Well, as we have just closed the door on what has been a busy and interesting year for, let’s face it, both bad and good actors alike, just what exactly might be in store in 2014 when it comes to security breaches and advanced threats? Here at Damballa, we have pulled out the Tarot cards, Ouija board, crystal ball, and oh yeah, our scientific big data, to provide you with a look into the future from what we are seeing as possible signs for bigger things to come.
More Sophisticated C&C Discovery Mechanisms will Emerge
If we observe the way Zeus, PushDo, ZA and other major threats evolved, it should only be expected that more sophisticated C&C discovery mechanisms, similar to P2P and DGA schemes, will be in play. The main reason behind this trend is that the WhiteHat community has to work very hard to take down a botnet that uses DGAs and P2P C&C mechanisms. So now we are seeing modern adversaries make more and more use of such agile C&C communication mechanisms. Since criminals invest in building their botnets, they certainly do not want them taken down overnight! Thus, if the primary C&C channel goes offline, they need redundant C&C channels for their bots. Those channels will most likely be ones that are hard to take offline, in the spirit of DGAs and P2P.
Disruptive Technologies Will Impact the Threat Landscape
Today’s mobile technologies effectively negate the notion of perimeter-based protection for enterprises. We have known this for some time. In this current era, the only way an enterprise will be able to become breach resistant is through detection methodologies not tied to particular devices and operating systems. Enterprises need to start monitoring network communications, looking for illicit traffic from infected devices. A holistic approach to reasoning about the entirety of one’s corporate traffic is the only way enterprises will stay relevant in the modern threat landscape.
Next Generation Security Solutions Will Rely on Big Data
There has been plenty of discussion around the futility of chasing malware. Depending on your data source, there are over a million new malware samples a day. Clearly any security solution that relies on seeing every malware sample will not scale in the future. This is why security solutions based on big data and data science will be key in the future. Using big data and data science, future security solutions will rely on models of legitimate and illicit behavior gained from analyzing large volumes of data.
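To make the behavioral-model idea concrete, here is an added example (not Damballa code, and not from the original post) that scores hosts from DNS logs on two signals consistent with the DGA-style C&C discovery described earlier: a high share of NXDOMAIN answers and high character entropy in the queried labels. The log format, the thresholds and the sample lines are constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS log lines (hypothetical format: timestamp client qname rcode).
# 10.0.0.9 looks up many random-looking names that do not resolve, as a DGA bot would.
SAMPLE_DNS_LOG = """\
2013-12-30T10:00:01 10.0.0.5 www.example.com NOERROR
2013-12-30T10:00:02 10.0.0.5 mail.example.com NOERROR
2013-12-30T10:00:03 10.0.0.5 cdn.example.net NOERROR
2013-12-30T10:00:04 10.0.0.5 login.example.com NOERROR
2013-12-30T10:00:05 10.0.0.9 qxzvkfjwpr.biz NXDOMAIN
2013-12-30T10:00:06 10.0.0.9 tkmwbzqxln.info NXDOMAIN
2013-12-30T10:00:07 10.0.0.9 hgrdpvxzkq.org NXDOMAIN
2013-12-30T10:00:08 10.0.0.9 mzplwqkvtr.net NXDOMAIN
2013-12-30T10:00:09 10.0.0.9 bvqzxkjhmw.com NOERROR
2013-12-30T10:00:10 10.0.0.7 update.example.org NOERROR
2013-12-30T10:00:11 10.0.0.7 typo-exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN)$")

def char_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_label(qname):
    """Label left of the TLD (simplification: ignores multi-part suffixes like co.uk)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def parse_log(text):
    """Aggregate per-client query count, NXDOMAIN count and label entropies."""
    hosts = defaultdict(lambda: {"queries": 0, "nx": 0, "entropy": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole batch
        _, client, qname, rcode = m.groups()
        h = hosts[client]
        h["queries"] += 1
        if rcode == "NXDOMAIN":
            h["nx"] += 1
        h["entropy"].append(char_entropy(registered_label(qname)))
    return hosts

def score_hosts(hosts, min_queries=4, nx_ratio=0.5, min_entropy=3.0):
    """Flag clients whose lookup behavior matches the DGA pattern; thresholds are illustrative."""
    flagged = {}
    for client, h in hosts.items():
        if h["queries"] < min_queries:
            continue  # too little evidence to judge this client yet
        ratio = h["nx"] / h["queries"]
        mean_ent = sum(h["entropy"]) / len(h["entropy"])
        if ratio >= nx_ratio and mean_ent >= min_entropy:
            flagged[client] = {"nx_ratio": round(ratio, 2), "mean_entropy": round(mean_ent, 2)}
    return flagged

if __name__ == "__main__":
    print(score_hosts(parse_log(SAMPLE_DNS_LOG)))
```

Note that the model keys on what the client does on the wire, not on which malware sample or device is involved, which is the device-agnostic detection the post argues for.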
Data-driven Security Will Be Harder for the Next Generation of Threats to Evade
Information security has been a game of tit for tat between the attackers and the defenders. As soon as the defenders deploy a new technology to stop attackers, the attackers learn how to evade those defenses. As we have discussed in previous blogs, due to the asymmetry of information, attackers can easily learn what preventive defenses are deployed and then work to evade them. We have seen this with IDS, IPS, NBAD, etc. We have seen this with present-day sandboxes. What makes data-driven security harder to evade is that in order for the attacker to know how to evade the models coming from big data security, the attacker must have access to the same set of data in order to see how the models are created. Getting that data will not be easy for the attackers, since they would need daily network data from 50% of the North American Internet just to replicate what Damballa sees.
End-to-end Encryption and Encapsulation Techniques Will Be Widely Deployed
Snowden made the world realize that we do not have an effective data security policy. We should soon see end-to-end encryption and encapsulation techniques being widely deployed. This will effectively kill the DPI market; however, approaches to detection that are based on network objects like domain names and IPs will future-proof any network from security breaches.
Well, those are the big things we see coming in the year ahead based on our research and data. We hope that by giving you some insight into what might be ahead, you and your team won’t need a crystal ball or have to guess what’s coming but instead will be better prepared to find, respond to and contain active infections before they become breaches. May you have a happy and breach-resistant New Year!