As the holidays approach and 2013 is on the horizon, December is a natural time to reflect on events of the past year and what we have learned from them.  Subsequently, every December I inevitably am asked to extrapolate or predict what the threat landscape might look like next year. 

I’m not Nostradamus, and I know that we can’t use the past to predict the future with absolute accuracy.  But I wanted to share my thoughts on the top five trends that I predict we’ll see in the coming year based on current observations of the threat landscape.

Before I get to my predictions, it’s no secret that privacy and cyber-security are two topic areas that will continue to be hot topics in 2013.  Several privacy-related topics are garnering interest such as Differential Privacy and Do Not Track (DNT), among others.  To state the obvious, privacy will be a super important topic area in 2013. Governments in many parts of the world are working on ways to best protect critical infrastructures from attacks that could impact the safety and stability of their regions.

A colleague of mine, Paul Nicholas, published an article earlier this year called The Future of Cybersecurity: Understanding How the Next Billion Users Will Change Cyberspace that provides insights into this topic area.  With these more obvious trends stated, let’s dig into my top five predictions.

Prediction #1: Criminals will benefit from unintended consequences of espionage 

Over the past couple of years there have been news reports on the origin of targeted attacks that use sophisticated malware.  Stuxnet is one such example.  If these news reports are accurate and governments are developing malware as part of their military/economic espionage programs, it’s a safe bet that there have been some unintended consequences that we will continue to see in 2013 and beyond.

For example, one of the vulnerabilities that Stuxnet uses is CVE-2010-2568, for which an update was released back in 2010 (MS10-046).  Since then many malware authors have adapted their malware to use this vulnerabilityin an attempt to successfully compromise as many systems as possible.

Data published in the Microsoft Security Intelligence Report volume 13 indicates that exploits targeting CVE-2010-2568 accounted for more than 85 percent of operating system exploit detections worldwide in the first half of 2012; over three quarters of a million systems reported detections of this exploit in the second quarter of 2012 alone, almost two years after the associated security updates were released.

The barriers to entry for criminals to leverage highly sophisticated techniques in their attacks are lowered each time the malware and vulnerabilities that highly skilled professionals develop and use, are discovered.  This is likely to amplify the unintended consequences of espionage in the coming years. 

Figure 1 (below, left): Individual operating system exploits detected and blocked by Microsoft antimalware products, 1Q11–2Q12, by number of unique computers exposed to the exploit; Figure 2 (below, right): Families commonly found with CVE-2010-2568, July 2011–June 2012


Prediction #2: Attackers will increasingly use apps, movies and music to install malware 

As attackers shift their tactics, the relative prevalence of the categories of malware that Microsoft antimalware products and tools block and clean from systems all over the world change.  For example, worms have come in and gone out of vogue with attackers over time as seen in the figure below.

Over the past few years Trojans (and social engineering) have become the most prevalent category of threats. This is also true for mobile app marketplaces as evidenced in Figure 1 with the Unix/Lotoor threat that targets Android users.  I expect this trend to continue in 2013. 

Figure 3: Malware and Potentially Unwanted Software categories since 2006 by half year/quarter


We recently warned software users that attackers were using software key generators to install malware on their systems.  Given that several new operating systems and devices from various different vendors were recently released, I expect key generator downloads to surge in the coming year.

After all, the first thing people do after getting a new device is install applications on it.  As key generator downloads continue to increase, Trojans will flourish.  My mantra always has been: if you don’t trust the source of the software, don’t trust the software.  In 2013, this advice will be as relevant as it ever has been.  

One similar trend we have seen growing for some time is the use of video and audio files to install malware.  One Trojan downloader family in particular that uses this tactic, called ASX/Wimad, has crept into the top ten lists of threats in several locations around the world.  I suspect this upward trend will continue in 2013 as attackers continue to take advantage of people’s desire for free entertainment and software.

Finally, notice the relatively recent drop in adware in Figure 3.  This drop doesn’t mean that online advertising is going away anytime soon.  The drop in adware is likely the result of online advertisers being more declarative and transparent about the value propositions of their products and services.  As the advertising economy shifts to in-App advertising, the advertising ecosystem will change.

Prediction #3: Drive-by attacks and cross-site scripting attacks will be attacker favorites

The long term trends are very clear: attackers have been leveraging drive-by download attacks and cross-site scripting attacks more and more each year.  Drive-by download attacks are being made easier to perpetrate by the broad availability of exploit kits, such as the Blackhole exploit kit.  Such kits allow attackers to focus on vulnerabilities in ubiquitous software that is infrequently updated or hard to keep up to date. 

I don’t think I’m making a risky prediction that attackers will continue to use drive-by attacks and cross-site scripting as much, or even more in 2013, than they did in 2012. 

Figure 4 (below, left): Unique computers reporting different types of exploits, 1Q11–2Q12; Figure 5 (below, right): The portion of Microsoft Security Response Center (MSRC) vulnerability investigation cases identified as involving cross-site scripting, 2004–2012, by year


For additional information about cross-site scripting attacks and how to mitigate them, please see theCross-Site Scripting Quick Security Reference.  For more information on drive-by download attacks, please see the series of articles I wrote on them:

Prediction #4: Software updating gets easier and exploiting vulnerabilities gets harder

As the drive-by download data above indicates, many attackers rely on outdated software to successfully compromise systems.  This has been a successful tactic for many years and attackers will continue to use it in the foreseeable future. 

As I predicted above we will see large numbers of detections and blocks of drive-by download attacks and exploit attempts in 2013.  But these attacks will become less effective than they have been in the past. 

We started to see some signs of this already.  For example, following a surge in detections that peaked in the third quarter of 2011, detections of exploits that target vulnerabilities in Adobe Flash Player have decreased significantly in every subsequent quarter, likely due to the ease of keeping it updated. 

Figure 6: Adobe Flash Player exploits detected and blocked by Microsoft antimalware products, first quarter of 2011 (1Q11) – second quarter of 2012 (2Q12), by number of unique computers exposed to the exploit


As vendors like Adobe, Oracle, and others make it easier and easier for customers to keep ubiquitous software updated, the window of opportunity for attackers to exploit old vulnerabilities will get smaller and smaller.  I’m also optimistic that app store distribution models will also help software vendors successfully distribute the latest and most secure versions of their software.

Prediction #5: Rootkits will evolve in 2013
Two new technologies, Unified Extensible Firmware Interface (UEFI) and secure boot, provide more protection against rootkits and other boot loader attacks.  As systems that leverage these technologies become more pervasive, I expect to see purveyors of rootkits attempt to innovate and evolve their malware.

In conclusion, keeping all software up-to-date, running anti-malware software from a trusted source, and demanding software that has been developed using a security development lifecycle will continue to be best practices in 2013. These are among the best measures people can take in light of how the threat landscape is evolving.