Analysts like to look behind them to assess what is ahead. As CISOs and CSOs usher out 2023, most organizations continue to face an ever-evolving cyber threat landscape that keeps growing as more cloud applications are added, Generative AI and machine learning advance, the IoT universe expands with myriad more devices, and data stockpiles explode. Organizations and their security staff find that managing this increased risk often depends on their tactical approach and a proactive plan of attack.
Varun Badhwar, the CEO and co-founder of Endor Labs, contends that as most organizations stand at the intersection of AI and enterprise control, malicious actors will continue to explore using AI and associated tools to accelerate exploitation and intrusions. They will also look to target the large GenAI platform providers and widely used AI OSS projects/components as part of broader software supply chain attacks.
“In a rapidly evolving technological landscape, the parallels between the adoption of cloud services and the current surge in artificial intelligence (AI) implementation are both striking and cautionary. Just as organizations eagerly embraced cloud solutions for their transformative potential in innovation, the haste of adoption outpaced the development of robust security controls and compliance tools. Consequently, this created vulnerabilities that malicious actors were quick to exploit, leaving enterprises grappling with unforeseen challenges,” warns Badhwar. “As we witness a similar trajectory in the adoption of AI technologies, it becomes imperative to draw lessons from the past and proactively address the looming concerns. The rapid integration of AI into various facets of business operations is undeniably transformative, but the lack of comprehensive visibility and enterprise control raises red flags.”
Badhwar adds: “In an era where data is a prized asset and AI is a powerful catalyst for business growth, the responsibility lies with industry leaders, policymakers, and technology providers to collaboratively build a foundation for responsible AI adoption. By establishing comprehensive controls and fostering transparency, we can unlock the full potential of AI while safeguarding the interests of organizations and their stakeholders.”
There will be an increase in new founders using AI to solve society’s challenges, predicts Kaarel Kotkas, the CEO and founder of Veriff, saying the responsibility for AI’s positive influence on society resides with security leaders.
“New founders are in a prime position to solve complex problems and societal issues with AI solutions. As digital natives, this generation of entrepreneurs has the innate ability to understand AI, its applications, and how it can influence the digital age - for better or worse,” says Kotkas. “For example, in 2023, fake identities and deepfakes became a significant challenge to identity verification - 85% of all fraud in 2023 was impersonation fraud. But, despite the threats it can pose, AI is also applied to provide fast and accurate verification and authentication of real users. While the AI threat landscape constantly evolves, we should look to these new leaders to ensure their companies are equipped to easily implement new techniques to solve major challenges ranging from security to predictive analytics to user authentication.”
The topic on everyone’s mind this year was generative AI, and in particular the potential security threats and risks arising from its existence and usage. The discussions will only intensify, according to Kev Breen, the Director of Cyber Threat Research at Immersive Labs, where he researches new and emerging cyber threats.
“Fear-mongering headlines flashed AI's security risks instead of providing tactful ways to incorporate the technology into their organizations. Security leaders and practitioners alike always strive to anticipate the next big technology or threat to ensure they are prepared to handle whatever may come their way,” chides Breen.
Breen argues that GenAI hit the technology scene this past year with a bang and is already being heavily embraced — or companies are racing to get involved so they don’t fall behind. But amid all its popularity, early adopters are simultaneously seeing a significant amount of FUD - fear, uncertainty, and doubt - and misunderstanding.
“People still don’t fully understand the risks and vision of AI, which lends itself to paranoia or unfounded fears of massive AI security risks. In the year ahead we’ll hopefully see the hype around AI die down and become more of the norm so that we can focus on the many benefits of using these tools to do work more efficiently and effectively. A handful of organizations are dedicating ample time and resources to the actual use cases of this technology, and we can expect more businesses to follow suit,” Breen continues.
“We already began to see this towards the end of 2023, but in 2024, we can expect governments and AI service providers to continue to implement policies regulating the development of AI. The key differentiator will be if these entities have moved beyond the shock and awe of AI to focus on the benefits. Risk assessment will continue to be a part of the equation as it should with any advancement in technology, but prioritizing innovation in these policies rather than fear will set countries apart. In 2023, we focused on the potential risks of AI. In 2024, it will be essential to focus on the potential opportunities,” concludes Breen.
Ransomware Remains in the Headlines
According to Daniel Howley, the technology editor at Yahoo Finance, after a slight downturn in 2022, cyber-attacks became more frequent last year. A new report by MIT professor Stuart Madnick says there were more ransomware attacks reported in the first nine months of 2023 than in all of 2022. The report, funded by Apple but written independently by Madnick, highlights an alarming increase in cyberattacks that impacted as many as 360 million people through August. Madnick claims that ransomware groups are becoming more organized, operating as gangs, and targeting organizations with critical user data such as government and healthcare facilities.
These findings are no surprise to Dr. Darren Williams, the CEO and Founder at BlackFog, who says that after a record-breaking 2023, ransomware will not ease anytime soon and that ransomware is becoming the main threat to all organizations, and insurance is no longer a viable option. He warns that action needs to be taken now and predicts several new trends to take hold.
