The emerging trends that security teams need to address [Q&A]
The world's critical national infrastructure remains on high alert. The National Cyber Security Centre in the UK and agencies in the US, Australia, Canada and New Zealand have all detailed how threat actors have been exploiting native tools and processes built into computer systems to gain persistent access and avoid detection.
We spoke to Chase Richardson, lead principal for cybersecurity and data privacy at Bridewell, to discuss the critical trends and emerging dangers that cyber teams need to keep watching for.
BN: As we move through 2024, what are the key cyber threats that organizations must continue to be aware of?
CR: US organizations face a changing array of cyber threats, with the emergence of new forms of attack and reinvention of more familiar techniques.
One of the greatest threats is from the growing professionalization within the cybercrime world, especially in relation to ransomware and its deployment against critical infrastructure. Off-the-shelf ransomware-as-a-service (RaaS) toolkits are available to criminals now, which, along with AI, reduce the skills requirements to write and execute an attack.
Nation-state-sponsored attacks are also continuing and are better resourced – which has not gone unnoticed in critical infrastructure sectors. Research by Bridewell found 81 percent of respondents were worried about cyber warfare.
The rapidly expanding IoT networks in critical infrastructure, manufacturing, logistics and healthcare also face significant threat levels. As IoT devices become more ingrained in these sectors, the importance of integrating them into an organization’s overall security framework is paramount.
Another major area of potential vulnerability is sustainable technology where new IT and OT (operational technology) systems for renewable energy facilities and smart grids open up potential risks. Bridewell research found a very high percentage of cybersecurity decision-makers (91 percent) expected this to be a significant new channel for attackers.
Supply chain attacks are now part of life in business and remain a serious threat. The emergence of 'double supply chain attacks' has increased the potential for harm. Finally, we have two contrasting threats. The first is the evolution of AI-driven malware that can adapt after each attack, using the lessons it has learned. And the second is the familiar one of insider threats. This is unlikely to diminish soon. Bridewell research found 77 percent of US organizations operating in critical infrastructure witnessed an increase in cybersecurity risk from insiders during 2022.
BN: As critical national infrastructure in the US remains on high alert, what are the biggest threats and what steps can critical infrastructure organizations take to protect themselves?
CR: Awareness of threats is half the battle. But in the critical infrastructure sector, awareness of the seriousness of RaaS developments is still low. In the US, Bridewell research found less than a quarter (23 percent) of organizations viewed ransomware as a primary risk to their IT.
The increased TSA (Transportation Security Administration) regulation should focus minds on improving airport protection. Airports have many technology partners and extensive OT systems, which increases the level of risk they face. Airport employees are potentially open to phishing as a result. The new rules (introduced a year ago) require segmentation so OT is not at risk from compromise of IT and vice versa.
Cyber agencies in the Five Eyes countries have also issued warnings about attackers exploiting native tools and processes built into systems to gain persistent access to critical infrastructure using ‘living off the land’ techniques. In February, US cyber and law enforcement agencies issued their own warning about China-sponsored Volt Typhoon using this technique, targeting IT systems in US critical infrastructure to enable lateral movement to OT.
OT assets need to be brought up to the same level of protection, with real-time monitoring and managed detection and response. As a starter, organizations should use penetration testing to find out where the gaps in their security are. They must accelerate implementation of accredited cybersecurity frameworks to embed best practice, consolidate their tools and conduct thorough due diligence and cybersecurity audits of suppliers and partners.
Continuous training for teams across IT and OT will improve all-round understanding of new technology deployments, their interdependencies, and their threats to security. Hybrid security operations center (SOC) models, which combine internal expertise with outsourced specialists, are also emerging as an effective solution at a time when cyber skills are scarce. This approach allows for a more robust and dynamic response to the evolving cyber threat landscape.
BN: With the upcoming US elections what action can businesses take to prevent any serious incursions into databases or networks during these events?
CR: Cyberattacks often correlate with general elections. Russia, North Korea, Iran and activist groups are likely to attempt disruptions aimed at undermining public confidence or gaining massive publicity. Attacks may be directed against election processes and preparations, or against the wider national infrastructure.
The threats are real. The National Intelligence Council reported limited disruption of 2020 US elections, with ransomware attacks in some states and attempts to breach governmental networks at state or county level.
We should remember that criminals solely interested in financial gain are also likely to regard the election as a time when gaps open in organizations’ defenses and attention is distracted by the focus on nation-state attackers.
Countering these threats demands deep defenses, access to comprehensive threat intelligence and fast response capabilities. Technology can only go so far. It provides fast alerting, but organizations need access to human expertise to analyze results and decide what is a serious threat and demands action to snuff out or significantly mitigate attacks. Relying on technology alone risks missing the indicators of more subtle attacks, or conversely, crippling the operation of processes through excessive reaction to false positives.
BN: AI is transforming how criminals organize and operate, how can legitimate organizations defend themselves?
CR: An AI arms race has begun, as cyber organizations and criminals compete to take advantage of the technology. Criminals will continue to exploit the latest AI-enabled tools to turbocharge the quantity and quality of their attacks. Automation will enable more complex and cunning methods, giving greater penetration to existing capabilities using unregulated tools.
AI is the threat on everyone's mind. It can use breached data to write more precisely targeted phishing emails, but it can also create polymorphic malware that teaches itself what works and mutates after every attack.
In cyber defense -- the other side of the arms race -- AI has huge capabilities in anomaly detection and mitigation, but we must not get carried away. It is a force-multiplier rather than a panacea, so organizations should be wary of AI-badged solutions making extravagant claims. What is most effective against AI-driven threats is the integration of human-driven detection and response processes, such as extended detection and response (XDR), with machine learning and AI. This enables organizations to get to the root cause of security vulnerabilities.
BN: What areas are contributing to the acceleration of the professionalization of cybercrime and how can organizations combat these threats?
CR: The growth of ransomware-as-a-service (RaaS) has enabled cybercrime gangs to scale up into criminal enterprises, developing departmental specialisms or partnerships with smaller groups with greater coding expertise.
The horizontal professionalization in the murky cyber world means ransomware gangs that can write software code are filling the skills gap for less able partners that may have other aptitudes. Specialism means the emergence of R&D departments and a thriving initial access broker ecosystem. These access broker groups compromise systems and networks and then sell on their unauthorized access to other criminals. These developments are hot-housed in countries where groups know they will not face extradition if detected. Bridewell investigations also constantly reveal that RaaS groups are very versatile and operate from servers in many different countries.
The RaaS model is sufficiently successful to attract groups from other areas of crime such as narcotics. Professionalization has also been aided by the growth of crypto-currencies and exchanges that the criminals use to process ransom payments in partnership with superficially legitimate organizations.
To protect themselves from these threats, organizations should consider implementation of more advanced SOCs so they have 24/7 capabilities to respond rapidly and with maximum effectiveness. Ready-made analytics and automated responses are unlikely to work against increasingly sophisticated and specialized threats that may be unfamiliar. Instead, proactive threat intelligence and threat-hunting have become essential in tandem with response preparation. The threats have changed and so must defensive preparations.