The Decade Cyber Went Mainstream
Yes, technically, decades begin in years that end in one, but it’s easier to say the 2010s than the 2011s. Prior to 2010, cybersecurity was an insular domain. No one really cared, until something they were using didn’t work. Devices blew up due to malware or adware, and users got annoyed when a machine disappeared to get reloaded by IT, but after the event was over, concern faded. As we entered the 2010s, most corporations acted the same way, but by 2018 and 2019, cybersecurity experts and security and risk pros became a fixture in boardrooms and newsrooms. The battle over “cyber” raged, and the resistance lost, so that’s what it’s called throughout . . . consider this our surrender as we accept defeat with grace. Let’s look at the last 10 years of notable security trends and events.
Phrase Of The Decade: “We Take Your Privacy And Security Seriously”
Everyone’s heard or read this phrase, right before a company starts explaining how something happened that violates that privacy and security. And most security and risk pros recognize that the sentence above is missing a key word: “now” — “we take privacy and security seriously now.” This phrase became so prevalent that Forrester analysts created a new metric for it: “Mean Time Before CEO Apologizes (MTBCA).”
Excuse Of The Decade: “Sophisticated Attackers Bypassed Security Controls . . . Etc.”
After the dust settled, what we almost always discovered is that the attackers weren’t that sophisticated. Or if they were, they didn’t have to flex too many mental muscles to get inside the environment. The combination of low-hanging fruit and living off the land provided all that attackers needed to breach the company.
Merger And Acquisition Bust Of The Decade: Intel And McAfee
The announcement of Intel and McAfee would kick-start a decade-long trend of M&A activity and capital flooding into the cybersecurity market. Much of the activity was positive, but this one certainly wasn’t:
- McAfee failed to innovate during its seven years under Intel. This one happened a long time ago — or at least it seems that way, but it didn’t: This was announced midway through 2010. Prior to writing this down, I would have told you that this happened last decade, but nope. It kicked off our 10-year period, and what a signal it was. Intel envisioned using McAfee to embed security into hardware to create a unique competitive advantage that standalone hardware and security vendors could never match. Unfortunately, this vision never came to fruition, and Intel eventually had to spin off McAfee. Forrester called this one with our blog, stating “Horseless Carriage Vendor Buys Buggy-Whips,” and we were proven right seven years later.
- Honorable mentions: FireEye and Mandiant
Watershed Moments: The Kill Chain And APT1 Report
Outside of all the breaches, no other moment defined most of the decade for cybersecurity more than the APT1 report, released by Mandiant in 2013.
- This turned cybersecurity into a spy novel and changed industry marketing. For security and risk pros, this report summarized what most of us knew: that China was stealing intellectual property from firms in the US at a rapid rate. But for outsiders, it carried them on a journey made personal, with nation states engaged in cyberconflict with personalities. Until the end of the decade, company after company would use threat intel reports as content marketing to generate leads and demonstrate their bona fides.
- The Lockheed Martin Kill Chain made cybersecurity more accessible. Every industry plays it loose with jargon, and ours is no different. This research created a taxonomy that others could use to explain what happened, why it happened, how it was classified, and, importantly, what could be done in the future about the stages of an attack. It didn’t solve the communication gap between technical and nontechnical audiences, but it did solve the communication gap within cybersecurity when it came to framing attacks.
“Best” (Or Worst) Malware
There’s no shortage of choices, but these two really stood out as examples of what defined the decade in terms of attack tools:
- Stuxnet had everything: sophistication, geopolitics, and industrial control systems. Stuxnet had books, about it, a documentary, and a General in the United States Army was disciplined for disclosing that Stuxnet was in fact a US initiative codenamed Olympic Games. Delivering Stuxnet required combinations of technical capability, HUMINT, and provided necessary time for diplomatic channels to resolve issues.
- WannaCry and NotPetya won the title as champions of ransomware. The latter part of the decade should be known for ransomware, as it crippled telecoms, logistics, utilities, municipalities, and more. Perhaps no other malware brought the attention to cybersecurity that these two did, especially from non-cybersecurity practitioners. Despite the destruction caused, they also helped illustrate the importance of cybersecurity to the overall connected enterprise.
- Honorable mentions: PoisonIvy, Magecart, Anthem, Community Health Systems, and every banking trojan
Most Important Breaches
Mentioning every major or mega breach is impossible, and these can’t be called “best.” With that in mind, let’s take a look at the breaches that caused major changes to occur during the decade:
- Target became marketing fodder for every vendor using FUD to sell. The consequences of the Target breach were certainly wide-ranging, but the thing that haunted all parties within the industry the most is that it became a default in every vendor marketing deck: Somewhere between slides 3 and 7, you were guaranteed to hear about Target.
