Key Points
From more zero-day attacks to increased exploitation of AI over the course of 2023, robust vulnerability and attack surface management has never been more important. Andy Hornegold, Intruder's VP of Product, shares his predictions for how the cyber security landscape will continue to change throughout 2024 and what organizations need to do to stay ahead.
1. Time to fix will decrease
Over the last 12 months, we’ve seen an increase in continuous monitoring and a focus on attack surface reduction across all our customers. As a result, the time it takes for our customers to fix critical vulnerabilities dropped from 30 to 17 days.
We expect to see this throughout 2024, as small and medium-sized businesses continue to see, understand and feel the impact of ransomware. Some vendors are shifting focus to SMBs, but at Intruder we’re built from the ground up with ease-of-use in mind, allowing us to offer out-sized gains in those segments for vulnerability scanning and attack surface management.
2. Zero days will keep rising (record number of zero days and CVEs in 2023)
It appears that there's not going to be any shortage of zero days in 2024, with potentially more of them coming out for remote access services. Ransomware operators continue to profit by hitting these services, as we saw with Citrix Bleed and the plethora of Fortigate VPN vulnerabilities in 2023.
Kicking off in 2024 we’ve seen a number of critical vulnerabilities exposed in Ivanti remote access solutions. Based on the abundance of those remote access vulnerabilities, it seems that initial access brokers aren’t going away – they're the ones that stand to turn a quick profit by scanning the internet to find those remote access services, exploiting them, and then selling the access to ransomware gangs.
In 2023, we saw more action from law enforcement in targeting ransomware operators, and early in 2024 we’ve seen a huge international law-enforcement success story with the disruption of Lockbit. It seems unlikely that this will slow down, and with the Lockbit disruption we’re seeing the trend continue.
3. AI will be used for attack, defense and as a target
The biggest buzzword of 2023, AI has taken off in a big way and everybody is trying to find ways to plumb it into their business or processes. This has continued with an increase in competition in the AI space, with Google releasing its newest Gemini LLM.
When it comes to AI being used to facilitate cyber attacks, it's easy to see how it fits into already established techniques used by threat actors. LLMs are statistical models which are good at generating text and extracting information from data which may not have any defined structure, like a huge number of written documents.
Since LLMs handle natural language so easily, they are a good option for automating the creation of emails or text messages and for responding in real time without a person having to be there. So, there's an easy and obvious use case for attackers to facilitate phishing campaigns using AI.
Additionally, on a traditional enterprise network there is a large amount of data which may or may not be useful to an attacker.
For an attacker, crunching through all that data to find something useful can be time consuming; when carrying out red team operations it’s common to use regular expressions to find specific patterns of interest in that large data set.
There’s a use case to reduce dwell time (the length of time an attacker has access to a compromised system or network before they carry out the objective of their compromise – like deploying ransomware) by using LLMs to more efficiently extract useful information.
Ransomware actors will often carry out double-extortion where they encrypt their victim’s systems and then threaten to leak the data that they have exfiltrated from the compromised network.
Going through gigabytes or terabytes of data can take time and effort – but using LLMs, threat actors may be able to assess the value of the data they’ve exfiltrated more effectively, because they can more quickly and comprehensively understand what sensitive data the exfiltrated data set contains.
One way to look at the potential for AI, and LLMs in particular, is that where you once used regular expressions to extract very specific data types, LLMs are a potential alternative that is easier to use and more effective.
While machine learning models have been around for a while, and could have allowed threat actors to categorize data in the past, those models still required training and maintenance. But with the introduction of LLMs trained on eye-wateringly large datasets (like most of the internet), that training burden has largely gone and access has suddenly become a lot easier.
On the defensive side of the fence, there is a big opportunity to help defenders stay ahead of those threat actors. There are already use cases of machine learning being deployed in cyber defense, such as modelling anomalous network traffic or anomalous activities on endpoint devices; something Darktrace and Vectra have been doing for a while.
Greynoise have recently announced that they’re using LLMs to identify network protocols and attacks as part of their honeypot network; a task that was previously a time sink for security analysts, freeing them up to focus on more impactful work.
When looking into security controls validation and vulnerability management, there are use cases for automating the tasks involved in vulnerability detection and remediation. Automating penetration testing has been something that people have strived to achieve for years, with varying levels of success. But AI has started to make fully automated penetration testing more feasible. After being trained on the security resources the internet has to offer, LLMs have started to show that they can follow the decision tree process that penetration testers follow during an engagement.
While the approach may not deliver 100% effectiveness (finding every single vulnerability) it may deliver better results than some penetration testers (like the intern that your provider scheduled on your assessment).
