I was in an airport lounge waiting for my flight to the Middle East when the news broke. Millions of credit card numbers had been exposed over a number of months. How about you? Where were you when you heard about Target? It was just a year ago when the Target breach broke into mainstream media, becoming a reference point for cyber thefts exposing personal financial information. 2014 has been a wakeup call for those outside the world of cybersecurity.
Since Target, we have seen more and larger breaches almost weekly. With that ongoing drumbeat of reports, however, they become common and even mundane. What happens next?
In 2015, I predict that we will see more of the same, but there will be a shift, too. We already see it beginning.
The subtlety and length of the breaches that are now being publicly disclosed indicate that the underlying goals of the attackers are moving away from a “smash and grab” theft of credit card numbers towards the benefits accessible by waiting for “interesting” data, probing for possible valuable information and seeking opportunities for disruption and destruction. Similar to the miscreants who traded in secretly purloined celebrity photos long before they were released in a massive bundle in 2014, criminals are sitting inside networks today gathering information to create a more significant payday or opportunity for theft or destruction.
In 2015, expect to see at least one attack that destroys a midsize or larger organization. 2014 saw a small company forced out of business when they refused to pay a ransom. The approach of attacking for extortion will continue to expand, and very likely cause the demise of a larger organization.
Attacks will become both more sophisticated and more subtle and most will go undetected for months, years, and many may never be detected. The long-running breaches that we’ve seen in 2014 point towards even longer-running breaches with more subtle characteristics that are likely to result in more severe damage. The longer a breach goes undetected, the more information the attackers can gather to use for many purposes even after the breach has been closed, including theft, espionage, and extortion.
Reconnaissance, disruption, and destruction will become more prevalent motivations for cyber attacks. Attackers are becoming both more subtle and more focused on avoiding discovery, so expect long-running breaches that result in significant financial loss through ongoing espionage, timed disruption and strategic destruction.
Unfortunately, most organizations will continue to focus on defensive strategies, which increases their likelihood of being breached. Once a breach is detected by reactive defenses, the damage is already in progress. This almost universal focus on reactive defenses uses monitoring of traffic and logs, scanning, and packet analysis together with standard network defenses like firewalls, load balancers, and proxy systems instead of developing a companion defense using preventative technology. In physical security, we all recognize that prevention is the primary defense: be aware of all potential access points and paths, lock all of them, keep threats from approaching, monitor access, and so on. Yet, relatively few organizations use this approach for their virtual infrastructures.
With modern network modeling and analytics, it is possible to determine all potential access paths, and then automatically assess the potential risk paths. Organizations that do not do so either do not believe that it is possible, or else they are so overwhelmed by the reality of potentially seeing their risk that they remain with their heads in the sand, hoping against hope that their organization will be overlooked by attackers… or, at the very least, that they won’t be held culpable for a breach.
That said, 2015 will be the year that a growing number of more sophisticated organizations will add proactive strategies to their security arsenal, especially proactive analytics for attack prevention. This will help reduce their risk of attack while also showing them the reality of their environment–what today they don’t know they don’t know. With this newfound insight, they will make wiser investments and get greater value from them by placing them where they will do the most good.
I expect cyber attacks to get worse before more effective defense strategies become the norm. The good news is that it’s possible to build those defenses in 2015. The question remains of how many organizations and potential targets will defend themselves. We will soon know.