AI-Driven Social Engineering and Money is No Object: Attackers are Doubling-Down to Get Your Data
Often lost in the excitement of the new year is an update or review of cyber security threat management protocols to prepare organizations for the ways attackers have evolved their techniques over the last 365 days. This annual blog post detailing my predictions for security threats in the new year comes with no exception for 2024 – we’re already seeing a significant evolution of attack techniques that are quite different from previous years and will require an updated approach to internal and external security protections.
Everyone is at risk of falling victim to these attack techniques that are only growing in sophistication and becoming more adept at taking advantage of organizations’ weakest points and vulnerabilities.
Top Ten Cyber Security Threats for 2024
The top ten cyber security threats I’m identifying in this blog post fit into three main trends among bad actors looking to steal your company’s data and sensitive information:
- Leveraging AI for advanced social engineering techniques
- Spending more money on attack campaigns for the promise of a larger payout in the end
- Deploying tried-and-true attack vectors like ransomware – but in different ways
The overall trend among threat actors now is relying on older techniques but spending more money and deploying them differently in order to achieve greater success. There are a number of protocols organizations have long relied upon for security – such as multi-factor authentication – that attackers are now able to circumvent with very little problem.
I’ll go ahead and lead with the biggest takeaway from this post: trusted security protections are no longer to be fully trusted, and every organization should revisit its security posture in response to the evolving threat landscape.
1 – Money is No Object
Threat actors are now willing to spend a decent chunk of change to execute an attack. Why? Because a financial infusion increases the scale and magnitude of an attack, which delivers a better payout to the attackers. Bad actors have always been able to make money from cyber attacks, but this trend signifies that they’ve found a way to truly monetize the business of cyber attacks, which allows them to grow in sophistication and severity.
This trend is important to pay attention to for two reasons; one, it means threat actors have the means to find a way into your network, even if previously blocked, and two, it means if your data is being held at ransom and you have no backup plan or alternate recourse, expect to be making a big payout to get it back.
- Organizations should take steps to ensure attackers can’t breach the network in the first place – once they’re in, they can do a significant amount of damage and cost your company millions.
2 – SIM Swapping
One new threat vector made possible by a larger expenditure of funds is SIM-swapping. Attackers are investing thousands to break into an organization by side-stepping multi-factor authentication (MFA) measures through SIM swaps. Here’s how it works: an attacker takes over phone accounts for key personnel and ports those phone numbers over to their own SIM cards on alternate devices. With control over a victim’s phone, the attacker can receive SMS-based codes for MFA required for logging in to various corporate networks or services.
T-Mobile customers are especially vulnerable to SIM swapping due to the number of security breaches the company has endured, including two in 2023 that exposed employee and customer information. Additionally, this attack vector relies on social engineering tactics to obtain personal information about the victims, such as name, phone number, and proprietary network information.
- Organizations should be trained and aware of suspicious correspondences with individuals looking for this type of information and should implement stronger controls beyond MFA to prevent SIM swapping from being successful. Companies should also enable porting protection, which would require an attacker to enter a PIN number in order to “port out” any phone numbers and accounts to unauthorized users or carriers.
3 – Leveraging the AI Deep Fake
Threat actors are perfecting social engineering techniques because of AI and its ability to create deep fakes; i.e. synthetic videos and fake virtual identities that are closer to the real thing than ever before. While traditional phishing attacks using fake voices are riddled with grammatical errors or voiced using a foreign accent not native to the victims, AI-generated deep fakes can mimic a real person, engage someone in conversation, and eventually get someone to hand over sensitive information, hand over money, or grant access to private accounts.
- Companies need to be vigilant about social engineering attacks and train employees to be aware of what these attacks look and sound like since it is so vastly different from traditional attacks of this nature. Further, companies should implement stronger security measures; often, a simple verification with a call-back or clean call to the named individual will quickly prove whether the caller was legitimate.
