2024 Cyber Predictions Webinar

Watch to learn what we learned from 2023 data breaches and what we can expect in 2024 and beyond.

Keep ahead of the latest cybersecurity threats.

In this webinar, VP of Investigations Aaron Willis and Deputy CISO Matt Heffelfinger will discuss what we learned from last year's data breaches and what we can expect in the coming year, including:

  • 2023 forensic investigation findings
  • Cybersecurity lessons from 2023 breaches
  • Cybersecurity predictions for 2024 and beyond

This webinar was given on February 6, 2024.

Transcript

Hello, everyone. Welcome. We are so glad you could join us for another exciting webinar from SecurityMetrics. We are talking today about trends and predictions that impact cybersecurity.

So we're gonna look back on 2023 and also look forward to the future and talk about kind of what's happening out there in the world of cybersecurity in 2024.

With me today is... I'm Aaron Willis.

I'm the vice president of forensic investigations.

And you may recognize my beautiful face here. I am the director of the threat intelligence center. I am the deputy CISO here at SecurityMetrics. It's kind of odd though. I feel, Aaron, like we're missing somebody here.

Oh, we are, Hef. We said goodbye last year to Dave Ellis, our former vice president of forensic investigations. We're gonna miss him.

You know, he added so much value to our trends.

And he's been doing this for what, eight, nine years? Yeah.

He started this about nine years ago.

My goodness. We're gonna miss you, Dave. I hope you're watching at home. But we do have some interesting stuff to talk about today.

And really, our main goal for today is to kind of help you out and understand what the future of cybersecurity is looking like, especially for our clients who may be wondering what threats are coming, which threats are already here, what's the impact of AI. That's a big part of our conversation today. And, of course, what you can do to prepare, we're gonna talk about that. And awareness is half the battle.

So I think what we should do, let's kick it off by looking back at our past predictions.

And what's really interesting, folks, is not a lot of our colleagues and peers do that. If you go out and you look on the web, you're only gonna find really about one or two of these other cybersecurity companies that actually look back and say, how did we do last year? We're gonna do that.

We're gonna tell you what we actually got wrong as well.

Yeah. And that's unique. I gotta tell you, you know, we had some really good predictions. What were our top three that we had last year?

We had a handful, but I summarized them down into three categories. We're gonna talk about phishing sophistication rapidly increasing.

Wow. Yeah.

And we predicted that mobile attack surfaces would grow larger. Mhmm. And this was one of your predictions.

Focus on dev environments, cybersecurity posture. Yeah. And we're gonna talk about what we saw from a forensic perspective, in people's dev environments.

We did get some of our predictions spot on, but there were a few times where we were just completely off, folks. What did we get right when you look back on 2023?

The big thing was phishing.

We saw that AI allowed attackers to create some really sophisticated phishing content. And this is stuff that we really haven't seen before.

The content that the bad guys are putting out, it was terrifyingly good this year. Mimicking brands, mimicking the language that they use, the tone of the emails, things like that. Very difficult to spot, sometimes even for trained professionals like you and I.

Yeah. It was tough. It was really tough. I was really shocked, Aaron. And I know we're gonna spend more time on talking about phishing, but I was shocked at the velocity of the new phishing tactics.

And that kinda blew me out of the water. I know we will spend a little bit of time talking about some of these tactics and give you some great examples, but it is absolutely out of control. I'm glad we got that prediction correct.

Yeah. We're also gonna talk a little bit about shopping cart portal credentials that are being phished using some of these AI tools with devastating consequences.

We'll talk more about that.

Another prediction we had: mobile attack surfaces did get larger.

Huge. Yeah.

Yeah. And again, AI tied into that. AI allowed malware for various platforms to get created really rapidly. And they made it so adaptive. You know, normally, when they would create malware, you have to create it specifically for one platform, and you spend a lot of time tailoring it just for that.

With the new AI tools, it's just quick. Gotcha. And it really doesn't matter what platform it's running on. Yeah. It can just steal information left and right.

I know we'll talk more about that prediction in just a minute. And then also, you talk about the dev environment. This was one of my predictions last year about how crazy the threat actors would go after that dev environment.

Yeah. In our forensic investigations, a third of our investigations had compromised development environments. Oh. And most of the time, the merchants really didn't even know that their dev environment was even exposed.

But the bad guys really targeted those development environments last year.

