If the data is stored on the cloud, the problem becomes even more complicated.

Dan Cole, Director of Product Management, ThreatConnect

The SOAR Market Breaks Through

Security orchestration, automation and response (SOAR) solutions address a critical need in helping security operations teams manage the daily deluge of alerts and threats.  The combination of automation, orchestration and case management frees security teams from managing multiple point solutions to managing actual threats to the organization.

While we see a positive trend with automation and orchestration being applied across security products, a “good enough” fix will not address the challenge of aggregating, managing and enriching those solutions and processes. Only a dedicated SOAR solution provides the flexibility needed to optimize an organization’s unique needs, processes and tools. And as both SOAR and the organizations deploying it mature, automation and orchestration will be enabled across every facet of security within the organization.

Cody Cornell, Founder & CEO, Swimlane

Fileless Malware Continues its Ascendance

Fileless malware will increase significantly in the coming months. This is because cybercriminals are circumventing classic antivirus tools and significantly increasing their chances of success. Fileless malware often enters the network via macros in Word documents and carries out its harmful activities directly from the main memory. Current examples include Kovter, Powelike and Ryuk. Living-off-the-Land Binary (LOLBins) attacks also use Fileless malware – for example, attackers combine legitimate Microsoft tools with a malicious script so that they execute an attack themselves. In order to effectively ward off these threats, new technologies are needed that can identify such malware with an in-memory scan, for example.

Stefan Hausotte, Team Leader Automatic Threat Analysis at G DATA Cyberdefense