Goodbye 2023, Hello 2024! It’s time for your annual checkup.


TL;DR

  • 2024 Predictions
    • Targeted attacks against AI companies, emerging AI technology, and abuse of LLMs for data disclosure
    • Advancements in coding capabilities (specifically with AI) to make it quicker and harder to detect adversary malware
    • Ramp up in information warfare, deception, and cyber-related activities around politics
    • Increase in the number of attacks in the software supply chain due to multiple proven successful hacks in 2023

Targeted attacks against AI companies, emerging AI technology, and abuse of LLMs for data disclosure

I would not be surprised if 2024 presents us with a large data disclosure/breach of an AI company. As we continue to make advancements in AI, we will see targeted attacks. 

In 2023, organizations from many industries dove into AI, trying to move as fast as possible and cash in on its novelty and efficiency. But cybersecurity isn’t always viewed as an enabler for that level of quickness, with innovators sometimes forgoing the common, simple security protocols in a race to be first to market. Unfortunately, OpenAI has been known to disclose confidential/sensitive information from other organizations when prompted. We saw this in at least one case where Microsoft AI Researchers exposed 38TB of data, including keys, passwords and internal messages. Though the disclosures were largely benign in 2023, criminals are likely at the ready to exploit them maliciously in 2024.

An interesting project to democratize GPT and LLMs is the GPT4ALL project. Some companies are using this locally originating chatbot to digest amounts of internal sensitive information to derive answers based on company- and security-specific use cases. These types of democratization efforts could be huge targets for adversaries, as they are seen as having valuable information that isn’t governed under normal security controls.

Attackers are already seeding custom-built large language models (LLMs) with content specifically tailored for cybercrime to increase their success rates. However, AI companies store massive amounts of data, and many organizations are starting to hoard data now to feed into a future quantum computing type of model, as described best by this article. It’s reasonable to expect an increase in breaches against encrypted data that is stored until it can be cracked later.

You should not create an entire defensive strategy around AI generated attacks. Organizations just need to double down on the fundamental cyber protections. You can be secure in an emerging field and still be a market leader. Think about security early and often, and try to build a culture of security-by-design.

Advancements in coding capabilities (specifically with AI) to make it quicker and harder to detect adversary malware

More AI. It has made coding exponentially easier for the good guys and bad guys alike. When criminals have an easy button, they are more brazen in their attacks, harnessing the power of stealth to penetrate organizations. But their TTPs are the same once they’re in a box. They still have to get credentials, escalate their attacks, and gain access to sensitive parts of the company.

So, while we can predict advancements on the initial access point, what happens after that is still very much traditional ‘live off the land’ type of post exploitation activity. If you’ve adopted an assumed breach mentality in your organization, then you’ve already protected against the activities that will happen once an adversary lands in the box. You shouldn’t think “What if they develop a fully undetectable piece of malware?” You should be expecting it.

Cyberattacks will likely focus on election infrastructures to manipulate election activities, control news outlets, and/or conduct other warfare operations.

There will be some form of cyber-related activities around politics, regardless of your party. The US is in an election year. In addition to the AI concerns outlined above, AI-derived cyber tactics can be further utilized during times of global interest to increase success rates of common cyber attacks such as phishing. AI models created by malicious attackers and seeded with social data, similar to Cambridge Analytica, can be used to create convincing political emails that can further extort companies in traditional Business Email Compromise (BEC), or run-of-the-mill fraud against consumers. With the availability of those models to create deepfakes, fake campaign donation attacks utilizing traditional telephone and cell phone infrastructure are also highly likely.

2024 is also an Olympic year. When you combine this with the world conflicts at large, the election year, and the larger socio-economic conditions, there are lots of situational opportunities for hackers to exploit users this year.

Attackers continue to target the humans in an organization to perpetuate their attacks, whether that is through phishing or, as indicated by this Fortinet blog, recruiting from within target organizations for initial access. Integrate security early and often, build security-by-design, and don’t ignore the human element of your cyber defense strategy.

Increase in the number of attacks in the software supply chain due to multiple proven successful hacks in 2023

We have already seen successful compromises of companies due to failed due diligence of the software supply chain. My edge case prediction is that of a breach or attack that leverages a software supply chain issue.

SolarWinds has experienced profound supply chain attacks over the last five years. NIST has started to develop software bill of materials standards. We have seen certain compliance frameworks start to encourage software bill of materials.

And as a result, I believe one of two things could happen: either we’re ahead of the curve (which would be nice for once in cybersecurity), or we see an explosion of massive supply chain attacks as a result of failing to implement good software bill of materials design principles. I think this one is 50-50 and could go either way this year.

Recommendations

We need to continue to reinforce the importance of the basics of cybersecurity. Integrate security early and often. Make your organization secure-by-design, not an afterthought. Be open and honest with your stakeholders. We should all know by now that it is not a matter of if we get hacked but when (cliche I know, but just as true today as it was yesterday). Emerging adversary tactics and technology can be scary. Be as prepared as possible and don’t try to hide it. The truth will set you free! 

Conclusion

Sometimes we forget that we are all vulnerable, no matter how well-armed. Just like no one is immune to getting sick. Immunotherapy helps stop a tumor from growing, but it’s only administered after you’ve been diagnosed with cancer. Cybersecurity is more advanced and accessible than ever before, and we have brilliant minds working to defend companies daily – just like our immune system. We’ve got the immunotherapy of our age to stop some of the cancer that is cyber crime, but we’ve neglected our basic fundamental cybersecurity health. Technologies like EPP, email security,  and DLP are the vaccines of cybersecurity that empower our immune system (security teams) to fight against threats daily.  But we can’t wait until we get breached to start taking security seriously – it might just be too late.  

And now it is time to collectively take a step back, re-center, and reinforce our basic cybersecurity hygiene. I’m immensely grateful for the tools and opportunities in cybersecurity. There will always be bad guys, but we are catching up.


Upcoming Webinar


So, what did we learn in 2023? Join Query CEO Matt Eberhart and guest CISO Neal Bridges in this upcoming webinar as they discuss the cyber security trends from 2023 and predictions for 2024. Register for our upcoming webinar here.