Our next presenter is John Tolbert, Lead Analyst and Managing Director at KuppingerCole US. Among other topics, he covers endpoint malware protection, managed security services, and AI and ML security. Before he was at Boeing, he was a VP with Queralt, where he helped clients with strong authentication. Presentation today is Cyber Threats Amplified, AI-Driven Attacks and Emerging Trends. Please come to the stage. Thank you. Thank you.
So, over the last year or so, we have been running some surveys online, LinkedIn, in our webinars. So, what we're going to do this afternoon is sort of give you the highlights of some of those survey results.
So, a little disclaimer beforehand. A hundred percent of these statistics are ours.
And again, these came from, like, LinkedIn and our webinars. Over a thousand responses were evaluated in kind of the standard safe harbor statement.
You know, these are subject to change. We will continue to do surveys and update you at the next event.
So, Berthold previewed some of these yesterday morning, but I thought it would be good to dive into it, maybe in a little bit more detail, or reiterate some of this. Some of the cyber attack trends that we've seen are what companies are actually reporting in terms of the number of cyber attacks that they've had. You can see, you know, almost half have had between 1 and 50. And these are ones that they know about.
You know, it's entirely likely that there could have been many more attacks that they didn't know about, you know, if they didn't have sufficient monitoring. But maybe what's even scarier than that is the fact that that means more than 50% have had enormous numbers of attacks.
I mean, if you look at the very top there, it may be hard to read, but this is more than 250,000 attacks, 6% have reported that. And again, you know, that seems like a lot. It is a lot. But if you think about large organizations with, you know, huge cloud estates and whatnot, it's pretty easy to imagine that there are lots and lots of attacks going on all the time. How do we deal with that? What's our recommendation?
Well, you know, you've got to have a really good full cybersecurity portfolio. And that means that whole acronym soup of different kinds of tools that are out there.
You know, we've been talking about MFA for years. We always strongly recommend using multi-factor authentication. There are other newer tools out there like attack surface management. I'll talk about that more in a minute. But that's definitely something that can be helpful in knowing when these things are going on and then also helping you to prevent them by knowing where your vulnerabilities are and how to remediate them.
ITDR, Identity Threat Detection and Response, we've talked a little bit about that this week. I think people now realize that identity is a prime vector for attacks. There are many attacks and breaches that have happened where malware wasn't even used.
You know, if a bad actor finds credentials, goes out on the dark web, gets credentials, gets into your assets, then, you know, there may be no malware for them to find. They don't have to use it. That's not to say it's still not important to have things like endpoint protection, network detection and response, and then also XDR, which we'll be talking about tomorrow.
So, yeah, definitely a need for the different forms of detection and response. And then as Mike talked about, cloud security.
These are, you know, a whole, again, alphabet soup of different kinds of specialized tools for helping to deter these kinds of attacks. Our prediction, probably not a surprise, they're going to continue. They may actually get worse. If you look at the geopolitical situation around the world, as we often like to say, there are multiple wars going on. So state-sponsored attacks are likely to increase in the next year or two. Ransomware has been around for a while. We've been worried about it for, you know, nearly a decade now, and with good reason.
You know, it has been happening more prevalently. We heard in other sessions today the amount of the average ransom has gone up, the amount that it takes to clean up after an event like that goes up.
So, yeah, it's only right that CISOs and security professionals list this as one of their top concerns. We also see things here like attacks against critical infrastructure, insider attacks, you know, critical infrastructure attack. If you're running critical infrastructure, of course, you're worried about it.
But, I mean, we're all depending on electricity and water. So it's something that all of us are in one way or another concerned about. Insider attacks, software supply chain attacks. Software supply chain attacks have been going on for quite a while as well.
But, you know, in the last couple of years, there have been some pretty frightening news stories about major suppliers and how they were used as a vector to get into many, many, many of their downstream customers. So we see increasing emphasis amongst cybersecurity professionals, you know, trying to prevent these kinds of things. What are we concerned about after an attack?
Well, reputation damage was the number one listed response here. And I think that's very, very valid.
You know, a particularly egregious cyber attack can lead to a loss of customers, a loss of revenue. It's something you want to prevent really at all costs if possible. Intellectual property theft. You can see that this has jumped up 10% in the last year in how people responded to the survey. People realize there's a huge risk of intellectual property theft.