That's a shocking statistic when you think about that. One third of all your investigations involved a compromised dev environment, and that should shock you a lot there, folks. Alright. So let's look back, though. We also had some misses, and this is where we humbly look back on our lives and say, oh, we got it wrong. What did we get wrong, Aaron? Because there were a few.

Yeah. Well, we talked a little bit last year about crypto, and I believe I made the comment that we are gonna see just a huge increase in crypto attacks. It actually turns out there's a 51 percent decrease in the amount of crypto hacks in 2023 versus 2022.

Shocking too. I thought that number would have gone up.

Yeah. Yeah. But, you know, it actually did go down, even though, you know, it was still a big number. Hackers stole almost $2 billion worth of crypto. Yeah.

And, you know, when you look back on that number, you kinda ask yourself, why did that happen?

Why was there a decrease in the number of crypto attacks last year? And there's some thoughts around that too. Yeah. Oh, yeah. There's a number.

Number one, we kind of had a crypto winter. Crypto winter.

That's a quick call.

In 2023, the value of the whole market was just kinda down. So the incentive for attackers to go after some of the most vulnerable crypto coins and tokens just wasn't there.

Yeah.

And so that was a big reason.

Another reason was just that security got better, especially in the adoption of things like bug bounty programs, where, you know, the self-policing went a long way to stop a lot of those attacks.

You know, one of the other predictions that we did get wrong, while your team is heavily involved in those e-skimmers and the shopping cart attacks, one of the areas that we just did not see coming was the number of hosts attacked.

Oh, yeah. Yeah. We saw an uptick in the number of the brand-name third-party web hosts, the big ones. Yeah. I won't call them out here, but... Thank you.

But, yeah, we didn't see this happening. Normally, if you're on one of those third-party hosts, they're handling all of the security, and you kinda just focus on your business and, you know, getting your products out the door. Right?

But we did see a large uptick. We found malware running on some of the CDNs for these hosts.

So the threat actors pivoted, not just going after the business e-commerce shopping carts themselves, but also now going after the hosts that the businesses are using for their infrastructure.

And if you think about that, the return on investment, if you can get into a host and compromise a host, is just tremendous.

Wow. Wow. So I know you were enjoying a little bit of vacation time. And one of the other predictions that we did not see coming was when you were down in Vegas. What happened?

Well, I had taken my family down to go to the Ed Sheeran concert. Ah. And it got canceled on us, of course. So my daughters were really upset.

But we decided to go to some of the other venues down there. We went and saw the Titanic exhibit. Oh, nice. And the Bodies exhibit and those things. But when we got there, we noticed it was cash only.

And we're like, what? What's going on? It's like, where are we gonna get enough cash to get my entire family into the exhibit? But, luckily, we had enough on us, and we were able to get everybody in.

But it caused disruptions all over.

Those casino breaches. Yeah. We're talking about September of this past year. Caesars Entertainment got breached.

MGM got breached. This was a nasty, nasty event. I mean, we're talking here their loyalty program, customer data allegedly stolen. There was a $15 million ransom, allegedly.

Caesars paying that. A lot of attribution back to a threat group called Scattered Spider.

And yeah. I mean, when you look back on that, that was a huge breach, Aaron. It was gigantic in the news.

Yeah. Just unbelievably big breach.

But before we get too big into the 2024 predictions, I think we should just take a quick moment and talk about the 2023 breaches, because there were some huge names in there. I mean, we know of roughly 2,200 or so hospital breaches that were published in the news, that were reported. We're talking also school breaches.

Did you say 2,000?

2,000. Just in that category, in that space of schools, hospitals, and governments. And that was just the reported stuff. A lot of breaches go unreported, folks, and we never even hear about them.

But there were thousands. I'm talking thousands of private sector businesses. We do know that on average in 2023, the average cost of these attacks was about $1.5 million to rectify. That's a huge amount of money.

Luckily, though, for small businesses, it's a little bit lower. It's about $25,000, but still, that's a huge amount of money.

If you're a small business, that's painful.

That's painful. But so many breaches were in the news. And I think we should just take a quick moment to highlight some of the biggest ones, Aaron, like MOVEit, that MOVEit vulnerability.

Yep. And the supply chain attacks going on. Wow.

You're talking over 2,000 reported organizations were impacted by the MOVEit vulnerability, and they were breached.

Individuals. I think the threat actor was the Clop ransomware gang, if I'm not mistaken. Yep. It was a SQL injection vulnerability in this MOVEit software, which is a file transfer software.

