Vulnerability research and offensive capabilities, in general, are almost generational by nature. The average researcher will generally dedicate years of his or her life focusing on an individual or group of technologies. The main reason for this is that to develop something that’s truly advanced, a lot of very dry fundamentals need to be first understood about that technology.
With a closed-source product, this isn’t something that happens overnight. When considering something complex like the internals of the Java Runtime Environment or Flash, this fundamental understanding could take half a year to acquire before your research starts to yield anything close to useful. This creates observable trends in the type of offensive technologies that we see baked into advanced threats and, historically speaking, also can be observed through the types of things that vendors have to fix most.
Five years ago, it was file format fuzzin; 10 years ago, it was attacking the Microsoft RPC stack; in more recent years, we have seen a definite trend toward research around embedded systems -- much of which has been spurred on by the advent of "Stuxmania," or Stuxnet.
And so my first prediction for 2012 is that we will continue to see an increased focus on offensive research toward embedded systems, utilized primarily in the industrial control systems realm. Much of the research we are likely to see in 2012 is unlikely to pose an imminent threat to the average electric utility or the nuclear enrichment efforts of the world’s super villains; however, it will get us significantly closer to having to really start to wonder whether we’re going to wake up one morning to no power -- and it might not come back on for weeks, if not months.
For those of you who have been relying on NoScript for the past three years to block anything that smells of Flash, I believe 2012 will see the large well of Flash vulnerabilities drawn from by the baddies over past few years start to dry up. A lot of effort has been invested in finding Flash vulnerabilities during the past 12 months, which can only result in a rapid reduction in the number of Flash zero-days that we see emerge on a regular basis at least. If you have secrets to steal, then this, of course, does not mean 2012 is going to cut you any kind of break.
Will 2012 be the year of the so-called “cyberwar” that so many like to talk about? Doubtful. However, we absolutely are going to see things heat up between the West and many of the usual suspects who have persisted in their use of cyber as a means to stealing our secrets. At most, 2012 could see open suggestions of diplomatic sanctions against the worst offenders; however, this will largely depend on what happens in the lead-up to November, in the United States at least.
Happy 2012! Stay safe!
Tom Parker is Chief Technology Officer at FusionX.