2016: The Year the Entire Cyber Landscape Changes

Looking forward to 2016, these are my studied predictions and industry recommendations for us all for the next 12 months. We'll look at Intelligence, Endpoint, Network Forensics, Data Anomalytics, the Threat Landscape, and finally, what I have been calling the New Perimeter in my latest keynotes (the human):
The views below are purely my own and are unrelated to any employer past, present, or future, other than by way of unavoidable coincidence.

Intelligence isn't what we thought it was
Now that we know intelligence is not merely atomic IOCs, and that APTs do not take the shape of malware families but rather of funded campaigns with targeted objectives carried out by whatever means necessary, we can start to home in on extremely high-fidelity intelligence that is packaged specifically for a given organization to make decisions with. These decisions will need to be made preemptively, however. We'll need to pivot from an intel product directly into a structured hunting workflow, as opposed to just pivoting from an alert to forensic analysis and response.
To get to a predictive state, we will need to formally share this high-fidelity intelligence across our industry peers into open-source containers for every threat actor, every identified campaign, and the ever-evolving TTPs we witness in the field during IR. We can no longer afford to hold high-fidelity intelligence 'close to the chest' as a vendor and look upon it as a market differentiator. We must compete in all other areas... but we cannot compete when it comes to intelligence any longer.
The entire industry will need to coordinate and share freely and proactively.
We need to gamify this aspect formally within the security community at large and reward those organizations breaking the current mold. There is room in this industry to actually pursue victory over the aggressor rather than perpetuate the problems that lead to continuous revenue streams. (Note: this is not meant as cynicism, but as honest reflection for us all.) If indeed intelligence's ultimate goal is that of 'wisdom', then we had all better wise up, and remember what the mission of cyber security is to begin with. If today's adversary has unfettered means, opportunity and motive, then we must counter with equal and offsetting forces on all three fronts. We must become the adversary's adversary, and lean into their operations, their intelligence, their motivations, their TTPs, and their rewards. Yes, this means everything from psyops to kinetic interference and all else in between on the cyber front.
There is a bow-wave before us of incredible disruption and damage to the cyber fabric we continue to take for granted, and in particular the way in which it interacts with the physical world... holding economies together, keeping the lights on, and preventing disaster via monitoring and control systems. The stage has been set; the enemies are many, diverse, and more empowered than ever, and have footholds on nearly every single network I have ever encountered in my time here at FireEye and my time prior supporting DoD and Federal networks. That is not a FUD statement... I truly hope anyone reading this has completely and utterly gotten past the notion that FUD drives this industry. That was so 2006. This landscape is driven by threat actors, period.
Intelligence exists for a reason... you cannot make wise, defensible decisions without it, any more than you can enter a theater of war without knowing who the enemy is, how they think, how they are funded, and what their TTPs are.

The End Point is the Endgame
We don't yet have a perfect kernel. Ring 0 is completely wide open. 90% of the IR engagements Mandiant completes have one thing in common: spearphishing as the original vector in. If you add in drive-by/watering-hole browser attacks, you approach probably 95%, and an ever-larger percentage combine multi-staged, multi-vector methods to achieve 'just in time' assembly on the endpoint and evade our legacy defenses.
Then add to that the incredibly effective, 'kiddie-fied' and well-understood methods of evasion and persistence, including dozens of ways to compromise Active Directory and other credential/SSO systems... we are in a firestorm on the endpoint, with tools like cred-crack able to gain AD admin credentials in under 30 seconds immediately following a single endpoint compromise.

But this is about to change in 2016... we are taking it back! Expect a tremendous amount of innovation around the endpoint, leveraging everything from high-fidelity intelligence, behavioral analysis, A.I., machine learning, hardened hypervisors, improved and off-loaded sandboxing, and back-end big-data anomalytics approaches to the problem.

Network Forensics must evolve, and it will in a big way!
I think we all know the challenges of the necessary evil that is the SIEM. But there is good news on the horizon. Today we are overwhelmed with alerts, false positives and, indeed, false negatives. And even more so, there is an ever-dwindling supply of experienced analysts who know how to triage alerts, let alone ones who know how to hunt or even have the cycles to do so in the first place.
But have hope... the machines are coming to help us, and they are armed with math. Not ordinary math, but extremely fine-tuned algorithms so advanced that they will shift our stance from reactive to predictive. All that data we currently loathe is actually our biggest asset... it just has not yet been properly tapped.
Once we begin to apply hybrid analytics against multi-dimensionally related containers of data (thematic, semantic, temporal, etc.), the machines will be able to sift candidates to the top of the stack for humans to spend their precious cycles on. We must let the "data find the data", because math. We do this everywhere else in the current economy, but we don't do it well, or at all, in cyber security. That is about to change, forever... perhaps as soon as late 2016, from the research I have been doing into the subject. As we head into this brave new world, however... fair warning: not all algorithms are created equal, and not all sets of algorithms will be optimized to work with each other for quite some time.
If yesterday's SpaceX mission has taught us anything, it is that we cannot wait to build what is to be in 2020... we must build it now, break it, test it, and fail for a few years first. 2016 will be the first year where we get meaningful, actionable, and never-before-seen results from hybrid analytics... and this will be happening in real time, in fractions of seconds, against massive sets of data that can be located anywhere... not just historical data stored in a SIEM.

The Industrial Internet of Things (IIOT) is a Thing, no, really
As I write this, we have the luxury of looking 'forward' into the cyber impact of the IIOT. Once again, there is no FUD going on here... this is the real deal, and our cumulative attack surface is about to explode exponentially for the first time since the smartphone in ~2007. Rather than rehash what has already been said, I'll go straight to the good news: some of the same technology we'll see providing protection for the endpoint in 2016 will also be able to help protect the IIOT, whether that means RTOSes, embedded Linux, or any other lightweight OS... once again, machine learning and AI to the rescue. Here's the call to arms, however... we need this technology brought in at the OEM level, instead of bolted on afterwards. The best way to leverage any anomalytics engine is to start with a known-good baseline. This will allow us to employ lighter-weight algorithms and minimize CPU overhead when it comes to the IIOT.

Beyond just the 'endpoint' of the IIOT, there are also the backend ZigBee receivers that are currently being fingerprinted en masse and catalogued by vendor and purpose, whose security features are near non-existent. This again will be where network anomalytics comes into play, again starting with clean baseline network behaviors to every extent possible.
The IIOT presents both a direct attack surface and a means to gain entry into enterprise/production networks. If we get ahead of the curve as an industry by baking in machine learning/AI at the OEM level, we at least stand a chance of mitigating this near-horizon threat. There is no reason Amazon delivery drones won't be able to run these algorithms natively on the drone OS, if we start now to integrate.
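To make the "start with a known-good baseline" idea concrete, here is an added example (my own illustration, not code from the article or from any vendor it mentions). It learns, per device, which peers a device talks to and how large its flows normally are during a clean commissioning window, then flags live flows that fall outside that envelope. The device names, addresses and flow records are constructed for the example; the 3-sigma/25% volume envelope is an assumed, deliberately simple rule standing in for the lighter-weight algorithms the passage calls for.

```python
"""Known-good baseline anomaly detection for IIoT device traffic (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records captured while the devices were known-good:
# (device, dst_ip, dst_port, bytes_in_flow)
BASELINE_FLOWS = [
    ("plc-01", "10.0.5.10", 502, 180),    # Modbus poll to the SCADA server
    ("plc-01", "10.0.5.10", 502, 176),
    ("plc-01", "10.0.5.10", 502, 184),
    ("plc-01", "10.0.5.20", 123, 76),     # NTP, constant-size packets
    ("cam-07", "10.0.9.2", 554, 420000),  # RTSP video to the NVR
    ("cam-07", "10.0.9.2", 554, 410000),
    ("cam-07", "10.0.5.20", 123, 76),
]

# Constructed flows seen later in production.
LIVE_FLOWS = [
    ("plc-01", "10.0.5.10", 502, 182),        # normal poll
    ("plc-01", "203.0.113.7", 443, 52000),    # peer never seen in the baseline
    ("cam-07", "10.0.9.2", 554, 415000),      # normal video
    ("cam-07", "10.0.5.10", 502, 300),        # camera suddenly speaking Modbus
    ("plc-01", "10.0.5.10", 502, 9000),       # known peer, abnormal volume
]


def build_baseline(flows):
    """Learn, per device, the set of (dst, port) peers and the mean/std of
    bytes per flow for each peer from clean traffic."""
    samples = defaultdict(lambda: defaultdict(list))
    for device, dst, port, nbytes in flows:
        samples[device][(dst, port)].append(nbytes)
    return {
        device: {peer: (mean(v), pstdev(v)) for peer, v in peers.items()}
        for device, peers in samples.items()
    }


def volume_limit(avg, std):
    """Upper bound on bytes per flow: mean + 3 sigma, but never tighter than
    25% above the mean, so a peer with constant-size flows (std == 0) still
    gets a usable envelope instead of alerting on every byte of jitter."""
    return avg + max(3 * std, 0.25 * avg)


def score_flow(baseline, flow):
    """Return a short reason string if the flow deviates from the baseline,
    or None if it fits the learned envelope."""
    device, dst, port, nbytes = flow
    if device not in baseline:
        return "unknown device"
    peers = baseline[device]
    if (dst, port) not in peers:
        return "new peer"
    avg, std = peers[(dst, port)]
    if nbytes > volume_limit(avg, std):
        return "volume"
    return None


def detect(baseline, flows):
    """Run every live flow through the baseline and collect the deviations."""
    alerts = []
    for flow in flows:
        reason = score_flow(baseline, flow)
        if reason:
            alerts.append((*flow, reason))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for device, dst, port, nbytes, reason in detect(baseline, LIVE_FLOWS):
        print(f"{device}: {dst}:{port} {nbytes} bytes -> {reason}")
```

Two of the three flagged flows are "new peer" hits, which need no statistics at all: a camera opening a Modbus session to the SCADA host is wrong regardless of volume. That is the payoff of learning the baseline at commissioning time rather than in production, where the rogue peer would already be part of "normal".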

The Threat
A lot is being written about the APT moving away from malware-based vectors and into more 'stealth' approaches in 2016. Here's what I predict... forget all that. The APT is simply going to move wherever it needs to in order to get the job done with the greatest efficacy and least chance of discovery, and will continue to incorporate false attribution at every stage of the attack, whether in tools or TTPs.

Ironically, this often means simply masquerading as malvertising campaigns, PUPs, or ransomware. The last sample of CryptoWall I looked at also incorporated a tool called Pony... which executes ahead of the encryption callback/key-retrieval stage and grabs all the credentials off the victim machine first. By the time traditional forensics is done on that host, 99% of organizations will have mistaken it for 'just' ransomware... and this leads me to my final comment for 2016:
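The triage mistake described above is one of direction: starting at the ransom note and only looking forward. As an added example (my own, not code from the article), the function below takes a normalized host timeline, locates the first encryption symptom and then looks backwards for credential-store reads and outbound posts in the window before it, so the responder sees the credential theft rather than 'just' ransomware. The timeline, hostnames, addresses and file paths are constructed; the credential-store path fragments are an assumed watch list a responder would tune to their environment.

```python
"""Scoping a ransomware host backwards from the first visible symptom (added example)."""
from datetime import datetime, timedelta

# Constructed host timeline (UTC), in the shape an EDR/Sysmon-style collector
# would emit: a timestamp, a normalized event kind and a free-text detail.
TIMELINE = [
    {"t": "2015-12-22T09:01:10", "kind": "process_start", "detail": "winword.exe opened invoice.doc (mail attachment)"},
    {"t": "2015-12-22T09:01:32", "kind": "process_start", "detail": "winword.exe -> powershell.exe"},
    {"t": "2015-12-22T09:01:40", "kind": "file_read", "detail": r"AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"t": "2015-12-22T09:01:41", "kind": "file_read", "detail": r"AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json"},
    {"t": "2015-12-22T09:01:55", "kind": "net_post", "detail": "POST http://203.0.113.9/upload 4 KB"},
    {"t": "2015-12-22T09:02:30", "kind": "net_get", "detail": "GET http://203.0.113.9/key 1 KB"},
    {"t": "2015-12-22T09:02:45", "kind": "file_rename", "detail": r"Documents\budget.xlsx -> budget.xlsx.encrypted"},
    {"t": "2015-12-22T09:02:46", "kind": "file_rename", "detail": r"Documents\contracts.docx -> contracts.docx.encrypted"},
    {"t": "2015-12-22T09:03:10", "kind": "file_write", "detail": r"Desktop\HELP_DECRYPT.txt"},
]

# Assumed watch list of credential-store artefacts; tune to the environment.
CREDENTIAL_STORES = ("Login Data", "logins.json", "lsass.exe", "Credentials\\")


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def is_encryption_symptom(event):
    """The first thing a user or a file-integrity alert notices: mass renames
    to an encrypted extension, or the ransom note landing on the desktop."""
    detail = event["detail"]
    return (event["kind"] == "file_rename" and detail.endswith(".encrypted")) or \
           (event["kind"] == "file_write" and "DECRYPT" in detail.upper())


def is_credential_access(event):
    """Reads of browser/OS credential stores or of the LSASS process."""
    return event["kind"] in ("file_read", "process_access") and \
           any(store in event["detail"] for store in CREDENTIAL_STORES)


def scope_backwards(timeline, lookback=timedelta(minutes=30)):
    """Find the first encryption symptom, then report credential access and
    outbound posts that happened in the lookback window before it."""
    events = sorted(timeline, key=lambda e: parse_time(e["t"]))
    symptom = next((e for e in events if is_encryption_symptom(e)), None)
    if symptom is None:
        return None
    t_symptom = parse_time(symptom["t"])
    window = [e for e in events
              if t_symptom - lookback <= parse_time(e["t"]) < t_symptom]
    cred = [e for e in window if is_credential_access(e)]
    posts = [e for e in window if e["kind"] == "net_post"]
    lead = (t_symptom - parse_time(cred[0]["t"])).total_seconds() if cred else None
    return {
        "encryption_started": symptom["t"],
        "credential_access": cred,
        "outbound_before": posts,
        "lead_seconds": lead,   # how long before encryption the theft began
    }


if __name__ == "__main__":
    report = scope_backwards(TIMELINE)
    print("encryption started:", report["encryption_started"])
    for e in report["credential_access"]:
        print("  credential store read:", e["t"], e["detail"])
    for e in report["outbound_before"]:
        print("  outbound before encryption:", e["t"], e["detail"])
    print("lead time (s):", report["lead_seconds"])
```

The number that matters for the response is `lead_seconds`: if credential stores were read and something was posted out before the first file was renamed, the host is a credential-theft case with a ransomware cover, and every password stored on it should be treated as burned, not just the files restored from backup.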

The Human is the New Perimeter
Why is an endpoint compromise so devastating to an organization?
Why is malware moving to mobile at an exponential rate?
Why is ransom such a powerful motivator, even in cyber?
Why are spearphishing tactics re-orienting back towards simple user/pass form fields instead of using malware?
Why are the Chinese, Russians, Iranians, and even ISIS sharing breach data with each other?
Why are most of the campaigns coming out of the Kremlin focused on targeting individuals instead of on compromising enterprise domains?

The answer is quite simple: the human is the new perimeter, and credentials are the new ring-0. There is one thing that every single APT tracked has in common... if they can simply use credentials to access information, they will do so every single time. They will use malware only as a last resort, when campaign timelines require more risk to be taken on their part. Using valid user credentials to access data is, today, the single easiest and least detectable way to accomplish mission objectives. And it is because of this simple phenomenon that the human has become the new perimeter, not the network boundary. Both attacks and defenses will continue to move 'closer to the human' as much as possible, and on both the offensive and defensive side, big data is the ultimate Death Star. The attackers are using it to create massive multi-dimensional containers with human identities as their centers of mass. Meanwhile, we as defenders must learn to assess our organizations' people as individuals moving through space and time, interconnected to a world of social media, IOT, surveillance cameras, mic-enabled browsers, wearables, portables and more.
To the extent we can see ourselves through the eyes of the enemy, we can begin to secure the new human perimeter. I have at least 3 different start-up ideas around this concept already that I continue to refine... and in 2016, I think we will see meaningful new innovation in this area for the first time.

So enjoy these last few days of 2015 and don't look back... everything is about to change... again. I'm curious to hear your thoughts and predictions too, so leave them below in the comments!

Mike Kleviansky

Head of Information Security

8 years

Scott, an interesting read, thanks. It is refreshing to see someone acknowledge that humans can be the weakest link in the Cyber security chain - and probably the easiest to crack.

Patrick Troy

Public Sector Professional

9 years

Great read

Salim Scafuto

Chief Client Officer | Advisor | Mentor | Veteran | Proud Father

9 years

You make a number of relevant points Scott. I appreciate your thoughts! =) Although I'm unconvinced anything but pain will instruct industry towards sharing 'high fidelity' anything, I agree there are many opportunities for 'blue teams' to arm themselves not just for defense, but for turning the tables towards hunting. Predictive Analytics, or as you coin it 'Data Anomalytics,' have amazing potential (especially for IIoT). However the greatest threat to defense in my view remains the labor shortage. Attackers no longer have labor or funding challenges relative to their objectives - Not so for the defenders. With supply and demand unbalanced, the missing critical piece is automation. Not just scripting, but end-to-end automation of entire cycles, informed by the very big data you espouse as being ready to rock in 2016. We have an opportunity, but will we take the chances necessary to capitalize on them, or will the current paralysis of exposing our businesses to risk undermine our own success? Time will tell...