Yeah.

And so that that was a huge deal. But there were other breaches too.

Lemur root? Lemur root. Yes.

Yes. That was another big one.

The Microsoft account, they were talking Microsoft consumer keys, the MSA breach. Yeah.

A Chinese group was allegedly behind it, where they were able to forge Azure Active Directory tokens. That's a crazy attack.

Yeah. The sophistication of that is just mind-boggling.

Forged tokens. Unbelievable. There were some other breaches too that we'll just quickly highlight here. Citrix Bleed. You remember that one?

Oh, yeah. We had several cases that were due to that Citrix...

NetScaler. LockBit was the bad guy on that one.

Oh, the big one, 23andMe.

Oh my gosh. Remember that? And they changed, folks, I don't know if you knew about this one, but 23andMe, they changed their terms of service after they got breached. Yep. And then they said, oh, well, you know, we'll just make it more difficult for breach victims to file legal claims against us by changing the terms. By changing those terms and conditions... I can't wait for this one to get to the courts. Yeah.

That one stung a little bit because, I mean, I've got family members that, you know, submitted their samples. Yeah. And so, you know, that's your DNA out there.

And a lot of that was based on a setting where, if you choose to share your DNA information, that is what the bad guys pivoted towards. So, dangerous stuff. You know, another breach that really got me was all the video games.

Video games. Yes.

And it just seemed like every other week or so, Ubisoft was in the news, Rockstar, Insomniac Studios, just breaching their source code and releasing it to the public. And even this year, in 2024, we've already had another video game company breach, which is Rockstar again, the entire source code for one of their new video games.

Grand Theft Auto VI hasn't been released yet, but the source code is out on the dark web.

And so... More satellite TV companies getting breached.

Oh, yeah. Dish Network.

Yeah.

Boeing was in the news for a big breach. The Fortra GoAnywhere breach was big. Royal Mail. 3CX, it's a phone system.

Oh, what about you?

Yeah. I mean, and folks, again, Sony. In fact, Sony got breached three times.

Again?

Again. Yeah. They were part of the MOVEit vulnerability. Then their SonarQube software got breached, that platform.

And then Insomniac Studios is owned by Sony. So a lot of breaches in 2023. Yeah. But we wanna get to 2024.

And I thought it was really cool. I love how we do this every year where we ask for your opinion. I wanna hear from you, Aaron, and myself too. What are your top predictions that impact our clients?

Let's start with you, because I know you have some doozies. I mean, I looked at some of these and go, woah, Aaron. This is some good stuff.

Yeah. I think 2024 is really gonna be the year when AI hits merchants' radars in a big way. You know?

We've all been hearing about, you know, the generative AI things, you know, the ChatGPTs.

Oh, yeah.

I think this year, the generated e-commerce skimmers that the script kiddies are getting their hands on... Yeah.

That can be used to get into merchants' websites and steal the credit card data right as their customers are typing it in. Yeah. You know, that used to be somewhat of a sophisticated attack to pull off. Now with these AI tools... Anybody.

You know, any kid that knows just a tiny bit can get in and use these tools to rapidly create the specific code to run on your website.

So what it's doing is it's creating a bigger pool of threat actors that businesses just have to be aware of. It's tough. It really is tough.

And then there's gonna be a rise in iterative attacks. What I mean by that is these are really a malicious type of attack that are so hard to detect.

And they come in ways that are randomly generated, so that if you go and look at the code, in one instance, it will look completely clean. You won't see anything there that's suspicious. You won't see any outbound traffic. Yeah. No malware calling home.

But if you look at it a dozen times, two dozen, three dozen times, in one of those iterations malware will just pop up, steal a credit card, go back to sleep.

I know later on in our webinar, we are actually gonna show you a quick demo of one of these iterative, I can never pronounce it, attacks.

And wait till you see this, folks. I was blown away at how obfuscated the code was and the way you explained it. So I think you've taken a very complicated subject, and in the demo, you're gonna nail it for us.

So It will look really easy, but when you see just how sinister this is and how difficult to detect.

It'll really creep you out. Yeah.

What are your other predictions that you have on the top of your head top of your radar?

Well, deepfakes are gonna play another prominent role.

We've been hearing a lot about these voice emulators, where, you know, mom might get a call from a daughter that says, hey, I've been in a car accident. Send money.

