Without a doubt, 2016 was the year of the DDoS. The year came to a close with a major DDoS attack on DNS provider Dyn, which took down several major internet sites on the Eastern US seaboard. This attack was different – not so much in terms of its volume or its technique, but in the fact that instead of being directed at its intended target, it was targeted at network infrastructure used by the target.
I think we are likely to see more DDoS attacks in 2017, both leveraging amplification attacks and direct traffic generated by the Internet of Things. However, we will also see a growing number of incidents in which not just the target experiences outages, but also the networks hosting the sources of the DDoS, as they also need to support significant outbound traffic volumes. This is likely to lead to increasing instability – until such a time as network operators start seeing DDoS as an issue they need to respond to. In this sense, the issue of DDoS is likely to increasingly self-correct over time.
The other main trends and developments that I foresee for the year ahead are as follows:
● I think we are likely to see the first few cases where attribution of nation states accountable for attacks starts to backfire. Over the past few years, corporations and nation states have published a lot of theories on espionage campaigns.
One issue with these incidents is the fact that often, contrary to human intelligence, the malware and tools that are used in these attacks leave the intent of the attack open to interpretation. Was the goal to spy on the development of a country and its international relations? Was it to steal information for economic gain? Or was the attack intended to result in sabotage? Those are the all-important questions that are not always easy to answer.
The risk of one country inadvertently misunderstanding an attack, and taking negative action in response, is increasing. When a nation’s critical infrastructure suddenly fails, after the country has been publicly implicated in an attack, was it a counterattack or a simple failure?
● In the new policy environment being introduced by President-elect Donald Trump, there is some risk that the United States may start to withdraw from the international policy engagement that has become the norm in cyber security. This would be unfortunate. Cyber security is not purely a domestic issue for any country, and that includes the United States.
Examples of great cyber security ideas hail from across the world. For instance, recent capture-the-flag competitions show that some of the best offensive cyber security talent hails from Taiwan, China and Korea. In addition, some tools such as Cyber Green, which tracks overall cyber health and makes international security measurable, originate in Japan rather than the United States.
Withdrawing from international cooperation on cyber security will have a number of negative implications. At a strategic level it is likely to lead to less trust between countries, and reduce our ability to maintain a good channel of communications when major breaches are uncovered and attributed. At a tactical level it is likely to result in less effective technical solutions and less sharing around attacks.
● Meanwhile, across the pond, Presidential elections in France, a Federal election in Germany, and perhaps a new president taking power in Iran will all lead to more changes in the geopolitical arena. In the past, events of major importance such as these have typically brought an increase in targeted attack campaigns gathering intelligence (as widespread phishing) and exploiting these news stories to steal user credentials and distribute malware.
● Companies will become more selective about what data they decide to store on their users. Historically, the more data that was stored, the more opportunities there were for future monetisation. However, major data breaches such as we have seen at Yahoo! and OPM have highlighted that storing data can lead to costs that are quite unpredictable. Having significant data can result in your government requesting access through warrants and the equivalent of national security letters. It can also mean that you become the target of determined adversaries and nation states. We have started seeing smaller companies and services, such as Whisper Systems, move towards a model where little data is retained. Over time, my expectation is that larger online services will at least become a little bit more selective in the data they store, and their customers will increasingly expect it of them.
● We will see significant progress in the deployment of TLS in 2017. Let’s Encrypt, the free Certificate Authority, now enables anyone to enable TLS for their website at little cost. In addition, Google’s support for Certificate Transparency will make TLS significantly more secure and robust. With this increased use of encryption, though, will come additional scrutiny by governments, the academic cryptography community, and security researchers. We will see more TLS-related vulnerabilities appear throughout the year, but overall, they will get fixed and the internet will become a safer place as a result.
● I expect that 2017 will also be the year when the security community comes to terms with the fact that machine learning is now a crucial part of our toolkit. Machine learning approaches have already been a critical part of how we deal with spam and malicious software, but they have always been treated with some suspicion in the industry. This year it will become widely accepted that machine learning is a core component of most security tools and implementations.
However, there is a risk here as well. As the scale of its use continues to grow, we will have less and less direct insight into the decisions our security algorithms and protocols make. As these new machine learning systems need to learn, rather than be reconfigured, we will see more false positives. This will motivate protocol implementers to “get things right” early and stay close to the specifications to avoid detection by overzealous anomaly detection tools.