“Taking the chess pieces off the board” - how the 2024 threat landscape could be markedly different to anything we've seen before

 Fortinet Convergence 2023.
Fortinet Convergence 2023.

Security firm Fortinet has unveiled its threat predictions and perspectives on how the threat landscape has evolved over the past 12 months, and how it will continue to evolve into 2024.

Speaking at the company's recent Fortinet Convergence23 event in Monaco, Derek Manky, VP Global Threat Intelligence, gave his insights into how its strategy was changing, and how companies can best deal with emerging threats.

According to Manky, it’s all about, “taking the chess pieces off the board from the cybercriminals."

Reflecting on years gone by

As have been mentioned in multiple previous reports, as cyber criminals have become more organized they have developed more sophisticated organizational structures, with many of the largest criminal enterprises now having dedicated sections for areas such as recruitment, penetration testing and money laundering.

This rapid growth in organization and group complexity has led to some cybercriminal enterprises teaming up with nation states to plan and carry out attacks. This collaboration has not only provided an additional source of funding, but has also allowed cybercriminals to engage in more rigorous planning and reconnaissance in their attacks.

In 2023, advanced persistent threat activity saw a 30% rise as cyber groups expanded and developed their tactics, techniques and procedures (TTP). As a result of this, Manky pointed out that we can expect a further increase in APT activity with attacks crossing the cyber-physical barrier particularly when it comes to critical infrastructure such as healthcare and oil and gas.

digital key
digital key

Ransomware as a service (RaaS) - a more modern approach to ransomware attacks where the infrastructure needed to launch a ransomware attack is provided by a third party - has seen and will continue to see increased usage by cybercriminals. Manky also noted that cybercriminals are competing for targets, and that some organizations are facing multiple intrusions and ransoms from different groups within a matter of days. This is due to access being sold online by RAAS brokers.

As RAAS expands and greater profits are made, there are increasingly complex methods of money laundering being used by cybercriminals. Last year, Fortinet correctly predicted the increased usage of cryptomixers and cryptotumblers as a means to launder finances gained from ransomware attacks. However, through 2023 many crypto exchanges were targeted by law enforcement across the globe, with the most notable being ‘Bitzlato’, which was formerly used by groups such as KillNet.

As a result of the increased attention paid to crypto exchanges, groups have moved towards more traditional methods of washing their funds. However, as more inventive techniques are developed, Manky states that there are indications of an increase in crypto exchanges and laundering methods, and greater recruitment campaigns searching for launderers and cryptomules.

Through 2023, there were some indications that cybercriminals were employing AI as a mask to bypass detection and also used AI to generate messages used in phishing campaigns. AI is also predicted to have significant increases in its employment by cybercriminals, with a particular focus on phishing.

‘Generative profiling’, as Manky put it, is expected to become an essential part of the planning phase as part of spearphishing campaigns targeting c-suite and executive level ‘whales’. Criminals could use deep-fake technologies to generate audio snippets of a CEOs voice to, for example, ask a colleague to make a payment transfer through an email ‘they’ just sent.

Future insights

Manky also provided some insight into more unique and innovative trends that could emerge in 2024, such as the potential playbook development that could be expected. Manky noted that traditionally, cybercriminals often stick with what works and take the path of least resistance, but as techniques and organization improves, cybercriminals are putting in the man hours to develop extensive attack playbooks and increasing their aggression.

As mentioned before, ransomware attacks targeting critical infrastructure are becoming far more common as it presents a tangible and immediate risk to its customers. If the ransom is not paid, then there can be significant costs involved due to the unavailability of a service especially when it comes to healthcare and energy.

The Internet of Things (IoT) is also posing an increasing risk to businesses due to the sheer number of devices being manufactured and released without adequate security measures. As a result, cybercriminals can find an IoT device with local network access, infect it as part of a C2 botnet before blueprinting the network and looking for vulnerabilities to infect.

This could result in the emergence of IoT brokers selling access to secure networks through zero-day exploits, eventually diluting the value of zero-days and extending the shelf life and value of n-day exploits.

Furthermore, as a result of the increasing security regulations that companies need to comply with cybercriminals are increasingly turning to insider threats as a means of access. As a result of greater funding being allocated to left of field activities, cybercriminals are putting more time and effort into reconnaissance to recruit insiders. Manky noted that there is the potential for cyber groups to start offering recruitment as a service.

There is a significant number of high profile events and elections in 2024 that are almost guaranteed to suffer some form of cyber attack, most notably the US elections and the Paris Olympics. Due to the increasing size and profile of such events, providing comprehensive security is an increasingly challenging task, allowing threat actors to penetrate such events especially in the context of the 2018 Olympic destroyer attack. There is also the potential for external influence with the growing development of disinformation, misinformation and malinformation.

Combating new techniques before they emerge

In the ever-changing threat landscape, what can be done to combat the increasing competencies and complexities of cyber criminals?

Fortinet is collaborating with the MITRE Engenuity Center for Threat-Informed Defense alongside a number of security providers as part of the Attack Flow project. This project aims to ‘map’ the processes used by cybercriminals to establish a number of TTP frameworks, providing visibility on vulnerabilities and ‘choke points’ within the techniques used by threat actors.

According to Manky, this will provide security professionals with the ability to summit the pyramid of pain, hit cybercriminals where it really hurts, and map procedures involved. This will essentially remove the trusted TTPs from the game board, forcing cybercriminals to spend more time and money investing in new means of attack and less time successfully exploiting their targets.

More from TechRadar Pro