2018 is officially in the history books. That means everyone’s starting to look to the year ahead, wondering what 2019 will bring.
A few weeks back, F-Secure’s Cyber Security Sauna host Janne Kauhanen invited several experts to reflect on what happened in 2018 and discuss what they think we’ll see in 2019. You can listen to the podcast or read the transcript. But here’s a few highlights about what F-Secure’s Laura Kankaala, Artturi Lehtio, Adam Sheehan, Andy Patel, and Tom Van de Wiele will be looking for in 2019.
Supply chain attacks will increase.
F-Secure Service Technology Lead Artturi Lehtio thinks supply chain attacks have become more prominent in recent years. And he’s only expecting this trend to continue in 2019. Perhaps the best known example of a supply chain attack is 2017’s NotPetya ransomware attack. But Artturi points out that supply chain attacks are incredibly diverse. Compromising a service provider to steal a particular customer’s data is another kind of supply chain attack. Manipulating otherwise legitimate information that people normally trust is another kind of supply chain attack. It could be a simple change to an online service that brings security risks users don’t really understand.
“We’re putting large parts of our lives in the hands of others, where we don’t always realize how much we’re relying on others or trusting others. And we don’t really have a way of verifying that they are still worthy of that trust,” Artturi explains in the podcast.
Tom and Laura both agree, pointing out that everything from cloud computing to the increasing use of code repositories by developers is creating interdependencies that companies might not fully appreciate.
“The way attackers breach your organization may not be something that’s directly under your control, or something that you’ve thought of as being your responsibility,” is Artturi’s key takeaway.
Reinforcement learning will take a big leap forward
Artificial intelligence (AI) is something everyone’s talking about these days. It’s an important part of cyber security and technology. Andy Patel, Senior Researcher at F-Secure’s Artificial Intelligence Center of Excellence, thinks that reinforcement learning is where the big advances in AI will happen in 2019.
Andy describes reinforcement learning as teaching an algorithm to learn by rewarding it when it makes positive progress. He explains it to Janne in more detail in the podcast. And as an example, he describes how someone could use it to teach a computer to play a game.
Andy says Facebook is using reinforcement learning to figure out when users should receive notifications. Other companies are using it to train financial trading models, video streaming, and more. And based on some research presented at this year’s Black Hat conference, Andy thinks we’ll see this type of AI in cyber security in 2019.
“…there are many other similar applications in cyber security, mostly on the penetration testing or fuzzing side that are interesting. Like password guessing, or like application fuzzing, things like that. So I would imagine that people might actually publish, even if it’s just academic, but maybe publish something that uses reinforcement learning for these sorts of things,” Andy says.
Automation, detection and response will make attacks more expensive
It might surprise listeners to hear that F-Secure Principal Security Consultant Tom Van de Wiele thinks that we can look forward to positive security developments in 2019. Tom thinks that targeted attacks will start costing adversaries more money as more companies take advantage of advances in automation and detection and response. Tom, who often performs red teaming tests for F-Secure’s customers, says that this is based on what he sees happening with the companies he works with.
“…we see a definite trend at customers where more and more software and services are being introduced because they are being hit by certain attacks, or because their competitors are being hit. And that increase in automation when it comes to detection, is of course discouraging some attackers and making it more difficult for other attackers to try and slip into companies in an undetected way,” according to Tom.
Organizations are going to start thinking about WHY they get hacked
Adam Sheehan, F-Secure Behavioral Science Lead, thinks that more companies will be interested in what he describes as the next level of analysis – why their organizations have their security problems.
“I think for too long there’s been an assumption that if Organization A has a high click rate, let’s say on email phishing, and Organization B has the same observable high click rate on email phishing, that they should be offered more or less the same solution,” Adam says. He goes on to explain why this is an assumption worth challenging.
IoT will grow, and so will interest from attackers
It’s no secret that internet-connected devices, particularly internet of things (IoT) devices are spreading like wildfire. That’s a trend F-Secure Security Consultant Laura Kankaala says will have security implications in 2019. She’s expecting to see more exploitation of these devices in the new year.
But on a more positive note, she’s hoping that the increase in exploitation will result in a GDPR-like regulation covering IoT devices, or possibly just more device vendors introducing bug bounties for their products.
“I think GDPR-wise, the GDPR could be extended to actually cover the IOT devices or some other regulation could come in place that would extend the GDPR to actually cover these IOT devices as well,” Laura explains.
Tom thinks that something needs to push both consumers and device vendors to get serious about securing these devices. So far, there hasn’t been much incentive for either group. Bug bounties and regulations could both help.
But like many things, we’ll have to wait and see what happens. Check out the podcast to hear more about the cyber security trends they’re expecting to arrive in the new year.