Andy Hornegold shares his cybersecurity predictions for 2024. From more zero-day attacks to exposure management and increased regulation, is your organization ready?

6 cyber security trends for 2024 and how to stay ahead

Andy Hornegold

From more zero-day attacks to increased exploitation of AI over the course of 2023, robust vulnerability and attack surface management has never been more important. Andy Hornegold, Intruder's VP of Product, shares his predictions for how the cyber security landscape will continue to change throughout 2024 and what organizations need to do to stay ahead.

1. Time to fix will decrease

Over the last 12 months, we’ve seen an increase in continuous monitoring and a focus on attack surface reduction across all our customers. As a result, the time it takes for our customers to fix critical vulnerabilities dropped from 30 to 17 days.

We expect this downward trend to continue throughout 2024, as small and medium-sized businesses continue to see, understand and feel the impact of ransomware. Some vendors are shifting their focus to SMBs, but Intruder was built from the ground up with ease of use in mind, which lets us offer outsized gains in those segments for vulnerability scanning and attack surface management.

2. Zero days will keep rising (record number of zero days and CVEs in 2023)

It appears that there's not going to be any shortage of zero days in 2024, with potentially more of them coming out for remote access services. Ransomware operators continue to profit by hitting these services, as we saw with Citrix Bleed and the plethora of Fortigate VPN vulnerabilities in 2023.

Kicking off in 2024 we’ve seen a number of critical vulnerabilities exposed in Ivanti remote access solutions. Based on the abundance of those remote access vulnerabilities, it seems that initial access brokers aren’t going away – they're the ones that stand to turn a quick profit by scanning the internet to find those remote access services, exploit them, and then sell the access to ransomware gangs.

In 2023, we saw more action from law enforcement targeting ransomware operators, and early in 2024 we’ve seen a huge international law-enforcement success story with the disruption of LockBit. It seems unlikely that this will slow down; the LockBit disruption shows the trend continuing.

3. AI will be used for attack, defense and as a target

The biggest buzzword of 2023, AI has taken off in a big way and everybody is trying to find ways to plumb it into their business or processes. This has continued with an increase of competition in the AI space with Google releasing its newest Gemini LLM.

When it comes to AI being used to facilitate cyber attacks, it's easy to see how it fits into already established techniques used by threat actors. LLMs are statistical models which are good at generating text and extracting information from data which may not have any defined structure, like a huge number of written documents.

Since LLMs can handle natural language so easily it makes them a good option to automate the creation of emails or text messages, and responding in real time without a person having to be there. So, there's an easy and obvious use case for attackers to facilitate phishing campaigns using AI.

Additionally, on a traditional enterprise network there is a large amount of data which may or may not be useful to an attacker.

For an attacker, crunching through all that data to find something useful can be time consuming; when carrying out red team operations it’s common to use regular expressions to find specific patterns in that large data set and surface items of interest.

There’s a use case to reduce dwell time (the length of time an attacker has access to a compromised system or network before they carry out the objective of their compromise – like deploying ransomware) by using LLMs to more efficiently extract useful information.  

Ransomware actors will often carry out double-extortion where they encrypt their victim’s systems and then threaten to leak the data that they have exfiltrated from the compromised network.  

Going through gigabytes or terabytes of data can take time and effort – but using LLMs threat actors may be able to more effectively assess the value of the data they’ve exfiltrated because they can more quickly and comprehensively understand what sensitive data is included in their exfiltrated data set.

One way to look at the potential of AI, and LLMs in particular, is that where you once used regular expressions to extract very specific data types, LLMs are a potential alternative that is easier to use and more effective.

Obligatory XKCD comic: https://xkcd.com/208/

While machine learning models have been around for a while and could already let threat actors categorize data, those models had to be trained and maintained, which was a real cost. With the introduction of LLMs trained on eye-wateringly large datasets (like most of the internet), that training burden has largely gone away and access has suddenly become a lot easier.
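The same pattern matching cuts both ways: a defender who finds the sensitive values on a file share first can move or remove them before a double-extortion crew gets to assess them. The script below is an added example written for this article, not Intruder's code. The in-memory "files", the three detectors and the Luhn validator are constructed for illustration (the card number is the standard 4111... test PAN and the access key ID is AWS's documented example value); a real deployment would walk a share or bucket and tune the patterns to its own data.

```python
"""Defender-side data discovery: find the sensitive values an extortion crew
would look for, so they can be relocated or removed first.

Added example for this article, not Intruder's code. The "files" and the
detectors below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for a file share. 4111 1111 1111 1111 is the well-known
# test card number; AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID.
SAMPLE_FILES = {
    "finance/q3-report.txt": "Card on file 4111 1111 1111 1111 for vendor ACME.",
    "hr/notes.txt": "Contact jane.doe@example.com; badge 1234.",
    "dev/config.ini": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "docs/readme.txt": "Nothing sensitive here, order id 1234-5678.",
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_valid(match_text: str) -> bool:
    """A 13-16 digit run is only reported as a card if the checksum holds."""
    return luhn_ok(re.sub(r"[ -]", "", match_text))


# (kind, compiled regex, optional validator applied to the matched text).
# The validator is what keeps false positives down on big, noisy data sets.
DETECTORS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), None),
    ("card_number", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), card_valid),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
]


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    redacted: str  # only the tail of the value is kept in the report


def redact(value: str, keep: int = 4) -> str:
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def scan_files(files: dict) -> list:
    """Run every detector over every file and return the validated findings."""
    findings = []
    for path, text in files.items():
        for kind, pattern, validator in DETECTORS:
            for m in pattern.finditer(text):
                if validator is None or validator(m.group()):
                    findings.append(Finding(path, kind, redact(m.group())))
    return findings


def kinds_by_path(findings: list) -> dict:
    """Summarise which kinds of sensitive data each file contains."""
    summary = {}
    for f in findings:
        summary.setdefault(f.path, set()).add(f.kind)
    return summary


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}: {f.kind} ({f.redacted})")
```

The report deliberately carries only a redacted tail of each value, so the discovery output itself does not become another copy of the secret.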

On the defensive side of the fence, there is a big opportunity to help defenders stay ahead of those threat actors. There are already examples of machine learning deployed in cyber defense, such as modelling anomalous network traffic or anomalous activity on endpoint devices, something the likes of Darktrace and Vectra have been doing for a while.

Greynoise have recently announced that they’re using LLMs to identify network protocols and attacks as part of their honeypot network; something that was previously a time sink for security analysts but now frees them up to focus on more impactful tasks.

When looking into security controls validation and vulnerability management there are use cases for automating the tasks involved in vulnerability detection and remediation. Automating penetration testing has been something that people have strived to achieve for years, with varying levels of success. But AI has started to make fully-automated penetration testing more feasible. After being trained on available security resources the internet has to offer, we’ve started to see that LLMs can follow the decision tree process that penetration testers follow during an engagement.

While the approach may not deliver 100% effectiveness (finding every single vulnerability) it may deliver better results than some penetration testers (like the intern that your provider scheduled on your assessment).

Even if complete automation isn’t delivering the same level of quality as an experienced penetration tester, we expect to see AI enhance a tester’s ability to deliver meaningful results to their customers. This is unlikely to make a dent in the cyber security skills shortage, but will hopefully alleviate some bottlenecks. I expect we'll start to see more of this automation over 2024, and I have high hopes for the likes of Sec-PaLM from Google and Mandiant.

With an increase in AI usage across every industry, and as it is introduced into more business-critical processes, the likelihood of it being targeted by threat actors increases. We’ve seen the beginning of prompt injection attacks, where an attacker forces an LLM to divulge information that it shouldn’t, and data tainting (poisoning) attacks, where an attacker corrupts the data on which an LLM is trained. We expect to see these types of attacks continue and expand.

4. Tighter regulations

Compliance and tighter regulations will continue to drive change in 2024. CISA have been pushing hard to make sure the US government is keeping up to date with vulnerabilities and patching.

At the beginning of 2024, we saw CISA issue a directive which required all government agencies to disconnect their Ivanti Connect or Policy Secure solutions:

As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks. (source)

A big step for CISA, but something that was generally welcomed by the wider information security industry. Remote access solutions with critical vulnerabilities have been a common thread leading to compromise over 2023. We expect to see more of this type of guidance over 2024 as it has a meaningful impact.

5. Exposure management will gain traction

The trend of moving from vulnerability management, to attack surface management will continue into exposure management.

Vulnerability management is the process by which you find, contextualize, prioritize, address and report on weaknesses in your systems which can be exploited by a threat actor.  

One of the problems with vulnerability management is that it relies on you knowing what you have exposed to the internet. It is easier than ever to create new internet-facing systems, so the likelihood that systems you don’t know about are exposed to the internet keeps increasing. This is where External Attack Surface Management (EASM) helps, by adding asset discovery, contextualization and prioritization to your established vulnerability management processes.

There are additional assets which are more difficult to track: code repositories in GitHub or GitLab, cloud accounts, SaaS applications. Exposure Management aims to bring all of this visibility under a single umbrella.
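The discovery-plus-prioritization step that EASM adds comes down to reconciling what the asset register says you own with what a discovery source can actually reach, then ranking the gaps. The script below is an added example for this article, not Intruder's product code. The inventory and the discovered hosts are constructed stand-ins for an asset register and a discovery feed (a cloud account listing, DNS enumeration or a scan), and the severity rules are an assumption chosen to reflect this article's point that exposed remote-access services are the usual foothold.

```python
"""Reconcile the assets you think you own with what discovery says is
internet-facing, and prioritise the gaps.

Added example for this article (not Intruder's product code). INVENTORY and
DISCOVERED are constructed stand-ins for an asset register and a discovery feed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    ports: frozenset  # ports believed open (register) or seen open (discovery)
    owner: str = "unknown"


# Assumed rule: an unexpectedly exposed remote-access service outranks any other
# unexpected port, because that is where initial-access brokers go first.
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str


def reconcile(inventory: list, discovered: list) -> list:
    """Compare register against discovery; return findings, most urgent first."""
    known = {a.host: a for a in inventory}
    seen = {a.host: a for a in discovered}
    findings = []
    for host, found in seen.items():
        if host not in known:
            # Reachable but never registered: the blind spot EASM exists to close.
            remote = sorted(REMOTE_ACCESS_PORTS[p] for p in found.ports
                            if p in REMOTE_ACCESS_PORTS)
            if remote:
                findings.append(Finding(host, "critical",
                    f"unknown asset exposing remote access ({', '.join(remote)})"))
            else:
                findings.append(Finding(host, "high",
                    f"unknown asset exposing ports {sorted(found.ports)}"))
            continue
        unexpected = found.ports - known[host].ports
        if not unexpected:
            continue  # register and reality agree
        if any(p in REMOTE_ACCESS_PORTS for p in unexpected):
            findings.append(Finding(host, "high",
                f"known asset now exposes remote access on {sorted(unexpected)}"))
        else:
            findings.append(Finding(host, "medium",
                f"known asset exposes unregistered ports {sorted(unexpected)}"))
    for host in known.keys() - seen.keys():
        # Registered but not found: the register itself may be stale.
        findings.append(Finding(host, "info", "registered asset not found by discovery"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host))


# Constructed sample data.
INVENTORY = [
    Asset("www.example.com", frozenset({80, 443}), "web-team"),
    Asset("vpn.example.com", frozenset({443}), "it-ops"),
    Asset("old.example.com", frozenset({443}), "it-ops"),
]
DISCOVERED = [
    Asset("www.example.com", frozenset({80, 443})),
    Asset("vpn.example.com", frozenset({443, 22})),    # SSH newly exposed
    Asset("test-db.example.com", frozenset({3306})),   # nobody registered this
    Asset("jump-old.example.com", frozenset({3389})),  # forgotten RDP host
]

if __name__ == "__main__":
    for f in reconcile(INVENTORY, DISCOVERED):
        print(f"[{f.severity}] {f.host}: {f.reason}")
```

Feeding the same reconciliation from several discovery sources (cloud accounts, DNS, repository hosting) is what turns an EASM view into the single umbrella described for Exposure Management.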

The idea of exposure management will gain traction in 2024. It’s a cliché now, but many security teams are still striving for that single pane of glass where they can see every problem that they're dealing with – from IP address vulnerability scanning and pen tests, to your GitHub status, SaaS posture, and cloud accounts.

There are a lot of facets to Exposure Management. It has grown out of vulnerability management, which was already a complex problem, and then from attack surface management, which expanded the scope of vulnerability management. We expect to see more vendor consolidation under a few key players. Current exposure management solutions are tailored towards larger enterprise customers and are unattainable for many SMBs.

6. SMBs will continue to be a target

We’re in the middle of a ransomware epidemic and while it remains profitable to carry out extortion attacks it will continue.

LockBit has been one of the most impactful ransomware organizations, and their attacks are relatively indiscriminate. They’ve recently been disrupted by an international law-enforcement operation, which has put a dent in their operations. However, in the past we’ve seen operators from different ransomware gangs be hired into other ransomware gangs/affiliate schemes or set up a new operation.  

When this has happened, they’ve taken their previous tactics, techniques and procedures and reused them under the new brand. If we take a look at who LockBit have successfully targeted we can see the trend.

Close to 65% of their targeting is of small and medium-sized businesses, because big business is spending billions of dollars a year on cybersecurity. Compromising a small organization is still likely to result in a payout, and the security controls in place are less robust: a small business is unlikely to be running a 24/7 SOC because it’s cost prohibitive, and many small organizations are focused on keeping their business alive at a time when global uncertainty and systemic risk are heightened; they’re less concerned about the potential risk of ransomware when they might not make payroll next quarter.

Since there are fewer security controls to contend with in smaller organizations, once LockBit and other threat actors have compromised them they can use any connections (technical or otherwise) to pivot into larger organizations. Ensuring that SMBs have the tooling and services available to mitigate the majority of their risk, at a price point and level of complexity that they can handle, is going to become increasingly important.

So where can you start?  

Getting the right tools in place, that are easy enough for you to use, and help you with attack surface discovery, vulnerability validation and exposure reduction will be critical in 2024. Intruder makes it easy to keep track of your attack surface by monitoring for network changes and synchronizing with your cloud accounts. Find vulnerabilities in your infrastructure, web apps, and APIs and stay ahead of emerging threats with Intruder's proactive threat protection.

Mastering cloud defense has never been more important given all the expected trends for 2024. Join us in our upcoming webinar for insights into protecting dynamic environments. Andy will be covering the top mistakes that unnecessarily expose cloud environments, common methods for asset discovery used by attackers and tips to protect your attack surface. Register here.  

| Release Date | Level of Ideal | Comments |
| --- | --- | --- |
| Before CVE details are published | 🥳 | Limited public information is available about the vulnerability. Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit. Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%. |
| Day of CVE publish | 😊 | Vulnerability information is publicly accessible. Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they were previously having to hunt for themselves, speeding up potential exploit creation. Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%. |
| First week since CVE publish | 😐 | Vulnerability information has been publicly available for up to 1 week. The likelihood that exploitation in the wild is happening is steadily increasing. Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%. |
| Between 1 week and 1 month since CVE publish | 🥺 | Vulnerability information has been publicly available for up to 1 month, and some very clever people have had time to craft an exploit. We’re starting to lose some of the benefit of rapid, automated vulnerability detection. Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%. |
| After 1 month since CVE publish | 😨 | Information has been publicly available for more than 31 days. Any detection released a month after the details are publicly available is decreasing in value for me. Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%. |

With this information in mind, I wanted to check the delay for both Tenable and Greenbone in releasing a detection for their scanners. The following section focuses on vulnerabilities which:

These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.

We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.

In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the day the CVE details are made public: Tenable have released checks for 247 CVEs and OpenVAS for 144 CVEs in that window. Then, since 2010, Tenable have released remote checks for 147 critical CVEs and OpenVAS for 79 critical CVEs on the same day as the vulnerability details were published. The number of vulnerabilities then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.

Figure 10: Absolute numbers of critical CVEs with a remote check release date from the date a CVE is published

While raw numbers are good, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.

Figure 11: Percentage chance of delay for critical vulnerabilities

So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.

I thought I’d go a step further and see whether I could identify any trend in each organisation’s release delay: are they getting better year on year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted it. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to checks released no more than 180 days before a CVE was published and no more than 31 days after. These seem to me like reasonable limits, as anything more than 6 months prior to the CVE details being released is potentially a quirk of the check details, and anything after a 1-month delay is less important for us.

What can we take away from Figure 12?

Figure 12: Release delay year-on-year (lower is better)

With the larger number of checks, and still being able to release a greater percentage of their remote checks for critical vulnerabilities on or before day 0, Tenable could win this category. However, with the delays from 2019 and 2020 going to OpenVAS, and the trend lines being so close, I am going to declare this one a tie.

The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.
