13 December, 2006 10:42 AM EST
Malware prediction
Posted By: Ken McGee, VP & Gartner Fellow

Regarding this Top Prediction:

By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses.

Are these attacks well organized?

What is the most common origin of these attacks?

Do you see actual efforts coming from national or nongovernmental organizations?

Do we have a position on nationally sponsored efforts to undermine enterprises or governmental organizations from a financial perspective?

COMMENTS
13 December, 2006 11:57 AM EST
Pretty scary prediction. Could become a self-fulfilling prophecy, with every hiccup in the system attributed to undetectable malware and, by extension, inept security staff.
13 December, 2006 02:43 PM EST
Does it? Necessarily?

One way of having malware evade traditional perimeter and host defenses is to have someone on the inside put it in place.
13 December, 2006 02:53 PM EST
Or tricking someone on the inside into putting it in place...
13 December, 2006 02:54 PM EST
By definition, targeted attacks are well organized. They aren't trying to be noisy or cause denial of service across a broad range of enterprises. Many targeted attacks have been custom executables that show signs of research having been done against the targets: knowledge of applications being used, IP address ranges, network configurations, others.

There also have been a lot more "disorganized" targeted attacks that have failed — a lot of unknown executables have got to the inside but failed because they weren't well written or hadn't successfully researched their target.

There is only anecdotal evidence about the real origins of these attacks, but law enforcement people typically say Russian, U.S. and Latin American organized crime, and China, appear to be the most common sources — but it is difficult to be definitive without actually catching the bad guys.

From what I have seen, and from talking to law enforcement, government agencies and enterprises about what they have been hit by, it has almost exclusively been financially motivated attacks: cybercrime. There has been no real evidence of government-sponsored efforts to undermine financial systems or the like. Immediate financial gain is the goal, not mischief.
13 December, 2006 03:51 PM EST
Determine which individuals, national or nongovernmental organizations, enterprises or governmental organizations are stupid enough to engage in activities that will ultimately bring financial ruin upon themselves, and you will have answered the four questions.
13 December, 2006 03:58 PM EST
The prediction is about two basic subjects: 1) motivation and 2) capabilities.

Regarding motivation, where government-sponsored attacks are concerned, financial gain is only one possible motive. Geopolitics is “financial” in the sense that it involves economics, but geopolitically motivated attacks aren’t “financially” motivated per se. But geopolitics might be the motivation behind “undetected malware” — the time horizon and scale for payoff are a lot different (bigger) from the typical criminal attack. U.S. government agency CIOs believe they’re getting a lot of attacks that originate in China; it’s hard to believe that financial gain is the desired payoff for those.

Regarding capabilities, what’s proposed here is that an attack (or multiple attacks) can be made undetectable, not just momentarily but over time, to a large number of institutions, public and private. To the extent that an attack can be targeted to a victim and customized to take advantage of the weaknesses of that victim, that’s more likely. But that implies deep, ongoing knowledge of the victim’s defenses, and it’s tough to get that kind of deep knowledge on a mass scale, or to convert the knowledge to thousands of customized, undetectable attacks. A government might have the necessary resources; I doubt that even a dedicated criminal organization specializing in such crimes would have the resources to take on more than a few targets at a time.

So I don’t think this prediction works. It might work if:

- We forecast widespread attacks by governments whose motivation was long-term and geopolitical, not short-term and financial, or
- We forecast fewer successful attacks, but more highly targeted and financially devastating attacks, by financially motivated criminals

The second prediction isn’t really a prediction because it’s been happening for a while, but the pace is apparently picking up, as shown in Avivah Litan’s recent research on targeted phishing attacks. I think that in this regard, we should watch for the development of long-term, “chronic” attacks against selected, qualified targets (including individuals and enterprises), as opposed to one-shots.

The first prediction is also happening now, but we might have some new insights into future directions. For example, foreign governments might begin to target data brokers, on the assumption those businesses have the most current and comprehensive databases for mining, including mining for insights that could translate into future geopolitical advantage. Governmental databases are in some cases large and in many cases relatively unprotected — nice targets for attackers whose timeline is long, resources are large and motivations are geopolitical.

Final question: We should have in mind what clients would do differently because of it. The short answer is: Fix your security to something near the current state of the art, fast. But that’s not really different, is it? It’s just faster.

Note: I exclude here the possibility that someone will discover an intrinsic security flaw in the design of widely used products that is exploitable and nearly impossible to detect or defend against. This could happen, but it's not easily predicted with a probability factor. If it did happen, our clients would have a really big choice to make: Do they unplug from every network worldwide, at least temporarily, or do they take their chances?
14 May, 2007 02:20 AM EST
A very scary prediction. It seems we are moving into the age of cyber warfare that, until now, has been seen only in sci-fi movies.