Cyberthreat predictions for 2024 from Barracuda’s security frontline

Predicting the future is difficult, but you can anticipate what is likely to happen by looking at how things have evolved over the past year. This year again, Barracuda asked colleagues who work on the security frontline, from XDR and offensive security to international product experts, our own security operations team, and more, about the things they witnessed in 2023 and expect to see in 2024.

What most surprised you in 2023?

Adam Khan, VP Global Security Operations: In 2023, the number of potential attack surfaces in organizations will continue to increase as more of them adopt cloud-based and Software-as-a-Service offerings. Fortunately, this will be matched by a growing understanding that cyberthreats are active and evolving and need intelligent, automated, and real-time monitoring and response.

Peterson Gutierrez, VP, Information Security: The apparent shift threat actors have made in moving away from encrypting data for ransom to simply threatening to disclose the information publicly.

Merium Khalid, Director, SOC Offensive Security: That the volume of business email compromises (BEC) we encountered was almost equivalent to the number of ransomware attacks. Ransomware is often perceived as the more prevalent and damaging threat, while BEC has been somewhat under the radar, with many businesses underestimating its potential impact. The near parity of these two threats highlights the evolving nature of cyber threats and the adaptability of cybercriminals. As organizations bolster their defenses against ransomware, attackers are diversifying their tactics, leveraging BEC as an equally lucrative avenue.

Jesus Cordero, Director, Systems Engineering, SASE and Cloud: The increasing amount of open cybersecurity positions worldwide. The latest data from ICS2 shows that the number of unfilled security roles has reached just under 4 million and other research shows the gap grew by 350% between 2021 and 2023.

Charles Smith, Consulting Solutions Engineer, Data Protection, EMEA: That companies are still not taking seriously the need to protect their data. Organizations are neither investing in the right solutions nor putting together a data protection recovery plan they have confidence in.

Rohit Aradhya, VP and Managing Director, Engineering: The blissful unawareness of smaller companies and their employees of the impending threat to their business. Outside the security industry there is a general lack of awareness about the importance of protecting digital assets, digital transactions, and web portals, and the acceptable use of email, public cloud services and cloud storage, and many other digital services.

Stefan van der Wal, Consulting Solutions Architect, Application Security, EMEA: Despite the overwhelming evidence of success by hackers attacking web applications, there still seems to be a lack of knowledge — and sometimes even motivation — in organizations to address it.

Emre Tezisci, Product Marketing Manager, Zero Trust: Several large mass ransomware attacks that used exploits in software and weaknesses in IT supply chains to target multiple companies. For example, the MOVEit mass cyberattack, which exploited a data transfer software product, impacted millions of individuals and thousands of companies.

Mark Lukie, Director of Solution Architects, APAC: The rapid increase in the sophistication and frequency of supply chain attacks.

What are the biggest security concerns on customers’ minds as we approach 2024?

Sheila Hara, Senior Director, Product Management, Email Protection: How to deploy defense-in-depth, a cybersecurity strategy that involves layering multiple security measures to protect against various types of threats.

Stefan Schachinger, Senior Product Manager, IoT: That cybercriminals could be faster with the adoption of AI than the security industry. As a result of tools such as generative AI, the quality of attacks, especially social engineering such as spear phishing, has reached a new level that makes it almost impossible for human victims to distinguish between real and fake.

AK: The evolving AI threat, exploit mapping for ransomware, supply chain and critical infrastructure attacks, and the continued shortage of cybersecurity professionals.

MK: The bypass of multifactor authentication (MFA). While MFA is a trusted security measure, there’s a growing trend of cybercriminals finding ways to circumvent it. Another pressing issue is the threat from critical zero-day vulnerabilities and cloud-based risks from misconfigurations, inadequate access controls, and vulnerabilities in cloud infrastructure.

CS: We’re seeing companies starting to worry that their backup solution could be compromised if they are attacked. Hackers employ various methods to seek out and destroy backup data prior to encrypting or extorting data, and on-premises solutions are particularly vulnerable to such attacks.

ET: The speed of cyberattacks. Account takeover and phishing together with ransomware-as-a-service (RaaS) kits, where prices start from as little as $40, remain key drivers in cyberattacks. They help attackers carry out more attacks faster, with the average number of days taken to execute a single attack falling from around 60 days in 2019 to four in 2023.

RA: Not having a single comprehensive security platform or solution to protect their business. Businesses today rely on a plethora of security vendors with varied offerings and expertise to protect their businesses, and they are concerned about the gaps in these solutions and unknown unknowns.

JC: The vast number of solutions they need to deal with for their daily tasks and not knowing if their legacy solutions are the right tools to approach new and future challenges.

