Trend #1: Government Malware Goes Commercial
Trend #2: Black Clouds on the Horizon
Trend #3: Strength in Numbers
Trend #4: APT Targets the Little Guy
Trend #5: Hacktivism Gets Process Driven
Trend #4: APT Targets the Little Guy
We expect that in 2013 attackers will extend the practice commonly dubbed APT to smaller businesses as well.
In 2012, we saw the continuing trend of smaller businesses being hit by cyber criminals. This is a direct outcome of the industrialization of hacking, which has successfully automated web application attacks. Attackers have learned to exploit and profit from compromised web applications, especially since automation helps uncover poorly protected, smaller companies. The same automation, combined with the same poor protection, will help APT attackers target smaller organizations that hold valuable information.
There are two key drivers that put smaller businesses at risk of cyber attacks. The first is the ability to automate web application attacks from start to end: compiling a list of potential targets, identifying a vulnerability, and completing the exploit. The second is the ability to profit from such exploits in some way, either directly, by monetizing data captured from the applications (especially PII and payment information), or indirectly, by using the compromised applications as platforms for attacks against consumers.
In the APT arena, attackers are already capable of launching massive, automated infection campaigns, and one can assume their infection success rate is higher among users and devices in smaller organizations, which usually have lower security standards and awareness. Thus they already have a large foothold within small enterprise networks. To take advantage of this foothold, they need to evolve in two directions: automate the exploitation process within the compromised network, and find a way to monetize the information.
As Mandiant indicated in a recent report, internal network exploration and exploitation is today mostly manual, and attackers therefore focus on a few larger targets. To scale these operations, botnet agents are going to become more sophisticated, allowing them to operate autonomously within compromised networks. Moreover, botnet agents will need autonomous mechanisms for filtering the data they send out; otherwise, storage and bandwidth become an issue on the drop server side. We are already seeing botnet agents download and execute large software modules that perform local processing, in particular file and data collection. We can therefore safely assume that local document and data filtering capabilities are a natural evolution for such attack software.
The big question is how attackers will monetize their abuse of smaller enterprises. There are two potential directions:
- Financial fraud, which requires technology for the automatic extraction of information from unstructured sources.
- Information trading, which likewise requires technology for the automatic extraction of information from unstructured sources.
Given that both technologies are already in use in legitimate commercial applications, and that most hacking is driven by well-funded criminal organizations, we believe this is a natural evolution of attacks.
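The local filtering predicted for botnet agents above and the "automatic extraction of information from unstructured sources" named in both monetization bullets are, at bottom, the same triage step: scan many files, score each one for the kind of content that is worth sending, and keep only what fits the storage and bandwidth the drop server can absorb. The following Python script is an added example that is not part of the original report and not any vendor's or attacker's code. It walks a directory tree, scores text files against a handful of PII-like patterns and keywords, and greedily selects the highest score-per-byte files that fit a byte budget. The patterns, weights, sample files and budget are all constructed assumptions for illustration; a defender's DLP or data-inventory scanner applies exactly the same logic, so this is also a reasonable starting point for finding such files before an attacker does.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed, illustrative patterns for the kinds of content the report calls
# valuable (PII and payment data). These are assumptions for the example only;
# a real scanner would carry a far larger and more careful rule set.
PATTERNS = {
    "email":   re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card":    re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn":     re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "keyword": re.compile(r"\b(?:confidential|password|salary|invoice)\b", re.I),
}
WEIGHTS = {"email": 1, "card": 5, "ssn": 5, "keyword": 2}   # assumed weights
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".log"}


@dataclass
class Candidate:
    path: str
    size: int
    score: int
    hits: dict


def score_text(text):
    """Count pattern hits in one document and fold them into a single score."""
    hits = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return sum(WEIGHTS[n] * k for n, k in hits.items()), hits


def scan_tree(root, max_file_bytes=1_000_000):
    """Walk a directory and keep only text files whose score is above zero."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue                      # binaries are never read here
            size = os.path.getsize(path)
            if size > max_file_bytes:
                continue                      # bulky files are skipped outright
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_text(fh.read())
            if score > 0:
                found.append(Candidate(path, size, score, hits))
    return found


def select_within_budget(candidates, budget_bytes):
    """Greedy pick by score per byte: small, data-rich files beat big, thin ones."""
    ranked = sorted(candidates,
                    key=lambda c: (c.score / max(c.size, 1), c.score),
                    reverse=True)
    chosen, used = [], 0
    for c in ranked:
        if used + c.size <= budget_bytes:
            chosen.append(c)
            used += c.size
    return chosen


# Constructed sample tree: one rich CSV, one keyword-bearing note, one harmless
# readme, one large log with a single weak hit, and a non-text file.
SAMPLE_FILES = {
    "customers.csv": ("name,email,card\n"
                      "Ann,ann@example.com,4111 1111 1111 1111\n"
                      "Bob,bob@example.com,5500 0000 0000 0004\n"),
    "notes/meeting.txt": "Agenda: Q3 salary review (CONFIDENTIAL). Slides attached.\n",
    "notes/readme.md": "How to build the project. Run make and then make test.\n",
    "logs/app.log": "INFO started\n" * 200 + "user password reset requested\n",
    "photo.jpg": "not really a jpeg; skipped by extension",
}


def build_sample_tree(root):
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo(budget_bytes=200):
    """Build the sample tree in a temp dir and return the selected relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        chosen = select_within_budget(scan_tree(root), budget_bytes)
        return [os.path.relpath(c.path, root).replace(os.sep, "/") for c in chosen]


if __name__ == "__main__":
    for budget in (120, 200, 3000):
        print(budget, demo(budget))
```

With a 200-byte budget the 96-byte CSV (two e-mails and two card numbers, score 12) is taken first, the 58-byte meeting note (two keywords, score 4) second, and the 2.6 KB log with a lone "password" hit is left behind; at 120 bytes only the CSV survives. That is the whole point of filtering on the agent side: the drop server receives the few hundred bytes that matter rather than every file the agent could reach.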