The year retrospective. 2012 has been less spectacular than 2011 in the sense that there was no single year-defining incident equivalent to the RSA/DigiNotar pair from 2011, but it has been more substantively important in several ways that the headline coverage has not quite captured. The structural picture, looking back across twelve months, is sharper than I would have predicted in January.

The five things I want to record from the year.

First: the destructive-malware category has crossed from theoretical to operational. Shamoon at Aramco in August was the demonstration; the RasGas follow-on a fortnight later was the confirmation that the technique was reusable. The threat model that had previously excluded destruction as a private-sector concern — on the basis that quiet exfiltration was the rational adversary choice — needs to be redrawn. The operational implications for any organisation with substantial dependency on continuous IT operations are direct enough that the post-Shamoon conversations with clients have been substantively different from any post-breach conversation I had during 2010 or 2011.

Second: the state-grade operational tempo has compressed. Stuxnet was disclosed in summer 2010; Duqu in autumn 2011; Flame in spring 2012. The cycle is now nine to twelve months. The coverage for the eventual successor to Flame — which the Crysys-Kaspersky-Symantec consortium is presumably already analysing somewhere — should be expected in the first half of 2013, on present cadence. The implication for the engagements with industrial or OT exposure is that the threat intelligence relevant to them is changing across quarters rather than across years; the defensive posture has to be built to absorb this rate of change rather than to be tuned to any particular threat.

Third: browser plugins as the dominant attack surface. Mac Flashback was about Java; the August Java zero-day was about Java; the Adobe Reader and Adobe Flash issues that have run quietly through the year have been about plugins; the BlackHole exploit kit's economics depend on plugin-vulnerability deployment. The operational answer at the engagement clients has been to disable plugins where possible and replace plugin-dependent legacy applications, which is a programme of work that several clients are now seriously committing to. The wider technical-industry question — when does Oracle stop shipping the Java browser plugin, when does Adobe properly retire Flash — is one that 2013 may or may not begin to answer.

Fourth: the Anonymous-and-AntiSec activity has mostly continued without producing the single year-defining incident that 2011 produced. The LulzSec UK convictions earlier this year and the revelation in March that Hector Monsegur (Sabu) had been an FBI informant for six months before the Stratfor Christmas hack — which means that the Stratfor operation was substantially conducted under FBI observation — have destabilised the operational core of AntiSec. The successor organisations have been less coherent. The political-cyber category has not gone away — the Megaupload-takedown DDoS was a substantial co-ordinated activity, and there has been continuing Anonymous-aligned activity around various political moments — but the year-long sustained campaign of LulzSec's 2011 has not had a 2012 equivalent.

Fifth: privacy and encryption is now a mainstream conversation. The Petraeus-Broadwell metadata exposure in November was the year's cleanest public lesson on metadata as a threat-model concern, but the broader trajectory has been visible all year — Twitter and Google deploying TLS-with-forward-secrecy, the HSTS draft moving towards standardisation, the gradual normalisation of "we encrypt traffic" as a baseline rather than a feature. The OpenPGP-and-PGP-tooling problem is still essentially unsolved at the practitioner-usability level, and that is where my engagement-team work for 2013 will concentrate.

For Hedgehog, 2012 was the year the SOC was built. The decision in May, the analyst recruitment through summer, the first monitoring engagement starting in late August, the eight-week operational update in October. The first three monitoring clients are running productively; the fourth onboards in January; the financial model is performing roughly to projection. The structural contribution to the practice has been larger than I expected — the SOC's monitoring data is now informing the advisory work in ways that the advisory work alone could not, and the conversations with clients have moved on from "we think we are mostly OK" to "here are the things we are seeing in your estate this month, here is what we are doing about them". This is the structural shift I was building the SOC to enable.

For the secondment portfolio, 2012 has been continuity rather than change. Towry Law, Northcott, News International, Browne Jacobson — all have continued without major friction. The fifth conversation I mentioned in the January retrospective has not yet resolved; it may resolve in early 2013 or it may dissolve, and either is acceptable. The shape of the secondment work — sustained part-time CISO advisory across substantial UK organisations alongside the Hedgehog client base — continues to be the right shape for the practice.

The reading I have done this year is probably best summarised by what I have come back to. Schneier's Liars and Outliers, which came out in February, has been the long-form work I have been recommending to peer CISOs all year. The Verizon Data Breach Investigations Report has continued to be the corroborating data point I keep coming back to. Brian Krebs's reporting on the credit-card-breach beat has been the steadiest source. The Crysys/Kaspersky/Symantec consortium's malware-analysis publications on the Stuxnet-Duqu-Flame line have been the technical reading I have spent most time with.

For 2013, the priorities are continuity. The privacy-and-encryption methodology continues to be the focus area I want to develop further. The TTP-deep-dive work the SOC build has accelerated continues. The penetration-testing methodology piece I shipped to the engagement team in September will be revised based on twelve months of using it. The vCISO portfolio continues. The structural question of whether to build out the SOC to a 24/7 capacity is one I will defer to mid-2013.

The first technical post of 2013 will be whatever breaks. I expect the next state-grade malware piece to land before April; I expect the next big credit-card breach disclosure within the first quarter; I expect the year to be substantively interesting. Happy 2013, when it arrives. The next post is the end-of-year notebook entry; the year retrospective is this one.
