‘Indicators of compromise’ no longer effective: Kaspersky Lab’s Threat Predictions for 2017

• Print

Details

Published: Thursday, 17 November 2016 13:51

Kaspersky Lab’s discovery in 2016 of an APT able to create new tools for each victim has effectively killed off ‘indicators of compromise’ (IoCs) as a reliable means of detecting malware infection, according to the company’s Threat Predictions for 2017.

The predictions are prepared annually by the company’s expert Global Research and Analysis Team (GReAT).  The list for 2017 includes the impact of bespoke and disposable tools, the growing use of misdirection in terms of attacker identity, the fragility of an indiscriminately Internet-connected world, and the use of cyberattacks as a weapon of information warfare:

The decline of IoCs

Indicators of compromise (IoCs) have long been an excellent way of sharing traits of known malware, allowing defenders to recognise an active infection. The discovery by GReAT of the ProjectSauron APT changed this. Analysis of the group revealed a bespoke malware platform where every feature was altered for each victim, rendering IoCs unreliable for detecting any other victim, unless accompanied by another measure, such as strong Yara rules.

The rise of ephemeral infections

In 2017, Kaspersky Lab expects to see the appearance of memory-resident malware that has no interest in surviving beyond the first reboot that will wipe the infection from the machine memory. Such malware, intended for general reconnaissance and the collection of credentials, is likely to be deployed in highly sensitive environments by stealthy attackers keen to avoid arousing suspicion or discovery.

Attribution will flounder among false flags

As cyberattacks come to play a greater role in international relations, attribution will become a central issue in determining a political course of action – such as retaliation.  The pursuit of attribution could result in the risk of more criminals dumping infrastructure or proprietary tools on the open market, or opting for open-source and commercial malware, not to mention the widespread use of misdirection (generally known as false flags) to muddy the waters of attribution.

The rise of information warfare

In 2016, the world started to take seriously the dumping of hacked information for aggressive purposes. Such attacks are likely to increase in 2017, and there is a risk that attackers will try to exploit people’s willingness to accept such data as fact by manipulating or selectively disclosing information.

Alongside this, Kaspersky Lab expects to see a rise in vigilante hackers: hacking and dumping data, allegedly for the greater good.

Growing vulnerability to cyber-sabotage

As critical infrastructure and manufacturing systems remain connected to the Internet, often with little or no protection – the temptation to damage or disrupt them could prove overwhelming for cyber attackers, particularly those with advanced skills, and during times of rising geopolitical tension.

Device Integrity in an over-crowded Internet

As IoT-device manufacturers continue to pump out unsecured devices that cause wide-scale problems, there is a risk that vigilante hackers could take matters into their own hands and disable as many devices as possible.