As the weeks remaining in 2011 dwindle and 2012 peeks out from
behind the last page of the calendar, it must once again be that time of
year for purposeful reflection and prediction. Or is that navel gazing
and star gazing?
The year still has a couple of weeks to rock on before we can
comprehensively summarize the events and trends of 2011. I’m sure there
will be a bunch of annual threat reports preempting the end of year –
extrapolating trends etc. in order to get the jump on reports that use
real data. At the highest level of navel gazing you could probably sum
up 2011 with one word – “More”. The bad guys got richer, more
successful, invented a few new attack vectors, and generally grew in
numbers; meanwhile the good guys got more efficient at causing the bad
guys pain, but continued to be outspent by the bad guys.
But let’s put that aside for now. What does 2012 hold in store for us?
It’s easy enough to predict the future when you’re merely commenting
upon the trends of past years and projecting “more” of the same. While I
can offer no shortage of meaningful predictions for 2012 across a broad
range of threat and security categories, I thought it would be fun to
pick three topics that stole much of the limelight of 2011 – APTs,
mobile malware and botnet takedowns.
So, without further ado, here are a handful of predictions for 2012.
APT Bonanza
The volume of persistent attacks directed at large corporations will
continue to increase and the victims will continue to feel as though
they have been specifically targeted. There will thus be a presumption
of sophistication to successful penetrations, which will lead to more
organizations concluding that they have been the victim of an APT –
which, after more detailed analysis and external input, will
increasingly be revealed as false claims.
- More attacks will be labeled as APTs due to misunderstanding by the
victims, or because of an implied “get out of jail” tactic when public
disclosure of the breach is mandated by law.
- External analysts and security firms will dedicate more time and
resources to analyzing breaches that are disclosed as “APTs”, and will
be more vocal in correcting false claims.
- A growing unease will be attributed to the “cry wolf” mentality of labeling breaches as APTs throughout the year.
- Real APT attacks will increasingly be lost in the noise of
falsely-claimed APTs, and the sophisticated attackers will be able to
further obfuscate the intent of their attacks.
Mobile Malware threats will continue to be misunderstood
Mobile malware will divide into two streams – Smartphone malware and
tablet crimeware. Both mobile malware streams will be similarly
unimpressive from a threat sophistication perspective; however, their
criminal intent will direct their evolutionary changes. Tablet crimeware
will develop at a faster pace than Smartphone malware in 2012 as the
opportunities to defraud potential victims on tablet systems grow
more quickly.
- The hype around mobile malware will continue to exceed the threat
and the cybercriminals’ capabilities in 2012 – but the cybercriminals and
security researchers will strive to meet that hype.
- As mobile systems become more usable for day-to-day financial
transactions and online stores tune their shopping portals for
larger-screened mobile devices, cybercriminals will increasingly target
these platforms. This crimeware (and injection vectors) will be more
“traditional” and a closer facsimile of current generation PC-based
crimeware capabilities than many have projected in the past.
- Smartphones, long seen as “the” mobile threat vector and with the
longest history of malware abuse (e.g. Symbian-based malware and
premium-rate fraud), will technically be susceptible to the same malware
as that affecting tablet systems – but will not be the primary target
of attack.
- Cybercriminals that develop malware specifically for Smartphones
will increasingly target the devices for propagation purposes – seeking
to infect other (traditional) corporate systems and to breach corporate
VPNs.
- In the corporate realm, the Bring-Your-Own-Device (BYOD)
consumerization of IT will entice cybercriminals that target enterprise
networks to innovate new attack and propagation vectors. Throughout 2012
new vectors will be theorized and may be developed as proof-of-concept
tools, but the hype will be bigger than reality because there are
technical hurdles within the operating systems of the mobile devices
that have yet to be overcome.
- Security conferences of the Black Hat ilk will, throughout 2012, uncover
and illustrate new vectors that subvert the underlying mobile device
operating systems; these will be leveraged in the 2013 timeframe for the
targeted propagation of crimeware via BYOD.
- The traditional invasive and “scary” mobile malware capabilities
(e.g. eavesdropping on the victim’s calls, tracking the device owner,
etc.) will not advance in 2012 and will continue to be potential
capabilities rather than primary objectives for attackers.
- The first generation of commercial “DIY” mobile crimeware
construction and attack tools will be developed and sold by enterprising
cybercriminals.
- Large scale botnets will not exist on the mobile platforms in 2012.
There will be several “proof-of-concept” botnet implementations and
theoretical attacks but, from an overall global threat perspective, they
will be insignificant.
Botnet takedowns will be ineffective
Despite a number of public and media-hyped botnet takedowns in 2011,
and the prospect of increased takedowns in 2012, the overall impact on
cyber-criminal operations will decrease. In response to the 2011
takedowns, cybercriminals will change some of their management tactics,
further distribute their command-and-control (C&C) infrastructure,
and invest in improved and more diverse infection vector operations.
- Professional criminals who build and monetize botnets will invest in
more robust crimeware distribution technologies and services. The
capability to infect 10,000+ computers per day will be more important
than the marginal loss of 3-year old botnets with only a few hundred
thousand infected devices.
- Botnet C&C infrastructure will continue to become more agile –
flitting between domain names, IP addresses and physical locations at an
increasing pace. In 2011 this agility was measured in weeks; by the end
of 2012 it will be measured in hours.
- Botnet operators will add more layers between themselves and their
victims. In 2011 cybercriminals increasingly adopted the use of
commercial anonymous VPN services to connect to their C&C servers,
and deployed C&C proxies between the botnet victims and the real
C&C servers. In 2012 we can expect this trend to continue and there
is a high probability that multiple layers of C&C proxies will be
adopted to further protect the cybercriminals’ C&C investment.
- Noisy botnets (i.e. Spam botnets and DDoS) will continue to be the
focus of legal botnet takedowns. In response, cybercriminals will in
most cases reduce the noise of their botnets and will also further
segment their botnets to ensure that the entire botnet is not lost in a
single takedown operation.
- Botnet takedown attempts will become more “risky” as the takedown
entities become more comfortable with the process. Risk will be
introduced as the entities pursue remote clean-up and remediation of
victim devices.
- “Good guy” botnet remediation services will become a commercial
reality in 2012. As multiple security vendors and academic institutions
focus upon the botnet menace they will uncover more vulnerabilities
lying within the heart of both the botnet malware and the C&C portal
software. There will be growing pressure to exploit these
vulnerabilities for the purpose of usurping control of the botnet from
the cybercriminals’ hands and to issue appropriate shutdown and uninstall
commands directly from the compromised C&C servers.
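The C&C agility prediction above (churn measured in weeks in 2011, in hours by the end of 2012) is something a defender can actually measure from their own sighting data. The following Python is an added example, not code from the original post: it reads constructed C&C sighting logs (the timestamps, family names, domains and addresses are all made up, using reserved documentation ranges) and reports, per malware family, the median time each C&C endpoint stayed current before the bots moved on to the next one.

```python
from datetime import datetime
from statistics import median

# Constructed sample of C&C sightings, one per line: "<ISO timestamp> <family> <domain> <ip>".
# Domains and addresses are documentation/reserved values, not real indicators.
SAMPLE_LOG = """\
2011-03-01T00:00:00 botA c1.example 203.0.113.10
2011-03-08T12:00:00 botA c1.example 203.0.113.10
2011-03-15T00:00:00 botA c2.example 203.0.113.11
2011-04-05T00:00:00 botA c3.example 198.51.100.7
2011-04-26T00:00:00 botA c3.example 198.51.100.8
2012-11-01T00:00:00 botB c9.example 203.0.113.50
2012-11-01T03:00:00 botB c9.example 203.0.113.51
2012-11-01T06:00:00 botB c10.example 203.0.113.52
2012-11-01T10:00:00 botB c11.example 203.0.113.53
"""

def parse_sightings(text):
    """Parse the log into (timestamp, family, (domain, ip)) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, family, domain, ip = line.split()
            rows.append((datetime.fromisoformat(ts), family, (domain, ip)))
    return sorted(rows)

def dwell_hours(sightings):
    """Per family: hours from the first sighting of each C&C endpoint to the first
    sighting of the endpoint that replaced it (how long each endpoint stayed current)."""
    first_seen = {}  # family -> [(first timestamp, endpoint), ...] in order of first use
    for ts, family, endpoint in sightings:
        seen = first_seen.setdefault(family, [])
        if all(endpoint != e for _, e in seen):
            seen.append((ts, endpoint))
    return {fam: [(b[0] - a[0]).total_seconds() / 3600 for a, b in zip(seen, seen[1:])]
            for fam, seen in first_seen.items()}

def agility_label(hours):
    """Coarse bucket matching the post's 'weeks' versus 'hours' framing."""
    return "weeks" if hours >= 7 * 24 else "days" if hours >= 24 else "hours"

def summarize(text):
    """family -> (median dwell in hours, label); families seen on one endpoint only are skipped."""
    out = {}
    for fam, dwells in dwell_hours(parse_sightings(text)).items():
        if dwells:
            m = median(dwells)
            out[fam] = (m, agility_label(m))
    return out
```

With the sample above, botA (the 2011-style family) lands in the "weeks" bucket and botB in the "hours" bucket; on real data the same per-family trend line is what tells you whether a takedown list of domains and addresses will still be current by the time it is acted on.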
I wonder how many of these predictions will come to fruition? I guess we’ll find out in 380 days.
– Gunter Ollmann, VP Research
Tags: 2012, APT, botnets, malware, mobile, prediction
This entry was posted
on Tuesday, December 13th, 2011 at 6:21 pm and is filed under Industry Commentary, Threat Research.