I mean, there have been cases, you know, let's say a decade ago there was a major attack against a cybersecurity vendor where the purpose of that attack was to get the keys to the kingdom so that they can then get into very key customers' intellectual property. And that has only continued to increase. So loss of IP is a definite concern. Financial loss, of course, that makes sense.
Like I said, you know, I think I heard earlier today another statistic around $2.7 million for the average cleanup, not counting what it costs if you happen to pay the ransom, which, of course, we always recommend not to do that. And then, you know, having a major IT outage or a data leak. Data leaks themselves are quite dangerous.
You know, we have many privacy regulations around the world, and simply losing control of the data, having that wind up in a published form could lead to rather substantial fines, as we all know. Identity security, drilling down into that a little bit.
I mean, phishing attacks, we've been talking about that for quite a long time. I mean, we all probably take regular online training courses about how to identify phishing. But now email is not the only vector. There's smishing, getting an SMS text. There's vishing, getting a voice call.
I mean, we've probably heard those ourselves, you know, trying to pretend that they're from maybe a major IT supplier and we need your username and password or, you know, get a call from somebody purporting to be your bank. So, yeah, there are lots and lots of social engineering kinds of attacks that are going on. Identity spoofing and PBAC exploits, those are out there, too. But I wanted to focus just for a second on session hijacking.
Of course, we have known that compromised credentials find their way onto the dark web. But now, you know, with so many corporate assets being tied up in the cloud, whether it be SaaS or an infrastructure as a service, simply a bad actor getting a hold of a valid token is a way in. And now these long-lived tokens are being traded on the dark web.
So, you know, I think it's worthwhile to go out and look at, you know, what's the time to live on these session tokens because if the bad actors can get a hold of that, then they can do replay attacks and get in and steal your data directly from the cloud that way, too. Identity security, passwordless. We've talked about MFA already.
We see, you know, what identity security technologies are the respondents looking at adopting over the next three years. Well, not surprising, you know, passwordless authentication is way up there because we have been talking about the dangers of passwords for a long, long time. And I think we all would like to get to a passwordless situation. We also have cloud infrastructure entitlement management, again, to deal with the complexities and the differences between on-premises infrastructure and the cloud. Zero trust seems to be slipping a little bit. Maybe people have implemented it.
Maybe these initiatives have been stalled somewhat but not as important as, let's say, three to five years ago. Then we have decentralized identity and SASE. Even though SASE shows up as zero, I think there are probably quite a few SASE projects going on out there because it's sort of the union of zero trust plus networking.
So, really, who doesn't need that? MFA, the most popular methods. You'll see 71% say they're using MFA but with password backups.
You know, this is far from ideal because a lot of downgrade attacks that we've heard about in the last year or two are forcing the downgrade from MFA so that you can rely on that bad password. Well, if the bad passwords have been exposed, then having MFA on top really doesn't do you any good. So that's why, you know, having pure passwordless authentication, I think, should be our goal. Unfortunately, nobody wants username passwords as indicated here.
But, you know, you've got to find the right balance. So the recommendation here is you don't want to overly encumber the users with endless authentication events because that sounds like something else that we've learned about today too with, you know, MFA fatigue where somebody tries to do a SIM swap, a bad guy that is, a bad actor tries to do a SIM swap and add their device to your account. Maybe they've gotten your password. So then they, you know, endlessly send out MFA push notifications to try to get you to say yes to it.
And, unfortunately, that happens more often than it should that a user relents and they wind up adding that account to, you know, a compromised device. So more about MFA.
You know, it really is the way we need to go for the future. We should prioritize it for, you know, sensitive accounts. As Mike was saying earlier, you know, that would have prevented a couple of the noteworthy breaches. Zero trust, it may not be as popular as it once was, but something that, you know, if your initiatives have not completed, please keep that on target. And then encryption, not surprising it's a little less popular on the chart because, you know, encryption is hard.
Well, not doing the encryption, but if you think about the compatibility, how many different places data winds up, and how do you, you know, apply encryption via policy, that's still something that's really difficult to get right across an entire enterprise. So budget, I think everybody's always interested in, you know, how is the budget looking.
You know, this is looking over the last year and forward into 2025, and what people are reporting is largely the budgets are staying about the same, which if you have sufficient budget, I guess that's a good thing. But if you don't, then I'm sure you wish you could find a way to make it grow. There have been, you know, at the slight growth level, it seems to have actually increased a bit. If you need help justifying budgets, then I think things like maturity assessments, benchmarking against your peers in industry, they may be ways to get the attention of stakeholders.
