Trend Forecast for 2024

As is our custom, we would like to open by referring to the global cost of cybercrime expected for next year. Cybersecurity Ventures' estimate for 2024 is $9.5 trillion. Reasons for the rise in cost include the expansion of the attack surface, the constant evolution of ransomware, the increase of cryptocurrency-related scams and the emergence of further geopolitical tensions. Considering the breakdown of this record figure, we will spend this New Year's knowing that, each second, organizations worldwide are losing $302,000 to cybercriminals. Accordingly, the cybersecurity market will continue to grow. Gartner forecasts companies worldwide will spend a total of $215 billion in security and risk management in 2024. Of course, it helps to be aware of the current trends and prepare for the trends to come. In this blog post, we present our brief forecast for 2024.

We had mentioned as a 2023 trend the way that generative artificial intelligence (gen AI) is helping criminals create more convincing phishing messages. Well, this trend is expected to grow even stronger in 2024. It is very likely that the material used by cybercriminals, including voice and video, will appear more legit. What's more, gen AI "as a service" will probably rise. That is, there will be a market for gen AI tools in underground forums, so that criminals can buy their use to carry out their campaigns.

We're anticipating advanced persistent threats (APTs) to be at the center of cybercriminal activities next year. (If you're unfamiliar with the term, it denotes adversaries with lots of expertise and resources and who can therefore repeatedly and adaptively create opportunities to achieve their objectives over an extended period of time.) Kaspersky, who have documented APTs' interest in smart devices, predict that the criminals will leverage systems of home cameras and cars with vulnerabilities or misconfigured or outdated software to expand their malicious surveillance. As the firm has seen APTs' successful use of very silent exploit delivery methods it expects these adversaries to keep that practice: sending exploits through messaging apps which are activated without user interaction, sending links that trigger attacks upon being opened and hacking Wi-Fi networks. Apart from smart devices, threat actors may turn their attention to the exploitation of managed file transfer systems, since, as was evidenced with the consequences of the exploitation of MOVEit, the impacts would be compromising thousands of organizations.

We have referred to cyberwar as one 2023 trend. As conflicts around the world keep emerging, so will the activity of state-sponsored threats grow in cyberspace. This possibility should urge nations to strengthen their protection of critical infrastructure systems, as well as those of government and defense sectors. Moreover, the activity of hacktivists is expected to persist, which involves mostly distributed denial-of-service (DDoS) attacks, website defacement and unauthorized access to data.

Ransomware activities this end of year have declined a little, given the dismantling of the Ragnar Locker gang and the Qakbot botnet prior to that. Anyway, what's normal is that the individuals who had worked on dismantled gangs and botnets find their way back to the stage.

LockBit, who have been the most active actor for quite a while, and other gangs keep the threat of ransomware very much alive. A recent stunt by LockBit was to leverage a widely exploited vulnerability to bypass password requirements and multifactor authentication in The Boeing Distribution Inc.'s systems. After perceiving no ransom payment, the gang published 45 GB of Boeing’s data. It won't be a surprise, then, to see a continuation of the exploitation of zero-day vulnerabilities by ransomware gangs and affiliates to deliver their malware.

As gangs keep demanding costly ransom sums, it's predicted that the victims of their attacks will have lost around $265 billion annually by 2031, and every two seconds there will be a ransomware attack.

Regarding the use of artificial intelligence in the cybersecurity industry, we expect to see next year the continuation of the trend of using AI for the remediation of vulnerabilities in software products. That is, to help devs achieve faster fix times, security testing solutions will continue to offer AI-generated fixes.

As for promoting a more secure cyberspace that can still embrace AI, some regulations on its use are going to be in place in the following years. An example is the use of the Blueprint for an AI Bill of Rights framework to guide organizations' policies, practices and design to protect the American public. Basically, they should follow five principles, which we could summarize as follows:

We had talked last year about the coming of new rules by the U.S. Securities and Exchange Commission (SEC). On December 18, 2023, the SEC rules will start to take effect. In our words, they require publicly traded companies do the following:

We expect these new rules to shape how companies see cybersecurity and react to cyber incidents. As a matter of fact, some recent events already have shown what awaits those who fail to comply. We are talking about the SEC filing charges against SolarWinds and its chief information security officer, and the prior sentencing of Uber's chief security officer to three year's probation. Both cases underline the aversive effects of lying about the companies' state of cybersecurity.

Naturally, this state of affairs, capturing security leaders' legal liability in the aftermath of cybersecurity incidents, is and will keep creating a sense of urgency to disclose events and a higher level of compromise in cybersecurity. It has been advised that the C-suite and cybersecurity team work harder to speak the same language, i.e., be actively involved in complying with the SEC rules. Further, the cybersecurity team should have a deeper relationship with the legal team to work together in managing corporate risk, compliance and regulatory functions.

We had mentioned software supply chain security (SSCS) as a 2023 trend. This one is not going away any time soon, as supply chain attacks keep being successful and more costly than attacks of other kinds. No organization should turn a deaf ear to this threat. Gartner's prediction has been that by 2025 almost half of organizations worldwide will have suffered the consequences of such attacks.

2024 is the launch year of the U.S. Cyber Trust Mark program. It is the creation of the White House and the U.S. Federal Communications Commission (FCC) that will certify and label Internet-enabled devices as secure. This is an important step to help reduce the cybersecurity risks caused by Internet of things (IoT) devices, which are the ones targeted by this program and are estimated to be around 25 billion by the start of the new decade.

The program's guidelines include providing regular software updates, implementing strong and unique default passwords, protecting data and having incident detection capabilities. Seeing the earned digital label in a device would help consumer choice, ideally with them favoring those products that are safer and less vulnerable to attacks. It's noteworthy that big manufacturers and retailers will be supporting and committing to the program. They include, according to the White House, "Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung Electronics." This trend will hopefully protect consumers from suffering the consequences of the campaigns by APTs on smart devices, which we referred to above. We provide more information about this trend in a dedicated blog post.

You can see that it's going to be a risky business to go into 2024 without securing your software. At Fluid Attacks, we are aware of the trends to come and prepare for them, developing our own security testing software in accordance with them and growing our hacking team. We assess our clients' software continuously and contribute to their remediation of security issues both through AI-generated guides and our hackers' advice. Don't put it off any longer: Start a free trial of our automated security testing now. Upgrade at any time of the trial to include pentesting by our ethical hackers.