Anup Ghosh on Cybersecurity in 2012: Let’s break the security insanity cycle

Editor’s note: the post below by Anup Ghosh first appeared on the Invincea blog and is republished here with the author’s permission. bg

Prediction 2012: Hackers Will Find New Fertile Ground to Pharm

Posted by Anup Ghosh on November 29, 2011

Invincea is on record that the year 2011 will go down as the year the fundamental underpinnings of Internet security fell. In fact, it is the bloodiest year on record for Internet security. Not only did we witness compromises of Certificate Authorities to forge digital certificates, the compromise of the market-leading two-factor authentication product, and SSL, but also the rise of the Hacktivist in taking down major corporations publicly.

Once again, it’s that time of year where we not only reflect on the year behind us, but also contemplate what the future holds.

The 2011 List
In thinking about 2012, it’s worth a look back at what we predicted for 2011:

1. Malware: The explosive growth trend of Malware will continue on an exponential growth trend from 2010 levels. Current signature-based approaches will continue to encourage the production of massive amounts of new malware variants. Web-based exploits will continue to be the primary attack vector, focusing on trust-based exploits to get users to infect themselves on the one hand, while drive-by exploits on the other will focus on Java and plug-ins/extensions.

OK, admittedly this was a lay-up. McAfee reports over 80,000 new variants of malware generated each day – a 400% increase in the rate of malware production since 2007. While the number of Java-based browser exploits did rise significantly, one interesting trend we saw was an increase in thread-injection attacks from browser exploits against operating system services. This tactic evades most anti-virus and application white-listing techniques by never hitting disk on the one hand and by compromising existing white-listed programs on the other.
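Because the injected code never touches disk and runs inside an already white-listed process, file-based signatures and allow-lists have nothing to match on; what remains observable is the cross-process thread creation itself. The following is an added example (not code from the original post or from Invincea) showing the kind of detection logic a defender would run over endpoint telemetry: it parses constructed "remote thread created" events in a hypothetical log format and flags any browser or plug-in host process that starts a thread inside an operating system service process. The log format, process lists and sample lines are all assumptions for illustration.

```python
"""Flag remote-thread creation from browser/plug-in processes into OS services.

Added example: the event format below is hypothetical and loosely modelled on
endpoint 'remote thread created' telemetry; the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample telemetry (not from the original post).
SAMPLE_EVENTS = """\
2011-11-29T10:01:03Z CreateRemoteThread source=C:\\Program Files\\Mozilla Firefox\\firefox.exe spid=2212 target=C:\\Windows\\System32\\svchost.exe tpid=804
2011-11-29T10:01:05Z CreateRemoteThread source=C:\\Windows\\System32\\csrss.exe spid=404 target=C:\\Windows\\System32\\winlogon.exe tpid=452
2011-11-29T10:02:10Z CreateRemoteThread source=C:\\Program Files\\Java\\jre6\\bin\\java.exe spid=3100 target=C:\\Windows\\System32\\lsass.exe tpid=512
2011-11-29T10:03:44Z CreateRemoteThread source=C:\\Program Files\\Internet Explorer\\iexplore.exe spid=1500 target=C:\\Program Files\\Internet Explorer\\iexplore.exe tpid=1532
"""

# Processes that render untrusted web content (browsers and plug-in hosts).
# Assumed list for the example; tune to the images deployed in your fleet.
BROWSER_IMAGES = {"firefox.exe", "iexplore.exe", "chrome.exe", "java.exe", "acrord32.exe"}

# Long-lived, typically white-listed OS service processes that an attacker
# would want to hide inside. Also an assumed list for the example.
OS_SERVICE_IMAGES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "spoolsv.exe"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) CreateRemoteThread source=(?P<source>.+?) spid=(?P<spid>\d+) "
    r"target=(?P<target>.+?) tpid=(?P<tpid>\d+)$"
)


@dataclass
class ThreadEvent:
    timestamp: str
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[ThreadEvent]:
    """Parse the constructed event lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append(ThreadEvent(
            timestamp=m.group("ts"),
            source_image=m.group("source"),
            source_pid=int(m.group("spid")),
            target_image=m.group("target"),
            target_pid=int(m.group("tpid")),
        ))
    return events


def is_suspicious(event: ThreadEvent) -> bool:
    """True when a web-content process creates a thread inside an OS service.

    Browser-to-browser thread creation (e.g. a browser managing its own
    child processes) and service-to-service activity are left alone; the
    signal is the boundary crossing from the untrusted renderer into a
    white-listed service.
    """
    src = image_name(event.source_image)
    dst = image_name(event.target_image)
    return src in BROWSER_IMAGES and dst in OS_SERVICE_IMAGES


def detect_thread_injection(text: str) -> List[ThreadEvent]:
    """Return the events that should raise an alert."""
    return [e for e in parse_events(text) if is_suspicious(e)]


if __name__ == "__main__":
    for alert in detect_thread_injection(SAMPLE_EVENTS):
        print(f"{alert.timestamp} ALERT {image_name(alert.source_image)}[{alert.source_pid}] "
              f"-> {image_name(alert.target_image)}[{alert.target_pid}]")
```

On the constructed sample, the Firefox-to-svchost and Java-to-lsass events are flagged while the csrss-to-winlogon and Internet Explorer-to-Internet Explorer events are not. The point of the design is that the rule keys on a behaviour (who creates threads in whom) rather than on a file hash or an allow-listed image name, which is exactly what the in-memory tactic described above is built to sidestep.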

2. Blame the User: The “blame the user” mentality will continue to grip the Security industry as users continue to be infected by trust-exploiting malware that leverage social networks. Many will call for enhanced user training; many will draw the conclusion that the endpoint cannot be protected. These parties will find themselves the victims of continuous intrusions. A new breed of security company will emerge as the answer to the malware scourge.

Security Ops teams continue to blame the user for infections. Users are the target of cyber adversaries because they are improperly put in the position of making security decisions – decisions they are not equipped to make. As long as we continue to design systems that depend on users to make correct security decisions, we will continue to blame users and wonder why our networks get compromised. Making matters worse, these companies tend to adopt a victim mentality, refusing to disclose breaches publicly unless forced to do so, and then refusing to disclose the methods of the attacks. The truth is we’re all victims of cyber exploits. It’s time to remove the stigma and disclose what’s going on if we are ever going to force change in the industry.

3. Reactive Approaches to Security Will Continue to Fail: Complaints about the ineffectiveness of anti-virus solutions will continue…yet organizations will continue to renew their subscriptions and anti-virus companies will continue to report how the problem is getting worse without mentioning how ineffective they are against addressing the threat.

No doubt – reactive approaches still dominate security technology. The security industry won’t change as long as customers still re-up their security subscription even when it isn’t working for them.

4. Major Breaches in Sectors with Intellectual Property: Another large scale Google-esque breach will occur – millions more will occur but never be disclosed or publicized. Nation state actors will continue to evolve their focus towards America’s corporations and the intellectual property that drives their success. Pharmaceutical will be a big target for Nation state attacks.

Operation ShadyRAT, Nitro, NASDAQ…need we say more?

5. Hacktivists Will Bask in Their New Found Glory: More hacktivist attacks and counter-attacks in 2011 – including DDoS and website defacing against corporations and government agencies as a response to globalization, political unrest, and perceived unfair corporate practices.

Anon, LulzSec, Anti-Sec found their sea legs – buoyed by a perceived greater cause and the ease with which large corporations could be brought to their knees. Meanwhile, the industry trembled before them.

6. Critical Infrastructure Attacks: Critical infrastructures have been given adequate notice. Attacks against critical infrastructure systems will become more common since the methods of StuxNet have become publicly available. Expect electric grid outages, chemical, gas, oil and energy plant infections to be on the rise.

Duqu, public utility hacks, SCADA control systems…it is fashionable to go after an easy target – and preps the battlefield for cyberwarfare.

7. Hello Android: The emergence of Android-based attacks will become bigger news as Android begins to take larger market share from iPhone and users rush to download new apps that are not vetted by Google – some of which will be malicious, others just vulnerable to attack. Attacks against the Google browser on Android will become more common.

DroidDream compromised over 250,000 phones with a rootkit. With no vetting of the apps published to the Android marketplace, users are forced to decide on their own which apps are malicious or may infringe on their privacy.

8. Windows Kernel Exploits: More attacks against the Windows operating system kernel will emerge to exploit application sandboxes in desktop software applications running Firefox, Chrome, IE or Adobe Reader X.

While numerous critical vulnerabilities were discovered in browsers in 2011, significantly enough, Duqu leveraged a previously unknown Windows kernel exploit.

9. Organized Crime Rises: The glory days of hacking for fun are over. Organized cyber crime will grow in strength and sophistication, especially in recruiting human mules to pull money out of the system from illegal bank transfers initiated by banking malware. Banks will begin to take serious losses to make consumers whole, and businesses will win court cases against banks for negligence in banking system security – including the business systems of customers.

Organized crime dominates most cyber exploits today because of the sheer economics of cyber crime. In Operation Ghost Click, the FBI disclosed that over 4 million users were compromised and the Estonian crime ring, which consisted of six individuals, netted over $14m.

10. Congress Will Rear Its Head: Major Cyber legislation will be passed by Congress that increases security costs substantially for regulated industries (e.g. public companies, govt contractors, critical infrastructure providers, ISPs, etc.) without a commensurate reduction in security breaches.

Fortunately, this hasn’t come to pass yet – but it hasn’t stopped Congress from threatening cyber security legislation to be imposed on industry, or the White House from putting out policy positions on cyberwarfare.

The 2012 List
Our predictions for 2011 weren’t too far off the mark and with 20/20 hindsight, it all seems obvious. In thinking about 2012, there isn’t much we’d take off the list – largely because there isn’t much we changed as an industry. We are stuck in a cycle of penetrate, remediate, patch – or as we call it – wash, rinse, repeat security. We should expect to see more of the same. However, repeating 2011’s list is not interesting. So here is our list of predictions for the coming year. We believe that 2012 will be the year that hackers grow bored of tilling the same old fields that are largely compromised anyway. As a result, they will go in search of interesting targets and high-value/high-consequence targets.

1. Toxic Clouds: Perhaps the most significant move in 2011 was the adoption of cloud computing at a meaningful scale. The adversarial side of security is as much of a business as (and perhaps more profitable than) the defense side of security. As corporations and government migrate their data from their desktops and internal servers to the cloud, the adversary will follow suit. How perfect is that? Now all of the data is gathered in one place – ready to hack – and not scattered across various machines on a network that requires time and effort to find and more machines to compromise along the way. Much as corporations have moved to the cloud, we should expect hackers/Hacktivists to use the cloud for their own take-down efforts and command and control networks.

2. Critical Infrastructure Attacks: Up until now, attacks against critical infrastructures have been both few and far between and hard to confirm. The lesson learned from StuxNet by the adversarial community is critical infrastructures are now in play – fair game if you will. The bad news for critical infrastructure providers is they can no longer hide from the threat and pretend they aren’t aware of what’s happening. 2012 will see concerted attacks against power and utility plants, among other critical infrastructures.

3. Cyber Physical Systems Compromise: In the search for more interesting devices to hack, the adversary is going to transition from traditional IT networks to embedded systems – which we normally think of as physical systems. Things like your car, TVs, your house, your office building and mass transit systems. In other words, systems that are networked and run a lot of software will be fertile ground for hackers. Give a hacker a network interface with software listening behind it and he’ll own it.

4. Smartphones, Tablets…Hand-held Exploits: Exploit development for handhelds is still in its nascent stages. Even hackers have to learn skills when it comes to Android and Objective C. However, cyber crime and exploit development are driven by economics. The growth of Android and other handhelds will create a surge in demand for exploits against Android and the Apple iOS operating systems. The device manufacturers, operating system vendors, and the mobile-device management industry segments are not prepared to address vulnerabilities in software on these platforms, nor the malicious apps written to compromise them.

5. Cyberwarfare: For a long time, the use of the term “cyberwarfare” was verboten among the cyber literati as it was playing into the war machine hyperbole. With StuxNet breaking previously unwritten rules in targeting critical infrastructures and Duqu – “The Son of StuxNet” – collecting information from SCADA vendor systems, the groundwork is being laid for cyberwarfare operations. Expect more sabre rattling from the major cyber powers and non-attributable offensive operations against strategic targets.

If 2011 was a watershed year in cyber security, how will 2012 be remembered?

Perhaps as the year the Digital Pearl Harbor comes to pass? We hope not, but let’s not wait for it. The equivalent of death by a thousand cuts is what we face every week. One side effect of the dramatic headlines in cyber nearly every week is desensitization. At what point will we become numb to what is going on in the network?

One of the risks that may become apparent in 2012 is that dramatic attacks like compromising 4 million users will be passé – another day in the life on the network. Hacking a power company, an act which results in brown-outs, will become part of the routine. Let’s hope that instead, 2012 is the year we commit to changing the way we approach security. We must adopt security architectures that proactively prevent intrusions rather than reacting to the breach after the fact, spending time, effort and countless dollars to assess how bad the damage is.

Let’s break the security insanity cycle in 2012.

Original post
