Phishing remains the most common attack, with the 2023 Comcast Business Cybersecurity Threat Report finding that 90% of attempts to breach customer networks begin with phishing.
Threats continue to evolve as hackers and scammers acquire new technologies or figure out new ways to exploit old vulnerabilities. "It's a cat-and-mouse game," said Mark Rucci, CISO of security firm EnTrust.
Phishing remains the most common attack, with the 2023 Comcast Business Cybersecurity Threat Report finding that 90% of attempts to breach customer networks begin with phishing.
The number and velocity of attacks is increasing, and so is the cost to victims, with the official 2022 Cybercrime Report from Cybersecurity Ventures estimating that the cost of cybercrime will jump from $3 trillion in 2015 to 2025 of US$10.5 trillion.
At the same time, security leaders say they are seeing new forms of standard attack methods, such as those launched by Midnight Blizzard (the company has also been named APT29, Cozy Bear and Nobelium), as well as new attack tactics. Data poisoning, SEO poisoning, and AI threat actors are the new threats CISOs face today.
Andreas Vukner, CISO of security company Panaseer and a member of the company's advisory board, said: "When you agree to become a CISO, you agree to enter a competition that you will never completely win, and you must See something constantly changing on the screen.”
AI and AIGC-powered attacks
Experts say some of the most compelling emerging threats stem from the rapid maturation and proliferation of AI. Security officials have watched hackers adopt AI faster than their competitors — and sometimes even enterprise technology teams.
The possibility of AI-powered attacks is not unexpected. According to a 2019 Forrester Research report, 80% of cybersecurity decision-makers expect AI to increase the scale and speed of attacks, and 66% expect AI to conduct attacks unimaginable by humans.
The report further states that "these attacks will be stealthy and unpredictable, allowing them to circumvent traditional security methods that rely on rules and signatures and instead refer only to historical attacks."
Some experts say that's happening now.
The authors of a December 2022 report released jointly by the Finnish Transport and Communications Agency and Helsinki-based cybersecurity company WithSecure asserted: “AI-powered cyberattacks are already a threat that businesses cannot deal with. As we witness As AI methods improve, and AI expertise becomes more widespread, this security threat will only increase."
According to that report, hackers are using AI to analyze attack strategies to increase their likelihood of success. Hackers are also using AI to increase the speed, scale and scope of their activities.
Cybersecurity leaders note that AI - and more specifically AIGC - poses other emerging threats. The first was that hackers used AIGC to develop malware, and they also used it to create additional phishing and obscene messages whose content accurately mimicked the language, tone, and design of legitimate emails.
This eliminates the awkward wording or sloppy graphics that often help identify them as malicious messages. As Rucci said: "Today's phishing emails are becoming more and more sophisticated, and AIGC will definitely take it to unprecedented levels."
Kane McGladray, a senior member of the Institute of Electrical and Electronics Engineers and CISO of Super Security, has seen the evidence. He worked with a business whose executives received a contract to review and sign. "Pretty much everything looked normal," McGladray said, adding that the only error of note was a small mistake in the company's name, which was discovered by the general counsel.
But McGladrey said the new generation of AI is not only increasing the speed and sophistication of hackers, but also expanding their reach. Hackers can now use AIGC to create phishing campaigns with trusted text in almost any language, including those where attack attempts have been low to date because the language is difficult to learn or because few non-native speakers speak the language.
McGladry added: "If for no other reason, AIGC does a good job of translating content, so countries that haven't experienced many phishing attacks so far may soon see more."
Others have warned that other AI-enabled threats are on the horizon, saying they expect hackers to use deepfakes to impersonate individuals — such as high-profile executives and civic leaders (whose voices and images are widely available and could be used for training AI model).
"It's definitely something we're watching closely, but the possibility is already pretty clear," said Ryan Bell, threat intelligence manager at cyber insurance provider Corvus. "The technology is getting better and better, and it's harder to discern what's real." He quoted Deepfake images of Ukrainian President Volodymyr Zelensky were used to spread disinformation as evidence that the technology was used for nefarious purposes.
Furthermore, the Finnish report provides a dire assessment of what the future holds: In the near future, fast-paced AI advances will enhance and create a wider range of attack techniques through automation, stealth, social engineering or information gathering. As a result, we predict that over the next five years, AI-enabled attacks will become more common among less skilled attackers. As traditional cyberattacks will become obsolete, AI technology and tools will become more accessible and affordable, incentivizing attackers to use AI-enabled cyberattacks.
