Top 5 Cybersecurity and Cybercrime Predictions for 2024
ImmuniWeb presents its top five predictions on cybersecurity, cyber law and cybercrime prosecution that we expect to trend next year after a turbulent and eventful 2023.
Generative AI Disillusionment
It is undisputed that recent advances in LLM-powered generative AI can considerably accelerate and otherwise improve many simple tasks in diverse fields, including programming and cybersecurity, ranging from drafting a patch for source code or a secure configuration for a cloud instance to generating a payload that bypasses a web application firewall (WAF) much as a human would. Most of the pompously advertised claims about AI capabilities are, however, exaggerated, to put it mildly.
Severe regulation of AI vendors, pioneered by the landmark EU AI Act, a mushrooming number of lawsuits against AI vendors for copyright infringement and other interrelated claims, and the growing shortage of high-quality, trustworthy and up-to-date training data are just a few of the formidable obstacles in the way of economically sustainable generative AI. Those AI vendors that manage to solve some of the foregoing problems will almost inevitably face prohibitive development and maintenance costs for their AI products, which will ultimately make human labor cheaper than their overhyped AI solutions. Even if operational costs are optimized enough to allow profitability, the price of so-called hallucinations and other AI errors may swiftly wipe out all previously earned profits. Thus, the economic viability of generative AI is questionable in many areas of application.
Having said that, various forms of AI, including generative AI, are poised to progressively penetrate numerous modern cybersecurity and secure software development processes, bringing modest but clearly measurable performance improvements and relief for human experts, who will finally have more time for complex tasks that truly deserve their ingenuity and intelligence. In sum, AI will certainly help, but don’t expect any magic.
No AI Revolution in Cybercrime
Despite the many sensationalistic reports produced earlier this year projecting a looming surge of cybercrime due to the novel capabilities of generative AI, we are unlikely to see a tectonic change there next year or even in 2025. Modern cybercrime is a mature, highly profitable and well-organized industry. Therefore, AI disruption will have little impact on it, with some exceptions discussed below.
Prior to the generative AI hype, heralded by the launch of ChatGPT in November 2022, sophisticated cybercrime groups and nation-backed cyber mercenaries already had the requisite skills and knowledge to rapidly launch creative, novel and almost undetectable cyber-attacks. Moreover, for a few years already, some of the most advanced hacking groups have been successfully using machine learning and AI for various purposes, such as classifying and extracting the most valuable information from gigabytes of stolen data, or predicting and profiling the victims most likely to quietly pay a ransom. Thus, the most recent developments in generative AI are unlikely to impress seasoned cyber gangs, let alone provoke a spike in cybercrime. That being said, in some narrow categories of cyber-attacks, such as voice and video impersonation, generative AI will bring considerable and previously unavailable opportunities. Some current biometric authentication mechanisms should therefore be entirely revised and enhanced to prevent misuse.
As for less sophisticated cybercriminals and newbies, with AI-powered chatbots they can indeed generate primitive malware or create a convincing phishing email in less than a minute. Those capabilities are, however, not enough without the advanced skills and infrastructure required for hacking operations: you need to host your phishing website in an abuse-proof environment, you need to purchase a phishing domain without triggering an alert from domain-squatting monitoring companies, you need to exfiltrate data from your victim’s network without being detected by their modern XDR and SOC team, and you finally need to launder your bitcoins or other cryptocurrency while avoiding detection and seizure by law enforcement agencies. In sum, next year we may even see more arrests of inexperienced and wannabe hackers who inadvertently expose themselves in imprudent hacking campaigns, erroneously inspired by the promise of one-click AI-powered hacking.
Prosecution of Cybersecurity Professionals
The notorious legal cases implicating the Chief Information Security Officers (CISOs) of Uber and SolarWinds in their personal capacities are merely the tip of a looming iceberg of legal ramifications that information security professionals may increasingly face during the next decade. Next year, we expect significantly more criminal prosecutions and civil lawsuits, hitting not just C-level cybersecurity executives but also mid-level cybersecurity employees, for data breaches and serious privacy incidents impacting their employers.
Simultaneously, the rapidly evolving regulatory landscape in data protection, illustrated by the recent SEC cybersecurity disclosure rules and the EU NIS 2 Directive, makes it clear that lawmakers are willing to hold Board members and executives personally liable for poor cybersecurity governance and practices at their organizations. We believe that a few years from now, Boards will reluctantly accept the new normal, recognizing their accountability for supervising data protection and privacy management at their companies, as they already do for fraud detection and proper accounting practices. Personal cybersecurity insurance will become a default standard for Board members and senior executives; however, insurance will not shield them from criminal prosecution and may also carry broad coverage exclusions and limits, so it is no panacea.
Sanctions may range from suspended and actual prison sentences to hefty monetary fines and prohibitions on occupying managerial positions for a certain period of time. Regrettably, corporate cybersecurity insurance policies are unlikely to cover legal actions targeting employees of the insured organizations, leaving those employees alone amid mounting legal risks and with little support from their employers.
Decreasing Sophistication of Attacks
At first sight it may seem counterintuitive, but we do believe that, on average, cyber-attacks will become technically less sophisticated in 2024. First, while many organizations and governmental agencies progressively migrate to multicloud environments, increasingly relying on infrastructure-as-code (IaC), few have the requisite security skills and sufficient experience to properly harden their cloud-powered infrastructure. As a result, comparatively simple cloud hacking techniques will allow stealing gigabytes of ultra-sensitive data without recourse to expensive 0-day attacks or laborious advanced persistent threat (APT) campaigns. Having said this, professional cyber mercenaries backed by nation states will likely continue developing or acquiring 0-day vulnerabilities, driving their prices higher.
Second, the grim post-pandemic legacy of shadow IT, with the vast majority of organizations still lacking a complete or up-to-date inventory of the portable devices their employees kept during the few years of working from home (WFH), leaves the door to corporate networks wide open. At ImmuniWeb, our Dark Web monitoring service detects many compromised and backdoored personal machines for sale on hacking forums for just a few dozen dollars, while containing still-working privileged credentials for various corporate accounts on business-critical systems, client SSL certificates for corporate VPN authentication, and access to Git repositories whose source code contains hardcoded API keys and other secrets, to name just a few. Pragmatic cybercriminals will now first try to compromise their victims by exploring and exploiting their shadow IT, and only then deploy the heavy and costly artillery of cyberwarfare. IT vendors, accountants, lawyers and consulting companies will probably be the favorite targets of hackers next year.
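The paragraph above lists what such compromised machines typically hand over: working credentials, VPN client keys and repositories with hardcoded API keys. As an added example, not code from ImmuniWeb or from this article, the Python script below implements the kind of pre-commit secret scan that keeps those artifacts out of a repository in the first place. The file names, their contents and the key-shaped strings are constructed for the demonstration; the AWS access key ID shape is the publicly documented one, while the other two patterns are generic heuristics written here, not any vendor's official rule set.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Detection patterns. The AWS access key ID shape (AKIA/ASIA + 16 uppercase
# alphanumerics) follows AWS's public documentation; the other two are generic
# heuristics written for this example, not any vendor's official rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
    # an identifier containing a secret-like word, then "=" or ":", then a value
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)[A-Za-z0-9_]*"
        r"\s*[:=]\s*['\"]?([^'\"\s]+)"
    ),
}

# Substrings that mark a value as a template or documentation, not a real secret.
PLACEHOLDER_MARKERS = ("${", "<", "changeme", "example", "your_")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    value: str
    entropy: float


def shannon_entropy(value: str) -> float:
    """Bits per character; random tokens score high, dictionary words low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents line by line and return every finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # the credential pattern captures only the value; the others match whole
            value = match.group(1) if pattern.groups else match.group(0)
            if kind == "hardcoded_credential" and looks_like_placeholder(value):
                continue
            findings.append(Finding(path, line_no, kind, value, shannon_entropy(value)))
    return findings


def scan_repo(files: dict) -> list:
    """files maps a repository path to its text content (e.g. from `git ls-files`)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository content for the demonstration (not real data).
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_PASSWORD = "hunter2"\n'
        'API_KEY = "${API_KEY}"\n'
        'SECRET_KEY = "k9Xv2mQ8pL4rT7wZ1nB3"\n'
    ),
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n",
    "certs/vpn-client.key": (
        "-----BEGIN PRIVATE KEY-----\n"
        "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7\n"
        "-----END PRIVATE KEY-----\n"
    ),
    "scripts/connect-vpn.sh": (
        "#!/bin/sh\n"
        "export VPN_PASSWORD='Corp-VPN-2023!'\n"
        "openvpn --config client.ovpn\n"
    ),
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.kind}] entropy={f.entropy:.2f} {f.value}")
```

Placeholders such as `${API_KEY}` are skipped so that template files do not drown real findings. Entropy is reported rather than used as a hard filter: a weak, human-chosen password like the one in `config/settings.py` scores low, yet it is exactly the kind of still-working credential that ends up in the logs sold on hacking forums.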
Finally, as evidenced by the multiple notorious third-party data breaches that happened in 2023, external suppliers and vendors are oftentimes the low-hanging fruit for result-oriented cybercriminals. They hold exactly the same data as their over-protected VIP customers while having insufficient cybersecurity capabilities, and even weaker intrusion detection capabilities due to budget constraints, eventually making the “perfect cybercrime” possible. Consequently, both the number and the success rate of intrusions via shadow IT and supply-chain attacks will likely balloon in 2024, while their average technical sophistication will remain lower than in previous years.
Boom of Ransomware and Hacktivism
Good old ransomware may well attain the status of a global cyber pandemic in 2024. The underlying infrastructure, spanning from exploits and data-encryption malware to cryptocurrency laundering services, is becoming readily available as a service on a pay-as-you-go basis. After compromising a website and getting a victim to click on the malicious page, even beginners can start receiving payments in bitcoin if they are lucky enough. Of note, no AI is required here, as elaborated above.
Worse, amid unfolding geopolitical tensions and global uncertainty, law enforcement agencies and prosecutorial authorities can no longer efficiently collaborate in complex cross-border investigations of organized cybercrime. Ultimately, cyber gangs calmly operate with impunity from non-extraditable jurisdictions, enjoying a steadily growing income paid by desperate victims. Given that, from an economic viewpoint, ransomware is a scalable and highly profitable business, we will likely see its hydra-like proliferation around the globe next year. Extortion tactics are likewise poised to become more nefarious and lucrative, for instance by demanding ransom from both the breached company and the individuals whose data was stolen, or by threatening to report the data breach to authorities in case of non-payment.
In addition to ransomware, next year we should expect massive and unpredictable attacks by politically motivated hacktivists on innocent companies and organizations from specific countries or regions. Those attacks will likely be highly destructive, aiming to paralyze the operations of businesses that have little to no connection with the political processes of their countries of incorporation. Worse, the cyber infrastructure of hospitals, schools and even critical national infrastructure (CNI), such as water supply facilities, may suffer long-lasting and irreparable damage.
Dr. Ilia Kolochenko, CEO & Chief Architect at ImmuniWeb, comments: “Cybersecurity and incident response are becoming deeply intertwined with cyber law. In 2024, organizations of all sizes should consider enhancing their cybersecurity strategies, policies and procedures with input from law firms specializing in, or having solid experience with, cybersecurity law.
Currently, we observe cybersecurity professionals and in-house lawyers being separated by a stonewall of misunderstanding and mutual hostility. Collaboration is essential to ensure that data breaches and security incidents are properly handled, minimizing reputational damage and financial losses from both litigation and monetary fines, as well as protecting cybersecurity executives and managers from personal liability. Next year, ImmuniWeb will offer a dedicated product to support businesses and organizations with their cyber law needs, reducing their legal risk exposure.”