Or I've been arrested.

Yeah.

And it's her voice.

Yeah. Cloned.

Yeah. It's a cloned voice. I think we're gonna see that more on the social engineering side now. You know, maybe in the past you may have gotten a call from your boss or your manager that says, you know, pay this invoice here. We forgot to pay it. Or send us some Amazon gift cards because we need to compensate somebody.

In the voice of the business owner or in the voice of the CEO or an executive.

That's gonna come from a prominent member in your organization that might have their voice out online somewhere, like your voice or my voice.

Yeah. You know, the other day, I was playing with a voice cloning tool where I wanted to take my father's voice. He passed away ten years ago. I wanted to clone his voice and bring him back to life. And I was able to do that using these voice cloning tools.

So in the hands of good people, it can be a very powerful tool. But in the hands of bad people, it can also be a powerful tool, very dangerous. But those deepfakes are absolutely growing. I agree with you a hundred percent.

Yeah. And we're seeing a lot of these pop up right now already.

You know, pick any celebrity. You know, we saw Taylor Swift this last week. Yes. Yeah. You saw that? With the free pans.

Yeah. And it was in Taylor Swift's voice, and people were going nuts trying to get these free pans.

Yeah. And I mean, we've seen it with Joe Rogan and all these others that are peddling stuff that they would never do. Yeah. And so that's gonna continue, but it's gonna get a lot more personal. You know, it's gonna come from people you actually know.

The number of cyber kidnapping cases, where the person's voice is being cloned and then the parents get the phone call saying I'm in jail, I've been in a car accident, or I'm in the woods right now, and I'm not coming home until you pay these kidnappers this amount of money, transfer the money to the bank account. That's growing, a lot more cases in the news to be aware of, and so on.

Yeah. So if something weird happens, you may just wanna verify.

Yeah. Have a trigger word in your family to verify that this is not AI calling you, but actually your family. Yeah.

I think, more shopping cart hosts are gonna be breached. You know, we saw a little bit last year. I think that's going to hockey stick this year.

Yeah. So it's more of a keys-to-the-kingdom breach, because if they can breach the host where all your e-commerce is at, then they've got everybody underneath that as part of their environments. It's tough.

Yeah. Another big one that we're seeing is attackers going after Node.js.

Node.js is a really neat application that allows you to run JavaScript on the server side. Yep. And you can do a lot of really powerful things using the JavaScript language. But attackers are going after so many vulnerabilities that exist in Node.js.

And we saw a number of exploits last year, but just looking at what the attackers are doing in the logs right now, the things that they're trying to do, I think Node.js is gonna have some more zero days. Yeah. And we're gonna see more breaches coming from Node.js.

Excellent. I mean, we'll talk more about vulnerabilities in a minute. But overall, AI is the front and center of it all. And wait wait till you hear some of these other predictions that we have regarding AI.

I think it's gonna kinda blow your mind a little bit. But we wouldn't be right if we didn't talk about PCI. And that is something that we love around here. It's something that we're born to do.

We're good at it. Talk to me about PCI. What's happening in there? Your predictions?

Well, there's gonna be a rush to comply with two new standards.

PCI DSS 6.4.3. Okay.

And 11.6.1.

Okay.

6.4.3 is a mandate to know what's running in your shopping cart. You know, most merchants have no clue, really, of what's going on there. Yep. So 6.4.3 says you gotta know what you're running, what scripts are there, why they're there, what's the business reason.

And 11.6.1 is hand in hand with that. Once you know what you've got running there, now you've got to monitor it. So that, you know, if something changes, if one of these iterative attacks comes in, you're there.

Yeah.

And you know something changed, and you can figure out whether that was an authorized change or not.

Your team is all over the shopping cart. I know that's one of the areas that you guys focus on a lot: the shopping cart attacks, the e-skimmers, knowing those threats, being well aware of the latest tactics and techniques.

I'm really excited to talk more about that here in just a minute. But, you know, with the shopping cart attacks, are you seeing an increase, using the speed and the velocity and the enhancements with AI that threat actors... Yeah.

All of this is coming together, and, you know, there's no website too small to get hit. Yeah. And I see that over and over again where, you know, people thought, we're so small, who would target us?

Yeah. The complexity of these attack vectors, and then you add in the fact that small businesses may not even be aware of it. Medium-sized businesses may not be aware of it. The enterprises, they are a little bit ahead of the curve.