- OPM devastated the intelligence capabilities of the United States. On March 20, 2014, the Office of Personnel Management in the United States learned that hackers had exfiltrated data from sensitive Standard Form 86 copies used in background checks for security clearances.
- Sony Pictures brought together Seth Rogen, Aaron Sorkin, and North Korea. While the initial attention from this attack focused on North Korea’s cybersecurity retaliation for “The Interview,” what came after was chilling for Sony Pictures, as emails to, from, and about various celebrities were scattered on websites across the internet. This led to charged debates about intellectual property ownership and who can profit from exfiltrated data. We learned that celebrity writers and showrunners sometimes write scripts to pay for private school tuition and that Sony Pictures considered using attorneys to force stars to appear in what eventually became a failed reboot of a beloved film franchise.
- Honorable mentions: RSA, Equifax, Yahoo, Marriott, and SWIFT
Most Damaging Vulnerabilities
Before we go into each of these vulnerabilities, we do have to cover a category spawned by them, which is “Trend We Hated Of The Decade”: Every Vulnerability Gets A Logo And Website. No write-up needed, as it’s self-explanatory, but from 2010–2019, we had one vulnerability that rattled the infrastructure of the internet and another that would lead to an explosion in ransomware:
- Heartbleed was an issue in OpenSSL . . . and OpenSSL was — and is. There’s a few famous CVEs out there, but not many know off the top of their heads what CVE-2014-0160 is. But when you say Heartbleed, they know immediately. It exceeds MS08-067 in fame, and rightfully so. This bug hit everything: websites, appliances (including security gear), applications . . . everything. And what could it enable attackers to get? Everything: Private keys, usernames, passwords, emails, data . . . everything encrypted by affected versions of OpenSSL could be compromised. If you wanted to find a bug that could disrupt almost everything in technology, this was the one.
- EternalBlue confirms that the NSA is really good at developing exploits. And it also proved that cyberweapons are really dangerous when they fall into the wrong hands, as EternalBlue continues to plague firms despite patches being widely available since 2017. WannaCry, NotPetya, and Bad Rabbit have also used EternalBlue for initial compromise or for lateral movement by exploiting a flaw in Microsoft’s SMB Protocol.
- Honorable mentions: Meltdown and Spectre and VPN appliance vulnerabilities
It’s not easy to get excited about frameworks, but security and risk pros desperately needed some commonality to help shape programs and provide a target for security programs. NIST and MITRE stepped up to provide exactly that:
- NIST Cybersecurity Framework has become the language of security programs. Unveiled in February of 2014, NIST CSF debuted to much fanfare — deservedly so — as a comprehensive framework that ensconced the concepts of identify, protect, detect, respond, and recover into our shared lexicon. In our recent research, “How To Talk To Your Board About Cybersecurity,” we found that NIST CSF has become the board-level language to use when discussing your cybersecurity program, spreading via network effect. Many board members sit on more than one board, and after hearing about NIST CSF from one CISO, they began to ask others about it, as well, leading to its prominent place in discussions about cyberprograms.
- MITRE ATT&CK has become the language of threat for cybersecurity. ATT&CK is now an accepted industry wide standard that per the ATT&CK website: “ATT&CK is a knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle.” What the Kill Chain did for the phases of attack, ATT&CK has done for behavior and actions of attackers at a deeper level. Given the massive amounts of funding that end users and investors have poured into companies focused on detection, ATT&CK developed a way to understand how vendor security tools performed across its various classification categories. My colleague Josh Zelonis has since expanded on this with his “The Forrester MITRE ATT&CK Evaluation Guide” and made the code of his evaluation available on GitHub to help enterprises create a detection plan that aligns with their cybersecurity program.
Let’s Keep Our Upward Trajectory
The decade had some highlights — and plenty of lowlights. But for security and risk pros that started their careers prior to 2010, things did change for the better with more executive buy-in, an increased awareness of the importance of cybersecurity, and a focus on the societal implications of technology. Security, risk, and privacy challenges won’t go away, but we’ve learned plenty of lessons from a decade of setbacks and attained the credibility in how we handled them to contribute meaningfully moving forward. It took some suffering and despair to get there, but most worthwhile things do.