ML: Ransomware, phishing, and data breaches. Customers are also concerned about the specific security risks associated with new technologies, such as artificial intelligence (AI) and the Internet of Things (IoT).

And what are they least prepared to deal with?

SS: Most organizations are not prepared to defend themselves against targeted and high-quality attacks that we used to see only at the nation-state and intelligence agency level. That includes social engineering and technical attack vectors. If you add the use of AI, it’s clear that more organizations are going to face sophisticated attacks.

CS: Companies are poorly prepared to deal with testing their data loss prevention (DLP) and recovery. When it comes to data protection, for example, many companies do the bare minimum — they implement a backup solution, schedule their backups to run daily, and think the job’s done. They generally don’t give any time to testing all types of data restoration or to documenting the steps so that anyone in the IT security team can implement the process when under pressure.

ET: The use of AI to automate and accelerate attacks, creating more effective AI-powered malware, phishing, and voice simulation.

MK: MFA bypass. While zero-day vulnerabilities and cloud-based attacks are recognized threats that have been in the spotlight for some time, the increasing sophistication in bypassing MFA is a relatively newer challenge.

SH: Image-based attacks. These attacks exemplify the evolving nature of cyberthreats. They include steganographic payloads where cybercriminals embed malicious code, text, or files within images. This payload can be extracted using specific tools, allowing attackers to conceal their intentions. There is also malicious watermarking, where attackers add imperceptible watermarks to images, containing encoded information or links to malicious content; and polyglot files that are crafted to be interpreted as both valid images and executable files, allowing attackers to bypass certain security checks.

RA: Ransomware. Most companies don’t have a standard playbook on how to deal with a ransomware incident.

JC: With their legacy technologies, a lack of skilled staff, and AI in the hands of cybercriminals, unprepared IT teams relying on average solutions to protect their business are likely to be hit hard by the emerging wave of intelligent persistent threats.

What do you expect attackers to focus on most in 2024?

AK: AI-powered cyberattacks, with cybercriminals leveraging AI and machine learning (ML) to enhance the sophistication of their attacks.

MK: AI-powered attacks and more targeted ransomware campaigns. Attackers are leveraging advanced AI algorithms to automate their attack processes, making them more efficient, scalable, and difficult to detect. These AI-driven attacks can adapt in real time, learning from the defenses they encounter and finding innovative ways to bypass them. Ransomware attacks are evolving into more targeted campaigns as cybercriminals focus on critical infrastructure and high-value targets, aiming to inflict maximum damage and, in turn, demand exorbitant ransoms.

PG: There seems to have been a great deal of energy spent by cybercriminals on account takeover attacks in 2023. I think we will see a continued and concentrated effort by threat actors to attack identities first and foremost, as this affords them a variety of pivot points for additional attacks.

ET: Attackers will continue to focus on attack kits and account takeover attacks. It is almost impossible to stop all employees from clicking on increasingly sophisticated phishing emails.

SH: 2024 may see new threats emerge based on technological advancements, geopolitical events, and changes in attacker tactics. This may include deepfake and synthetic media attacks. As deepfake technology advances, attackers may use it for disinformation campaigns, impersonation, or to manipulate media for malicious purposes. At the same time, established attacks including ransomware, supply chain attacks, and data privacy violations are likely to continue and increase. Attackers may focus increasingly on exploiting vulnerabilities in IoT and operational technology (OT).

RA: Attackers are shifting toward small and mid-market businesses as they are aware of the increased digitization and lack of cybersecurity professionals in the market.

SvdW: Attackers will keep exploiting the weakest links within businesses. As always, cybercriminals are interested in the path of least resistance. This means organizations need to make sure they have an overarching strategy ready to deal with all vectors rather than focus on one.

JC: I see two trends. The first one is the continuation of the usual threat vectors as attackers know that companies are both understaffed with inexperienced IT teams and grappling with possibly legacy, outdated, or misconfigured solutions. The second one is the natural evolution of technology — as we enhance our security assets with AI-based solutions, we are automatically creating new attack vectors that are crafted based on the quality of results of generative AI itself.

As AI-enabled cyberattacks take deeper hold in 2024, will security vendors need to do more to help companies deal with attacks?

SS: Organizations should prepare themselves for compromise. This means that, in addition to the initial prevention, we should focus on the detection of ongoing attacks and the corresponding response, for example with decentralized security at the edge.

MK: The inherent adaptability of AI-driven threats, which can analyze defenses and recalibrate their tactics in real time, challenges the traditional preventive measures. Security vendors must equip organizations with tools not only for rapid breach detection, but also for understanding the scope and containing the threat swiftly.

SH: Security vendors need to evolve beyond a purely preventative approach and embrace a more holistic strategy that includes detection, response, recovery, and continuous improvement.

Photo: PeopleImages.com – Yuri A / Shutterstock