By Daniel Hofmann, CEO of Hornetsecurity. Hornetsecurity were finalists in the Security Innovation of the Year (Enterprise) category at the 2023/24 Cloud Awards.

Technology is advancing at a rapid pace, and threat actors are working hard to exploit new technological achievements.

Cybercriminals are becoming more adept, competent, and proficient. Thanks to generative AI becoming so accessible, attacks that used to take threat actors hours or days to develop now take dramatically less time, increasing the rate of attacks. With cyber threats becoming more prominent than ever, applying cybersecurity best practices, coupled with awareness training, should be treated as a top priority.

Generative AI will continue to be a huge threat, but offers positives

The introduction of generative AI has turned the cybersecurity industry on its head. It became apparent that novice threat actors now have the means to launch complex attacks with greater ease and speed.

Spear phishing remains one of the most common types of attacks, targeting specific individuals or organizations to acquire classified access and information. With a small fraction of data, such as a phone number, email address, or name, these hackers can use AI tools to search the internet and social media to learn additional information about their potential victims. Once all relevant information is acquired, hackers can generate individually tailored spear phishing attacks. Additionally, the machine learning algorithms in gen AI platforms can continually optimize and learn to create more effective attacks.

One of the predictions in our 2024 Cyber Security Report is that threat actors will continue to develop dark web variants of popular generative AI systems, such as DarkBERT and WormGPT. In turn, they will have a better understanding of, and ability to automate, other portions of the attack chain, which could further speed up the rate of cyber-attacks.

Although generative AI has given novice threat actors the chance to take part in targeted attacks, there is a positive: incorporating tools like ChatGPT into an effective end-to-end cyber-attack still requires time to learn and understand entire attack chains.

Another positive is that cybersecurity experts and vendors are also developing defensive toolkits with generative AI. Organizations like OpenAI have also created grant programs designed to “AI-enable” and strengthen cybersecurity offerings by other organizations and curb potential threats.

Issues CISOs need to pay attention to

Considering the new level of cybersecurity risk brought on by AI, Chief Information Security Officers (CISOs) should understand the potential risks in the following key areas. Our 2024 Cyber Security Report identified some key attack types to look out for this year:

1. MFA Bypass Risks

Multi-factor authentication (MFA) has a reputation for being a strong secondary security measure to complement standard password protection. Whenever an account holder logs into their account, they’re prompted to enter a randomized number string or a unique word sent to their email or smartphone to confirm their identity. This security measure not only acts as a barrier to entry in the event of a password breach, it also notifies the account holder that someone is attempting to gain access to their account.

On the surface, MFA might seem like a solid way to thwart hackers from accessing private company accounts. After all, even if hackers stole or guessed the correct password to an account, they’d still have another set of obstacles to get through in order to gain access. The unfortunate truth is that MFA isn’t as bulletproof as some CISOs might believe it is. If hackers are determined enough, they can utilize different strategies to bypass MFA.

Phishing attacks are a popular method that threat actors use to bypass MFA. Through social engineering, employees can be tricked into sharing MFA authentication codes. MFA bypass kits and reverse-proxy style attacks (like EvilProxy) have also grown in popularity, allowing hackers to create seemingly legitimate login screens into which employees enter their credentials (including the authentication code).

MFA does provide a much-needed layer of security from criminals, so CISOs should still insist that employees use it for their company-owned accounts. However, CISOs should make sure employees understand all possible angles for an attack. They should also consider using more complex MFA methods, like physical or biometric credentials, if their business operates in a highly regulated sector.

2. Increase in Supply Chain Attacks

Over the last few years, cyber criminals have increased their focus on supply chain attacks. Many threat actors and criminal organizations have grown wise to the fact that the global economy is highly connected and dependent on digital infrastructure. They understand that a single supply chain attack can cause widespread damage to organizations and individual users all at once. Due to the scope of these incidents, victims may be much more willing to meet the demands of cyber criminals, in order to reduce the complications for everyone impacted by the attack.

Supply chain attacks can come in many forms. For instance, the recent 3CX Software supply chain attack was caused by malware hidden in legitimate software that was available to download directly on the company’s website. The MOVEit hack was caused by a Russian ransomware group that exploited a zero-day software vulnerability. Other potential avenues include phishing attacks, application programming interface (API) vulnerabilities, Trojan viruses, malicious code in open-source libraries, or even hardware vulnerabilities.