Of course, unfortunately, if you have a cyber attack that's successful, you usually wind up with more budget the next year too. So what are the challenges?
Hey, budget, like we were just saying, it can be hard to get as much as you think you need. We recommend the alphabet soup.
But, you know, you really need to prioritize which of those different kinds of systems are right for you and where can you consolidate. You know, using something like MSSP or managed detection and response, which Warwick talked about this morning, that can be a way to sort of optimize your coverage without necessarily increasing your spend so much. There's the skill shortage and stakeholder management, siloed organizations.
You know, I've seen this in a number of cases where you have, let's say, a large conglomerate. They're doing a lot of M&A or merger and acquisition activity. They wind up with a whole bunch of different little fiefdoms that have different security products, different policies. It can be hard to unify those in a very large organization. And that in itself can become a real liability because any one of those, you know, the weakest link could allow an entire organization, a conglomerate, to be brought down.
I think most interestingly, though, is people, only 8% said, you know, we've got too many tools. I think there's a willingness on the part of most organizations to operate the kinds of tools that they need to stay safe. Investment priorities. What are companies and organizations saying they're going to do?
Well, IAM remains a pretty high priority, about 40% over the last couple of years. And, again, that's a good thing because identity is a primary vector. How many cyber attacks, how many data breaches have come about just because of lost or stolen credentials? We see threat detection and response.
I think, you know, 2023, 2024 was kind of the year of the blank DR kinds of products, the EPDR, the XDR, the NDR. And, you know, that's a good thing.
I mean, we need visibility at all those different levels. Simply having something like EPDR is not necessarily sufficient.
I mean, a sophisticated attacker can get in and wipe the logs off of the machines that they've been compromising. But, you know, if you have that network layer view, then you can still see signs of an attack. So I think, you know, organizations are now realizing, hey, we've got to do more than just have endpoint security and firewalls and things like that. And they're really filling out the rest of their cybersecurity portfolio. Lastly here on this slide, we see a pretty big jump on cloud security.
And that's definitely a good thing, too, because, you know, you can't really use on-prem tools to secure the cloud. There are some fundamental differences in the way they operate. That's why, you know, we do have so many different cloud security posture management, CNAPP, CASB, and a wide range of tools like that that are built for securing cloud applications. AI and machine learning, not a real surprise here. Customers are starting to look for it.
You know, a good chunk there, 43%, say that they're doing some sort of evaluation or POC involving tools that have some sort of AI components. You know, 28%, I think it says, are yes.
And, you know, less than a third are no. I think the key takeaway here, and we've been talking about it, you know, all this week, is AI is important.
I mean, it has a role. Machine learning has been important in things like endpoint detection for more than a decade.
I mean, with hundreds of thousands of variants of malware being created every day, there's no way a team of human analysts can cover all of that. So, you know, we have to use machine learning. Gen AI can be useful, but, again, it's text prediction. It's like text prediction on your phone when you're texting or autocorrect.
I mean, it's not perfect. So, I mean, we have to be cognizant of its limitations and how it can help. Deep fakes, I think we've heard about that a little bit today, too.
I mean, the story of the CFO impersonation, Hong Kong, $25 million loss. I mean, this is real.
You know, we've been talking about this for a number of years. Now it's actually happening.
So, you know, what do you do to prevent that? You know, you can do some user awareness training about how to recognize what might be a fake video of your CEO calling you and ordering you to transfer money.
But, you know, we may be going backwards to things like establishing code words and saying call out of band, you know, to get verification for certain kinds of actions. I think, you know, the future is the past, maybe, in trying to deal with deep fakes.
Lastly, I mentioned attack surface management. I think this is a pretty neat tool set.
You know, you can, if you want to engage with an ASM vendor, it can be as simple as plugging in your domain name, and they'll go out and look up all the variations of that and then come back with a report about what assets you have, what patches you have, where the vulnerabilities are. Then you go in and sort of give it some business context. And when it tells you, hey, you've got 1,000 vulnerabilities exposed on the web, at least it'll tell you, you know, these are the ones that you should look at remediating first.
So ASM has been around for just a couple of years, but we see a pretty big uptake, as indicated here, in this kind of technology. And it's definitely something we would recommend as part of a modern cybersecurity architecture. And I'm almost out of time, so if you have any questions, feel free to see me later. I'm around tomorrow, or feel free to e-mail me.
Thank you, John, for these insights, and I couldn't agree more with regard to the risk-based approach due to limited resourcing.