2016 in review

The year started with the Apple-FBI argument over Farook's phone in February and ended, more or less, with the Russian state-actor attribution statement on the DNC and election interference issued by the Office of the Director of National Intelligence on the 7th of October (ODNI joint statement on election security). Between those two cases — neither of which is, on its substantive content, a routine incident-response or research story — the year reshaped at least three threat models that I had been working with previously, and produced one significant addition to the operational toolkit that I want to write about more carefully in the new year.

The first reshaping was in financial-services threat-actor modelling. Bangladesh Bank in March established the SWIFT-attack pattern that the rest of the year filled in: Banco del Austro, Tien Phong, several confidentially-disclosed cases via the SWIFT customer security alerts. The campaign is patient, professional, well-targeted, and operationally similar across cases. The SWIFT Customer Security Programme launched in May is the right structural response and will be a substantial piece of work for member institutions through 2017 and 2018. For the vCISO portfolio, the financial-services customer engagements have been reshaped by this — the threat model has shifted from "fraud and external-perimeter attack" to "patient back-office targeting with insider-grade reconnaissance", and the controls that matter follow from that change.

The second reshaping was in the politically-targeted threat model. The DNC compromise and the Wikileaks publication of the email cache in July, the parallel publications by Guccifer 2.0 through the autumn, and the broader pattern of releases that targeted other political-organisation networks throughout the year, established the disclosure-as-information-operation pattern at a scale and a clarity of effect that I do not think the operational community had fully anticipated. The Hacking Team leak in 2015 was the precursor; the DNC operation is the demonstration. The implication for the customer organisations whose information has political-operational value is significant and the conversation continues. The 7th of October ODNI statement and the eventual full intelligence-community assessment expected in early 2017 will fill in the formal attribution; the operational lessons do not depend on the formal attribution and have been incorporated into the pen-testing and detection work for several customers already.

The third reshaping was in DDoS planning. The Krebs attack in September at 620 Gbps, the Dyn attack in October at over 1 Tbps, and the publication of the Mirai source code in early October established that the IoT-device population is now a substantial component of the DDoS threat landscape, that the volumetric scale of attacks has moved up by a factor of perhaps four from where it was at the start of the year, and that the architectural decisions about hosting and DNS that customers had been making on the assumption of mid-2010s attack volumes need to be revisited. The vCISO conversation about hosting and DNS resilience has been on every customer's agenda this autumn, and most are in motion on it.

The patching marathon continued. DROWN in March was the third in the export-control-cryptographic-debt sequence after FREAK and Logjam, and the cleanup followed the same operational pattern. Stagefright tail issues continued throughout the year on the Android estate. The Shadow Brokers August dump produced a wave of patching against Cisco, Fortinet, and Juniper devices that the security teams at those vendors have handled professionally, but the operational cost of staying current with the leak's contents is non-trivial.

The legal and regulatory environment shifted substantially. The Schrems judgment from late 2015 produced the Privacy Shield negotiation in the spring; the framework was formally adopted in July (European Commission adequacy decision on the EU-US Privacy Shield) and has been operational from August. The substantive standards from Schrems will, eventually, produce litigation against Privacy Shield itself; the Article 29 Working Party guidance has been clear on this. The General Data Protection Regulation was formally adopted in April and the implementation window is now running. Customer programme work on GDPR readiness has been, since June, the dominant strategic conversation across the vCISO portfolio. The operational work to reach attestable readiness by the May 2018 deadline is on track for Browne Jacobson and Towry, at an early stage at Northcott, and recently started at the manufacturing client.

The fourth thing I want to record about 2016 — the addition rather than the reshaping — is the work on machine-learning-assisted alert triage that started with the postgraduate intern in February and has, by year-end, become a substantive piece of internal R&D with a working name (Emily) and an operational shadow deployment. The team has grown around the work: we hired a second engineer in October specifically for the ML pipeline and integration; the agreement rate against analyst classifications continues to track around 91% on the four-way classification problem; the precision-recall figures on the incident-grade class continue to improve as we refine the feature engineering; and the production deployment path through 2017 is now, I think, clear in outline if not in detail. The piece I want to write properly in early 2017 is on what this kind of capability does to the staffing and capability shape of a SOC, because the early indications are interesting and not what I would have predicted.

The portfolio. Browne Jacobson, Towry, and Northcott Global Solutions all continue. The manufacturing client closed its second year on engagement and is engaged more deeply than in the first year. We added one new vCISO client in September — a UK financial-services firm whose name I am not yet writing down because the engagement is in its early shape — which brings the total to five. The pen-testing engagement queue grew, the SOC customer count is at eight (one added in November), and the team is fourteen including the two ML engineers and the postgraduate intern, who has been confirmed as a full-time joiner from January.

The personal note. I wrote 47 posts on the blog this year, more than any year previous, and the discipline of writing notes contemporaneously has made the operational thinking sharper in ways I did not expect. The Evolution of DDoS book from 2007 is showing its age; I have started outlining a successor that engages with the IoT-DDoS evolution, the SWIFT campaign work, and the information-operation pattern, but the book is unlikely to close in 2017. I want to be at one major conference next year — probably Infosec Europe in June — and on the BSides circuit at least twice. The longer-form essay file continues to grow without much of it actually getting written. I want to fix that.

Onward into 2017. The GDPR run-up, the Privacy Shield litigation that will eventually come, the IoT-DDoS escalation, the continuing SWIFT campaign, the ML-triage productionisation, and whatever the year produces that I have not yet imagined.
