(All views are strictly personal)
Here is my forecast for the cybersecurity challenges that await us in 2024 and beyond. I have tried to suggest strategic and tactical defences against each risk driver.
1. World Cyberwar I
The era of land-air-sea based world wars has passed, and the likelihood of using nuclear arsenals seems remote. In today's multipolar world, sufficient deterrents exist to prevent a classical conflict. In sharp contrast, there are no international treaties or conventions in place to deter cyberwarfare. But what constitutes a World Cyberwar? In my view, a cyber conflict that undermines the very foundations of our unified internet infrastructure would warrant this designation. I am not referring to mere DDoS attacks, as these are akin to schoolyard scuffles. Anyone who thinks the DDoS on 'kremlin.ru' in 2022 was a victory is simply naive.
The geopolitics of the world are rather immature on the subject of digital sovereignty. But the threat of isolationism already exists, and I would expect digital isolationism to be one of the weapons in the first World Cyberwar. We may see some of this in 2024.
A tactical defense mechanism would require multiple redundancies, including (1) physical layer, (2) network layer, and (3) the devolved trust mechanisms. That would be an urgent need for 2024 at the sovereign level.
One of the strategic defences could be distributed and immutable mechanisms of trust, such as blockchains. That development may span over 2024-2030.
But ultimately, the users of a fractured internet infrastructure will have no choice but to reinvent the internet and we may see that strategic need over the next decade.
2. Return of the GOATs:
Some authorities have boasted about a few 'takedowns' of websites belonging to criminal gangs and the 'dismantling' of their operations. Let us not delude ourselves, shall we?
Long-term followers will remember I made a mockery of MSFT's claims on Emotet, which was, in my opinion, a GOAT. I held the view that cyber crime was too lucrative, and cyber criminals were too creative compared to the defensive side, meaning the resurrection was inevitable. Exactly that happened, and Emotet returned.
Very recently, there have been similar claims of AlphaV and Lapsus$ takedowns. There is a strong chance that Lockbit has been infiltrated and will be taken down in the near future.
Authorities' success against cyber criminals has always depended on (1) luck, (2) infiltration, and (3) the money trail. None of these are permanently effective.
Therefore, I would prefer to anticipate the resurrection of the GOAT hackers with greater sophistication. The defensive side changes only marginally, as the window for patching keeps shrinking. Unchanged are the concepts of cyber defense in depth and the Zero Trust architecture. Need I say that without cyber hygiene, you might as well shut down the business?
(Stop press note: Between the time I wrote a draft of this article and its publication AlphaV had already 'unseized' its darknet site and declared a no-taboos policy against non-CIS countries. So my forecast for 2024 came true in 2023! Not funny.)
3. Rise of "Ransomware Plus":
I expect ransomware attacks to evolve further in 2024, with threat actors becoming more targeted and sophisticated. Phishing is being replaced by spear phishing and whaling. Simultaneously, payloads at every stage now evade signature detection. The last nail in the coffin is the leveraging of signed DLLs and LOLBINs.
As long as we rely on Microsoft (MSFT), signature-based detection, use loose session credentials, and do not apply minimum privileges in a segmented network, we take unnecessary risks.
On the strategic and tactical defensive side, there is no substitute for comprehensive immutable backups and the practice of rebuilding the infrastructure from scratch. That is our main defense.
On the tactical side, cyber insurance may help, but don't jump from the plane without being reasonably sure that the parachute will work.
4. AI-Powered Cyber Attacks:
Artificial intelligence (AI) is becoming more affordable, and cybercriminals will leverage AI to enhance their attack strategies. Automation of attacks is easiest during reconnaissance and response-based version detection. Then, AI use for impersonation comes next (the Deepfake Risk). (AI is being trained to lie, and that is a separate risk in its own right).
But the really dangerous misuse of AI would be identifying vulnerabilities in the code - either source or reverse-engineered.
You cannot defend against AI-based attacks through traditional means. I believe in aggressive cybersecurity using AI as the best defense against AI. For example, nothing stops you from using AI to identify coding weaknesses such as #log4j that can be remedied before getting hacked.
5. Supply Chain Vulnerabilities:
Supply chain attacks will continue to remain a significant threat, with cybercriminals targeting weaknesses in the interconnected networks of suppliers and service providers. Organisations will need to adopt robust supply chain security measures to mitigate these risks.
On the defensive side, my view is that the "Zero Trust Zero Tolerance" will be the most effective approach barring a few mission critical business cases.
6. Quantum Computing (QC) Threats:
I am sure every consultant will pretend to be an expert in QC for the next decade without writing a single line of code. They will talk about quantum preparedness and hybrid implementations. Let us talk sense, shall we?
Decryption of confidential communication is not the primary risk for 2024. The real risk today comes from active and passive "capture points" between two parties. This is called the "capture now, decrypt later" or "harvest now, decrypt later" risk.
There are many things we can do to counter the data capture risk. First, we need to be extremely careful about the "in-line appliances" that claim to undertake deep packet inspection and prevent data loss; ensure, for example, that those appliances are not sending data to "home servers". Second, the MiTM (Man-In-The-Middle) attack risk needs to be reassessed on both HTTPS and SMTPS, the most commonly used protocols. Third, the use of DNSSEC has become inevitable as a defensive measure. Fourth, client-side software needs improvements in how it makes use of CAA records, and be aware that some reverse-proxy CDNs tamper with your desired certificate constraints. Fifth, the older RFCs do not handle the protocol downgrade risk very well; in fact, an official RFC even today requires a plaintext transfer of emails when ciphers are incompatible between the sender and recipient. My defensive tactic is to ignore the RFC and harden the cipher permissibility. The sixth, and my most important, recommendation is the use of PKI in routing. This requires upgrades upstream (e.g. your ISP's network backbone), but it is worth it. I have seen only the Dutch authorities being active on this risk mitigation, which is a universal need.
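As an illustration of the fifth point (refusing the plaintext fallback and hardening cipher permissibility on outbound mail), here is a constructed policy evaluator for a sending MTA. It is an added example, not code from the article or any particular mail server; the EHLO text, allow-lists and the `PeerSession` structure are my own assumptions.

```python
"""
Hardened outbound-mail TLS policy (constructed example).
Opportunistic STARTTLS (RFC 3207) lets a sender fall back to cleartext when
the peer offers no STARTTLS or the TLS negotiation fails. This evaluator
refuses that fallback: mail is delivered over an acceptable, authenticated
TLS session or it is deferred for retry. It is never sent in plaintext.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed allow-lists: TLS 1.2+ and forward-secret AEAD suites only.
ALLOWED_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}
ALLOWED_CIPHERS = {
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
}

def parse_ehlo(reply: str) -> FrozenSet[str]:
    """Extract extension keywords from a multi-line 250 EHLO reply.

    The first line is the server greeting, so it is skipped; each later
    line is '250-KEYWORD [params]' or '250 KEYWORD' on the final line.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    keywords = set()
    for ln in lines[1:]:
        if ln.startswith("250"):
            keywords.add(ln[4:].split(" ", 1)[0].upper())
    return frozenset(keywords)

@dataclass
class PeerSession:
    """What the sending MTA learned from the peer before the DATA phase."""
    ehlo_extensions: FrozenSet[str]          # keywords from parse_ehlo()
    tls_version: Optional[str] = None        # negotiated protocol, None if no TLS
    cipher: Optional[str] = None             # negotiated suite, None if no TLS
    cert_verified: bool = False              # chain validated for the MX hostname

def decide(peer: PeerSession) -> str:
    """Return 'deliver' or 'defer'. Cleartext delivery is not an outcome."""
    if "STARTTLS" not in peer.ehlo_extensions:
        return "defer"   # RFC 3207 would permit cleartext here; we retry later
    if peer.tls_version not in ALLOWED_TLS_VERSIONS:
        return "defer"   # downgrade to TLS 1.0/1.1 (or no TLS at all) refused
    if peer.cipher not in ALLOWED_CIPHERS:
        return "defer"   # incompatible ciphers mean retry, not plaintext
    if not peer.cert_verified:
        return "defer"   # unauthenticated TLS still allows an active MiTM
    return "deliver"
```

Deferred mail is retried by the normal queue, so a peer that genuinely cannot do modern TLS surfaces as a bounced or delayed message rather than as a silent downgrade.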
There are many other measures against QC misuse, and I can deliver a comprehensive lecture on the subject without resorting to overly complex, PhD-level cryptography terminology.
If I were a NED, I would challenge the executives who say "we are waiting on the NIST and vendors". IMO that is bollocks and shows an ignorance of the attack paths and the threat scenario.
7. 5G Network Security Challenges:
It would be naive to think banning Huawei from a country eliminates the 5G risk. The assessment of 5G risk needs to go far beyond the accusation of "phone home" or "Chinese backdoors".
The widespread adoption of 5G technology introduces new attack vectors, such as increased attack surface and potential vulnerabilities in IoT devices.
Securing the 5G infrastructure will be crucial to prevent large-scale cyber threats. The most significant defensive challenge lies in the ongoing conflict between official and unofficial espionage, a dilemma that, in my opinion, will remain unresolved indefinitely.
So what would I do in the meantime? I would suggest that the technology stack should benefit from the 5G efficiency and speed only up to the connectivity layer. Above that we must use E2E encryption applications based on protocols such as Signal (for confidentiality) enveloped within a protocol such as WireGuard (for privacy).
In essence, our defense strategy should focus on ensuring that smartphones, with their advanced capabilities, do not outsmart us.
8. Evolving Threats to Critical Infrastructure:
Critical infrastructure, including power grids, healthcare systems, and transportation networks, will remain attractive targets for cyber adversaries. Advanced persistent threats (APTs) targeting critical infrastructure may escalate, requiring enhanced cybersecurity measures and collaboration between the public and private sectors.
On the defensive side, the most urgent need concerns contingency communication plans. No, I am not expecting you to breed pigeons on your office rooftop. Starlink connectivity, as an example, makes sense for a BCP/DR (Business Continuity Plan/Disaster Recovery).
9. Increased Cybersecurity Skill Gaps (?):
The gap between the demand and supply of skilled cybersecurity professionals is often used as an excuse, a stance I refuse to endorse.
I believe the talent shortage only affects certain narrow roles in infrastructure management. What is lacking is adequate incentive and investment in maintaining infrastructure hygiene. Consider this: does one really need a cybersecurity professional to enhance basic practices such as the Joiner-Mover-Leaver (JML) process, access controls, and backup systems? We have been doing those unglorified jobs for three decades, and cybersecurity would be impossible without them!
As a Non-Executive Director (NED), I would disregard the nonsensical and overambitious transformation ideas often presented by frequently transitioning Chief Information Security Officers (CISOs). I would demand a culture of talent management for the defensive side and outsource the attacking side.
10. Misc. Other Items
I will not detail what I have said over the last few years. In short, I am sick of the cyber risk created by the use of 'hardware appliances'. Those who continue to use appliances are free to sing at their own funeral. The risk of data loss has increased due to the reckless use of cloud. A few more zero data attacks are only to be expected in 2024.
So what?
If you've read this far, you'll appreciate the uniqueness of this 2024 forecast. The defensive strategies and techniques discussed here extend well beyond the scope of what you might have encountered in other readings or through AI programs.
All views in this article are entirely personal and I do not expect you to agree with me. My expectation is for you to reflect on your adversaries, threat models, and risks, thereby shaping your strategic and tactical defenses for 2024 and the future.
Dear friends and followers, I wish you the very best for 2024.
Santosh Pandit
30 December 2023