- Ransomware gangs will look for new ways to force victims into paying. We have already seen gangs contact the SEC directly, reporting victims immediately to inflict maximum damage, forcing regulatory, reputational and class action liabilities. We expect this is just the beginning of several new tactics to maximize payouts.
- Organizations will realize that their existing security is not making any impact on the new threat vectors and will finally start to focus on the core problem, “data security” and “data exfiltration.”
- More than 40% of existing data exfiltration goes to China and Russia. We predict other countries such as North Korea to play larger roles in 2024.
- Expect to see major infrastructure applications become threat vectors for cyber gangs, like the way the MOVEit exploit was developed. Hiding in plain sight is going to be the new mantra for cyber gangs as they continue to avoid detection.
- Ransomware will disrupt major infrastructure through IoT devices and non-traditional platforms. These diverse systems often have limited security designs and have significant exposure for organizations, particularly in the manufacturing industry.
Kev Breen adds that while some organizations are spending too much time fretting about AI risks, they may be taking their eyes off of ones that pose a more clear and present danger – like ransomware.
“One can hope that organizations have learned from the major data breaches we’ve seen over the last year, but we unfortunately continue to see a lot of organizations who are simply not ready to handle the impact of a ransomware attack. Organizations still fall victim to the tried-and-true tactics that cybercriminals use to gain access to their most sensitive information and despite government advisories saying otherwise, they continue to pay the ransom — which is why this attack style is still popular,” he says, adding that organizations should expect to see ransomware groups leveraging new techniques in Endpoint Detection & Response (EDR) evasion and quickly weaponizing zero days as well as newly patched vulnerabilities, making it easy for them to bypass common defense strategies. “As a result, security teams can't rely on an old security playbook. Companies should not worry about how they can detect everything, and instead just assume at some point it will go badly so you should have plans in place to best respond.”
The State of SaaS Vulnerabilities
The Cloud Security Alliance recently released a study where it reports that SaaS has emerged as a vital lifeline for operations in organizations big and small. As businesses entrust the cloud with their invaluable data, the security of these applications and the information they harbor takes center stage. While SaaS applications are secure by design, the way they are configured and governed is what poses a risk. Without robust security measures, these organizations expose themselves to potential data breaches, cyber-attacks, and other security incidents, potentially wreaking financial and reputational havoc.
“SaaS apps will increasingly be targeted in cyber-attacks – they have already become a major part of the enterprise attack surface. For example, we saw major misconfigurations at Salesforce and ServiceNow this year that impacted a large number of organizations. Enterprises are already ramping up monitoring SaaS activity logs for signs of attackers and active exploitation, but this will need to increase dramatically in 2024,” advises Tim Bach, SVP of Security Engineering at AppOmni.
“AppOmni’s research team noted marked upticks in attack activity following information about these widely publicized SaaS-related attacks and misconfigurations – SaaS apps are on attackers’ minds. IT leaders need to direct their threat hunters to be vigilant when looking at SaaS activity so incidents can be detected and mitigated swiftly. This threat hunting is only possible when, and should be conducted in addition to, deploying a comprehensive SaaS security management solution. This will help security teams proactively understand and monitor the security posture of their SaaS applications. In this manner, IT and security leaders can put in place a comprehensive program which continuously monitors their most sensitive applications and data in both a proactive and reactive nature,” Bach concludes.
Mike Wilson, the founder and CTO of Ensonic, adds that cybercriminals are increasingly turning to subscription models to access a range of tools and tactics.
“Various malware, including ransomware and infostealers, will now only be available via a “Malware as a Service (MaaS)” subscription, making it easy for a bad actor with limited experience to launch sophisticated, targeted attacks at scale. By 2030, the vast majority of software-based cyber threats will be readily available via a subscription,” he says.
It's the Supply Chain, Stupid
SupplyChainBrain, a digital platform dedicated to supply chain issues, recently posted that as “a result of a supply chain attack, cyber-criminals exploit vulnerabilities in an organization's supply chain, including third-party software, hardware, and services. Even if an organization has robust cyber-security measures, insecure suppliers or third-party providers can be a gateway for hackers to bypass the security system. These attacks can cause catastrophic damage, with Verizon coining the term "supply chainpocalypse" in its 2022 Data Breach Investigations Report.”
Chris Hughes, chief security advisor at Endor Labs and Cyber Innovation Fellow at CISA, shares that malicious actors will continue to target the software supply chain, realizing the ROI of compromising a single key target that has many downstream consumers.
“Attackers continue to realize it is far more effective to attack a single software supplier on the proprietary front or widely used open-source software (OSS) library than targeting individual organizations. In 2024, we will continue to see an uptick of software supply chain attacks as malicious actors look to capitalize on the complex and overlooked software supply chain attack surface that most large enterprise environments have,” Hughes predicts.
Chuck Randolph, the CSO of Ontic, insists manufacturing will be in the spotlight in 2024, whether it’s changes in global supply chains or a domestic resurgence.
