The next five years in security: more zero-days, more ransomware and more espionage with AI deployed on both sides, warns LME CISO Russell Wing

GDPR won't just mean potential fines for IT security compromises, warns Wing, it will provide a 'guide price' for cyber criminals

Russell Wing, the head of information security at the London Metal Exchange, has warned that the next five years in IT security will bring greater risks in the form of zero-day threats, increasingly sophisticated ransomware and espionage - and with artificial intelligence likely to be deployed in both attack and defence.

Wing was presenting the keynote speech at Computing's second Cybersecurity Strategy Summit in London.

"I got into security about the time that the Nimda worm [in 2001] took off," said Wing. "The company I was working for at the time had a very 'flat' network and struggled to contain it. It completely floored the business for a couple of days. That was a real wake-up call.

"It was the same with Slammer [in 2003]. But these two worms were relatively crude and noisy compared with what we have to fight today. Things really started to change with Stuxnet, which was found in 2010, and APT1 in 2013," said Wing.

Stuxnet, continued Wing, was "incredibly advanced technology". It is now clear that it was developed by US intelligence agencies and specifically designed to disrupt Iran's nuclear programme. However, it inadvertently achieved much wider circulation and, hence, discovery.

Uncovered by Kaspersky, which attributed it to the so-called Equation Group, widely acknowledged to be a front for the US National Security Agency, it had been designed for initial propagation by memory stick, and then to traverse networks in search of Siemens Step-7 industrial control-system software.

It used this embedded understanding of the SCADA software that ran the Siemens centrifuges used by the Iranian programme to make them spin just 10 per cent faster - fast enough to cause the equipment to spin out of control and break, but not necessarily so fast that it aroused immediate suspicion.

It is believed to have been released in 2005 - and only discovered ten years later. However, Kaspersky claims that Equation Group has been active since at least 1996.

But it has been ransomware and the ability to exfiltrate valuable data that have made IT security a mainstream business concern, said Wing, combined with malware tools for sale or rent that have put malicious software in the hands of relatively unsophisticated actors - and that has largely happened in just the past five years.

In the past, said Wing, security "was just about 'what are we going to do?' And then doing it, and then sticking in a protection component, typically a firewall, which was historically the only part that we did. Then we bought something from a vendor, which promised to do something amazing for us. We didn't test them, and we didn't spend so much time on 'detect and respond'".

Today, organisations need to be much more thorough, he said.

First, an organisation needs to realistically appraise its risk and understand its likely 'enemies'. It needs to ask, what are the expectations for the next five years?

For Wing, the expectation is that attacks will get faster, with zero-days becoming more frequent and attacks stealthier. There will be more attacks against critical infrastructure and more attempts at monetising attacks, either with ransomware or similar forms of extortion - especially with the forthcoming General Data Protection Regulation (GDPR) putting a monetary value on compromises in the form of big fines.

So, it's important to work out who the likely threat actors might be and get some decent threat intelligence on them and the technical threats you're likely to face, advised Wing. Also, information sharing is key, so join the Certified Information Systems Security Professionals (CiSSP) and be prepared to share information with your peers.

Reconnaissance and command-and-control systems are key to many attack vectors and, by the same token, can also provide evidence of compromise.

Wing recommends CISOs familiarise themselves with Lockheed Martin's Cyber Kill Chain model. "[This] gives us a way of considering the attack phases and, therefore, how we can protect against them in our environments," said Wing.

GCHQ's National Cyber Security Centre, meanwhile, lists 20 critical security controls every organisation needs to get right. The top five alone, suggested Wing, should reduce the majority of an organisation's vulnerabilities. These are:

The threat model, said Wing, obviously needs to start with the most likely attacks, which will be almost certainly email borne, or seek to take advantage of browser vulnerabilities (and, probably, user foolishness).

In response, suggested Wing, users need to consider 'browser isolation', endpoint detection and response (EDR), network traffic analysis and look closely at how machine learning technologies can be deployed to automate as much of the tedious network traffic analysis as possible.
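As an added illustration of two of Wing's points, that command-and-control traffic is itself evidence of compromise and that the tedious part of network traffic analysis can be automated, the following example (not from the article or the LME) flags hosts that contact the same destination at near-constant intervals, the "heartbeat" pattern many C2 implants produce. The flow records, host names, documentation-range IP addresses and thresholds are all constructed assumptions.

```python
"""Added example: a simple beacon detector over constructed flow logs.
Not code from the article; hosts, addresses and thresholds are assumed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_host, dst_host).
FLOWS = [
    # "ws-17" contacts one external host every ~300 s with small jitter
    *[(300 * i + (i % 3), "ws-17", "203.0.113.9") for i in range(12)],
    # "ws-09" talks to a site often, but at irregular, human-like gaps
    *[(t, "ws-09", "198.51.100.20") for t in (0, 10, 50, 60, 400, 410, 900, 1500, 1510)],
    # "ws-04" has too few events to judge either way
    (5, "ws-04", "198.51.100.7"), (41, "ws-04", "198.51.100.7"),
    (700, "ws-04", "198.51.100.7"), (2406, "ws-04", "198.51.100.7"),
]


def find_beacons(flows, min_events=8, max_jitter=0.05):
    """Return (src, dst, mean_interval_s) for source/destination pairs whose
    inter-arrival times are nearly constant. A low coefficient of variation
    (stdev / mean) across the gaps is the signal; min_events avoids judging
    pairs with too little history. Both thresholds are illustrative."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Near-zero spread relative to the mean gap => periodic "beacon"
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(FLOWS):
        print(f"possible C2 beacon: {src} -> {dst} every ~{interval}s")
```

Real implants add jitter, vary destinations or hide in legitimate services, so a detector like this is a starting point for triage rather than proof of compromise.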

Finally, suggested Wing, for most organisations the best advice when considering threats is to 'follow the money' - for any organisation unlikely to be of interest to the NSA, GCHQ or Russia's SNB, money is likely to be the primary motive of most attacks.