Experts warn that zero-day flaws will be exploited at mass scale, while the adoption of AI technology will lead to a rise in advanced social engineering attacks.
The cybersecurity landscape is always in a state of flux, but certain developments in 2023 shook up the sector.
Constant tech developments led to new threats, with the rise of AI technology creating new ways to defend and attack security systems. A report at the end of 2023 suggest most Irish businesses faced a cyberattack during the year, highlighting the dangers.
Meanwhile, cyberattacks continue to target larger businesses and critical infrastructure, with examples such as the disruption to most of Iran’s petrol stations showing just how damaging and widespread a successful attack can be.
As we move into the unknown of 2024, various cybersecurity experts have shared their predictions for how cybersecurity will evolve this year.
Zero-day flaws will be exploited at scale
With everyday devices getting constant updates, it seems inevitable that vulnerabilities manage to slip through the net and go undiscovered – until either security researchers or attackers manage to find it.
But as cyberattackers and ransomware groups improve their capabilities, Raj Samani – SVP chief scientist at cybersecurity platform Rapid7 – believes zero-day flaws will be exploited more frequently. Samani claims Rapid7 has observed ransomware groups exploiting more zero-day vulnerabilities and that this will be conducted “at scale”.
“This trend is seeing criminal groups that to date have not demonstrated any real capable skills in gaining access to previously unidentified vulnerabilities, exploit them and gain a foothold into victim networks,” Samani said. “This demonstrates that potentially something is afoot in the ransomware ecosystem.
“For organisations, the message is simple: get your vulnerability management and patching procedures in place and do it now.”
The impact of zero-day flaws can be significant, as one of these vulnerabilities on iPhones was used to install Pegasus spyware in recent years. Recent reports suggest other forms of spyware have exploited zero-day vulnerabilities in iPhones.
Cloud will be a battleground
As more companies adopt cloud technology, they also open the door to new avenues of attack. Samani said the cloud will continue to be a cybersecurity “battleground” and raised concerns that commercial cloud service providers (CSPs) will be targeted.
“That’s because cybercriminals are no longer relying on known command-and-control servers,” Samani said. “Instead, they’re turning to commercial CSPs for cover to host malicious content. It’s a clever trend, and it comes back to the game of hide-and-seek, with attackers exploiting the cloud’s anonymity and legitimacy, and blending their activities with legitimate services.
“Combatting this threat requires more innovative solutions, such as those leveraging AI and advanced automation techniques – as well as heightened vigilance – in the cloud.”
AI could cause new risks
Last year, experts predicted that 2023 would see both attackers and defenders utilise AI technology for the purposes of cyberattacks and cybersecurity – a prediction that was proven correct in many cases.
Sabeen Malik, VP of global government affairs and public policy at Rapid7, predicts that more advanced AI and automation techniques promise a way to deal with the growth in cyberattacks, but said it’s important to “not get ahead of ourselves”.
“The inevitable rush to market for some solutions means that some AI capabilities will miss the mark,” Malik said. “Therefore, organisations that adopt AI solutions must ensure that they truly improve cyber resilience without presenting new cyber risks.”
Malik predicted a growth in AI being used to create deepfakes – AI-generated images and videos – and for identity management. Mike Britton, CISO with email security provider Abnormal Security, noted that generative AI is a “double-edged sword” as it can help criminals launch attacks. Britton also raised concerns about deepfake technology.
“The rise of deepfake technology will further complicate social engineering attacks as well,” Britton said. “Today, deepfakes are possible but are not yet a common attack tactic. However, we are right around the corner from seeing them become more widely used by bad actors looking to trick their victims into sharing money or sensitive information.”
A rise in phishing attacks
Deepfakes being used for malicious purposes is one example of how cyberattacks are predicted to evolve. Concerns are being raised about other types of cyberattacks surging in 2024.
Ani Chaudhuri, the co-founder and CEO of data security company Dasera, predicts that phishing attacks will rise this year to exploit human vulnerabilities.
“The sophistication of these attacks is anticipated to rise, exploiting a range of industries and technologies,” Chaudhuri said.
Chad Loeven, business development president at cybersecurity company Opswat, said AI products like ChatGPT can get “overblown”, but that they will make it easier and faster to create “credible fake identities and plausible phishing sites”.
“For instance, I’m fairly certain that some questionable LinkedIn invites I receive are from AI-generated profiles,” Loeven said. “AI will also have the potential to break captcha and voice recognition.”
Ariel Parnes, the COO and co-founder of cloud cybersecurity company Mitiga, predicts software-as-a-service (SaaS) breaches will take “centre stage” this year, due to businesses being increasingly reliant on SaaS applications.
“The rapid adoption of numerous SaaS apps, sometimes with no visibility or control by the organisation, has created blind spots in many environments,” Parnes said. “The lack of visibility and control, coupled with the access these apps have to sensitive data, makes them attractive targets for cyber adversaries.
“Organisations will need to address these risks urgently, as SaaS applications are fast becoming the Achilles heel in cybersecurity.”
CISOs in the spotlight
When former Uber chief security officer Joe Sullivan faced charges for his alleged attempt to cover up a 2016 data breach, it raises concerns to various CSOs and CISOs of the risks they could face on the cybersecurity frontlines.
Mike Walters, the president and co-founder of patch management platform Action1, believes the spotlight on CISOs will “intensify” this year as they navigate the “delicate balance between technical expertise and business acumen”.
Walters believes this will be primarily driven by supply chain attacks, which emphasise “the critical need for effective communication between CISOs and executive boards”.
“CISOs are now in a pivotal position to advocate for enhanced cybersecurity measures and garner support for crucial initiatives across all organisational tiers,” Walters said.
To protect themselves from the fallout of breaches, Nicole Sundin, CPO of cybersecurity company Axio, said CISOs will need to have a “system of record”.
“It’s no secret that the SEC [Securities and Exchange Commission] is now holding CISOs accountable for the risks organisations take on,” Sundin said. “With CISOs being elevated to the boardroom to discuss these risks, they will need a system of record to protect themselves and demonstrate duty of care.
“Currently, CISOs have these conversations, make difficult choices and act as they see necessary – but these may or may not be documented. By having a source of truth or a system of record, CISOs can better protect themselves, otherwise we will continue to see high-profile incidents where a CISO who doesn’t have this in place takes the fall.”
Cyberattacks will be recognised as a true risk
There is evidence that – despite the clear risks – some organisations fail to have proper cybersecurity strategies in place.
Axio senior cybersecurity adviser Richard Caralli believes 2024 will be the year when business leaders “finally understand that cybersecurity truly is a risk management challenge – full stop”.
“Increasingly, society has evolved into one where automation and technology rule the day,” Caralli said. “In this digital society, IT and cybersecurity risk management must be elevated to the same level as market risk, compliance risk, operational risk and so on.
“At its core, cybersecurity is a risk management consideration that must underpin risk management decisions and investments for organisations in every industry.”
Malik of Rapid7 believes that various factors will force businesses to spend more time determining their risk profile. These factors include the growing number of regulatory disclosures for cybersecurity risk management practices and, the emergence of generative AI as a potent tool for cyberattacks, more ransomware attacks and “the lack of common lexicon around cyber risk”.
“This means that more leaders will be deciding between whether to deal with compliance risk mitigation and/or creating agile cyber risk management strategies,” Malik said.
“The leaders that understand this moment as a rallying call to uplevel the conversation about systemic risks will set their business up for success by not getting sidetracked by playing compliance whack-a-mole, but by investing in a strategic vision for dealing with cyber business risks.”
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.