Hijacking enterprise AI
On the other hand, some security experts say hackers could use companies' own chatbots against them.
As with more traditional attack scenarios, attackers could try to hack into chatbot systems, steal any data in those systems, or use them to access other systems of greater value to the bad guys.
Of course, this isn't particularly new. However, Matt Landers, a security engineer at security firm OccamSec, said hackers could repurpose compromised chatbots and then use them as a conduit to spread malware or potentially interact with others in nefarious ways. Customers, employees, or other systems—interactions.
Cyber risk research group Voyager18 and security software company Vulcan have recently issued similar warnings. The researchers published a June 2023 advisory detailing how hackers leveraged AIGC, including ChatGTP, to spread malicious packages into developers' environments.
Wuchner said the new threats posed by AI don't stop there. He said that as more and more employees - especially those outside IT - use the new generation of AI to write code so that they can quickly deploy and use it, enterprises will Bugs, vulnerabilities, and malicious code may be discovered that may find their way into the enterprise.
Wuchner added: “All the research shows how easy it is to create scripts using AI, but trusting these technologies is bringing things into the enterprise that people never thought possible.”
Quantum computing
The United States passed the Quantum Computing Cybersecurity Preparedness Act in December 2022, writing into law a measure aimed at protecting federal government systems and data from quantum cyberattacks. Many expect that as quantum computing matures, quantum cyberattacks will occur.
A few months later, in June 2023, the European Policy Center urged similar action, calling on European officials to prepare for the arrival of a quantum cyberattack—an anticipated event known as Q-Day.
According to experts, in the next five to 10 years, work on quantum computing may progress enough to reach the ability to break today's existing cryptographic algorithms - an ability that could make all digital information currently protected by encryption protocols vulnerable Network attacks.
"We know quantum computing is going to hit us within three to ten years, but no one really knows yet what its full impact will be," Ruchie said. Worse, he said, bad actors could use quantum computing combined with AI to "create new threats."
Data and SEO Poisoning
Another threat that has emerged is data poisoning, said Ronny Thakur, a university associate professor in the School of Cybersecurity and IT at the University of Maryland Global Campus.
Through data poisoning, attackers tamper with or corrupt the data used to train machine learning and deep learning models. They can use a variety of techniques to do this. Sometimes called model poisoning, this attack is designed to affect the accuracy of AI decisions and outputs.
As Thakur summed it up: “You can manipulate the algorithm by poisoning the data.”
He noted that data poisoning can be caused by both internal and external bad actors. Additionally, he said, many businesses lack the skills to detect such sophisticated attacks. Although enterprises have not seen or reported such attacks on any scale, researchers have explored and demonstrated that hackers may actually be capable of such attacks.
Others mentioned another "poisoning" threat: SEO poisoning, most commonly manipulating search engine rankings to redirect users to malicious websites that will install malware on their devices. Info-Tech Research Group noted the SEO poisoning threat in its June 2023 Threat Landscape Briefing, calling it a growing threat.
Prepare for the next step
Most CISOs expect the threat landscape to change: 58% of security leaders expect a distinct set of cyber risks to emerge over the next five years, according to a poll conducted by search firm Heidrick & Struggles for its 2023 Global CISO Survey.
CISOs ranked AI and ML as the top cyber risk factors, with 46% agreeing. CISOs also listed geopolitics, attacks, threats, cloud, quantum and supply chain as other top cyber risk factors.
The authors of the Heidrick & Struggles survey noted that respondents had some thoughts on the topic. For example, one of them wrote that there will be an ongoing arms race for automation. "As attackers increase attack cycles, respondents must move faster," another user wrote. A third said "cyber threats will move at the speed of machines and defenses will move at the speed of people." conduct."
The authors add, "Others expressed similar concerns that skills would not transfer from old to new. Still others were more concerned about survival, citing 'a dramatic erosion of our ability to discern truth from fiction.'"
Security leaders say the best way to prepare for evolving threats and any new ones that may emerge is to follow established best practices while layering new technologies and strategies to strengthen defenses and build upon enterprise security. Create active elements.
"It's about mastering the basics and applying new technologies where possible to advance your security posture and build defense in depth so you can get to the next level," said Norman Kronberg, CISO of security software company NetSPI. level so that you can detect any novel threats." "This approach can give you sufficient capabilities to identify unknown threats."