Even if complete automation isn’t delivering the same level of quality as an experienced penetration tester, we expect to see AI enhance a tester’s ability to deliver meaningful results to their customers. That is unlikely to make a dent in the skills shortage in cyber security, but will hopefully alleviate some bottlenecks. I expect we'll start to see more of this automation over 2024, and I have high hopes for the likes of Sec-PaLM from Google and Mandiant.
With an increase in AI usage across every industry, and as it is introduced into more business-critical processes, the likelihood of it being targeted by threat actors increases. We’ve seen the beginning of prompt injection attacks, where an attacker forces an LLM to divulge information that it shouldn’t be divulging, and data tainting attacks, where an attacker corrupts the data on which an LLM is trained. We expect to see these types of attacks continue and expand.
4. Tighter regulations
Compliance and tighter regulations will continue to drive change in 2024. CISA have been pushing hard to make sure the US government is keeping up to date with vulnerabilities and patching.
At the beginning of 2024, we saw CISA issue a directive which required all government agencies to disconnect their Ivanti Connect or Policy Secure solutions:
As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks. (source)
This was a big step for CISA, but one that was generally welcomed by the wider information security industry. Remote access solutions with critical vulnerabilities have been a common thread leading to compromise over 2023. We expect to see more of this type of guidance over 2024, as it has a meaningful impact.
5. Exposure management will gain traction
The trend of moving from vulnerability management to attack surface management will continue into exposure management.
Vulnerability management is the process by which you find, contextualize, prioritize, address and report on weaknesses in your systems which can be exploited by a threat actor.
One of the problems with vulnerability management is that it relies on you knowing what you have exposed to the internet. But as it becomes easier to create new internet-facing systems, the likelihood increases that systems you don’t know about are exposed to the internet. This is where External Attack Surface Management (EASM) helps, by adding asset discovery, contextualization and prioritization to your established vulnerability management processes.
There are additional assets which are more difficult to track: code repositories in GitHub or GitLab, cloud accounts, SaaS applications. Exposure Management aims to bring all of this visibility under a single umbrella.
The idea of exposure management will gain traction in 2024. It’s a cliché now, but many security teams are still striving for that single pane of glass where they can see every problem that they're dealing with – from IP address vulnerability scanning and pen tests, to your GitHub status, SaaS posture, and cloud accounts.
There are a lot of facets to Exposure Management: it’s grown out of vulnerability management, which was already a complex problem, and then out of attack surface management, which expanded the scope of vulnerability management. We expect to see more vendor consolidation under a few key players. Current exposure management solutions are tailored towards larger enterprise customers, and are unattainable for many SMBs.
6. SMBs will continue to be a target
We’re in the middle of a ransomware epidemic, and while extortion attacks remain profitable, they will continue.
LockBit has been one of the most impactful ransomware organizations, and their attacks are relatively indiscriminate. They’ve recently been disrupted by an international law-enforcement operation, which has put a dent in their operations. However, in the past we’ve seen operators from different ransomware gangs be hired into other ransomware gangs/affiliate schemes or set up a new operation.
When this has happened, they’ve taken their previous tactics, techniques and procedures and reused them under that new brand. If we take a look at who LockBit have successfully targeted, we can see the trend.
Close to 65% of their targeting is on small and medium-sized businesses, because big business is spending billions of dollars a year on cybersecurity. Compromising a small organization is still likely to result in a payout, and the security controls in place are less robust: a small business is unlikely to be running a 24/7 SOC because it’s cost prohibitive, and many small organizations are more concerned about keeping their business alive at a time when global uncertainty and systemic risk are heightened than about the potential risk of ransomware when they might not make payroll next quarter.
Since there are fewer security controls to contend with in smaller organizations, after LockBit and other threat actors have successfully compromised those organizations they can use any connections (technical or otherwise) to pivot into larger organizations. Ensuring that SMBs have the tooling and services available to mitigate the majority of their risk, at a price point and level of complexity that they can handle, is going to become increasingly important.
So where can you start?
Getting the right tools in place, that are easy enough for you to use, and help you with attack surface discovery, vulnerability validation and exposure reduction will be critical in 2024. Intruder makes it easy to keep track of your attack surface by monitoring for network changes and synchronizing with your cloud accounts. Find vulnerabilities in your infrastructure, web apps, and APIs and stay ahead of emerging threats with Intruder's proactive threat protection.
Mastering cloud defense has never been more important given all the expected trends for 2024. Join us in our upcoming webinar for insights into protecting dynamic environments. Andy will be covering the top mistakes that unnecessarily expose cloud environments, common methods for asset discovery used by attackers and tips to protect your attack surface. Register here.