Active Response

Always A Bad Day For Adversaries

Tag: prediction

5 Cyber Security Predictions for 2013

2012 has been an interesting year with a growth in our understanding of our adversaries and some high-profile international security incidents. 2013 will continue to impress, but differently. It will ultimately be a year of strategic growth.


Here are 5 cyber security predictions for 2013.



1. There will be little change to the threat landscape

There will be little change to the threat landscape in 2013 because our adversaries are already achieving their intent (extrapolating from the size and scale of currently known adversary operations) and therefore have little pressure to change. However, I do not see this holding into 2014 as greater innovation in the threat intelligence and mitigation space is made (prediction #5) and the role of government is better defined (#4).


2. Cyber attacks will have a greater impact to a greater number

As data and service providers co-locate in cloud environments, attacks on the infrastructure providing these services will rise (attackers will always go to where the data lives), resulting in greater collateral damage to unintended victims simply because of whom they are co-located with.


2.1 Corollary: Risks will be more difficult to assess as control over the location of data, and accurate knowledge of the infrastructure, is lost in the cloud. This will cause businesses to continue to mismanage public and customer relations when incidents occur.


3. The cost of cyber threats will grow and there will be an increased awareness and visibility of those costs resulting in greater effective action in the mid-and-long term.

Based on prediction #2, the cost of cyber threats to all organizations will grow. However, as has been the trend, visibility of security issues and incidents will rise, forcing business change to address this challenge in new ways (hence prediction #5). Innovation will then lead to greater effective action in the mid-and-long term.


4. The role of government in securing computer systems from domestic and foreign cyber threats will continue to be muddled.

The role of government in any area is generally slow to evolve. Cyber security has not been any different. As governments around the world are consumed by domestic and international economic affairs, little attention will be focused on this problem, further delaying necessary action.


5. Private industry, rather than government or research, will make great innovations in the threat intelligence and mitigation space.

Based on (1) the amount of venture capital flowing into the cyber security industry to produce innovations in threat intelligence and mitigation, (2) the market growth for such innovations (following from predictions #2 and #3), and (3) the ability that this growth in funding gives private industry to recruit and retain the best talent in the field, it is no great stretch of the imagination to see that this is where the innovations necessary to combat the threat and increase risk and cost on the adversary will originate during 2013, changing the threat landscape in 2014 and beyond.

The Science of Intrusion Analysis and Incident Response: Introduction

This is the first of several posts in a series expanding on how to turn intrusion analysis into a science. Subscribe to the blog via email, follow us on Twitter or like us on Facebook to keep up!

Previously I wrote about the Art of Intrusion Analysis and how I thought that Michelangelo’s quote was the best representation of how intrusion analysts arrive at knowledge.

However, my concern is not to document the art of Intrusion Analysis or Incident Response, but rather to transform the art into a science. What does that mean? What is the science of intrusion analysis and incident response?

First, we must define science (there are many definitions; this one will suffice for our purposes).

Science (from Latin scientia, meaning "knowledge") is a systematic enterprise that builds and organizes knowledge in the form of testable explanations and predictions about the universe. — Wikipedia

Second, how will we know when intrusion analysis and incident response have become a science?  Aristotle can give us the answer.

[A] man knows a thing scientifically when he possesses a conviction arrived at in a certain way, and when the first principles on which that conviction rests are known to him with certainty—for unless he is more certain of his first principles than of the conclusion drawn from them he will only possess the knowledge in question accidentally.  — Aristotle (384 BC – 322 BC) in Nicomachean Ethics

From this I draw the following requirements to make intrusion analysis and incident response into a science:

  1. Intrusion Analysis and Incident Response must be systematic
  2. There must be first principles upon which hypotheses and predictions can be drawn and tested with experimentation
  3. There must be an organizing function to build knowledge
  4. There must be a set of theories which are generally accepted, testable, and repeatable following from first principles and hypotheses

Why do we care whether Intrusion Analysis is a science or not? An intrusion analysis and incident response science means less duplication of effort solving the same problems and a more cohesive approach to improving tools, tradecraft, and training.

Thanks to Richard (@taosecurity and Tao Security Blog) for the unanticipated use of his image! 🙂
