Saturday, December 15, 2012

Red Sky Weekly - Predictions for 2013

I’m going to do something a little different this morning.

Last year, I published (in limited distribution.. in case I was wrong!) predictions for 2012. This morning I’m publishing that list to the blog, with updates to my 2011 thoughts for 2012, moving forward into 2013, and a few positive trends.

A couple of highlights on the positive side:

  • Companies outside of the critical infrastructures are becoming aware of the dangers of targeted and advanced persistent cyber events.
  • Adoption of information sharing by companies large and small has taken off. This, not just a trend in Red Sky Alliance, but in others as well. We see this has a major deal --low cost, extremely high payoff.
  • More companies are looking to formalized models to build their information security programs and management processes.
  • Securing the Human has become widespread -not just in SANS, but also in practice. More companies are employing routine, randomized testing and education of their end user workforce.
  • Last, “Best in Breed” practices are beginning to emerge. This is a leading indicator of institutionalizing new practices and processes to deal with the new, emerging threat landscape.

Next, my 2011 thoughts.

Last year I outlined several trends. I’ve updated them for this year, and through work with the Red Sky Alliance members during the year, have extrapolated some of this information into predictions for 2013, and thoughts on a few new items:

A couple of key thoughts, and the highest of risks on my prediction list for 2013. These were added authored for 2012 predictions, and those shown in red have grown through the year, to become mainstream in 2013. For example:

  • Use of remote access and their associated legitimate (but stolen) credentials are a mainstream method of gaining access to company networks and intellectual property
  • Supply chain, including not only traditional supply chain, but also non-direct value add suppliers (i.e.: legal, outsourced HR functions, and finance) are high value targets for intelligence on not only ongoing operations, but futures.
  • Traditionally closed systems (physical security systems) are becoming more interconnected to allow remote work, higher order analysis and correlation, and storage. These systems continue to be targeted as PSIM is integrated with traditional infosec operations. These systems include primarily voice and video.
  • I'd also like to couch one of my positions. My belief is that the healthcare system will see an avalanche of PII related theft in the future. I've not tracked the healthcare system this year as much as I have in the past, but this is one of those secondary value add suppliers that, in my opinion, are in danger of massive losses. Every healthcare CISO I talk with worries about this. I left movement as neutral, but believe the risk is high. I'd offer the same advice on the legal industry. 

2013 will bring new challenges, mostly associated with Cloud, Big Data, and Mobility. This should be no surprise to readers, as companies find massive returns on renting server, infrastructure, applications, etc., from cloud providers, and BYOD
is both a massive opex reduction and makes end users happy at the same time (Win-win! right? WRONG.).

Key takeaways for 2013:

  • Not surprising but the natural progression of things suggests that more companies will realize the devastation of being targeted and not be able to kick intruders off their networks. We call this realization their “Oh Sh*t!” moment... and we believe this feeling will spread like wildfire during 2013.
  • Our inability to deal with the overwhelming needs will result in a knee-jerk reaction for government to over-regulate and demand reporting from respective supply chain companies.
  • I should have placed BYOD concerns on last years thoughts, but BYOD at the time, was largely an immature concept. The idea that “Mechanics use their own tools, why shouldn’t computer workers?” means companies will realize the ROI associated with allowing the use of personal devices will bring an entire new crop of security concerns --all of which will feed the target footprint for those targeted events that we just talked about moments ago. BYOD is going to bring infosec pain. Be ready.
  • Last, large repositories are always great targets. As companies move to cloud based systems and big data repositories, we’ll see discrete attacks used against these large data sets in undetectable new TTPs.

To wrap up, every week we publish a simple highlight of the fusion report we published during the week. We could publish dozens (hundreds) of these things if we chose, but we try and choose something important that we believe users need to know about. 

  • This week we published FR12-033, which details a variant of malware leveraged in coordinated APT attacks involving several threat groups. The report revealed new intrusion infrastructure and contained information indicating a nexus with possible ties to a Chinese university. The incident is believed to have targeted a Federally Funded Research and Development Center (remember the discussion about indirect value add supply chain companies?). 
  • In the portal this week, early warning indicators were provided for pending DDOS activity targeting the US Banking community, and
  • We continued the "name and shame" analysis with a completed persona profile of a known operator and malware developer.
Whew. This was a long post. I hope you find it useful.
Until next time,
Have a great week.