What are the main cybersecurity trends of 2024?

Piers Wilson, Head of Product Management at Huntsman Security: There are a few that are notable, one is AI. This seems to have three dimensions as far as cyber security goes. One (and this is far from new, more like a decade in the brewing) is using AI to detect changes and activity in networks and systems to detect attack. We’ve been doing this for a while, and it’s fairly mature, but obviously has a slightly newer level of attention. The second is using AI to aid the security operators in understanding or dealing with incidents. It's not quite a paperclip, “It looks like you are trying to diagnose a security incident, would you like some help?”, but more like enabling easier search and access to knowledgebases, other experts and sources to help diagnose a threat using AI. 

Lastly, and this is one of the most worrying, is its use to craft better and more convincing phishing emails, possibly even tailoring them for specific companies or people. Like asking chatGPT to write an email that would be most likely to get a member of the development team to click on a link…” as well as using AI to find other targets and ways to attack. 

The other big one is operational resilience, this puts new (regulatory) pressure on organisations, specifically the FS, with policy statements from the FCA and security checklists form the BoE that mean financial service providers need to better understand their critical processes, the systems they rely on, the dependencies these have and the third parties that are part of the supply chain. 

The OpRes agenda requires not just appropriate protective cyber security controls, but also a need to have thought about prevention, containment/mitigation, response and recovery - it's about surviving incidents when they do occur as much as stopping them occurring. 

 Alex Holland, Senior Malware Analyst in the HP Wolf Security threat research team, at HP Inc: Threat actors are increasingly employing a wide range of techniques to prevent campaigns being detected by security tools – with new evasion methods enabling attackers to infect computers under the radar appearing every day.” 

For example, cybercriminals changed the way Raspberry Robin is spreading. Threat actors have shifted to using highly obfuscated Windows Script Files (.wsf) with a range of anti-analysis and virtual machine detection techniques. This has made Raspberry Robin much harder to spot, triage, and protect against. In fact, currently the Windows Script loader is poorly detected by anti-virus scanners on VirusTotal, and some samples are not being detected at all. Additionally, a recent DarkGate PDF campaign evaded detection by proxying links though advertising networks. Each malicious link was obfuscated behind an advertising link, which helped the cybercriminals operating DarkGate to evade detection and even capture analytics about victims. 

Piers Wilson: The guidance on resilience, and this is seen again and again, can be helpful here. Survivability is key. So, consider prevention of cyber security incidents, how to contain them and limit the impact (or blast radius), then being able to respond - practiced and capable incident handling processes - and then recovery. Getting systems and functions back online and services restored quickly. 

Within each of these “pillars” does of course lie a number of processes, controls, checks and safeguards. Getting visibility and having more effective oversight of the controls is also key. An annual “cyber security review” is not enough, the pace is way too quick for that. You need good, accurate real time risk information that can drive the operational work of technical teams as well as give the board a continuously refreshed picture of the risk landscape. 

 Alex Holland: ​​​​​​​Organisations must start building a more collaborative security culture as they settle into the future of hybrid work. But even so, they must prepare for the reality that most users will eventually click on something they shouldn’t. 

As attacks against users increase, having security baked into people’s PCs from the hardware up – so they can easily prevent, detect, and recover from attacks – will be essential. Today, email is still the most common attack vector, particularly for opportunists like cyber hustlers. Isolating risky activities is an effective way of eliminating entire classes of threats without relying on detection. Threat containment technology ensures that if a user opens a link or attachment and something nasty comes through, the malware can’t infect anything. This way financial services organisations can reduce their attack surface and protect employees without hindering their workflows. 

Piers Wilson: These days it’s almost anyone. The big difference in the last few years has been the geopolitical angle. Whereas it might just have been large enterprises and banks with a financial motive, now its critical infrastructure and any business that could have a disruptive effect on society.

 Alex Holland: Home users or remote workers often get caught in the firing line, as they are easier to compromise than the enterprise. Cybercriminals can use simpler techniques, like scams and phishing – potentially capitalising on the economic downturn by offering people fast ways to make money, like cryptocurrency and investment scams. The interconnected nature of the cybercrime gig economy means threat actors can easily monetise attacks. And if they strike gold and compromise a corporate device, they can also sell that access to bigger players, like ransomware gangs. This all feeds into the cybercrime engine, giving organised groups even more reach.

Piers Wilson: Speed and bandwidth. The example of cyber security audits above is a good one. Checking controls annually is of little use, but doing that more often could be expensive if using manual/traditional processes, there’s a need to utilise technology better to free up the precious time of scarce security resources to work on finding and dealing with vulnerabilities and threats, not just endlessly reporting on controls, fielding audits and responding to questionnaires. As business more generally have undergone digital transformation, so too must cyber security operations and audit processes.

 Alex Holland: In recent years we’ve seen the rise of the cybercrime gig economy, where the shift to platform-based business models has made cybercrime easier, cheaper and more profitable. Cybercrime tools and mentoring services are readily available at low costs, enticing cyber hustlers – opportunists with relatively low levels of technical skill – to access what they need to turn a profit. As we face another global downturn, easy access to cybercrime tools and know-how could increase the number of attacks we see – especially attacks against home users by opportunistic attackers.