Considering the potential avenues for a supply chain attack, organizations face difficulties staying completely shielded from hackers. However, CISOs can use a few different strategies to reduce the probability of a supply chain attack:

  • Keeping third-party software up-to-date prevents hackers from exploiting known vulnerabilities.
  • Encouraging teams to learn and follow secure coding practices cuts down on new attack vectors.
  • Monitoring and Security Information and Event Management (SIEM) platforms can help security teams detect unusual activity before it manifests into a greater threat.
  • Digital signature verification helps verify that software and updates are from legitimate sources.
  • Company-wide cybersecurity training allows organizations to reduce security risks associated with human error.

3. Complexity in the Cloud

Cloud infrastructure has become an essential part of the modern business landscape. Adoption has accelerated significantly since the Covid-19 pandemic, as many organizations have embraced digital transformation for greater work efficiency, reduced IT costs, and to support employees with remote work environments. But in the collective rush to the cloud, many organizations have failed to recognize the cybersecurity risks associated with its use.

The sophisticated nature of cloud infrastructure can make managing its security a challenge, especially for organizations with less technological experience. Managing APIs, network configurations, data storage, user account access and other aspects of the cloud creates new risk variables that criminals can take advantage of. These digital components can open doors to a number of cyberthreats, including malware/ransomware injections, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks, among others.

These threats shouldn’t dissuade organizations from embracing the cloud, but CISOs should be familiar with them, to understand the security measures needed to keep threat actors at bay. CISOs should ensure their teams regularly update and patch cloud systems, back up critical data, and disable unused ports and protocols. They should also use secure APIs and security monitoring applications, and regularly perform penetration testing to uncover vulnerabilities within the system. Needless to say, they should continue to invest in robust email and web security services to ensure all their bases are covered.

Instilling cybersecurity awareness training to all employees

For companies, one of the best lines of defense against cyber-attacks is instilling a “human firewall”. This can be achieved by training employees to recognize sophisticated phishing methods on their own. To establish this type of cybersecurity defense, companies must implement the “Mindset – Skillset – Toolset” triad:

  • “Mindset” — Influences employees to raise their cybersecurity awareness. Solely relying on IT security technology is a recipe for disaster and can sometimes lead users to blindly trust their email traffic, making them vulnerable to phishing attacks.
  • “Skillset” — Develops awareness training through practice and simulation. This can include offering education to employees with realistic phishing simulation to strengthen their ability to discern between authentic and phishing emails.
  • “Toolset” — Provides additional IT security tools such as password managers, recipient validation services and more. For instance, password managers are easy to integrate to manage multiple accounts, preventing employees from choosing the same log-in details for all their accounts out of convenience.

In addition to employees having proper, ongoing cybersecurity awareness training, it is also important to have technical cybersecurity measures, such as email filters, firewalls, network and data monitoring tools, and regular software patches. These types of security solutions are also using AI to detect the latest types of attacks.

Employing the ESI® – Employee Security Index

Cybersecurity training is gravely important; however, the success of that training should be measured and monitored. An extremely efficient way to do so is by using standardized methods, such as Hornetsecurity’s Employee Security Index (ESI®). This provides employers with reliable key figures for comparing the individual employee groups with each other and determining what further phishing simulations need to take place.

The ESI® also enables IT security managers to continuously measure the security behavior of their employees as part of their training based on the phishing emails they open. This allows the frequency of simulations and e-training to be tailored to an individual’s needs, as not every user learns and adapts their security behaviors at the same pace.

Also, to ensure that these new behaviors stick with the employees as they learn them, the simulated spear phishing attacks must be repeated continuously. This helps to prevent the ESI® level from dropping again once it has reached its peak. Long-term memory is the name of the game, and permanent reports make it possible to include new employees in these training sessions.

Conclusion

Considering the complexity of the cyber threat landscape, CISOs should be extra cautious about their organization’s security posture. After all, a single security breach can lead to devastating consequences. But prioritizing cybersecurity with a proactive approach can help CISOs diminish risks by reducing vulnerabilities across the organization. With proper training, awareness, and tooling, CISOs can prevent threat actors from jeopardizing their organization’s success.