But at the end of the day, I know it's just being ahead of what web skimming is doing and hearing what you're talking about and how important it is. Yeah. Can you kinda dive into... I know you saw a lot of crazy examples this past year. Can you just real quickly share some of those insane examples?

One of the ones that really caught our attention was the spoofed sponsored ads on Google. Now you see an advertisement for some product that you want that's from Amazon.

Yeah.

You click on that sponsored ad, and it looks great. Only the price is a little bit too good. Yeah.

And so go look at some of those. You know, if you right click, go in and see who's doing that ad. It's not Amazon at all. It's just somebody that went and made it look like it was an Amazon sponsored ad. And so Google is just having a heck of a time trying to sort through all of these false, you know, spoofed ads, brand impersonations. Mhmm.

They're trying to use Bard, you know, their AI tool, to go in and fix some of this malvertising.

There were some other examples, though, too. I think I heard a story, a use case from your team, where they were seeing credit card numbers being exfiltrated through the CAPTCHA. Wasn't that a situation? Also through images, the comments field was being used to exfiltrate credit card numbers. I think I even heard a story where you guys have seen one-digit exfiltration, where only one credit card digit was being exfiltrated at a time. Is that right?

That was an attack where as soon as the customer typed in one digit of a credit card, that one number went out. Wow. And so, even if you typed it in and messed up and hit backspace, that was all getting recorded and being sent out. So even if you messed up on your credit card, the attackers were still getting that card number.

There was one use case, though, that you guys found this last year that blew my mind, and you had to really get creative to find it. It was where the threat actor had cloned the entire website of the e-commerce merchant. Remember, they cloned everything, and then you guys didn't even find it until you said, you know, we're gonna think outside the box. We're gonna search. Wasn't it something like that, where you found this other fake website?

Yeah. We did a forensic investigation on the merchant's website and could not find anything wrong. There was nothing wrong, but the card brands were insistent.

These guys were just bleeding cards Yeah.

Left and right. And so we decided to just do a search to look at where else their products were being sold. Maybe it was an affiliate or something. What we found was a clone of the entire website, just running through a proxy.

So as soon as a new product arrived, it was on the clone site. If they made a change in the formatting of something, if they changed the color scheme, it was instantly reflected in that clone website. Amazing. And so, you know, you could easily... this was targeted towards mobile customers.

Think of how difficult it is if you're on your phone. Do you check that URL to make sure it's right?

Yeah. A lot of people don't.

Yeah. So, you know, they would take the order on the spoofed website.

They would take all that information, then they would just run it back through the real website. And so the customer was getting their product. Yeah. Yeah. The merchant was getting paid, and the hacker was getting away with a credit card.

That's phenomenal that you guys find that. You know, we have a special treat for you, and the special treat is this. Aaron has brought a little demo, and he's gonna show it to you right now. He's just very quick to explain to you in the most simplistic terms as he can exactly what one of these new threat actor tactics looks like. So just take a look at this right now.

As we mentioned, this is a demo made from a real-world iterative attack that we found in the wild that harvests credit card data right as the customer is typing it in. So if you can see this page, you know, right as the customer is typing in this info, the attacker is getting it in real time right out of this iframe.

Now to start off, let me give just a quick refresher on what iframes are and why they're a critical part of your website security.

You know, this form right here is actually running from another website, and it's just included inside of this iframe.

Doing it this way protects this credit card data from any scripts that are running on the outside of this window or this iframe.

And if we look right here, we can see that I've got a script running in the background here that's trying to grab that credit card data, but the iframe is working and we get this error, which is exactly what we want to see: "Blocked a frame with origin scriptlets from accessing a cross-origin frame." That means that a JavaScript that's running on scriptlets.com, which is our merchant website, is trying to access this iframe that is running on the payment gateway website and is just included on our page.

Now in the wild, when we saw this attack, if we look at this code right down here, we can see that there's a random number generator written in JavaScript here that says pick a number between 0 and 33. Then if that number happens to be 30, run all of this code right here. Now in and of itself, that doesn't look particularly malicious. That could be just about anything in the world.

Now I copied this code for this demo, but rather than waiting, you know, for our one-in-34 chance, I changed it to be a one-in-four chance. So I'm just gonna refresh this page until we hit the number 2. Once we see that the number 2 is hit, we'll see different content appear in this text field here. So I'm just gonna refresh this a few times.

