Hello everyone. It's a pleasure to be here. Welcome to my temporary Blue Team Village weather studio. In the next 30 minutes, I'll be sharing with you what we all thought would happen in 2021. Every year, and more specifically at the beginning of each year, a lot of companies publish their understanding of what they believe will happen in the upcoming year. This includes vendors, consultancy firms, etc. Today I'm going to share with you what happens if you do a meta-analysis of all these understandings, verified against the present, plus a personal outlook for the second half of 2021.

I've been doing these analyses for a long time, yet mostly for clients, to support them with either their security program, developing their management capability, or creating threat scenarios for them to actually test. For me, this has been very useful: I basically take all this published content and think about how I can make better assessments using new or upcoming risks or threat scenarios.

So, that being said, let's dive into it a bit more. When doing this analysis, three main elements came up. The first one is: there are all sorts of forecasts and predictions each year, but are they any good? Are they on point? The second thing I thought of was: when folks create these products, how are they created? And more importantly, how can these products influence our thinking about risk and threats to our organization? And are there any surprises? Let me be clear: no, there are no surprises in specific themes or topics. What was interesting, though, is how publishers delivered and emphasized everything. We will dive into these three areas. The goal of this exercise is basically, first of all, to change the norm of how folks do predictions, and second, to provide in-house teams some guidance on how they can deal with this. Before we get into those details, just an example.
And mostly because things are shown in front of us: that's what we know, that's what we care about, that's what we think about. If you have, for example, certain network telemetry but lack host-based telemetry, then your view and priorities will mostly be dictated by that. This then translates into budget and eventually can lead to you having a limited understanding of other risks, or areas of risk, that are outside of your viewpoint. I will refer to this metaphor a couple of times throughout the presentation.

But first I would like to introduce you to the concept of forecasting. Technically speaking, forecasting is the process of making predictions based on past and present data, most commonly by analysis of trends. Prediction is something else: it's basically the process of estimating outcomes for unseen data, and forecasting is just a sub-discipline of prediction. Why would you bother with forecasting, since we all have thousands of things to do right now? Well, it goes a long way to help you shape your response strategy in the face of an uncertain future. An example could be being prepared for specific ransomware trends, or preemptively checking your supply chain. It will help you answer not just the why, the how and the what questions, but it will also help you shape the answers to the when question.

Finally, there's also the concept of superforecasting. This comes from a great study performed by Philip E. Tetlock and various others. Simply said, they had a lot of people forecast specific questions. Some people excel, basically performing better than a random selection, a.k.a. the dart-throwing chimp, and they explored why. There are multiple interesting pieces to the study. Apart from the monkey, of course, one of the outcomes was that the average of everyone's forecast was generally true. And this inspired me to do a little experiment on what everyone thought would happen in 2021.
So once you think about an experiment, you also think about the analytical techniques, and it's important to understand the basics of forecasting analysis. Basically you have two types, qualitative and quantitative. Quantitative breaks into time series and causal models: time series are the trend lines we all recognize, and causal models represent complex models which compute, for example, where rain is going to fall. So the third approach emphasizes the human telling what's up. This is what we're going to be focusing on.

So, the experiment. If you're interested in the details, reach out to me through the contact details on the last page; happy to discuss this. The essence of what I did was: I grabbed all the threat predictions and threat landscapes I could find through all sources in Q1 2021. Then, at the start of Q2, I analyzed them based on recent events and assessed what direction the next half of 2021 will take. Full disclosure: there was so much to unpack, and too much impact, that I basically kept it to the most impactful components.

Now, let's get into some of the details. I've broken it down into four main topics: publishers, documents, themes and topics. First of all, I looked into 44 unique pieces, that's documents and articles. It's important to note that I found four that were actually released before 2021, and I excluded them from the upcoming content and slides you will see. Most of them were reports published in Q1, and the highest release moments were January and April. Of the total, 67% were reports and the remainder online articles, all of them accumulating to a whopping 1100 pages. The smallest was two pages, the biggest one 22, with an average of 27.5 pages per document. It was a lot of documents, a lot of pages. Some interesting things that popped up on my end: only 10% incorporated the MITRE ATT&CK framework.
This actually told me something about how actionable certain reports, or vendors, actually are, or at least the content they produce. 20% of them included explicit forecasts; that usually tells me the publisher is one of the parties that is looking ahead, thinking about the future. 45% used proprietary telemetry, as far as I could actually dig up, and the remainder basically applied expert analysis. Finally, 49% of all the documents and articles I reviewed built their piece with explicit company and service marketing.

When comparing all these documents, it seems like publishers sometimes have an identity crisis. Most of the content is marketing, and sometimes they want to pass as a fully fledged research paper. In essence, this is also visible in the average structure: they differ across all documents, with pros and cons to the various topics one can add. Breaking them down: first of all, everybody understands that these kinds of products are actually marketing, and this is okay. But just remember to keep your threat landscape factual; keep marketing separate from any produced intelligence value. I'd like to hear your take, not your pitch. The second observation focuses on creativity. More creativity can be put into structuring your messaging; it doesn't have to be the good old academic paper approach. A great example of that is Verizon's DBIR: the data is at large and the tone of voice is at times comical, and this makes reading a joy, in my opinion. And obviously also incorporate timestamps in your documents; white papers and blogs without dates and citation info make it very difficult for researchers to track that. Thirdly, machine-readable text: structured text versus unstructured text. This is actually uncharted territory for most, and examples of that could be the ATT&CK framework or STIX-enabled document structures. This is one of the areas I'm looking into to develop further.
Although, to be honest, I haven't figured out the answer quite yet myself. Finally, the use of forecasting language. Most companies look back; they don't look forward. The horizon report I just read is an excellent example of how one can do this. I believe this is the area where you see the most differences in themes and topics and in the maturity of threat intelligence teams. The second sign of mature threat intelligence teams is that they will also do a recap of their anticipatory statements, to continuously improve and adjust, which in my opinion gives them massive street credit. And the final tip ties into the last point as well.

It's also good to mention that, when diving into the content, I made the distinction between themes and topics: themes are more or less overarching concepts, and topics are, well, topics. The dominant themes give no surprises; all of them are on point per the first-half check. We'll see them later. By the way, I think the outlier themes, the themes that are not as vocal as others, that's where the differences were. There was IoT, that was certainly a thing, combined with botnets and DDoS. One thing I actually missed this year was the hardware and processor discussions, for example. In addition to that, macOS security is not a theme that is being vocalized either. The same goes for 5G and artificial intelligence, both concepts which are regularly in the news but have not yet manifested themselves in the mainstream.

Now, if we look into specific topics, the five most referenced topics, mostly in front of us, are ransomware, phishing, the supply chain, vulnerabilities and DDoS. Let's take a quick look at all of them. Before we start: same as a weather forecast, I'm looking at the moment of Q1 as the reporting on Monday, our check today is Wednesday, and the end of the year is Saturday. Saturday is my personal analysis as cyber weatherman for the next half, based on the check done today. Currently, and this will come to no one as a surprise:
We had major ransomware incidents globally, and in addition we saw increased efforts to take down the big players. The big change to me was that ransomware finally became a topic of geopolitics. Now, for the rest of the year, I believe we will witness a small activity drop over the summer, following the legislative crackdown. It will pop back up in Q4 once the new status quo has been established and they know what they can and cannot do. There are two evolutions in techniques and procedures I'm anticipating. One is victim pressuring: this could, for example, be double extortion, social media naming and shaming, and DDoS, all designed to pressure victims into paying more and faster. The second is actually something that has been done in the last 20 years, and that is the ability of malware to evade defenses. I think we can surely expect this to still be the case.

One pro tip I'd like to highlight here is the use of the so-called CIS keyboard layouts. These reference languages of the former Soviet states, which are basically off limits to most Eastern Europe-based groups. Once malware hits PCs with these layouts, it doesn't detonate. There's actually a fun article from Brian Krebs where he explains this concept. And obviously, tying back to my forecast, in good fashion of the evolution of defensive agents, we will then probably see malware creators start integrating time and locale triangulation.

Number two was social engineering through phishing and what we like to call business email compromise, BEC. Phishing subjects have always been whatever is trending at that point in time, and now it's COVID and cryptocurrency. Who knows what's next. This was pretty consistent for the first half, and it will probably be so for the next half. We saw vendors responding to new trends faster; an example of that is the use of these phishy Microsoft authentication emails, which was actually quickly shut down by additional authentication methods.
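The keyboard-layout check mentioned above, as an added example that is not part of the original talk or of the Krebs article: a Python model of the "don't detonate on CIS layouts" logic, plus the forecast evolution where the layout is only one of several locale signals that get triangulated. The LANGID table, the region list and the time-zone band are assumptions for illustration, not the exact lists any malware family uses; the sample HKL values are constructed, and the `installed_layouts_windows` helper is the only part that touches a real API (user32 `GetKeyboardLayoutList`).

```python
"""Model of the CIS keyboard-layout 'vaccine' check (added example).

A Windows HKL (keyboard layout handle) carries the layout's LANGID in its
low 16 bits. Some ransomware enumerates the installed layouts and refuses
to run if any of them belongs to a CIS / former-Soviet language. Defenders
have exploited that by installing such a layout as a cheap 'vaccine'.
"""
import sys

# Assumption: plausible LANGIDs for CIS languages, not a family-specific list.
CIS_LANGIDS = {
    0x0419,  # Russian
    0x0422,  # Ukrainian
    0x0423,  # Belarusian
    0x0428,  # Tajik
    0x042B,  # Armenian
    0x042C,  # Azerbaijani (Latin)
    0x082C,  # Azerbaijani (Cyrillic)
    0x0437,  # Georgian
    0x043F,  # Kazakh
    0x0440,  # Kyrgyz
    0x0442,  # Turkmen
    0x0443,  # Uzbek (Latin)
    0x0843,  # Uzbek (Cyrillic)
    0x0818,  # Romanian (Moldova)
}

# Assumption: ISO 3166 region codes used for the locale signal below.
CIS_REGIONS = {"RU", "UA", "BY", "KZ", "KG", "TJ", "TM", "UZ", "AM", "AZ", "GE", "MD"}


def langid_of(hkl: int) -> int:
    """Low word of an HKL is the LANGID; the high word holds device/IME flags."""
    return hkl & 0xFFFF


def has_cis_layout(hkls) -> bool:
    """The classic check: abort if any installed layout is a CIS language."""
    return any(langid_of(h) in CIS_LANGIDS for h in hkls)


def triangulated_abort(hkls, tz_offset_minutes: int, locale: str) -> bool:
    """Assumed evolution of the check: a single added layout is no longer
    enough to abort; at least two independent locale signals must agree.
    The UTC+2..UTC+12 band is a crude stand-in for CIS time zones."""
    signals = [
        has_cis_layout(hkls),
        120 <= tz_offset_minutes <= 720,
        locale.split("-")[-1].upper() in CIS_REGIONS,
    ]
    return sum(signals) >= 2


def installed_layouts_windows():
    """Real enumeration via user32!GetKeyboardLayoutList (Windows only)."""
    import ctypes
    from ctypes import wintypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (wintypes.HKL * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [int(h or 0) & 0xFFFFFFFF for h in buf]


if __name__ == "__main__":
    if sys.platform == "win32":
        layouts = installed_layouts_windows()
    else:
        # Constructed sample: US English plus a Russian layout added as a vaccine.
        layouts = [0x04090409, 0x04190419]
    print("CIS layout present:", has_cis_layout(layouts))
    print("triangulated abort (US tz, en-US):",
          triangulated_abort(layouts, tz_offset_minutes=-300, locale="en-US"))
```

The point of `triangulated_abort` is the one the talk forecasts: once the layout is cross-checked against time zone and system locale, a host that merely has a Russian layout installed but sits in a US time zone with an en-US locale no longer trips the abort, so the vaccine stops working.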
Also, macro-enabled documents and ISO files consistently stay the main source of problems. I believe we will not see a phishing drop; it is just too effective, and it will just become more and more refined. In addition, I also believe that cross-medium integrations will occur, for example pretexting through something like WhatsApp. Specifically for business email compromise, the tactics are expected to become a bit more sophisticated, for example targeting group mailboxes to instruct changes of payment details. I think it's safe to say that ransomware and phishing/business email compromise are still the industry's two biggest problems.

I'm always surprised, actually, about this one: supply chain compromise, and especially about folks referencing supply chain compromise as something new. This technique was around when I was in diapers and it will probably exist until I'm not there anymore. Most interestingly, major service providers got hit in the first half, and cloud providers have been in the crosshairs continuously. That being said, we haven't seen the last of these big incidents; this will continue to happen, and I'm expecting this to also appeal to the geopolitical theater. Now, one element that actually doesn't get a lot of attention is the non-technical aspect of gaining initial access. You don't need a comprehensive targeting program when you can just get people to click a link by paying them or funding them, right? Nothing sophisticated about that. Let's see if we see some more on that.

Vulnerabilities: when it rains, it pours, and this is unfortunately the same for our friends at Microsoft. Windows vulnerabilities dominated the last six months, with the exception of some VPN, basically anything remote-work-centric, vulnerabilities. Sometimes they appear to reside in the basis of all the versions of Windows, which are then weaponized in modern versions. And this will most likely not change.
All this media attention, however, deflects from the security of other platforms like macOS, Linux, etc. Another big thing to keep an eye out for is the new Chinese regulation for vulnerability disclosure, just putting it out there. The new regulation forces Chinese researchers to first share vulnerabilities with the MSS, with all the consequences you can think of. This is, in my opinion, a very concerning development for our friendly Chinese vulnerability researchers.

And finally we have DDoS. To me, DDoS actually came as a surprise when analyzing the keywords as part of the meta-analysis. But the conclusion today is quite simple: it is still a valid technique in the arsenal, and with the pandemic and the role of cloud services needed for working from home, these are vulnerable to peak flooding. Remember that time when Slack was down? Oh boy. I'm going out on a linear forecast that we will see more than 10 million DDoS attacks this year, and I'm expecting new innovations that will lead to more effective targeting, thus the technique being more refined. At the same time, DDoS extortion, for example, is not the well-oiled machine that it could be, but I can imagine people will get there.

So, that being said, these are the five topics which are most referenced. And what happens if you take all the top fives, etc. and put that in a chart? Then you get something like what you see on screen: basically what everyone is thinking, in chronological order. There are a couple of interesting highlights. The first one is that initial access is consistent with the main topics we identified: phishing, supply chain and vulnerability exploitation. The second is that, once inside, droppers take care of dropping additional malware; this could be info-stealer Trojans or ransomware. The third one is that ransomware is more often deployed after another compromise: when the Trojans are in place and the actions on objectives have been fulfilled, for example exfiltrating that confidential information.
And the fourth is the crackdown by law enforcement, which is also clearly visible in this overview. My compliments go out to all the people working day and night to stop this misery. Now, what makes these kinds of overviews useful, in my opinion, is that you can leverage this understanding to prepare a strategic program. Is it sufficiently equipped to combat remote access Trojans? Let's check that. Another example could be: how well equipped are we to identify the fan favorite, Cobalt Strike? Let me know what you think about this.

Now there are a couple of themes and topics you should be monitoring which are not, let's say, in front of everyone. The risk is great: everybody says the overall risk is becoming greater every year. I'm seeing this everywhere, and I think this is bullshit. They're just movements. Challenge every vendor that tells you this. For example, the over-dominance of ransomware and phishing articles: does that actually align with real-world activity? In this case it probably does, but the point is to do the work. Folks need a fresh angle which they didn't think of.

Another theme is the evolution of crime, and especially the business behind that. So imagine this: these are the kids that grew up in the zeros and who otherwise could have been successful internet entrepreneurs. Unfortunately, they took the dark route, and I think this is a combination of cybercrime, rush for profit and talent. So I'm expecting nations to further collaborate, join forces and share resources to target common enemies, also considering victim vetting and service model synergy. I even heard somebody say the words "an apex predator". Oh boy. We're in for a treat, right?

Another element to consider is the role of Western bias in our opponents. The primary adversaries, it's said, are China, Iran, Russia and North Korea. Well, the best is not one of those; it's Israel.
The reality is that most countries have actually developed powerful capabilities, not to mention foreign versus domestic actor groups. We have macOS-based firsts, and in the next half we might even see the development of the first ever malware to take advantage of the Linux version streamline on Mac computers running Apple Silicon and Big Sur, who knows. And finally, another big one is the Windows high ground. What I'm saying with that is that the dominance of the Windows terrain has a big impact on everyone, that's mostly the Windows user base, and that obviously drives security research into new attack vectors in that majority. That's also demonstrated by the recent Exchange vulnerabilities, but also the new features announced related to Android signal some interesting discussions.

If we have some specific topics to monitor: the first one could be the focus on the old. We mentioned earlier the research that goes into old versions of Windows, and this is a big thing. Another big yet simple thing is web applications, but it is a simple attack that applies a small number of steps or additional actions after the initial web application compromise. We can expect the continued emphasis on double extortion attacks: this is a low-cost effort with a moderate to high return, basically a criminal sweet spot, and it could tie into DDoS, could tie into ransomware, we could see it everywhere. The third one is DNS-focused attacks; even our phone book should be considered. It can be DNS over HTTPS as an attack vector; everyone's been talking about that for years, and even influencing DNS has been a thing for years. For some reason this is being pushed again, and I'm actually curious if this is part of one of the trends I've been seeing in recent years: the attackers move back to the perimeter because hosts are sufficiently locked down.
Now, in terms of browser injection, malware code has become more flexible than ever, and is able to reach further into the attack surface. One malware campaign can get a wide focus across different device platforms. A specific malware, for example, was controlling hundreds of thousands of domains, and the malware itself performed browser injections in order to serve malicious search results in a browser once it is infected. And once you load a malicious DLL extension, this is essentially game over. What people don't realize is that one of the edge devices is also the browser, right?

Finally, we have wardriving. Yeah, the topic we talked about five to ten years ago. Well, right now it has never been so easy, and commoditization has spurred solutions that simplify this process. What is interesting is that you don't have to build it yourself anymore. Yes, I know this is what everyone does, but it evolved from just Wi-Fi to also do it. So traditional skimmers get an upgrade that allows for more effective collection of sensitive information. We'll probably see something more on that.

So, next steps on my side. First of all, I will do this exercise again by the end of the year. It will be interesting to compare what people put out there, and if they saw the lessons of this talk. I will also explore more automatic analysis of reports; maybe me and some friends will help the old algorithm, who knows. It would be really cool if we can get to some sort of machine-readable format, I'm thinking JSON, STIX, tagging, something like that. This would allow for more comparison and make everyone's precious time more effective. Finally, I'm also a big fan of scenario creation and, more importantly, testing it to determine the actual risk. I'm anticipating that the industry can also play its part in enabling this test-the-scenario philosophy. One good example is Verizon's DBIR, which includes some specific scenarios which folks can look into.
So, concluding: the average of what everyone thought was on point. Hypothesis check. In the last themes, I have three main takeaways. One is that basic security hygiene obviously combats pre-compromise behavior. Two, prepare for the post-compromise behavior. Thirdly, report on forecasting, however you can: more specifically, what you expect to happen soon, what is happening right now, and what you think about the gap between the two.

What about the vendors? Well, I want to challenge all the vendors to think more in terms of creativity. We will not hate you for trying something new and innovative and failing. What people just don't like is complimentary marketing briefings, and people will reach out to you either way. And finally, and most importantly, make actual forecasts instead of the easy "topic X will be trending soon". That's the dart-throwing infosec chimp.

Well, special thanks to the folks who helped me create this presentation. I really enjoyed it, and it was my pleasure to speak at the Blue Team Village. To wrap it up, my contact details are listed here, if you're up for a custom weather forecast or just want to hang out. Also, the reports reviewed in this research are uploaded to my GitHub; the link can be found in the video. Cheers everyone. Bye bye.