WHITE PAPER: FORTIGUARD 2018 THREAT PREDICTIONS
Change is happening rapidly. It’s hard to believe that the first smartphone was only introduced a little over a decade ago, because universal connectivity is now literally affecting every aspect of our lives. The rising generation will never know a time when the world around them wasn’t filled with connected devices able to immediately solve their problems or meet their needs.

Individuals have a growing expectation for instant access to highly personalized information and services through a variety of interconnected devices. This demand is driving the digital transformation of society. Businesses that want to succeed in this new digital marketplace need to create a culture of adaptability to stay ahead of demand from both consumers and employees. Organizations still in the process of adopting virtualization and the cloud have had to begin transforming their networks yet again with things like machine learning and artificial intelligence in order to accelerate their ability to see, predict, and respond to market trends.

And as with most technological and social change, there is also a growing criminal element looking to exploit the new opportunities that this new digital society provides. The proliferation of online devices accessing personal and financial information, and the growing connection of everything – from armies of IoT devices and critical infrastructure in cars, homes, and offices, to the rise of smart cities – have also created new disruptive and destructive opportunities for cyber criminals and other threat actors.

THE GROWING THREAT LANDSCAPE

WAR OF THE AI

The cybercriminal marketplace has proven itself to be very skilled at adopting the latest advances in such things as artificial intelligence in order to more effectively detect and exploit vulnerabilities, evade detection, adapt to complex network environments, and maximize profitability.

Supervised vs Unsupervised Learning

Elon Musk has stated that whatever organization manages to ‘master’ AI will have access to global control. That’s not just hyperbole. Without proper controls in place, truly autonomous and self-learning artificial intelligence would be able to move freely through our hyperconnected digital world, adapt to new digital environments, and access virtually any digital resources.

It sounds like something from a science fiction movie, but there are a growing number of experts who see real risks posed by AI, especially in a world where connectivity has outpaced security, and they are calling for regulations and controls.

Part of the risk is related to the way that AI systems are able to learn. Highly supervised incubators can spend years carefully cultivating an artificial intelligence to perform specific tasks in a predictable way. These are usually then integrated into a Centaur Model where humans work alongside automation and AI.

But even in a supervised environment, small errors in learning models at the beginning can result in very unexpected and even dangerous outcomes. A target shooting comparison helps illustrate this point. If the barrel of a rifle being aimed at a target several hundred yards away is off by even a fraction of a millimeter, the shot will not only miss the bull’s eye, but probably the entire target itself. AI systems are orders of magnitude more complex, and responsible researchers are willing to go slowly because they are aiming for accuracy and predictability. Cybercriminals, however, are not so concerned. The unsupervised learning models they are likely to use in developing AI-based attacks, where speed of development is more important than predictability, are especially dangerous and could potentially be devastating. In such scenarios, things can go sideways quickly.

Over the past year, for example, we have seen cybercriminals repeatedly weaponize millions of unsecured IoT devices and use them as a blunt instrument to take out systems and networks, such as with Mirai or, more recently, with Reaper. As those devices become more sophisticated, and attack methodologies become more intelligent, there is the real potential to create swarms of compromised IoT devices that would wreak indiscriminate havoc – think Africanized bees.

If the best and the brightest of the cybersecurity research community are calling for regulation, you can bet it’s because they see that the cybercriminal community is looking seriously at building these things, and is likely to release them unsupervised into the wild.

security fabric. Just as with AI, whoever can get the fabric-based security system right, leveraging things like machine learning and AI, will have a highly aware and proactive security defense system better able to keep pace with new automated, self-learning AI-based attacks.

Automation and Machine Learning

We’re not talking about future visions or something far down the road. Indeed, Black Hats are already leveraging automation and machine learning in their attack tactics, techniques, and procedures (TTP). We already see attacks with automated front ends mining for information and vulnerabilities, combined with AI-based analysis to correlate vast amounts of pilfered structured and unstructured data.

Of course, these sorts of strategies require massive amounts of computing power, which is why cybercriminals are already using cloud services and public infrastructure to launch and manage attack campaigns. For example, cybercriminals have been using stolen credit card information to access cloud services for many years. Today, most cybercriminal organizations use high performance computing (HPC) for CPU-intensive attacks such as bitcoin mining or cloud password cracking. They also use distributed computing and processing modes to autonomously discover and learn about weak spots in security systems.

We are now seeing the first attempts at automatically generating code in order to effectively strike at vulnerable targets using techniques such as fingerprinting and blueprinting.

In addition, services like Shodan make it easier than ever for cybercriminals to detect potential targets. Shodan is a specialized search engine that searches for metadata from service banners provided by online servers and devices. It primarily collects data from web servers on ports 80, 8080, 443, and 8443 (HTTP/HTTPS), but it also searches ports 21 (FTP), 22 (SSH), 23 (Telnet), 161 (SNMP), 5060 (SIP), and 554 (RTSP). It then catalogues all devices with a remote interface, including web-enabled servers, network devices, home security systems, webcams, traffic signals, video projectors, routers, home heating systems, and even SCADA systems. Since many of these devices are set to accept default logins, once a device is located it is often a fairly simple process to then own and compromise that device.
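The defensive counterpart to the Shodan description above is to run the same kind of banner search against your own address space and triage what it finds. The script below is an added example, not code from the paper; it uses the port list the paper gives, and the banner records it processes are constructed, not real search results.

```python
# Added example: triage Shodan-style banner records for an organization's own
# address space. Constructed data; not Fortinet code.
from dataclasses import dataclass

# Port -> (service, base risk) for the ports the paper says Shodan indexes.
# Base risk reflects whether the protocol is a plaintext or legacy management path.
PORT_PROFILE = {
    80: ("http", "medium"), 8080: ("http", "medium"),
    443: ("https", "low"), 8443: ("https", "low"),
    21: ("ftp", "high"), 22: ("ssh", "medium"), 23: ("telnet", "critical"),
    161: ("snmp", "high"), 5060: ("sip", "medium"), 554: ("rtsp", "high"),
}
# Banner fragments that indicate an embedded or OT device with a remote interface.
DEVICE_MARKERS = ("camera", "dvr", "router", "plc", "modbus", "scada", "thermostat")
ESCALATE = {"low": "medium", "medium": "high", "high": "critical", "critical": "critical"}
SEVERITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    ip: str
    port: int
    service: str
    risk: str
    reason: str

def triage(records):
    """records: dicts {ip, port, banner} as exported from a banner search run
    against your own address space. Returns Findings, most severe first."""
    findings = []
    for r in records:
        service, risk = PORT_PROFILE.get(r["port"], ("unknown", "medium"))
        banner = r.get("banner", "").lower()
        reason = f"{service} exposed on port {r['port']}"
        if any(m in banner for m in DEVICE_MARKERS):
            # Embedded devices are the class the paper says often ship with
            # default logins, so an exposed interface is escalated one step.
            reason += "; embedded-device banner"
            risk = ESCALATE[risk]
        findings.append(Finding(r["ip"], r["port"], service, risk, reason))
    return sorted(findings, key=lambda f: (SEVERITY[f.risk], f.ip, f.port))

SAMPLE = [  # constructed records in RFC 5737 documentation address space
    {"ip": "192.0.2.10", "port": 23, "banner": "Login: "},
    {"ip": "192.0.2.11", "port": 443, "banner": "Server: nginx"},
    {"ip": "192.0.2.12", "port": 554, "banner": "RTSP/1.0 200 OK Server: IPCamera"},
    {"ip": "192.0.2.13", "port": 161, "banner": "sysDescr.0 = GenericRouter 1.0"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.risk:8} {f.ip}:{f.port}  {f.reason}")
```

Telnet, FTP and SNMP findings are the ones to close first, since those are the plaintext management paths the paper's device classes usually expose.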
Likewise, we predict that cybercriminals will begin to replace traditional botnets with intelligent clusters of compromised devices built around swarm technology to create more effective attacks. If you think about it, traditional botnets are mindless slaves – they wait for commands from the bot herder (master) in order to execute an attack. But what if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems, or simultaneously target multiple vulnerability points in a network using a variety of penetration and exploit techniques?

The result would be a Hivenet instead of a botnet. Such a tool can leverage peer-based self-learning to effectively target vulnerable systems at an unprecedented scale. Hivenets will be able to use swarms of compromised devices, or swarmbots, to simultaneously identify and tackle different attack vectors. Hivenets are especially dangerous because, unlike traditional botnet zombies, individual swarmbots are smart. They are able to talk to each other, take action based on shared local intelligence, use swarm intelligence to act on commands without the botnet herder instructing them to do so, and recruit and train new members of the hive. As a result, as a Hivenet identifies and compromises more devices it will be able to grow exponentially, and thereby widen its ability to simultaneously attack multiple victims.

While IoT-based attacks such as Mirai or Reaper are not using swarm technology yet, they already have the footprint necessary. Reaper is especially concerning because it uses a Lua engine with additional Lua scripts. Lua is an embedded programming language designed to enable scripts to run, allowing an attacker to switch from one attack to another fairly easily. Upgrading to this sort of code to leverage emerging swarm behaviors and AI would have devastating consequences.

approach based on identifying potential attack vectors and engineering vulnerabilities out of a network. Simply building in things like redundancy, automated backups, and distributed network segmentation can go a long way towards effectively mitigating the impact of such attacks.

The next step is to replace existing security tools with an adaptive security fabric of integrated security devices. Unlike the separate and isolated security devices most organizations have in place, a security fabric is able to:

- See every device across the distributed network
- Detect unknown threats, including the attack patterns used by swarmbots
- Share and correlate threat intelligence in real time to harden systems and repel invaders
- Dynamically segment the network to prevent the lateral spread of infection across the network
- Isolate compromised devices and systems
- Respond to attacks in a coordinated fashion, such as automatically shutting down attack vectors by dynamically reconfiguring the fabric as attack patterns and methods become better defined through the real-time correlation of threat intelligence
begin weaponizing cybercrime tools, converting them into militarized malware, or ‘Milware,’ designed to cause maximum damage to things like critical infrastructure. And once the AI singularity takes place, offense vs. defense (time to breach vs. time to protect) will be reduced to a matter of milliseconds rather than the hours or days it takes today.

The security these cloud systems currently have in place will not be enough, which is why it is imperative that organizations migrate to advanced security systems built around quality intelligence, and adopt an integrated security fabric strategy that can see across the distributed network, counter the sophisticated attack systems being developed and deployed by attackers, implement consistent security policy everywhere, and easily integrate advances in both collaboration and AI.

RESPONSE: SYSTEMS WILL BECOME MORE INTELLIGENT AND INTEGRATED – THE RISE OF “EXPERT SYSTEMS”

One critical response to advancements in malware and cybercriminal technologies is the development of “expert systems.” An expert system is a collection of integrated software and programmed devices that use artificial intelligence techniques to solve complex problems. For example, expert systems use databases of knowledge to offer advice, perform medical diagnoses, or make educated decisions about trading on the stock exchange.

These expert systems cannot effectively operate independently. Part of their success depends on different systems operating together to solve complex challenges. We have already begun to see this sort of advancement in military applications. For example, new software designed to function as an expert system now allows individual fighter jets to integrate with each other in order to more effectively carry out complex missions or respond to threats with orchestrated countermeasures. These advanced flight and targeting technologies enable them to make autonomous and semi-autonomous decisions about locating a target, evading an attack, or out-maneuvering an opponent.

Smart cities operate in much the same way, coordinating critical resources to respond to things like traffic, emergency services, or even energy consumption. We are also beginning to see business and public sector systems start to overlap to ensure that things like energy, water, or other critical infrastructure systems are able to more effectively and efficiently respond to the needs of manufacturing floors, agriculture, or energy production. At the same time, cyberterrorism and business-oriented cybercrime are also beginning to converge as their tools and techniques overlap. For example, disrupting a business can have political implications and vice versa. This is why expert security systems need to be developed further to enable the critical sharing of intelligence, allowing security architectures to work in concert to root out and stop advanced threats. In addition to integrating multi-cloud and mobile devices, unsegmented and unsecured networks need to be actively monitored and secured. To make this happen, isolated security devices will need to be identified and replaced with those designed to operate as part of a more complex, integrated system.

One of the biggest challenges will be the last mile of security – finding the will and the way to automate basic security hygiene, such as patch and replace, hardening systems, and implementing two-factor authentication. Complex, multi-cloud ecosystems and hyperconverged networks that span physical and virtual environments make performing these basic security practices extremely difficult. AI and automation need to fill this gap by replacing basic security functions and day-to-day tasks currently being performed by people with an integrated expert security system that is able to:

- Determine device vulnerabilities, track and patch devices, and apply security protocols or an IPS policy to protect vulnerable devices until a patch is available or they can be replaced
- Address device misconfiguration, which is another huge problem. Expert systems need to be able to configure both security and network devices, monitor those configurations, and make appropriate changes as the network environments they operate in continue to shift.
- Automatically rank devices based on levels of trust and dynamically segment traffic, especially from the growing number of IoT devices, even in highly elastic environments. They then need to be able to identify and isolate compromised devices to stop the spread of infection and initiate remediation.
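The decision logic behind the expert-system capabilities just listed, and behind the security fabric capabilities listed earlier (segment, isolate, respond), can be made concrete in a small policy engine. The code below is an added example rather than anything from the paper or a Fortinet product; the device inventory, scoring weights, segment names and vulnerability ids are all constructed assumptions.

```python
# Added example: automated "last mile" hygiene over a constructed device
# inventory (patch or virtually patch, rank by trust, segment, isolate). Not Fortinet code.
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    kind: str                                   # "server", "iot" or "network"
    vulns: list = field(default_factory=list)   # (vuln_id, patch_available)
    default_creds: bool = False
    mfa: bool = True
    compromised: bool = False                   # e.g. matched a threat-intel indicator

def trust_score(d):
    """0-100; every hygiene gap subtracts points, unpatchable gaps cost more."""
    if d.compromised:
        return 0
    score = 100 - sum(15 if patchable else 30 for _, patchable in d.vulns)
    score -= 25 if d.default_creds else 0
    score -= 0 if d.mfa else 10
    return max(score, 0)

def plan_actions(d):
    """Ordered actions the expert system would take for one device."""
    if d.compromised:
        return ["isolate", "initiate-remediation"]   # contain first, then clean
    actions = []
    for vuln, patchable in d.vulns:
        # No patch yet: shield the device with an IPS policy until one exists
        # or the device is replaced, as the paper's first bullet describes.
        actions.append(f"patch:{vuln}" if patchable else f"ips-policy:{vuln}")
    if d.default_creds:
        actions.append("rotate-default-credentials")
    if not d.mfa:
        actions.append("enforce-2fa")
    return actions

def assign_segment(d):
    """Trust-based dynamic segmentation; IoT never shares the trusted segment."""
    if d.compromised:
        return "quarantine"
    score = trust_score(d)
    if d.kind == "iot" or score < 50:
        return "restricted"
    return "trusted" if score >= 80 else "limited"

INVENTORY = [  # constructed; vuln ids are placeholders, not real identifiers
    Device("web-01", "server", [("VULN-PLACEHOLDER-1", True)]),
    Device("cam-07", "iot", [("VULN-PLACEHOLDER-2", False)], default_creds=True),
    Device("sw-core", "network", compromised=True),
]
```

Running `plan_actions` and `assign_segment` over the inventory shows the three paths the paper describes: a patchable server gets patched and stays trusted, an IoT camera with an unpatchable flaw is shielded by an IPS policy and kept in a restricted segment, and a compromised switch is quarantined before remediation starts.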
Copyright © 2017 Fortinet, Inc. All rights reserved. November 20, 2017.