Remember the days of fame-seeking mass mailers and network worms? Think of LoveLetter, SQL Slammer, and Melissa all crashing millions of systems within hours of being released into the wild. Those threats seem quite quaint these days as we enter the third significant shift in the threat landscape.
We moved from fame to fortune (which we have dubbed “crimeware”) in the last 10 years. Mass mailers were replaced by malware that steals credit card information and sells phony antivirus products. Malware has become a successful criminal business model with billions of dollars in play. The goal became stealth and financial gain at the expense of unsuspecting computer users. Trojans and toolkits, like Zeus, are the modern tools of the trade.
We have now entered a third stage: one of cyber-espionage and cyber-sabotage. Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it. In fact, business is just too good for the cybercriminals. With the tremendous growth of new mobile platforms, bad guys will have even more new avenues to attack and uncharted social engineering tricks to use as they continue to steal from us.
However, Stuxnet is a marker and a clear indication that the world is changing and the 2011 threat landscape will be different than the previous years. With all this in mind, Symantec Security Response has put together our top Internet security predictions for 2011.
1. Critical Infrastructure Will Come Increasingly Under Attack and Service Providers Will Respond, but Governments Will Be Slow to React
Attackers have likely been watching the impact that the Stuxnet threat had on industries using industrial control systems and are learning from it. We expect them to take the lessons learned from Stuxnet (the most significant example to date of a computer virus designed expressly to modify the behavior of hardware systems to create a physical, real-world impact) and launch additional attacks targeting critical infrastructure over the course of 2011. Though slower to start, expect the frequency of these types of attacks to increase.
Findings from Symantec’s 2010 Critical Information Infrastructure Protection (CIP) Survey also echo this trend: 48 percent of respondents said they expect to come under attack in the next year and 80 percent believe the frequency of such attacks is increasing. With such a high level of awareness, expect to see these providers move forward with cybersecurity precautions to survive such attacks. In addition, the majority of critical infrastructure providers are supportive of and more than willing to cooperate with their government in CIP initiatives. However, we do not expect to see a lot of movement in this regard from governments this year.
2. Zero-Day Vulnerabilities Will Become More Common as Highly Targeted Threats Increase in Frequency and Impact
In 2010, Hydraq, a.k.a. Aurora, provided a high-profile example of a growing class of highly targeted threats seeking to infiltrate either specific organisations or a particular type of computer system by leveraging previously unknown software vulnerabilities. Attackers have been using such security holes for many years, but as these highly targeted threats gain momentum in 2011, expect more zero-day vulnerabilities to come to light in the next 12 months than in any previous year.
The key driver behind this trend is the low-distribution nature of such malware. Targeted threats focus on just a handful of organisations or individuals with the goal of stealing highly valuable data or otherwise infiltrating the targeted system. Exploiting this fact, attackers aim to improve their odds and hit their target on the first try without getting caught.
The stealthy, low-distribution nature of targeted threats severely decreases the likelihood that security vendors will be able to create traditional signature detections to protect against them all. However, technologies such as Symantec’s SONAR, which detects threats based on their behavior, and reputation-based security, which relies on the context of a threat rather than its content, turn the telling behavioral characteristics and low-distribution nature of these threats against them and make detection possible.