Password Spraying & Credential Stuffing
A question I am often asked is: “When do you think passwords will disappear?” Whatever we do, we will have to live with passwords and PIN codes for many years to come. Attackers take advantage of this by finding ever more platforms and protocols on which to try to guess the correct username and password.
My prediction is that even more platforms and protocols will see brute-force attempts against usernames and passwords, along with an increase in attacks that, for instance, go after 2FA through MITM (man-in-the-middle) techniques.
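As an added illustration that is not from the original post, the following Python code (mine, using a constructed log format and constructed log lines) flags the trace that password spraying leaves in authentication logs: one source hitting many distinct accounts with only a few failures each, and then any successful login from that same source, which is what a threat hunter should triage first.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample of authentication log lines (not from any real system).
SAMPLE_LOG = """\
2020-01-07T08:00:01 src=203.0.113.5 user=alice result=fail
2020-01-07T08:00:02 src=203.0.113.5 user=bob result=fail
2020-01-07T08:00:03 src=203.0.113.5 user=carol result=fail
2020-01-07T08:00:04 src=203.0.113.5 user=dave result=fail
2020-01-07T08:00:05 src=203.0.113.5 user=erin result=fail
2020-01-07T08:00:06 src=203.0.113.5 user=frank result=ok
2020-01-07T08:05:00 src=198.51.100.9 user=alice result=fail
2020-01-07T09:00:00 src=192.0.2.77 user=gina result=ok
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Parse lines in the (assumed) format above; lines in any other format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "user": m["user"], "result": m["result"]})
    return events

def find_spraying_sources(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src: sorted usernames} for sources whose failures inside one sliding window
    hit many distinct accounts with few attempts each (few per account avoids lockout)."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # drop failures older than the window
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break
    return hits

def successes_from_spraying_sources(events, hits):
    """Successful logins from a flagged source: the accounts to investigate first."""
    return sorted((e["src"], e["user"]) for e in events
                  if e["result"] == "ok" and e["src"] in hits)
```

Credential stuffing spreads its attempts over many sources, so for that case the same failure counts have to be aggregated per account across all sources rather than per source.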
Zero Trust & Assume Breach
We need to build our network and IT architecture in such a way that even if an attacker gets into an individual client computer, they are unable to escalate their privileges or move further without this being promptly discovered and investigated. This demands a continuous Threat Hunting effort and good solutions for Endpoint Detection and Response (EDR).
It is important to have a baseline of how your environment looks, i.e. how and where network traffic flows, which software should be installed, etc., so that it becomes harder to reach business-critical information. It is then easier to identify any conspicuous pattern, assuming that the attacker is already in your network.
Last year we saw countless attacks on closed, on-premise platforms such as Citrix NetScaler, Pulse Secure and Fortigate (see blog post in Swedish, external link: https://kryptera.se/attacker-mot-ssl-vpns/). Since the hardening of these platforms is often neglected and their logging inadequate, it is consequently difficult to carry out forensic investigations and detect intrusions.
Moreover, these devices usually sit at a central point where many users connect or a lot of traffic passes through, which makes them a gold mine for attackers. In addition to reading and modifying the traffic passing through the device, there is also the opportunity to attack the connecting clients. I also include Supply Chain Cyber Security in this area, because everything that is connected to or plugged into your systems should be checked, defined, or isolated.
Note that firmware/software updates can have both favorable and adverse effects on your environment in terms of security.
This prediction is probably just wishful thinking on my part: that more organizations will get better at sharing IOCs and information about intrusions, with greater transparency and systems that enable automatic and rapid sharing of threat information, such as MISP (external link: https://www.misp-project.org/index.html) or TheHive (external link: https://thehive-project.org/).
If you work in a specific industry, I would argue that it is very important to share your threat information within that particular industry.
It would be serious malpractice not to mention MITRE's ATT&CK framework, which is constantly evolving and makes it easier to share information that goes beyond purely technical IOCs, namely Tactics, Techniques, and Procedures (TTPs). A further suggestion for your organization is to investigate how ATT&CK can be used with your security products, such as antivirus software.
A continually recurring problem is all the connected gadgets (Internet of Things) in which new vulnerabilities are discovered daily. This will most likely not decrease any time soon as more things become connected. And perhaps 2020 will be the year when we see more security products with Artificial Intelligence (AI)?