Saturday, December 28, 2013

Red Sky Weekly (12/28/13): Wrapping 2013 and moving into 2014

There seems to be a never ending line of experts reading tea leaves for 2014, and not wanting to be left out, I'm going to post my own momentarily.

First, I should tell you, I think of risk not only as a negative, but also, what offsetting factors are present. These are positives, and in many cases, positive influences also have risks. In all cases, risk is subjective and needs to be classified and prioritized. Where are you going to spend your money next year? (Of course I hope some of it is spent with Red Sky Alliance!) Regardless, I've ranked my 2014 thoughts in priority order based on presence of leading indicators, probability of the incident actually happening, impact if it does, and the kind of risk (i.e.: Technology, Operations, Enterprise, etc.). Some of these are higher level risks, some are technical, others focus on the actual operation of the business and effects posed by the government or competitors. I've not published the full detail here (because of blogger limitations), but will happily send it to you if asked:

BYOD Exploitation goes mainstream:  
  • High Confidence; Probability Imminent; Impact if successful: HIGH
  • Bring Your Own Device, while sound from a cost perspective creates massive security, and legal challenges. BYOD, especially in the SMB/supply chain enterprise space is a highly sought-after target for access to banking, espionage (military, corporate, competitive) information and infrastructures. BYOD targets are more likely creative or knowledge-based individual contributors. In fact, we in Red Sky see this every day. We track the exploitation of several BYOD targets who are victimized in the hopes their machines may be used for business as well as personal use. This is a LARGE opportunity for attackers to exploit the enterprise's weak link -the user at home where security messaging is often forgotten. 
Exploitation of non-routable space:  
  • High Confidence; Probability: Imminent; Impact if successful: HIGH
  • As users continue to click, code will continue to be installed in the enterprise. Virtual machines and proxy use will grow as a vector of direct log-in into organization networks. This is not new for those who've been dealing with APT/targeted attacks for the last few years, but for those of you reading VirusTotal today for the first time, wondering why that sample you submitted calls home to 8.8.8.5:53 (Google's DNS) and 10.0.0.1:137... well, sorry folks, you're about to earn your t-shirt.
Exploitation of DNS as a VPN:  
  • High Confidence; Highly Probable; Impact if successful: HIGH
  • VPNoverDNS, Iodine and other tools are creeping into the threat landscape and have been commercialized as mobile applications as well as more traditional tools. VPNoverDNS has been identified in multiple locations and touts it's ability to exfiltrate data when all other means are blocked. Companies who have high value information, and high levels of security, will always have DNS available to an attacker, and with tools available, the ability to exfiltrate data via DNS becomes a much stronger reality.
As the Cloud grows, so does its exploitation: 
  • High Confidence, Probability: High, Impact if successful: MEDIUM/HIGH
  • The only reason this doesn't carry a higher risk ratings is because not all have moved to the cloud. Cloud adoption by corporate users continues to grow. As such, so does exploitation of cloud.
Espionage moves to Sabotage:
  • High Confidence, Probability Medium, Impact if successful: TBD
  • Tools used for exploitation can, and have been used for sabotage. Stuxnet created an atmosphere where cyber as a means of destruction should be considered a normal part of the new threat landscape and organizations must be prepared. 
  • Add to this the fact that the need for a military to protect the masses in cyberspace no longer exists, and the idea of NGOs, hactivism organizations, and individuals have far greater cyber firepower than ever before. 
Exploitation of Controller Area Networks:
  • Moderate Confidence, Probability Medium, Impact if successful: TBD
  • Vehicles with OBD have accessible computer ports available today. Last year a DEFCON presentation discussed hacking an automotive CANBUS in the car; another (not at DEFCON) built a handheld device to unlock and start vehicles. This, we believe, is a strong pair of leading indicators, and the topic of vehicular controller area networks will only expand during the course of 2014 and beyond.
    • Areas of concern: Automotive, Aerospace, Trains, and Maritime vessels
The Gloves are off. Cyber is officially a form of warfare:
  • High Confidence, Probability: High, Impact in 2014: LOW/MEDIUM and growing
  • While still new, several countries have built or are building offensive cyber warfare capabilities. Earlier in the year, countries that had a cyber warfare programs in place were the US, UK, Canada, Israel, Germany, China, Iran, Pakistan, South Korea, DPRK, South Africa, and possibly Cuba (informally through partnerships with others).  As of this moment Brazil, Argentina, and Venezuela have begun developing their own cyber capabilities.  Russia is rapidly expanding its capabilities.  Singapore is currently developing theirs, but not much is known about it. It stands to reason that this escalation will continue, presumably at a much faster pace than the last few years. 
  • Countries will define cyber borders. BRIC nations (Brasil, Russia, India and China) formed a coalition to build isolated networks, and the Brazilians have taken to training other South American countries in the use of Cyber as an offensive tool. 
  • Bottom line: NSA, right or wrong, as well as the dozens of other organizations around the world collecting cyber and other technical intelligence (and there are MANY), have caused massive knee-jerk movements toward encryption, TOR, and other means of protecting communications and privacy in cyberspace. At the same time, countries and NGOs are taking stronger defensive positions and bolstering their ability to both attack and fend off attacks through active defensive measures.... this is going to get exponentially worse over the next few years.
Cyber becomes the business equalizer:
  • High Confidence, Probability High, Impact in 2014: Low, growing
  • As companies realize the escalation of formalized government and NGO sponsored offensive capabilities, criminal activities will also escalate and companies will realize the massive competitive equalizer that is cyber through these criminal activities. Several examples exist where companies are exploited by those who believe they can get away with stealing high tech data, money, etc. Again, a bit of a no-brainer, but this is going to get MUCH worse. Businesses as an operation must consider competitive forces in their cyber defense plans moving forward into '14 and beyond. 
  • Not only must the criminal impact be considered but the goodwill impact must also be considered. Goodwill actually carries value on the financials, and must include a company's ability to sell based on their investments in information security. Goodwill on the balance sheet will be impacted if the organization is blocked from working with a specific industry segment (government, banking, healthcare, etc.) because of their lack of security or activities. 
  • Need an example? Target is already subject to law suits for losses --and they've not even been quantified yet! Think Goodwill will be affected? Absolutely. While CFOs have not yet fully realized it, this is a new reality... 

