Predictions for 2015


I’m late to the annual prediction party, but most predictions I saw were really just stating commonly accepted knowledge and proclaiming “It will continue.” For example, “More companies will be hacked.”

Better predictions tell people trends that are already happening that most people just aren’t aware of yet and identify important points on the trend line. They state how that will affect our present reality and how to prepare for it. In that spirit, here are my predictions for 2015.

  1. Poland will become a major focus for infosec
  2. Certificate Authorities will be more closely scrutinized
  3. Malware detonation platforms will evolve towards client honeypots
  4. Multifactor authentication will become more common, but this will be driven more by a marketing need than security
  5. Developers and admins will be targeted
  6. MiTM attacks will impact businesses
  7. Threat Intelligence will endure transparency by specializing

1. Poland will become a major focus for infosec

The Polish have a great history of achievements in infosec. The finest early example is their work on the Enigma cipher. Today many of the luminaries in infosec are Polish. Some examples:

Those researchers alone have done a disproportionate amount of work in the infosec industry, and there are other active Polish infosec professionals as well. Considering Poland’s population size and the lack of cyber security companies started there, it is surprising. Parisa Tabriz of Google commented recently “I wonder how much of Poland’s GDP comes from vulnerability rewards”.

Poland is to infosec what Canada is to music. It’s weird how strong they are in that area, but unlike Canada they don’t get much credit for it (and thankfully there is no Justin Bieber of infosec from Poland).

We will see more of a spotlight turned to that country with investments in start-ups there (such as Invisible Things), and companies putting satellite offices there and recruiting more directly.

Nowadays every cyber security start-up mentions one of three things for their founders:

  • They formerly worked at the NSA (that’s on my bio).
  • They formerly worked for the Israeli defense and ran their networks.
  • They come from Silicon Valley with a big data and machine learning background.

If a cyber security start-up founder also does Crossfit and is vegan, they’re going to have a hard time figuring out what to tell you first. I expect soon being Polish will be added to that founder bio list.

2. Certificate Authorities will be more closely scrutinized

It’s been said that “Key management is the hardest part of cryptography”[1]. If you want to find the weaknesses in a system, look at the part that is hardest to get right, because that is where the most mistakes will be. We’ve seen a couple of Certificate Authority compromises over the years, and Google has been working on its Certificate Transparency project. Of all places, North Korea probably has one of the best uses of Certificate Authorities by having only one Certificate Authority in its Naenara browser (however, this is largely due to the restricted Internet access and the desire to spy on all its citizens). We will see closer examination of the trust chains used by SSL and code signing.

As part of Summit Route’s application white-listing solution, we are developing the infrastructure to perform that monitoring for code signing.

  1. Bruce Schneier, Preface to “Applied Cryptography”
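Certificate Transparency, mentioned above, rests on an append-only Merkle tree (RFC 6962) whose inclusion proofs let a monitor check that a certificate a CA issued really is in the log. The following Python is an added example, not code from the original post or from Summit Route: it implements the RFC 6962 hashing rules, generates an inclusion proof for a constructed set of log entries, and verifies it, showing that a substituted entry or a wrong tree size fails the check. The entry strings and the tree are constructed for the example.

```python
import hashlib
import hmac

# Added example (not from the original post or Summit Route): RFC 6962
# Merkle tree hashing and inclusion-proof verification, the mechanism a
# Certificate Transparency monitor relies on when it checks that a
# certificate is really present in a log.

def leaf_hash(entry: bytes) -> bytes:
    """Leaves are hashed with a 0x00 prefix so they can never collide with nodes."""
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    """Interior nodes are hashed with a 0x01 prefix."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_hash(entries):
    """Merkle Tree Hash (MTH) of an ordered list of log entries."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split_point(len(entries))
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))

def inclusion_proof(index, entries):
    """Audit path for entries[index]: sibling hashes ordered from the leaf upward."""
    n = len(entries)
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_hash(entries[:k])]

def _root_from_path(index, tree_size, leaf, path):
    """Recompute the root from a leaf hash and its audit path. Returns None when
    the path length does not fit the claimed tree size."""
    if tree_size == 1:
        return leaf if not path else None
    if not path:
        return None
    k = _split_point(tree_size)
    sibling, rest = path[-1], path[:-1]
    if index < k:
        sub = _root_from_path(index, k, leaf, rest)
        return None if sub is None else node_hash(sub, sibling)
    sub = _root_from_path(index - k, tree_size - k, leaf, rest)
    return None if sub is None else node_hash(sibling, sub)

def verify_inclusion(index, tree_size, entry, path, root):
    """What a monitor does with a log's tree head (root) and an inclusion proof."""
    if not 0 <= index < tree_size:
        return False
    computed = _root_from_path(index, tree_size, leaf_hash(entry), list(path))
    return computed is not None and hmac.compare_digest(computed, root)

# Constructed log entries standing in for DER-encoded certificates.
LOG = [f"cert:example-{i}.test:serial-{i:02d}".encode() for i in range(5)]
ROOT = tree_hash(LOG)

if __name__ == "__main__":
    proof = inclusion_proof(2, LOG)
    print("genuine entry verifies:", verify_inclusion(2, len(LOG), LOG[2], proof, ROOT))
    print("substituted entry verifies:", verify_inclusion(2, len(LOG), b"cert:other.test", proof, ROOT))
```

A real monitor fetches the signed tree head and the proof from the log over HTTPS and also checks the tree head signature; the arithmetic above is the part that makes a misissued certificate impossible to hide once it has been logged.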

3. Malware detonation platforms will evolve towards client honeypots

Detecting threats requires knowing what threats to look for. Antivirus companies started by scanning the web looking for files and then determining if they were malicious. Firewall companies would set up honeypot servers and watch for attacks. In the early 2000s, many worms were detected this way. Nowadays the main use of those global honeypot networks is so Norse, Kaspersky, and FireEye can show you “Cyber Threat Maps”. :)

Many attacks today exploit clients, such as exploiting web browsers when they visit a web page. Researchers have thus created what are known as high interaction client honeypots, which will automatically browse the web with the goal of being exploited and infected so the threat can be analyzed. With attacks being targeted, we’ll see attackers doing a better job of filtering out researchers from their attacks. Someone phishing South Korea will ensure only South Korean IPs can see their phishing site.

Companies like FireEye and LastLine have malware detonation platforms that will try to pick up every binary that comes into a network, run it in a virtualized environment, and analyze it while it runs to determine if it is malware. These will evolve more towards client honeypots that you place in your network and that will browse the web like your employees do, run the applications your employees do, and better mimic not just the environment, but the actual activities of your employees.

What this means is you’ll feed the client honeypot with real network data so it knows what websites your employees visit and can then visit them itself with different browsers and detect threats from those sites. It will need to be provided login information for different sites so it can truly look and act like your employees. You’ll install the software your employees use on that honeypot and see what happens when it opens the file types relevant to those applications. This is the natural evolution for those companies.
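The first step described above, feeding the honeypot with real network data so it knows what to visit and with which browsers, is the part that is easy to get wrong if the honeypot browses with a generic crawler identity. The following Python is an added example, not code from the original post or from any of the vendors named: it turns web proxy log lines into a visit plan grouped by external site, keeping the distinct URLs and a real User-Agent string per browser family so the honeypot can present itself the way the employees did. The log format, field names, internal-domain suffix and sample lines are all constructed for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Added example (not from the original post or from FireEye/LastLine/Summit Route):
# turn a web proxy log into a visit plan for a client honeypot, so that it
# replays the sites employees actually use with the browsers they actually use.
# Log format, field names and sample lines are constructed for this example.

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def browser_family(user_agent: str) -> str:
    """Coarse browser family; order matters because Chrome UAs also contain 'Safari'."""
    for marker, family in (("Firefox", "Firefox"), ("Chrome", "Chrome"),
                           ("Safari", "Safari"), ("MSIE", "IE"), ("Trident", "IE")):
        if marker in user_agent:
            return family
    return "other"

def build_crawl_plan(lines, internal_suffixes=(".corp.example",)):
    """Group proxy log lines by external host, most visited first.

    Each plan item carries the distinct URLs seen and one genuine User-Agent
    string per browser family. Replaying with the real browsers (and from the
    corporate egress) matters because targeted sites may serve clean content to
    anything that looks like a researcher."""
    visits = Counter()
    urls = defaultdict(set)
    agents = defaultdict(dict)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        parts = urlsplit(m["url"])
        host = parts.hostname
        if parts.scheme not in ("http", "https") or not host:
            continue  # only web traffic is relevant to a browsing honeypot
        if host.endswith(internal_suffixes):
            continue  # internal sites are not what we want to probe
        visits[host] += 1
        urls[host].add(f"{parts.scheme}://{host}{parts.path or '/'}")
        agents[host][browser_family(m["ua"])] = m["ua"]
    return [
        {"host": host, "visits": n, "urls": sorted(urls[host]), "browsers": agents[host]}
        for host, n in visits.most_common()
    ]

# Constructed proxy log: timestamp, client IP, method, URL, status, quoted User-Agent.
SAMPLE_LOG = [
    '2015-01-05T09:12:01Z 10.0.0.12 GET http://news.example.net/story/42 200 '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0 Safari/537.36"',
    '2015-01-05T09:12:07Z 10.0.0.12 GET http://news.example.net/story/43 200 '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0 Safari/537.36"',
    '2015-01-05T09:13:30Z 10.0.0.25 GET https://tools.example.org/download/setup.exe 200 '
    '"Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"',
    '2015-01-05T09:14:02Z 10.0.0.25 GET http://intranet.corp.example/wiki 200 '
    '"Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"',
    '2015-01-05T09:15:11Z 10.0.0.31 GET http://news.example.net/story/42 304 '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '2015-01-05T09:16:00Z 10.0.0.31 GET ftp://files.example.net/pub/readme.txt 200 '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for item in build_crawl_plan(SAMPLE_LOG):
        print(item["host"], item["visits"], sorted(item["browsers"]), item["urls"])
```

The plan feeds the next step: the honeypot opens each URL with each listed browser family, and the login information and installed applications the text mentions are layered on top of the same list.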

We had a saying in one place I worked where we asked “Is he the honeypot?” The belief was that the purpose of one of the less prolific employees was really to click on dumb links and get infected so you knew what your threats were. You didn’t care if they did any real work, and you didn’t tell him what his real purpose was. His real purpose was just to be the canary in the coal mine that suffocated before the real workers did.

4. Multifactor authentication will become more common, but this will be driven more by a marketing need than security

Facebook and Twitter ask you for your phone number to secure your account and also in order for marketers to identify you. Two-factor authentication is great, and I recommend you use it almost no matter what form it comes in. However, the ulterior motive behind collecting your phone number is so marketers can figure out who you are and match you against their databases. Once they figure out who you are, they can provide more directed ads, and this gives the advertisers better ROI, which means they are willing to pay more for the ads.

My knowledge in this area comes from having worked on a predecessor to something like Facebook’s Atlas (not as a Facebook employee). As long as you don’t care about what you’re giving up and you feel you are getting more value by giving those things up, this can be a good thing. Personally, I don’t want to be associated with those business models. Instead I am practicing an altruistic version of the South Park underpants gnome business model wherein I plan to “1) Create value in the world, 2) ???, 3) Profit!”

(Step 2 will likely be a subscription model, but first, I need to do step 1.)

5. Developers and admins will be targeted

I write a weekly cyber news report called Downclimb, and before I started this company I wrote a private, internal version for the company I worked at. I had predicted last year that developers will become more targeted by attackers. That didn’t really manifest in 2014, but I still believe it will occur.

Developers and admins will be targeted for two different purposes:

  1. For the companies attackers want to target, developers and admins at those companies have more access and are more vulnerable.
  2. In order to infect more systems or for more hardened targets, attackers will penetrate software companies or lone developers of libraries and tools used by those targets.

More access and more vulnerable

In order for hackers to obtain the data they are looking for, it is best if they can get access to as many things as possible. The people with the most digital access are the developers and admins. Thus those are the best targets for hackers.

Developers and admins are also more often downloading and running random scripts and binaries to accomplish their work. So they are more vulnerable.

Indirect attacks

We are seeing hackers progressively accomplishing their goals through more indirect means. To infiltrate a network, attackers would originally go after it directly by exploiting its servers; then, as servers and firewalls hardened, attackers started phishing the users and using client-side exploits. But it’s hard to get your exploits to those users, so they first compromise a web site the user visits. But those servers hardened up too, so then they compromised the ad networks used by those web sites, and the domain registrars.

We’re also seeing people realize that if they find a vulnerability in a library used by many sites, then they can compromise many sites at once.

The intersection of these ideas is if you compromise the developers behind the libraries, or the package management servers, you can distribute backdoored or infected libraries and binaries to greater numbers of targets, or against specific and more hardened targets.

Summit Route is working on solutions to the threats identified in this prediction.

6. MiTM attacks will impact businesses

With the rise of the remote workforce, more people are working outside of controlled business networks. Google is handling this via their BeyondCorp initiative by doing away with VPNs.

When employees start doing work from public coffee shop networks, the threat of MiTM attacks impacting businesses becomes greater. Unencrypted HTTP logins are of course a concern with things like Firesheep, but I’m more concerned about unencrypted downloads and auto-updates, with things like BDFProxy. Many developers and admins are also just using wget against HTTP servers and other unencrypted means to download and run scripts and tools without much concern.
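The two threats above, a backdoored library or binary served from a compromised package server (prediction 5) and a download rewritten in transit on an untrusted network (this prediction), are countered by the same discipline on the receiving end: refuse plaintext transport, accept only known release origins, and compare the bytes against a hash pinned when the release was reviewed. The following Python is an added example, not code from the original post or from Summit Route; the release host, URLs, pinned digest and artifact bytes are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Added example (not from the original post or Summit Route): verify a tool or
# library download before it is run or installed. Transport must be TLS (a
# coffee-shop MiTM cannot rewrite what it cannot read), the origin must be a
# known release host, and the bytes must match a hash pinned at review time
# (a compromised mirror or package server cannot substitute a different build).
# Hosts, URLs, pins and artifact bytes below are constructed.

ALLOWED_HOSTS = {"downloads.example.com"}  # constructed allow-list of release origins

def pin_for(data: bytes) -> str:
    """SHA-256 hex digest recorded at review time, e.g. in a lockfile next to the URL."""
    return hashlib.sha256(data).hexdigest()

# Constructed reviewed release. In practice only the digest is stored; it is
# computed once from the reviewed, signature-checked release file.
REVIEWED_RELEASE = b"#!/bin/sh\necho 'installing tool 1.2.0'\n"
PINS = {"https://downloads.example.com/tool-1.2.0.sh": pin_for(REVIEWED_RELEASE)}

def verify_download(url: str, data: bytes, pins=PINS, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). Refuse unless transport, origin and content all check out."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "plaintext transport: contents could have been rewritten in transit"
    if parts.hostname not in allowed_hosts:
        return False, f"unexpected host {parts.hostname!r}: not a known release origin"
    expected = pins.get(url)
    if expected is None:
        return False, "no pinned hash for this URL: artifact was never reviewed"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; the digests are short, but it is the right habit.
    if not hmac.compare_digest(actual, expected):
        return False, f"hash mismatch: expected {expected[:16]}..., got {actual[:16]}..."
    return True, "verified"

if __name__ == "__main__":
    # Constructed cases: the genuine download, the same bytes over HTTP, a
    # modified payload over HTTPS, and the right bytes from an unknown mirror.
    cases = [
        ("https://downloads.example.com/tool-1.2.0.sh", REVIEWED_RELEASE),
        ("http://downloads.example.com/tool-1.2.0.sh", REVIEWED_RELEASE),
        ("https://downloads.example.com/tool-1.2.0.sh", REVIEWED_RELEASE + b"# one extra line\n"),
        ("https://mirror.example.net/tool-1.2.0.sh", REVIEWED_RELEASE),
    ]
    for url, data in cases:
        ok, reason = verify_download(url, data)
        print("PASS" if ok else "FAIL", url, "-", reason)
```

Note that the HTTP case fails even though the bytes are the genuine release: the check is on how the bytes arrived, not only on what they are, which is the point the `wget` habit above misses.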

Summit Route is developing solutions to detect and protect against this threat.

7. Threat Intelligence will endure transparency by specializing

Anti-virus is a dying industry, both due to its technology (how it works) and its commoditization (how it can be marketed). In terms of technology, Threat Intelligence is a re-branding of antivirus signatures, but without the transparency and public evaluations. Therefore it can’t currently be commoditized. There are a variety of organizations that take different malware samples and test them against different Anti-virus products and tell you which detected what. That doesn’t really exist for Threat Intelligence. The market will demand it.

Threat Intelligence will realize it is being commoditized in the same way that Anti-virus has, and will react by specializing based on region and industry. For example, a Threat Intelligence company will respond to its evaluation with “I wasn’t the best in the general Threat Intelligence test, but that’s because we’re more focused on threats against the South American banking industry. Against those threats we’re really good.”