4 – Compromising Corporate AI Tools
In addition to using AI to gain network access, attackers can – and will – take advantage of vulnerabilities within AI platforms that companies are using to gain access. As with any software or platform, AI tools introduce new entry points for attackers that companies should be aware of, and 2024 will likely carry an emphasis on which policies and procedures companies should be following to safely implement and use AI tools within their organizations.
We don’t expect to see mandated policies and procedures around AI use as it would be extremely difficult to enforce, so the onus will fall on companies to deploy AI tools responsibly.
- We’re already seeing corporate browser packages for Chrome and others that make it safe for companies to interact with AI tools online. We expect to see more of these security offerings in the AI space and a greater emphasis on the security risks of AI tools as they become more widely used in corporate environments.
5 – Going Around Endpoints
Attacking an organization’s network infrastructure isn’t new, but this is one of those trends that’s morphing into something less familiar. Companies that have invested in the latest and greatest next-generation antivirus software will be less than thrilled to know that attackers have found a way around it. They’re now simply avoiding endpoints altogether and going right into the organization’s network to attack on-prem cloud environments. Attackers don’t face much of a barrier since there is little oversight for cloud product development and if an organization has poor network segmentation, attackers have an even easier time moving through a cloud-networked environment once they’ve gained access.
- All cloud environments should have configuration and cloud-hardening. Companies using VMware should be aware that there is no endpoint detection response for these solutions, making them easier for attackers to compromise. Limiting access and enabling logging are best practices for spotting suspicious activity, and network segmentation will prevent easy access to management interfaces.
6 – Smooth Sailing Within a Network
At DirectDefense, we continue to sound the alarm about the importance of network segmentation. Given the endpoint circumvention mentioned above, segmenting your network is becoming more critical than ever, especially for manufacturing infrastructures that are required to monitor security regularly. Attackers are adept at abusing common configuration issues and shortcomings of corporate solutions, and if they’re able to move within your network unabated, privileged accounts will be a primary target.
- Organizations must be able to employ strong network segmentation and evolve it with changing trends to ensure that even if an attacker gets it, they aren’t able to move around without a hitch.
7 – Infiltrating IR Communications
After an attack has taken place, what we continue to see – and expect to see more of in the new year – are companies that struggle to effectively communicate following a breach because the threat actor has infiltrated the communications systems. When the attacker is in your ear as you try to manage a breach, your disaster recovery and incident response procedures can be drastically undermined. This type of breach fallout is especially prevalent in remote work environments where the ability to communicate is paramount.
- Companies should have an alternative solution to their primary solution, for example, if you use Microsoft Teams or Google Chat across the organization, use Zoom or GoTo Meeting instead.
8 – Ransomware as a Calling Card
Ransomware makes this list every year, but what will be different about 2024 is how it’s being used in an attack. Historically, attackers have used ransomware as the primary attack vector; however, now, it’s being used as more of a “calling card” and attackers are deploying it after they’ve already broken in and locked you out of your on-prem cloud. This double-whammy compounds a company’s issues in retrieving data and getting back online – and essentially guarantees a big payout for the attackers.
Ransomware attacks are now being specially crafted based on what the potential payout might be, which falls right in line with the trend of attackers spending more to make more. Breaking into your on-premise cloud, locking you out, and subsequently deploying ransomware. In the event of resistance to negotiation, the attackers threaten to disclose the compromised data within a few hours. Following such an attack, the victim faces constrained choices, with a significant setback being the prolonged recovery process. This is primarily due to the necessity of rebuilding all VMware servers before initiating the restoration of backups.
- The goal for 2024? Make sure attackers aren’t getting into your network in the first place – and make sure your backups aren’t accessible.
