Now that knowledge of targeted attacks, including APT activity, has become mainstream within the broader security community, I predict that 2013 will be a year in which our assumptions will be challenged. We have already seen how successful so-called “technically unsophisticated” attacks have been over the last few years, and I predict they will continue to be so as they are designed to exploit the human factor as much as, if not more, than technology.
In his 2013 predictions, our CTO Raimund Genes predicts that there will be increasing sophistication in malware attacks, not necessarily in the technical aspects of the malware itself but in the deployment of an attack. Moreover, he believes that such attacks will increasingly have a destructive capacity and that it will be challenging to determine attribution. Building on these points, I predict the following trends for 2013:
- There will be an increasing specificity in targeted attacks, especially as knowledge of some of the noisier APT campaigns is increasingly publicized. We will see an increase in localized attacks such as malware that will not execute unless certain conditions are met, such as language settings, or “watering hole” attacks that will only affect certain geographic regions or even only specific netblocks.
- While we are used to targeted attacks that are motivated by espionage, 2013 will see a rise in attacks with a destructive capacity. The malware used in targeted attacks will increasingly have a destructive capacity, either as its primary intent (i.e. sabotage) or as a clean-up mechanism to cover the attackers’ tracks. This functionality is likely to be part of time-sensitive attacks that have an expressly political – and perhaps military – purpose.
- Simple technical indicators are too often used to determine the motivations and geographic origins of targeted attacks. In 2013, there will be an increasing recognition that social, political and economic indicators must be used in conjunction with technical indicators to fully assess and analyze targeted attacks. However, this lesson will be learnt the hard way as I predict that we will see cases of wrongful attribution. In addition to “false flag” operations in which attackers exploit the knowledge of technical indicators to cast suspicion on others, the rise of deception (and possibly offensive) operations by, or on behalf of, routinely targeted entities will contribute to the murkiness of determining attribution.
As the knowledge of targeted attacks increases, those that are targeted will be better equipped to defend themselves. However, those conducting the attacks will come to understand what is known about them and will make use of this information. Whether this will tip the scales toward the defenders or the attackers remains to be seen. These developments will challenge what we think we know about targeted attacks.
To read the complete list of forecasts for 2013, check our report, Trend Micro Predictions for 2013 and Beyond: Threats to Business, the Digital Lifestyle, and the Cloud.