Hackers will find alternative means of malware delivery and installation beyond spearphishing, wateringholes, etc. i.e.: light, sound, NRF, S-link, etc.
  • This is actually the softball that I'll toss into the mix. The idea that hackers will continue to innovate should surprise noone, but the ways that they're doing it are actually, IMO, kind of cool! The idea that RSA keys can be cracked over acoustic readings via wireless takes the idea of MASINT to a whole new level. And the thought that computers can be hacked via the speaker and mic on a system shouldn't probably be surprising, and much more complex to do than to think about, but I have a feeling you'll be seeing computer accessories built/sold to cover the mic and speakers.
Enough negativity for now. There are some positives:

First, you've heard me say this before. Now you'll hear it again.. what's old is new again!
  • Companies are learning to protect their jewels! Find what's important to your company, and wrap moats around it. It doesn't always work, but it's a mandatory first step.
  • Risk based models are (finally) popular! Nearly every CISO I talk to is working on processes to integrate threat intelligence into their operation. Why? Because it helps them assess risk! While they may not know it, Infosec is about assessing risk, and risk is derived through threat intelligence (one source obviously). I see this as a VERY positive sign. The security community is changing to intelligence-driven risk modeling!
Highlights from previous years? I've had a few... some right and some wrong.. here are some of the ones I called out last year:
  • I called for heavy VPN usage for exploitation. This has not only come true, but expanded to VPN over DNS, loading virtualized VPN servers in the enterprise, and rent-a-VPN from dozens of service providers around the world.
  • Growth of cross credential usage. Sadly, users still use one password for many accounts. With token and PKI exploitation growing daily, the ability to credential systems is growing harder and companies, because of costs, complexities, and the lack of understanding stick with what they know --passwords... of course the least secure of all. 
  • Growth of government concern and the need for SOX-like reporting. Whadya know.. the DFAR rule came out this year!
  • BYOD was on the radar, as well as Android exploitation. Both are discussed above. 
I'll close out with this... 2014 is going to bring some amazing challenges. One of the things we've been talking about (a lot) are the most common exploitation vectors, the TTPs associated with them, and targeting associated. If you're interested in having this discussion --prioritizing your work, understanding common attack vectors, etc., or would like a copy of previous years predictions, drop me a note.

...until next year...

From the team at Red Sky Alliance and Wapack Labs,
We wish you all a very happy, prosperous and secure New Year!
Jeff

No comments: