Looking Back at LogRhythm Labs' 2018 Predictions for Security - How Did We Do?

About this time every year, the LogRhythm Labs team watches bird flights, performs divination rituals, and contemplates what might happen in the world of information security in the coming year. Last year, we started a new tradition of examining our past predictions. Now it’s time to look at our predictions for 2018 and see how we did!

1. A new record for the largest breach settlement will be set.

It’s not a surprise that we got this one right! The cost of ineffective cybersecurity is growing every year. And as the loss of data grows, the financial exposure grows. Remember that these settlements are for breaches from the past several years. Some of this year’s notable settlements include:

  • Anthem’s $16 million settlement (breaking the record of $5.5 million paid to the Office for Civil Rights by Advocate Health) following its massive data breach that violated Health Insurance Portability and Accountability (HIPAA) violations. This doesn’t count the additional $115 million settlement following a class action lawsuit last year.
  • Yahoo’s $50 million settlement following its breach of personally identifiable information (PII), which exposing over 200 million user records.
  • Uber’s $148 million settlement for exposing customers’ PII.

There are several more massive breaches still working their way through the courts, including the first General Data Protection Regulation (GDPR) cases (e.g., those against Facebook and Google), so it’s a safe bet that in 2019, these records will get broken again!

Our assumption here was that GDPR and resulting breach settlements would drive the U.S. government to pass new legislation. We optimistically assumed a fast pace. GDPR fines have yet to appear, but British Airways is likely the first major test case.

At the federal level, new GDPR-like legislation hasn’t been introduced yet; however, the Senate has started talking about it. AT&T, Google, Amazon, Twitter, and other technology leaders provided testimony to support the initial discussions. Watch this archived webcast for a fascinating look at both the pro- and anti-legislation arguments.

At the state level, however, California led the way with Bill 375 (i.e., the California Consumer Privacy Act of 2018). This law, which goes into effect in 2020, is very similar to GDPR. And as we’ve seen before with the state’s legal efforts regarding emissions regulations, the state’s legislative activities can have a national influence. It could provide the core of what may eventually become U.S. law. Even if that turns out to be the case though, you should expect some legal challenges against the law throughout 2019.

3. Cyberwar campaigns between North Korea and the U.S. will emerge from the shadows and directly impact the public.

Although we expected more public exposure around this prediction, North Korea definitely made the news for cyberwar. Top incidents this year include the following:

4. Internet of Things (IoT) devices will become a more frequent target for ransomware attacks and cyber extortion.

This is another prediction that unsurprisingly came true! Cyberattacks against IoT devices exploded in 2018, including many variants that created botnets for ransomware or other criminal activities. Some notable statistics from the year include:

5. DDoS as a Service (DDoSaaS) will become a “thing” and will result in another major DDoS attack against critical infrastructure.

In some ways, this prediction came true prior to 2018 with Mirai, other similar massive IoT-powered attacks, and existing stresser/booter services. This year, however, we saw more DDoSaaS attacks with takedowns of sites like WebStresser. We also experienced the full effects of the 2017 introduction of IOTroop/Reaper and variants; there are indicators linking several Reaper-based botnets to an advanced persistent threat (APT) group. There is also evidence that the botnets are available as a “for hire” service, selling DDoS attacks for $20 per target!

6. Drones will be exploited much more often as a cybersecurity threat vector.

We were a bit ahead of ourselves on this one. After seeing articles in 2017 on new drone projects, potential drone-based man in the middle attacks, and more, we thought for sure someone would cyber-weaponize a drone this year. And while they were definitely a physical threat vector in 2018 — as evidenced by a nice collection of drone-related security incidents — we haven’t reached a verdict as to whether drones will be exploited for cybersecurity.

7. Bitcoin wallet exploits will result in massive losses of personal wealth.

We nailed this one! This was the year of attacks on cryptocurrency wallets and exchanges. Several exchanges suffered attacks and lost millions of dollars in cryptocurrency, including Bithumb ($30 million loss), Coinrail ($37.2 million loss), BitGrail ($195 million loss), and Coincheck ($534 million loss). Other noteworthy cryptocurrency happenings include the following:

  • Exchanges like Bitcoin Gold, Verge, and Electroneum got hit with what are called 51% attacks. They’re also known as double-spend or Equihash PoW consensus attacks. In these instances, perpetrators gained majority control of the resources that approve transactions, thus compromising the exchanges.
  • Strangely, we also saw physical attacks in this space. Attackers targeted cryptocurrency infrastructure and currency owners, using cryptocoin as payment for physical ransom, home invasions, ATM attacks, and more!

8. Kim Jung Un’s PlayStation account will be hacked.

This was a stretch because, well, we can’t even confirm that Kim Jung Un has a PlayStation account! What we do know is that takeovers of PlayStation Network (PSN) accounts continued to be quite common in 2018. Most of the hacks were based on standard phishing techniques or PII compromises inspired by large breaches seen by companies like Equifax and Yahoo. However, another recent attack was more similar to box bricking, with a malicious message sent via chat.

Conclusion

So far, 2018 has produced many interesting events in cybersecurity. Looking back at our predictions, when we were right, we underestimated the impact. We don’t think anyone was expecting was expecting a year with multiple settlements over $100 million! When we were half-right, it was mostly a case of being a little too optimistic. Drones are definitely not going away any time soon, and governments in both the U.S. and abroad will pass more privacy legislation! When we were wrong, well, it’s hard to say what really goes on in the Democratic People’s Republic of Korea.

Stay tuned for our upcoming 2019 cybersecurity predictions, and may your last few months of 2018 be secure!