The 2013 Security Threat Report recaps what happened in data security in 2012, and what trends are ahead in 2013. For more information, visit: http://bit.ly/VcLfLa
2. Sophos update
Protecting businesses for over 27 years
• First European-based vendor of security solutions for businesses
• Headquartered in Oxford, UK
• Billings in excess of 400M US$ (300M €)
• Global with a strong European base
• 100 million users
• 1,600 employees worldwide
• 5 SophosLabs centers, including 2 in the EU: Oxford, Budapest, Boston, Vancouver, Sydney
• 8 R&D centers, including 6 in the EU: Oxford, Aachen, Budapest, Dortmund, Karlsruhe, Linz, Munich, Vancouver
• Dedicated to businesses
3. Triple Leader
Endpoint: Gartner Magic Quadrant for Endpoint Protection Platforms
Data: Gartner Magic Quadrant for Mobile Data Protection
UTM: Gartner Magic Quadrant for Unified Threat Management
Sources: Gartner: Magic Quadrants for Endpoint Protection Platforms (2 Jan 2013), Mobile Data Protection (6 Sep 2012), and UTM (5 March 2012).
The Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report.
4. Triple Champion
Endpoint: Info-Tech Vendor Landscape for Endpoint Anti-Malware
Data: Info-Tech Vendor Landscape for Endpoint Encryption
UTM: Info-Tech Vendor Landscape for Next Generation Firewalls
Sources: Info-Tech: Vendor Landscape for Endpoint Anti-Malware (October 2012), Endpoint Encryption (December 2011), and UTM (October 2012).
The Vendor Landscape graphic was published by Info-Tech as part of a larger research note and should be evaluated in the context of the entire report.
6. Agenda
Web
Blackhole
Java
Ransomware
ZeroAccess
Mac OS X
Android
Cloud
Targeted Attacks
Long Tail
Perspectives for 2013
Conclusions
6
7. Threats continue to grow
SophosLabs analyze 250,000+ new malware samples every day
8. Spam is diminished but not defeated
• Authorities are successfully fighting back: in July, the dismantling of the Grum botnet's command and control servers, first in the Netherlands and then in Panama and Russia, reduced spam volume by 17%
• But targeted attacks such as spear phishing are growing
9. Web is the new Email
Web is the predominant mechanism to infect users
(Chart comparing Spam and Web as infection vectors; the slide shows an 85% share)
11. Drive-by downloads
Exploit kits make it trivial for anyone to exploit users over the web
• Exploit packs can be bought relatively cheaply
• No skill required
• Content created to target relevant browser and application vulnerabilities
• ‘Silent’ infection of victims
18. Toolkits & Polymorphism
• Blackhole attacks multiply thanks to widely spread toolkits
• They make extended use of JavaScript obfuscation capabilities in their attempts to evade detection, combined with server-side polymorphism
22. Blackhole (v1.x)
Targets a large array of vulnerabilities, a majority of them in Java
CVE Target Description
CVE-2012-4681 Java Java forName, getField vulnerability
CVE-2012-0507 Java Java AtomicReferenceArray vulnerability
CVE-2011-3544 Java Oracle Java SE Rhino Script Engine Remote Code Execution vuln
CVE-2011-2110 Flash Adobe Flash Player unspecified code execution (APSB11-18)
CVE-2011-0611 Flash Adobe Flash Player unspecified code execution (APSA11-02)
CVE-2010-3552 Java Skyline
CVE-2010-1885 Windows Microsoft Windows Help and Support Center (HCP)
CVE-2010-1423 Java Java Deployment Toolkit insufficient argument validation
CVE-2010-0886 Java Unspecified vulnerability
CVE-2010-0842 Java JRE MixerSequencer invalid array index
CVE-2010-0840 Java Java trusted Methods Chaining
CVE-2010-0188 PDF LibTIFF integer overflow
CVE-2009-1671 Java Deployment Toolkit ActiveX control
CVE-2009-4324 PDF Use after free vulnerability in doc.media.newPlayer
CVE-2009-0927 PDF Stack overflow via crafted argument to Collab.getIcon
CVE-2008-2992 PDF Stack overflow via crafted argument to util.printf
CVE-2007-5659 PDF collab.collectEmailInfo
CVE-2006-0003 IE MDAC
23. Instant exploit of vulnerabilities
What is the future of Java?
• August 2012: CVE-2012-4681 zero-day
• Rapidly targeted by Metasploit and by exploit kits
“It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.”
24. Blackhole 2.0
September 2012 – New version of the exploit kit announced!
• Less predictable URLs
• Harder to track
• Harder to block via IDS
• More aggressive blacklisting
• “Monitor” mode
• Slimmer
• Fewer vulnerabilities
• Etc.
25. Blackhole (v2.x)
Reportedly slims down the number of exploits it targets
CVE Target Description
CVE-2012-4681 Java Java forName, getField vulnerability
CVE-2012-0507 Java Java AtomicReferenceArray vulnerability
CVE-2011-3544 Java Oracle Java SE Rhino Script Engine Remote Code Execution vuln
CVE-2011-2110 Flash Adobe Flash Player unspecified code execution (APSB11-18)
CVE-2011-0611 Flash Adobe Flash Player unspecified code execution (APSA11-02)
CVE-2010-3552 Java Skyline
CVE-2010-1885 Windows Microsoft Windows Help and Support Center (HCP)
CVE-2010-1423 Java Java Deployment Toolkit insufficient argument validation
CVE-2010-0886 Java Unspecified vulnerability
CVE-2010-0842 Java JRE MixerSequencer invalid array index
CVE-2010-0840 Java Java trusted Methods Chaining
CVE-2010-0188 PDF LibTIFF integer overflow
CVE-2009-1671 Java Deployment Toolkit ActiveX control
CVE-2009-4324 PDF Use after free vulnerability in doc.media.newPlayer
CVE-2009-0927 PDF Stack overflow via crafted argument to Collab.getIcon
CVE-2008-2992 PDF Stack overflow via crafted argument to util.printf
CVE-2007-5659 PDF collab.collectEmailInfo
CVE-2006-0003 IE MDAC
26. Blackhole payloads
Payloads distributed by Blackhole between August and September 2012 (pie chart):
• Zbot 25%
• Ransomware 18%
• PWS 12%
• FakeAV 11%
• Sinowal 11%
• ZeroAccess 9%
• Backdoor 6%
• Other 6%
• Downloader 2%
28. Ransomware
The new scareware?
• Malware that locks/encrypts user data
• Pay ransom to access files
• Simple: password-protected archives
• Medium: XOR, shift
• Complex: RC4, public key crypto
Recover data?
32. Ransomware: Matsnu
File encryption
Manifest file layout (one entry per encrypted file):
original_filename1.ext / new_filename1.ext / key
original_filename2.ext / new_filename2.ext / key
… / … / …
• Recovery tool? No!
• Decryption/recovery requires:
  • Grab data value from HTTP request
  • B64 decode (-> MASTER_KEY)
  • Grab machine ID from HTTP request
  • RC4 decrypt the MASTER_KEY with this
  • Append constant string
  • RC4 decrypt manifest file with machine ID key
  • DWORD transposition
  • RC4 decrypt this using the MASTER_KEY
  • Locate file you wish to decrypt in the manifest file
  • Grab RC4 key for file, append constant string
  • RC4 decrypt file
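The recovery chain on this slide, carried through end to end in Python. This is an added illustration, not Sophos's recovery tool or anything from the malware itself: RC4 is the genuine stream cipher, but the constant string suffix, the manifest layout (original name, new name, key on consecutive lines), the exact form of the "DWORD transposition" (assumed here to reverse the bytes inside each 4-byte word) and every sample value are constructed assumptions so that the chain can be run offline.

```python
"""Matsnu-style recovery chain (added example; see lead-in for assumptions)."""
import base64

# ASSUMPTION: placeholder for the constant string the slide says is appended
# to the machine ID and to each per-file key before RC4.
CONST_SUFFIX = b"PLACEHOLDER_CONSTANT"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def dword_transpose(data: bytes) -> bytes:
    """ASSUMED form of the slide's 'DWORD transposition': reverse the byte
    order inside every 4-byte word. The operation is its own inverse."""
    if len(data) % 4:
        raise ValueError("manifest is not DWORD aligned")
    return b"".join(data[i:i + 4][::-1] for i in range(0, len(data), 4))


def recover_master_key(http_data_b64: str, machine_id: bytes) -> bytes:
    """Slide steps 1-3: take the 'data' value from the HTTP request,
    base64-decode it and RC4-decrypt it with the machine ID."""
    return rc4(machine_id, base64.b64decode(http_data_b64))


def decrypt_manifest(blob: bytes, machine_id: bytes, master_key: bytes) -> dict:
    """RC4 with machine_id + constant, undo the DWORD transposition, RC4 with
    the master key, then parse original/new/key triples into a table keyed
    by the renamed file."""
    layer = rc4(machine_id + CONST_SUFFIX, blob)
    plain = rc4(master_key, dword_transpose(layer))
    lines = [ln for ln in plain.decode("ascii").split("\n") if ln]
    if len(lines) % 3:
        raise ValueError("manifest did not decrypt to original/new/key triples")
    return {lines[i + 1]: (lines[i], lines[i + 2].encode("ascii"))
            for i in range(0, len(lines), 3)}


def decrypt_file(manifest: dict, new_name: str, ciphertext: bytes):
    """Look the renamed file up, append the constant to its key, RC4-decrypt."""
    original, file_key = manifest[new_name]
    return original, rc4(file_key + CONST_SUFFIX, ciphertext)


def recover(machine_id, http_data_b64, manifest_blob, new_name, ciphertext):
    """The whole chain from the slide, in order."""
    master_key = recover_master_key(http_data_b64, machine_id)
    manifest = decrypt_manifest(manifest_blob, machine_id, master_key)
    return decrypt_file(manifest, new_name, ciphertext)


def build_constructed_sample():
    """CONSTRUCTED test data: run the chain forwards so recover() has a
    realistic input. None of these values come from a real infection."""
    machine_id = b"MACHINE-0001"
    master_key = b"constructed-master-key"
    file_key = b"constructed-file-key"
    http_data_b64 = base64.b64encode(rc4(machine_id, master_key)).decode("ascii")
    manifest_plain = b"report.docx\nA1B2C3D4.dat\n" + file_key + b"\n"
    manifest_plain += b"\n" * (-len(manifest_plain) % 4)  # keep it DWORD aligned
    manifest_blob = rc4(machine_id + CONST_SUFFIX,
                        dword_transpose(rc4(master_key, manifest_plain)))
    ciphertext = rc4(file_key + CONST_SUFFIX, b"quarterly figures: confidential")
    return machine_id, http_data_b64, manifest_blob, "A1B2C3D4.dat", ciphertext


if __name__ == "__main__":
    print(recover(*build_constructed_sample()))
```

Because RC4 is symmetric and the assumed transposition is an involution, the constructed sample is produced by running the same primitives in the opposite order; a real recovery would take the master key and machine ID from captured HTTP traffic exactly as the slide describes, and the only parts that would need to be confirmed against a real sample are the constant and the transposition.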
34. ZeroAccess
ZeroAccess is a rootkit family typically dropped on the system by a Blackhole attack
35. Hiding
ZeroAccess evolves its hiding techniques depending on the OS
32 bit: malicious driver; encrypted file system; linked folder
64 bit: Global Assembly Cache; injected DLL; hide ‘in plain sight’
39. After Fake AV for Mac ...
MacDefender, MacSecurity and more
39
40. Flashback (OSX/Flshplyer)
Flashback on a malware epidemic on Mac OS X
• 600,000 Mac OS X systems infected in spring 2012
• These systems were enrolled in a very large-scale botnet
• First appearance at the end of 2011
• Pretended to be a Flash installer
• Passive and silent download
• Exploited several Java vulnerabilities on Mac OS X
• In March, exploited a vulnerability that Apple corrected only in April
• 2.1% of Mac systems were infected at the peak of the infection (estimate based on Sophos free anti-malware for Mac)
41. Morcut (OSX/Morcut-A)
More sophisticated and potentially more dangerous
• Designed for spying
• Monitors virtually every way a user communicates
• First appearance in July 2012
• Posed as a Java Archive file (JAR)
• Pretended to be signed by Verisign
• Deployed kernel driver components to hide and run without the administrator’s authentication
• Reflects an extremely thorough understanding of Mac programming techniques, capabilities, and potential weaknesses
• Perfect tool for targeted attacks
42. And more ...
(Chart: distribution of the 4,900 Mac OS X malware samples that spread in the first week of August 2012)
44. Mobile Malware
(Chart: Android malware samples by quarter, Jan 2011 to Oct 2012, on a 0 to 60,000 scale, reaching 54,900)
45. Threat Exposure Rate
In the USA and Australia, this rate exceeds that of PCs
46. Why Android?
• Adding applications to the marketplace is easy
• Repackaged apps
• Alternative Android application markets
• Forums and file sharing sites
• “Cracked” apps
• Alternative markets
• Android app landscape similar to Windows
48. Andr/Boxer & Andr/Fake
Premium SMS Trojans
Andr/Boxer:
• Percentage in total: 56.8%
• Number of premium SMS: >3
• Targeted countries: Russia, Ukraine and Kazakhstan
• Other functionalities: determine premium number based on the Mobile Country Code; access website
Andr/Fake:
• Percentage in total: 17.5%
• Number of premium SMS: 0-4
• Targeted countries: Russia
• Other functionalities: download and install applications; access website; masquerade as a legitimate app
50. Andr/FkToken-A - mTAN
Mobile transaction authentication number sent by banks to authenticate online bank transactions
• Catch SMS message
• Send SMS message
• Delete SMS message
• Contact remote sites to get a list of info like the attacker’s phone number and websites
• Also it looks like it will download and install an apk
(Screenshot: a trial sample detected as Andr/FkToken-A)
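The behaviours behind the premium SMS trojans on the Andr/Boxer and Andr/Fake slide and the mTAN interception on this slide can be triaged statically from an app's manifest before the app is ever run. The script below is an added example, not Sophos's detection logic: it parses a decoded AndroidManifest.xml, collects the uses-permission entries, looks for a high-priority receiver on the real android.provider.Telephony.SMS_RECEIVED action, and reports the combinations that match those behaviours. Both manifests, the package names and the finding texts are constructed for the illustration.

```python
"""Manifest triage for the SMS abuse patterns on the Andr/Boxer, Andr/Fake and
Andr/FkToken-A slides (added example; constructed manifests)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
PERM = "android.permission."


def permissions(manifest_xml: str) -> set:
    """All android:name values of <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def sms_receiver_priorities(manifest_xml: str) -> list:
    """Priorities of every intent filter that listens for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    priorities = []
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            priorities.append(int(flt.get(ANDROID_NS + "priority", "0")))
    return priorities


def assess(manifest_xml: str) -> list:
    """Findings worth a closer look; an empty list means no SMS abuse pattern."""
    perms = permissions(manifest_xml)
    findings = []
    if PERM + "SEND_SMS" in perms:
        findings.append("SEND_SMS: can send premium-rate SMS (Andr/Boxer, Andr/Fake pattern)")
    if {PERM + "RECEIVE_SMS", PERM + "SEND_SMS"} <= perms:
        findings.append("RECEIVE_SMS + SEND_SMS: can catch and forward mTAN messages (Andr/FkToken-A pattern)")
    if any(p >= 1000 for p in sms_receiver_priorities(manifest_xml)):
        findings.append("high-priority SMS_RECEIVED receiver: sees incoming SMS before the messaging app")
    if findings and PERM + "INTERNET" in perms:
        findings.append("INTERNET: collected data and fetched instructions can leave the device")
    return findings


# CONSTRUCTED manifest of a fake "token generator" with the mTAN pattern.
FAKE_TOKEN_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.tokenapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Token Generator">
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# CONSTRUCTED manifest of a harmless game that only needs network access.
PUZZLE_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Puzzle">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("token app", FAKE_TOKEN_APP), ("puzzle", PUZZLE_GAME)):
        print(name, "->", assess(xml) or ["no SMS abuse pattern"])
```

A manifest check cannot see what the code does with the messages, so a hit is a triage signal for dynamic analysis, not a verdict; a legitimate SMS client requests the same permissions, which is why the receiver priority and the combination with network access are weighed together rather than any one permission alone.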
52. Storage in the Cloud
Which solution(s) other than email are you using to exchange professional data?
• Portable devices (USB keys …): 77%
• A corporate solution (FTP server …): 38%
• Online storage services (Dropbox …): 27%
• Remote access solution (VPN …): 16%
• Other: 4%
Source: Sophos online poll, 1,005 responses
When you ask your IT department for help, how long are you willing to wait before looking for a solution on your own?
• Less than 5 minutes: 22%
• Between 5 and 30 minutes: 40%
• Between 30 minutes and 1 hour: 13%
• Between 1 hour and 1 day: 14%
• 1 day: 5%
• I never move without their answer, however long: 7%
Source: Sophos online poll, 1,005 responses
53. Do you worry about Dropbox?
• Are files protected?
• Where is the data stored?
• Are you allowed to use it?
• Is sensitive data already in the cloud?
59. Server-side Polymorphism
• Weaknesses of old-style polymorphic worms
  • Polymorphism engine is part of the code
  • Can be reversed by persistent researchers
  • Must be decrypted in memory
  • Emulate the code until the invariant is found
  • Detection can be based on the decryption loop
• Server-side polymorphism
  • Responsible for the explosion of variants
  • 250,000 new malware samples are analyzed every day by SophosLabs
  • No direct access to the polymorphic engine
  • Frequent updates
60. Obfuscated JavaScript
• Endless source of obfuscation techniques
• Anti-emulation techniques
  • Recursive function calls
  • Hooking events (e.g. amount of mouse movement)
  • Elapsed time checks
  • etc.
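A defender-side static triage of the indicators this slide lists, written as an added example (not Sophos code): it scores a JavaScript source for eval/unescape chains, long percent- or \x-escaped runs, high-entropy string literals, and the anti-emulation hooks named above (mouse-movement event handlers and timing reads). The weights, thresholds, regular expressions and both sample scripts are constructed for the illustration; the "suspicious" sample only decodes to alert('hi') and exists to show the shape such triage keys on.

```python
"""Static triage of JavaScript for the obfuscation and anti-emulation
indicators on the slide (added example; constructed samples and weights)."""
import math
import re
import string
from collections import Counter

# (indicator, regex, weight). Weights are illustrative, not a vendor scale.
INDICATORS = [
    ("eval", r"\beval\s*\(", 3),
    ("unescape", r"\bunescape\s*\(", 2),
    ("fromCharCode", r"String\.fromCharCode\s*\(", 2),
    ("document_write", r"document\.write\s*\(", 1),
    ("escape_run", r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){8,}", 3),
    ("mouse_hook", r"onmousemove|addEventListener\s*\(\s*['\"]mousemove", 2),
    ("timing_check", r"new\s+Date\s*\(\)|Date\.now\s*\(\)|setTimeout\s*\(", 1),
    ("arguments_callee", r"arguments\.callee", 2),
]
HIGH_ENTROPY_WEIGHT = 3


def shannon_entropy(text: str) -> float:
    """Bits per character: packed or encoded blobs score high, prose low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def long_high_entropy_strings(js: str, min_len: int = 40, threshold: float = 4.0):
    """String literals that are long and look like encoded payload data."""
    literals = [a or b for a, b in re.findall(r'"([^"\n]*)"|\'([^\'\n]*)\'', js)]
    return [s for s in literals if len(s) >= min_len and shannon_entropy(s) >= threshold]


def score_javascript(js: str):
    """Return (total score, {indicator: points}); each regex counts at most 5 hits."""
    hits = {}
    for name, pattern, weight in INDICATORS:
        count = len(re.findall(pattern, js))
        if count:
            hits[name] = weight * min(count, 5)
    if long_high_entropy_strings(js):
        hits["high_entropy_string"] = HIGH_ENTROPY_WEIGHT
    return sum(hits.values()), hits


def is_suspicious(js: str, threshold: int = 6) -> bool:
    """Triage verdict; the threshold is a constructed, tunable value."""
    return score_javascript(js)[0] >= threshold


# CONSTRUCTED samples. The suspicious one is percent-encoded alert('hi') run
# through unescape()/eval() from a mouse-movement handler with a timing read,
# plus a long random-looking literal of the kind packers leave behind.
CONSTRUCTED_BLOB = string.ascii_letters + string.digits
BENIGN_JS = (
    "function greet(name) {\n"
    '  document.getElementById("out").textContent = "Hello, " + name;\n'
    "}\n"
)
SUSPICIOUS_JS = (
    'var p = "%61%6c%65%72%74%28%27%68%69%27%29";\n'
    'var k = "' + CONSTRUCTED_BLOB + '";\n'
    "document.onmousemove = function () {\n"
    "  var t0 = new Date();\n"
    "  eval(unescape(p));\n"
    "};\n"
)

if __name__ == "__main__":
    for label, js in (("benign", BENIGN_JS), ("suspicious", SUSPICIOUS_JS)):
        print(label, score_javascript(js))
```

Scoring like this is a first pass for prioritising samples, not a detection by itself: the slide's point is that the obfuscation techniques are endless, so any fixed list of patterns lags the attackers, and the emulation-resistant tricks (event hooks, elapsed-time checks) are exactly the ones that make dynamic analysis in a sandbox unreliable, which is why static indicators remain useful alongside it.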
62. Thirteen predictions for 2013
1. Attack toolkits continue to proliferate
2. Modernization and hardening of operating systems
3. Cloud-based malware testing changes the threat protection model
4. Increased focus on layered security
5. One step forward, two steps back
6. Mobile attacks become more advanced
7. Web servers back in the crosshairs
8. Integrate ‘all of the things’
9. Diverse business models and irreversible malware
10. Skills problem becomes more apparent
11. Cyber criminal anti-forensics
12. More advanced hacktivism and political debate
13. Arguments over big data vs. analytics and confusion
64. Protect Users at all levels
Deploy solutions at all levels, covering the entire threat lifecycle
Four stages: Reduce attack surface; Protect everywhere; Stop attacks and breaches; Keep people working
Capabilities shown on the slide (column assignment lost in extraction): URL Filtering, Web Application Firewall, Endpoint Protection, Web Protection, Encryption for cloud, Data Control, Access control, Automation, WiFi security, Anti-spam, Patch Manager, Mobile Control, Virtualization, Anti-malware, User education, Visibility, Local self-help, Application Control, Mobile app security, Clean up, Technical support, Device Control, Secure branch offices, Intrusion prevention, Firewall, Encryption, Tamper protection, Free Home use, Email encryption, Live Protection, VPN, Small updates, Performance
65. Reduce attack surface
Deploy solutions with preventive features
Sophos Enterprise Console (unified engine, integrated management):
• Anti-Malware
• Anti-Spyware
• Anti-Rootkit
• HIPS
• Web Protection
• Application Control
• Device Control
• DLP
• URL Filtering
• Patch Assessment
• Client Firewall
• NAC
• Encryption
66. Protect all the devices of your end users
The emergence of BYOD requires protecting an ever larger number of devices:
• Corporate mobiles
• Employee mobiles
• Corporate PC or laptop
• Employee device
• Corporate servers
• Virtualized systems
67. Control Web Applications
Control Web access and Web application usage
Endpoint:
• Anti-malware
• Host IPS
• Malicious URL blocking
• Application control
• URL Filtering
• DLP
Web access:
• Anti-malware
• HTTPS Scan
• Anonymizing proxies blocking
• URL Filtering
• Content filtering
Web Applications:
• Real time monitoring
• Block / Allow
• Manage risks dynamically
• Limit bandwidth
• Manage priorities
68. Educate Users
Use Sophos free education toolkits and resources
DOs and DON’Ts (best practices): Mobiles, Data, Social Networks
69. Staying ahead of the curve
US and Canada: 1-866-866-2802, NASales@sophos.com
UK and Worldwide: +44 1235 55 9933, Sales@sophos.com
facebook.com/securitybysophos
Sophos on Google+
linkedin.com/company/sophos
twitter.com/Sophos_News
nakedsecurity.sophos.com
Editor's Notes
Facebook also suffers from rogue applications. Messages posted to people’s walls provide some link to an application. The application purports to be some enticing video. When you try to play it, it requests permission to access info, post to your wall, etc. It also pops up a fake online survey, pretending to be a Facebook anti-spam verification survey. Why? Scammers get money for each scam completed!
The next part of our attack scenario is the installation and use of the ZeroAccess rootkit. However, before we go on it is important to remember that this is simply an example scenario. There are many ways in which ZeroAccess can be delivered; Blackhole is commonly used but is by no means the only method. We have seen various social engineering schemes, including uploading the rootkit installer to torrent sites masquerading as cracks or key generators for popular software. Likewise, ZeroAccess is not the only malware that is delivered from Blackhole. ZeroAccess itself, although most commonly known as a rootkit, combines the features of a rootkit and a peer to peer botnet to provide an attacker with a difficult to detect foothold on a PC from which to install further malware of their choosing. As such it is, like Blackhole, just another link in the attack chain. This particular link is designed to conceal its own presence and the presence of the malware it is instructed to download and install. The term rootkit originates in the Unix world where it was used to describe a set of software designed to obtain and keep root, or administrator, access to a computer. Now the term is used to describe malware that conceals its presence in an attempt to evade security scanners. As we’ll see shortly ZeroAccess is under active development. In SophosLabs we have seen hundreds of thousands of unique ZeroAccess related binaries in the last year.
Let's take a look at how ZeroAccess hides itself. It is this feature that leads malware distributors to use tools like ZeroAccess rather than simply spread the final stages of their attacks directly. The additional concealment of a rootkit makes it more likely that their attack will remain unnoticed, allowing them to either steal more information or take advantage of a compromised network for a longer period of time. The techniques used by ZeroAccess have changed as it has evolved and they vary depending on whether the operating system is 32- or 64-bit. Older versions of the kit install a malicious driver on 32-bit systems and subvert the operating system’s access to the disk. The components of the kit and the malware it installs are then stored in either a newly created encrypted file system or in a specially linked folder which has been modified to make it inaccessible to the operating system. The contents of these areas are available only to ZeroAccess using its own driver and therefore are invisible to both the operating system and security scanners that use the operating system to read the disk. This type of infection is usually discovered by scanning the operating system kernel to search for the malicious driver. On 64-bit systems the enhancements in kernel security make it more difficult for the criminals behind ZeroAccess to install drivers. Instead, they employ some of the standard operating system features to conceal the kit’s presence from a casual observer. To do this the files are placed into the Global Assembly Cache, an area used for storing information about installed .NET assemblies. When this area is browsed using Windows Explorer the operating system will automatically switch to the Assembly Cache Viewer and display assembly information rather than the true contents of the folder, thus hiding any additional files, including ZeroAccess.
More recent versions of ZeroAccess use a strategy that works on both 32- and 64-bit platforms, probably to simplify the development process. These versions add a malicious DLL to system processes and hijack the loading process for a legitimate COM object in order to activate itself. Some of the later versions also used advanced file system features such as extended attributes to hide their data. While the later techniques are not stealth in the technical sense they still serve to conceal the presence of ZeroAccess from a casual inspection. We can speculate that the authors of ZeroAccess have learned from their progression to 64-bit that a truly stealthy rootkit is not necessary for them to build sufficiently large botnets and make profit from them.
An aspect of ZeroAccess that makes it resilient lies in the organization of its botnet infrastructure. ZeroAccess operates as a botnet, meaning that to be useful it must have some way to receive commands. For many botnets the command and control infrastructure that they use is their weakness. Remove the key command and control servers and the individual PCs are left without instructions. The botnet still exists but it cannot be used and is therefore useless to criminals. To avoid this weakness ZeroAccess, and some other recent botnets, use a distributed or peer-to-peer control model. By using distributed control ZeroAccess is resilient to attempts to destroy the botnet. Individual nodes can be cleaned up and removed from the network but it cannot be killed at a single stroke. This reduces the fragility of the botnet by removing the option to ‘cut off the head of the snake’. However, it does have some weaknesses too. The individual nodes of the botnet have to know of some other nearby nodes in order to receive instructions and those instructions may take time to propagate. Also, nodes that do not have direct internet access cannot act as servers for nodes in other networks. To account for this each installation of ZeroAccess contains a configuration file with addresses of 256 previous nodes to ensure that it will be able to contact another infected computer for instructions. For ZeroAccess the peer-to-peer model is used mainly to enable distribution of other malware or for click fraud, that is, getting the infected PC to visit a website or access online ads to generate advertising income for the affiliate serving those ads. It is also used to distribute spam bots which use the infected PCs to send spam. It is likely that the click fraudsters, spammers and malware authors are renting space on the ZeroAccess botnet and thereby funding the profits of its authors and the continued development of ZeroAccess.
Some versions of ZeroAccess use aggressive techniques to defend themselves on each infected endpoint. It is common for malware to attempt to disable security software; usually the malware simply has a list of security programs that it will attempt to kill if it finds they are running. This is a crude technique and can be fooled by using software that implements some randomness in its file and process names, a common technique in anti-rootkit software. To counter this ZeroAccess sets up a tripwire for security software. It creates a dummy or trap process which does nothing useful and then monitors whether any programs attempt to access the dummy process. Anything that takes the bait is assumed to be a security scanner and ZeroAccess then tries to disable the scanner by both terminating its running processes and changing its access permissions so that it cannot be run again. However, this kind of damage to security software may have been too obvious in revealing the presence of a rootkit and is not used in more recent versions of ZeroAccess.
There are a few things which make malware for Android more common than for other platforms. Adding new applications to the market is easy and Google’s process for controlling the functionality of applications is not very strict. It is very easy to become an Android developer and publish applications. It’s also easy to decompile an application, change its functionality and repackage the application as a completely new (effectively stolen) application. Installation from third party sites is possible. There are a number of alternative Android markets for applications, including the ones set up by the network providers and other well known companies such as Amazon. Cracked applications are shared on many Android related forums and file sharing web sites. Piracy is a major problem. An article on Forbes states “The costs of piracy are very real. One-in-three developers say they’ve lost more than $10,000 in revenue due to piracy. 32% say piracy increases their support costs. One-in-four say piracy increases their server costs, with all those extra users piling onto their servers.” There is a significant number of alternative markets in China, which is currently the main source of malicious applications. Overall, the situation with Android applications is very similar to the early days of Windows. It is not surprising that we are seeing increasing numbers of Android malware in our labs.
Of course ransomware isn’t the only threat using technology in an attempt to defeat security software. Blackhole itself and many other threats extensively use polymorphism to hide their code. Like ransomware, this isn’t a brand new technique but we are now seeing it in ever increasing numbers, especially in web-based attacks. We can see here the result of research done by SophosLabs studying around 7 million attacks over a 3 month period. It shows how many attacks are launched by each individual version of a threat. Three quarters of binaries are unique to the victim of that particular attack. As we can see the numbers drop away rapidly for 2, 3 or more victim organizations. What this means in practice is that if you encounter malware there’s a 75% chance that no-one else anywhere has seen that exact piece of malware before. In effect, a unique attack has been generated just for you. The actual effects of the attack will be exactly the same as those that everyone else sees but the form it takes will be slightly different. This is all done to avoid detection by security software.
1. Attack toolkits continue to proliferate
Over the past year, we’ve seen significant investment by cybercriminals in toolkits like the Blackhole Exploit Pack. Features such as scriptable web services APIs, malware quality assurance platforms, anti-forensics and self-protection mechanisms are becoming readily available. Slick reporting interfaces and ‘premium features’ are fostering new innovation and ensuring that the barrier to cyber crime entry is low and the quality of malicious code is growing. This trend will continue in 2013, with new toolkits being developed and older toolkits being strengthened.
2. Modernization and hardening of operating systems
One positive trend for 2013 is the modernization and hardening of operating systems. This year, there was a plethora of vulnerabilities that made headlines, such as the recent string of Java vulnerabilities (the 2012 equivalent of Adobe in 2011). Despite the attention these received, exploiting vulnerabilities in general became harder as people adopted more modern operating systems with new security features. The availability of DEP, ASLR, sandboxing and new trusted boot mechanisms made exploitation more challenging. In 2013, cybercriminals will be able to find a vulnerability, but more often struggle to produce 'useful' exploit code. These mechanisms can be bypassed, but the development time will be longer and the number of vulnerabilities that can be weaponized will be smaller. We may well see more of a focus on quality social engineering to compensate for harder automated exploitation.
3. Cloud-based malware testing changes the threat protection model
In 2012, malware testing platforms were widely used to test malicious code before it was released in the wild to make detection by anti-malware products much harder. These testing platforms are now growing more feature-rich, introducing money back guarantees and continuous testing features, making cyber criminals even more agile. These platforms have forced the use of more behavioral and reputation-based security mechanisms, a trend that will accelerate in 2013. Watch out for more bi-directional security data exchanges between endpoints and security labs and new strategies in intelligence gathering to equal the efforts of cyber criminals.
4. Increased focus on layered security
The aforementioned attack tools plus the trend of targeted, low-volume attacks mean we will see more attacks where the malware authors gain long-term access to systems (a trend most definitely now established). As a result, 2013 will see a stronger focus on layered security systems that detect malware across the entire threat lifecycle, not just the initial point of entry. There was a recent incident where the initial exploit and malware were entirely missed (they were genuinely new and well tested) but the attacker was caught when he started to use command and control to try and dump password hashes. Even features like application control and reputation can be useful against targeted attacks.
5. One step forward, two steps back
We all know the story. The pace of adoption of new technologies, devices and operating systems is only increasing, a trend that will naturally continue in 2013. The challenge however is that many of the new devices and protocols we introduce are making basic mistakes, which allow simple attacks we had previously eliminated to once again be effective. For example, there are lots of new devices configured not to encrypt email usernames/passwords in transport. This problem is trivially mitigated with configuration, but the traditional processes and controls (or knowledge) do not implicitly cover these new scenarios. The security community needs to watch these new technologies closely in 2013 as they are already in production in most cases.
6. Mobile attacks become more advanced
Most mobile attacks to date have been comparable to 1990s PC malware or simple attacks. They can largely be avoided by correct device configuration and management. The increased adoption of mobile control and security solutions will force mobile malware authors to alter their strategies in order to remain effective. This is also likely as the mobile device becomes a more interesting platform for attackers to target in terms of pay off. In 2013, it is likely we will see mobile malware start to borrow more techniques from its PC cousin (though volumes are likely still to remain low with more of a focus on attacks than malware). The open versus walled garden control model will continue to be tested, with both ends of the spectrum creating opportunities for cyber criminals to capitalize.
7. Web servers back in the crosshairs
Attacking web servers to distribute malware has been the default for some time – we find a new infected website every couple of seconds. While most businesses have protection for traditional PC environments and endpoints, many neglect to adequately protect their web server environments. In 2012, we saw a large number of web server and database hacks. Like most trends, malware attacks come in cycles, and it has become fashionable to extract credentials from web servers. This trend was gaining momentum in 2012 and it shows no signs of slowing down for 2013.
8. Integrate ‘all of the things’
Mobile devices, applications and social networks (amongst others) continue to become more integrated, which will potentially breed new opportunities for cyber criminals in 2013. New technologies, like NFC being integrated into mobile platforms and increasingly creative use of GPS services to connect our digital and physical lives, mean there will be new opportunities for cyber criminals to compromise our security and/or privacy. This is true not just for mobile devices, but also for traditional computing. Digital systems are gaining the ability to have far more kinetic impact in the real world. In 2013, we need to watch not just the evolution of existing attacks but new types appearing with which we haven’t previously dealt.
9. Diverse business models and irreversible malware
For many years, the majority of malicious code has been financially oriented: stealing credit cards, bank details and other credentials. Theft of intellectual property or intelligence has notably been on the agenda (particularly over the last 24 months), but represents a much smaller portion of malware. Business models and motives for malicious code are however diversifying. One particularly concerning category is ransomware. Ransomware encrypts your data and demands money to unlock your files, forcing you to pay the criminals or to restore from a backup, a process that can go poorly in many enterprises. Whereas early samples were low in numbers and easy to reverse and remove, the latest versions are more widespread and use public key cryptography. In some cases their damage is irreversible. We can expect to see more of this class of malware and potentially similar evolutions in 2013.
10. Skills problem becomes more apparent
As the platforms and technologies that we use and need to secure are diversifying, so too are the targets of the attackers. Securing platforms like Linux is increasingly on the priority list of many organizations (not necessarily from malware, but from hackers) and getting staff with up-to-date skills will be an increasing issue. Staff will need to plan to train on mobile platforms, new computing delivery models and even protocols such as IPv6 as they become more relevant. With perhaps the greatest degree of change occurring in computing platforms in the enterprise since we moved from the mainframe, the next couple of years will bring many new lessons to learn.
11. Cyber criminal anti-forensics
Cyber criminals and hackers are now using those techniques we’ve developed in the security industry against us. Reputation lists that block forensics teams, labs and security researchers from accessing malicious code networks are being shared between crime packs, presenting more challenges for those doing forensic investigation and trying to chase down incidents. Forensics specialists, law enforcement and vendors need to work carefully to avoid falling into cyber criminals' traps.
12. More advanced hacktivism and political debate
It goes without saying that hacktivism has a huge place in the public eye and that it is likely to continue to escalate next year. Interestingly, political debates are raging over whether methods like DDoS are legitimate online versions of protest. Over the year we saw hacktivists employ a wide range of techniques beyond DDoS, though many organizations still perceive this as the primary threat from hacktivists. There has been an upward trend in more advanced hacktivist attacks and we can expect more nasty surprises and news headlines next year. Organizations should not limit their field of thinking on hacktivists to DDoS.
13. Arguments over big data vs. analytics and confusion
With the challenge of malicious code and attackers bypassing traditional single-layer controls, lots of organizations are discussing the hot topic of the moment: ‘big data’. You’ve likely seen some of the marketing hype around big data, with many claiming magical solutions to the security problem by just combining lots of information together. This process somehow works together to then output actionable and useful intelligence, even though the original data was often poor in quality. Many organizations are still chasing basics like patching. In 2013, the hype turns to reality as more companies slowly develop the business process and organizational maturity to benefit from these forms of analysis.