The security industry expects the number of cyber-espionage attacks to increase in 2012 and the malware used for this purpose to become increasingly sophisticated.
In the past two years there has been a surge in the number of malware-based attacks that resulted in sensitive data being stolen from government agencies, defense contractors, Fortune 500 companies, human rights organizations and other institutions. (See also "How to Remove Malware From Your Windows PC.")
"I absolutely expect this trend to continue through 2012 and beyond," said Rik Ferguson, director of security research and communication at security firm Trend Micro. "Espionage activities have, for hundreds of years, taken advantage of cutting-edge technologies to carry out covert operations; 2011 was not the beginning of Internet-facilitated espionage, nor will it be the end," he added.
Threats like Stuxnet, which is credited with setting back Iran's nuclear program by several years, or its successor, Duqu, have shocked the security industry with their level of sophistication. Experts believe that they are only the beginning and that more highly advanced malware will be launched in 2012.
"It is quite possible that we will see another of these threats in the near future," said Gerry Egan, director of security response at Symantec. Duqu was used to gather design documents from companies that manufacture industrial control systems and could be a precursor to future Stuxnet-like industrial sabotage attacks, Egan explained.
"It is likely that new Duqu variations will cause mayhem in early 2012," said Jeff Hudson, CEO of Venafi, a provider of enterprise key and certificate management solutions. "We have to be on a new state of alert to safeguard our assets and be better prepared to respond when the threat strikes."
Battles, But Not Cyberwar
However, despite the emergence of Stuxnet and Duqu, security experts don't believe that the world is actually watching a cyberwar in progress.
"To have any opposing action earn the title of 'War', there must be a declared state of conflict, and to my recollection, this has never happened in the case of CyberWar," said professor John Walker, a member of the Security Advisory Group at ISACA, an organization that certifies IT professionals, via email.
"However, if we were to frame the question relating to 'CyberConflict', then I would consider this to be a very different case, where regular aggressive deployment of such capabilities occurs in one form of another in support of either a political or military purpose," he added.
Countries like the U.S., U.K., Germany, China and India have established specialized teams and centers to defend government assets against cyberattacks and to even retaliate, if necessary. However, determining who is behind Internet-based hostile operations with certainty is impossible most of the time and that's just one of the problems.
"All countries are wrestling with the question of retaliation," Gerry Egan said via email. "If a blatant act of cyber war has occurred, how does one country retaliate and to what extent? What is a proportionate response?"
Threats like Stuxnet and Duqu could very well lead to major international cyber-conflicts in the future, but for now companies and governments should be more worried about cyber-espionage attacks that use simpler data exfiltration tools.
These unsophisticated, yet effective, pieces of malware are known in the security industry as Advanced Persistent Threats (APTs) and are usually distributed via social engineering. Operation Aurora, Shady RAT, GhostNet, Night Dragon and Nitro, are all examples of APT attacks reported during the last couple of years that have affected hundreds of organizations worldwide.
Bracing and Training
The number of APT attacks is likely to escalate in 2012 and defending against them requires frequent employee training and more aggressive protection technologies like those based on white-listing, file reputation, and application behavior.
"People still represent the weakest link in security for a large amount of enterprises and that is the reason they are targeted," Ferguson said. "Training still has an important place in an organization's security planning but it needs to be ongoing training, not a one-time only event."
"So far we have been doing a much better job patching software than patching people," said Amichai Shulman, CTO at security firm Imperva. "I spent time in the military trying to educate people about information security. It didn't work there and it won't work anywhere else."
There should be a shift in protection paradigms and more control should be put around the data source. Restricting which applications can read certain information and detecting anomalous behavior, like sensitive data being accessed at strange hours of the day or being transferred in large quantity, is part of the solution, Shulman believes.
Technologies that can check a file's reputation, age and regional popularity, before allowing it to be executed on a system can also be used to block APTs that were designed to evade traditional anti-malware detection methods.
"There is no doubt that major organisations need to be far more aware of the potential effects of malware," said Jeff Hudson. "If this issue isn't on the agenda of your board right now then the board is negligent," he concluded.