Forbes: Three Emerging Cybersecurity Trends to Follow

May 14, 2024
Today, a perfect storm of attacker evolution, federal regulation and AI is brewing. Businesses should focus on these three disruptors to best prepare themselves and embrace the future.

The rise of “Ransom Anywhere”

A decade ago, ransomware attacks were relatively simple to thwart. As long as the ransomed data had been backed up, it was generally enough to get an impacted system operational with a simple rebuild and restore of the backed-up data. But last year, increasingly sophisticated ransomware attacks collected a record $1.1 billion.

In the never-ending pursuit of ROI, attacker tactics have evolved to spur the creation of a new term: extortionware. Before encrypting the victim’s data and posting a ransom note, the attacker will now first exfiltrate sensitive data over a period of time. If the victim doesn’t pay the ransom, the attacker—armed with the company’s sensitive data—will attempt to extort the victim for payment in exchange for not publicly releasing the data.

This approach gives an attacker additional leverage and opportunities to monetize the stolen information. By the end of 2023, extortionware attacks pivoted yet again to include the individual data owners in a compromised dataset. That is, attackers are now reaching out directly to individuals whose data is part of a data breach to request a nominal payment in exchange for redacting their data from public disclosure. Would you be willing to pay $50 to keep your medical record private? Ransomware was once something that happened only to corporations, and now, it’s getting personal.

The “good old days” of thwarting ransomware by rebuilding and restoring from backup systems are over. As attackers continue to innovate, organizations need to realize that data is leveraged for money at both business and individual levels. Expect to see “ransom-anywhere” attacks on organizations and individuals continue to thrive.

The gamification of regulation

Federal regulators have proposed and implemented regulations aimed at elevating organizational maturity in managing cyber risk. Notably, the SEC rule, Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure, has been widely discussed because of its requirement for all public companies to report material cybersecurity incidents to the SEC within four business days. Additionally, the definition of “material” is noticeably ambiguous. Taken together, the likely result is an inconsistent interpretation of materiality and ultimately gamification of this new rule by both corporations and attackers.

To illustrate, attackers found a way to turn this regulation to their benefit almost immediately. At the end of 2023, a threat actor reported one of their breached victims to the SEC for failing to self-report the incident after the company refused to pay their ransom. The new rules that organizations must adhere to are now providing new tactics for the very threat they’re trying to address. Because threat actors don’t play by the rules, defined rules need to ensure they don’t give the attacker any additional leverage.

The absence of a clear-cut definition of materiality may lead to “strategic” corporate compliance—possibly due to outright negligence, technical incompetence or plausible deniability. We could see a future legal precedent shape the definition of what constitutes a material cyber breach that, in turn, will shape future regulation or perhaps even legislation.

But we shouldn't look to cyber regulation as a source of innovation; rather, it sets a mandatory baseline of obligations. We can expect the current regulatory environment to undergo revisions to address the newfound challenges of early gamification, since regulatory cyber obligations are still in a nascent stage.

The intersection of artificial intelligence and information warfare

Think of AI as a curated librarian that excels at connecting data points in a large dataset, providing specific answers to complex questions at a scale and speed not easily replicated by humans. But like humans, AI is fallible. As with most technologies, it’s a double-edged sword with defenders and attackers using AI to advance the never-ending game of cyber chess.

AI eliminates language barriers and other human errors that were once giveaways of social engineering attempts. Phishing, one of the original (and still relevant) attack vectors, has undergone a renaissance with AI. Instead of spam messages loaded with grammatical mistakes, AI-generated content has quickly become sophisticated and convincing. This extends beyond email-based phishing to any digital communication method, including phone, text and even video calls that can deepfake your boss.

With the backdrop of an election year in the U.S., global kinetic conflicts and AI’s near-limitless potential, the stage is set for complex information warfare beyond traditional cyber indicators. Imagine how AI, as a curated librarian, could facilitate and manage long-term, complex and personalized campaigns against individuals or corporations. The management of information to gain a competitive advantage isn’t new—it’s arguably as old as human communication. But the biggest challenge is that the mind isn’t something that can be patched. You can’t reboot and push an emergency update to human psychology.

Ransomware is getting personal. Attackers are using well-intentioned regulation for their own benefit, and AI is leveling everyone up. Traditional cyber indicators that once served as reliable guideposts are no longer effective alone, and what we might have imagined the future state of the cyber landscape to be is already here. Tracking and understanding these trends is the first step to evolving effective strategies for cybersecurity before a business response is mandated—whether by regulation or a cyber incident.