Saturday, December 31, 2016

2017 and beyond?

I've been a little lazy about running metrics and probabilities on my 2017 predictions. The reason?  It's actually kind of boring! The idea of writing predictions for 2017 is very much like saying "it'll be dark until morning and then it'll be light".  As I look at 2017, I really calling this a no-brainer. My belief? 100% probability on each.

  • Ransomeware is being called out in just about every other predictive out there. No-brainer. Where there's easy money there'll be simple criminals; and since the vast majority of the attackers out there are simple criminals, ransomware poses a low-risk high payoff activity, and yes, it will cost you money --either to fix, or to pay them off. The upside? There are some tools out there that can help. Cybereason and others have published endpoint tools that watch for anomalous behavior, and claim to be able to stop Ransomeware before it begins. You tell me.
  • Voter manipulation??  Folks, you've seen only the tip of the iceberg. We've been talking about this stuff here for the last two years. A blog first appearing here was the reason for a story in the Christian Science Monitor two years ago, that received very little attention. Georgia, Ukraine, Bulgaria, more.  The NCCIC IOC list listed Carberp and BlackEnergy V2 and V3; tools we reported on in 2014 as we watched other elections unfold and those elections get tampered with. If you think this is new, you're missing the boat, and if you think this is going to stop because 35 Russian Spies and their families are booted from the country, you're mistaken.  Every country in the world will be using cyber as the equalizer. Russian breaches into Wordpress sites run by the DNC are easy targets, ripe for, at a minimum, understanding what's to come. 
  • Internet of Things? I think more about unprotected Cable Boxes! It's funny. Yes, I think about the Nest thermostat in my home and the fact Alexa (I got one for my birthday last year) listens all the time bothers me slightly, but that swarm of IoT devices doesn't bother me nearly as much as the idea that every cable modem gets deployed with the same user name and password; and then, even though the wireless is protected from the inside out using some form of WEP, WPA, etc., that generic user name and password can be logged into and used to turn off any security --all without the homeowner (or business owner) knowing, or being alerted. Worried about swarm attacks? You should be. That cable modem is likely one of the contributing factors. And it's only going to get worse in 2017 (and beyond). Cable modems. Really Stutzman? That all ya got? No, but the fact is,  users need higher bandwidth devices that will provide comms pathways for IoT, ICS, and tons of applications that will run through these little grey chokepoints, and those little grey chokepoints have nearly no protection. I think about this alot.
  • Hackless hacking is the idea that key logged systems are ubiquitous, and logging in with legitimate user credentials has become easier than ever. Shells, old DoS net commands, and legitimate credentials are not new, but they're making a reappearance and they're easy as hell to deploy and use. Drop in on a VPN to a local IP, use a legitimate user's name and password and viola, you're in. 
  • APT? It's still out there, but its pushed down from focusing on the big companies who've learned to defend themselves over the last few years into the smaller companies who can't. We signed our first small DIB Supply Chain company into the Red Sky Alliance this week. The CEO of a 20 person high tech manufacturing company came into the portal. He knows all about APT, but only from what the press has told him. Small defense companies around the world are in trouble --they manufacture low cost very cool things that keep the prices of new tech down, and at the same time create many of the innovations. Houston, we have a problem.. and it's not just in the US. The idea that state sponsored espionage can steal or manipulate your data by reaching into a smaller third party, partner, or supplier is not just a prediction, it's happening now.
  • Cyber Warfare --yes, I went there. I don't think I've EVER called this out before because I don't believe that there truly was ever (to date) a cyber war, but I believe we'll see the next great war fought in cyberspace using unmanned drones, robots, and turning on and off (and destroying, degrading, disrupting, etc.) critical targets via wire. I believe the cyber cold war has already begun with countries cordoning themselves off from the Internet and Vermont Electric companies finding evidence of alleged Russian hacking (now of course proven false --although it passed the Washington Post test!) and Iranian use of cyber, and don't forget us. To the rest of the world, the US is the APT. So yes, I believe we'll see rapid escalation of rhetoric and cyber warfare posturing --pre-warfare activities; we used to call it IPB --Intelligence Preparation of the Battlespace --shaping and preparing the battlespace to allow forces to operate effectively; identifying Order of Battle (OOB) --inventorying enemy forces; and looking for ways to both access, and measure damages.  
The upsides?
  • Cloud? Interestingly enough, cloud providers seem to be getting the message. While contracts still don't take responsibility for security, and the stacks are different from provider to provider, they do seem to be building more and more security controls --both customer controlled and baked into the cloud environments. I see this as a very positive sign. One really good thing I see? Containers are being built that (maybe) will help with security in cloud and software defined computing. I'm not even close to being called an expert in cloud or SDN, but the opportunities are ripe for new types of penetrations and the idea that folks are thinking about this as they build containers is a positive sign.
  • Training! One of the coolest things that happened this year is Ron Gula's new gig, Cybrary. I wish I'd thought of it. Training is available for free and I've got every one of my folks running through a curriculum --some are learning python, others more in-depth. If you've followed my blog, you know we built a small veteran training program. They're all in a Cybrary training pipeline --A+, Net+, Security+, and Python. This is a very good thing.
  • Intelligence is as old as he hills. It doesn't mean buy a list of aggregated data, pull it in using STIX/TAXII, and dump it straight into a red (or green, or blue) box. The upside? We're seeing (and hearing) from many many CISOs that they want intelligence, and they actually know the difference between the aggregated feed and intelligence. Even those who've never been exposed are coming around asking questions about what's effecting them. We love this.  
Unfortunately 2016 was the year where I scratched my head and asked myself, how the hell did we get here? We spend billions of dollars protecting our networks and the information we hold most dear, but every piece of tech is nothing more than another layer of stuff, built on the same operating systems and network architectures that got us here in the first place! 

Moving into 2017, what can you expect to see from us? 

We're hosting a "Big Broadcast" on Jan 11th. It'll be a conversational forum moderated by an old friend, Jay Healey, talking about issues we see coming in 2017.  Care to join us? Sign up here.

As well, Red Sky members will be seeing some changes that I think you're going to like. More on that later. 

Is all lost? No. But we need to figure out how to get our arms around some of the easy stuff. Where's the big red switch that changes all the passwords on the cable modems, and the basic authentication and security for those internet of things devices? How do I make Alexa stop listening? APT? Better be ready. This train isn't slowing down, it's speeding up. 

So, on that note... Happy New Year!