9 – Taking Advantage of Weak Application Security
App development has been a notoriously slow industry to adopt security testing as part of its overall quality assurance process. Ideally, security flaws should be measured as defects in the code, but there is currently no law or regulation within this industry that holds software development companies liable for the quality of their products, especially where security is concerned. Moving into 2024, it won’t be sufficient to rely only on WAFs (which monitor entry points) and database access monitoring (which alerts you to unauthorized access) because there is no “middleware” monitoring what’s actually happening if an attacker gets in.
App users need to be concerned about abuse of functionality. In many cases, a company realizes something is amiss because there’s a ton of traffic hitting the website all at once, or there are suddenly millions of transactions in the queue – but there’s no way to know what’s happening to cause those activities.
- The best way to stay on top of this information is through application testing services, which monitor your application and create a log that can be immediately read and interpreted by a human.
10 – Single Sign-On
Gone are the days of “one password to rule them all!” A single sign-on (SSO) is a great way to streamline logins for employees, but it’s also a great way to hand over widespread access to an attacker. When SSO is abused, attackers will log into multiple accounts and databases at the same time, so a company is unable to fix everything all at once and ends up scrambling to identify, respond, and remediate as fast as possible.
- A company’s best defense is to disallow SSO for operationally critical applications like security and network infrastructure applications. At the very least, conditional access policies should be enabled for SSO applications to limit logins to privileged accounts to only selected devices or from specific locations.
Make a Renewed Investment in Security for 2024
Attack techniques are always evolving, but already we’re seeing how new tools and technologies like AI are transforming the more “old school” techniques into something not as recognizable – and that gives attackers more of a leg-up.
As attackers demonstrate a willingness to increase their investments, organizations can anticipate ongoing breaches of their endpoints and infiltrations into their networks, even with existing security measures. The only viable solution is to make a fresh commitment to security in 2024, ensuring that defenses are aligned with the latest attack tactics. This involves not only maintaining investments in protection solutions but also allocating additional resources for security visibility and response measures.
Here are some quick wins to consider for the new year to ensure your organization is adequately prepared:
- Hire a Full time or virtual CISO. These remote, on-demand cybersecurity professionals can provide the same level of expertise and guidance as an in-house CISO without your company having to hire for the full-time position. Get the security help you need, when you need it. We expect the virtual CISO to be a big trend in 2024, and we’re already seeing a push for these roles in the DoD space to help with CMMC certifications.
- Invest in an MSSP. With attackers upping their game and doing more damage than ever once inside your network, the best defense is to make sure they never get inside in the first place. Hiring an MSSP gives you 24/7 network monitoring so you won’t miss a thing, and incident response planning and deployment to help you properly and immediately respond to get your organization back to business as soon as possible if a breach is successful.
- Prioritize OT. If your organization is focused primarily on IT security but you have manufacturing or industrial capabilities, you need to be prioritizing OT security to protect those operations from attack. An MSSP can help you address OT vulnerabilities and effectively address them to keep your critical operations safe from attack.
- Focus on Productivity. Clients often ask us about how to improve productivity and our response is to evaluate management controls and make changes that can improve productivity. When you have a documented process for requesting, reviewing, approving, and implementing changes, you can ensure compliance and more streamlined change control.
- Create an IR Plan. In any attack, intellectual property theft is a significant issue, and organizations that have been breached are often left struggling to understand what’s been stolen and what hasn’t. This issue is further exacerbated in work-from-home environments. An incident response plan helps you get your head around what’s going on and what to do faster, ultimately shortening the amount of damage an attacker can do – and how much intellectual property they can steal. Ensure you are aligning your disclosure plans with the Securities and Exchange Commission (SEC) ruling from July. The SEC now mandates registrants to disclose material cybersecurity incidents promptly and provide annual disclosures on critical aspects of their cybersecurity risk management, strategy, and governance.
Each year, companies struggle to overcome security breaches they didn’t see coming and weren’t properly protected against. In many cases, these companies believed they were properly protected. But the pace at which things change now requires regular due diligence to update and test security protocols against the latest and greatest attack vectors and threats.
Contact us today to get started.