“From a security perspective, manufacturing leaders operate in one of the most complex security environments of any sector. They face risks in the supply chain, cyber, insider threats, workplace violence and weather. Leaders in this space will need to continue to utilize innovative ways to stay on top of threats,” he adds.
Finally, Henrik Plate, CISSP and security researcher at Endor Labs, says the market for supply chain security solutions will continue to grow. This trend is partly due to the regulatory efforts of U.S. government organizations and other, non-U.S. authorities.
“However, the growing solution space makes it increasingly difficult to distinguish, evaluate and compare the capabilities of all those solutions. Organizations will increasingly demand that solutions become interoperable and comparable,” says Plate. “This can be achieved by further standardizing tool outputs (e.g., SBOM and VEX documents), or developing benchmark applications, among other means. I expect (better: hope) that open-source foundations like OpenSSF or OWASP step forward to create such benchmark projects for a set of core programming languages and build technologies. Ideally, such benchmarks will be created dynamically.”
Fraud is a Fast-Emerging Threat
According to Cybersecurity Ventures, a top infosec research firm, cybercrime was forecasted to cost the world $8 trillion in 2023, and if it were measured as a country, then cybercrime would be the world’s third-largest economy after the U.S. and China.
Cybersecurity Ventures predicted that global cybercrime damage costs would grow by 15% per year over the next three years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015. Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
David Divitt, a Senior Director of Fraud Prevention and Experience at Veriff, warns that access to advanced technologies by bad actors will only increase cyber fraud throughout myriad business sectors.
“There has been a 20% rise in overall fraud in the past year and it will continue into 2024. We will see the number of account takeovers using deepfakes with liveness rise as the use of biometrics for authentication purposes increases. As tools like AI become increasingly easier and cheaper to access and facilitate, we will see more impersonation and identity fraud-type attacks,” laments Divitt. “We’ll see more counterfeit attacks pushed on and at the masses as well as at-scale mass attacks that use deepfake libraries and acquired identities. The trifecta of counterfeit templated docs, deepfake biometrics, and mass stolen credentials will continue to be a looming threat.”
Kevin Vreeland, the North American General Manager for Veridas, concedes that benefits fraud has been an ongoing conversation since long before COVID-19, but the effects of it became exemplified following the widespread need for benefits throughout COVID-19. But he sees light at the end of the tunnel -- maybe.
“As we are a few years out from the pandemic and benefits use has returned to normal, we can start to dissect the avenues criminals would go down to defraud the benefits providers. One tactic we saw increasing this past year was junior-senior fraud, a tactic that happens too often to those whose loved ones are caring for them. Due to the nature of the relationship, whether a family member or a loved one, those who take on the role of caretakers often have easy access to the devices which the benefits provider is familiar with,” Vreeland adds. “With today’s security standards, that can be all that is needed to log into someone's benefits account and take control as the assumed proper recipient. From there, criminals can manipulate where funds are going and how long they are received for.”
Vreeland predicts that a seismic change will be necessary to prevent these schemes from continuing.
“As far as what that change will look like and how successful it could be, we predict, and we know, that the only way to move forward is by focusing instead on the individual rather than the device. This can only be done by requiring verification of the individual, targeting features that are truly unique to everyone, whether it be their facial features, voice, or a combination of the two,” he says.
The Bottom Line
So, what does the bottom line look like for 2024? Most cybersecurity experts figure it is a mixed bag. Attacks will be more targeted and the role of the CISO will become even more difficult. However, according to Patrick Arvidson, Chief Strategist/Evangelist at Interpres Security, it boils down to the same challenges, simply a different year.
“Unfortunately, I think a lot of the challenges that we faced in the cybersecurity industry will persist in 2024. Cyber communities continue to operate under the idea that risk is independent of threat, and it will take time to move past that belief. We continually try to boil the ocean when dealing with issues. The creation of the risk formula in the 80s did not have true threat data. Today, we have threat data, but we are using completely outdated methods,” Arvidson points out.
“For our challenges to dissipate, there needs to be a fundamental paradigm shift in cybersecurity. Gone are the days when we needed to seal anything and everything against all risk. There is always going to be risk. We must prioritize our defenses against the threats that are targeting us, raising the efficiency of our cyber defense program.”
For Scott Roberts, the Head of Threat Research at Interpres Security, the endgame can be summed up by how the shifting role of the CISO is now redefining what cybersecurity is.
“With the sentencing of Uber’s CISO and the charges against SolarWinds’ CISO in 2023, the CISO job description is looking to get a bit more complicated. Part of a CISO’s job, love it or hate it, is to take the hit for the board when they get hacked, lose their job, take a nice payout, and take another CISO job six months down the road. If that hit now potentially includes legal trouble and even jail time, it is going to change the role’s entire dynamic in some good ways, but also some unforeseen bad ways,” says Roberts.
Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes magazines Security Technology Executive, Security Business and Locksmith Ledger International and top-rated webportal SecurityInfoWatch.com.