Until we hit the number 2. It might take a few times. This is truly random.

So we hit the magic number of 2, and the iframe was broken.

The credit card data was stolen right out of there. We've got the card number. We've got the expiration, and we've got that CVV number. The attacker gets away with that credit card number, and it only happened when that random element was met.

That makes it really, really hard to detect these type of attacks.

You could have any number of security protocols scanning your checkout process, but if they're not present when that random number is matched, the code stays dormant. You don't see any malicious activity.

It's only detectable when that random element is matched. Otherwise, the code stays dormant. It just sits there looking pretty, doing nothing, you know, nothing to see here.

And something that's a little bit disturbing is that, in this case, they chose a random number generator, and that's, you know, subtle and sneaky in and of itself, but it can be anything else as well. We've seen them using, you know, timestamps.

We've seen them using IP addresses or geolocations. You know, it'll only trigger if the customer is coming from a certain area.

And so that random element can be just about anything.

And doing it that way actually allows the bad actors to stay under the card brand radar. It lets them fly under the radar, so they're really not grabbing a whole lot of cards from any single merchant. They just skim a few, you know, whenever that random number is reached, they'll grab a card.

And that prevents the card brands from seeing a level of theft from any one particular merchant where they would, you know, tell the merchant to go hire somebody like me to go in and do an investigation and shut the party down. If they only steal a few cards, then, you know, they can do that for a very long period of time before anybody worries about it.

Very important: the new requirements in PCI DSS 4.0, particularly 6.4.3 and 11.6.1, are really designed to help prevent and mitigate the risks from this type of attack.

6.4.3 says know what's running on your checkout page. You've gotta know what scripts are authorized to be there. If they're not authorized to be there, they need to be removed, even if they're not malicious, or if they're not required. A lot of times we see scripts running on these checkout pages that are just there by default. They're not really serving any purpose. You know, they're only needed on another section of the website.

You really only want stuff that is mission critical for for handling this checkout process to be on there.

Then there's 11.6.1, which says, okay, after you have validated that only code that is needed and authorized to be on your checkout page is there, monitor it to make sure no bad guys get in there and inject some silly little, you know, lines of code that can turn into a full credit card skimmer, just like the one we've seen here.

Because this code is so small and so hard to detect, it's really easy to whitelist scripts that may have this malware inside of them. And so it's really important that, you know, if you don't have the expertise to go through your scripts yourself and find out if they've been altered or tampered with, you know, reach out to us, and we can help you make sure that the scripts that are running on your checkout process are, you know, good clean scripts that are only doing what they're supposed to be doing.

And that concludes our demo of the random attack, or the iterative attack.

And keep your eyes open for these types of attacks. These are on the rise. We're seeing a whole lot more of them. Alright. Back to you, Hef.

What I find the most interesting, as we get off this topic, is the number of threat actors. And we know that there are approximately seven Magecart groups. Magecart is a threat actor that typically targets e-commerce shopping carts. The fact that each one of these threat actors has a different TTP, a different tactic, a different technique, it's a real challenge. And I gotta tell you, I'm always impressed how your team finds these new tactics and these new techniques. So kudos to your team.

So, Hef, tell me what your predictions are this year.

Oh, you guys are in for a real treat, folks. I gotta tell you, we got in the threat intelligence center, we are kind of on the on the forefront of small to medium sized business cyber attacks. And there's a lot of trends out there. I think you're gonna wanna know. And I I do wanna start off, Aaron, with some some really incredible statistics.

Take a guess. How many attacks annually target small businesses?

Do you have a number in your head?

It's gonna be thousands upon thousands, hundreds of thousands.

It is. So in the last twelve months, and this is globally, Aaron, we're seeing forty three percent of all attacks are annually targeting small businesses. That's a huge uptick. That's a dramatic spike, folks, in the last twelve months, the number of attacks in small businesses. And and I see that trend continuing. And I see that trend continuing because of all these small businesses and medium sized businesses that are they're trying to move their operations to the cloud. They're trying to adopt new technologies.

Some of them are trying to upgrade their infrastructure.

What's really fascinating though, Aaron, is the numb the number of attacks towards medium to small businesses that have less than a thousand employees. And what we're seeing is a is an uptick in there. About forty three percent of all attacks target companies that have less than a thousand employees. Let that sink in for a moment.

That's a lot. And not only that, but the average small business loses about twenty five thousand dollars per attack. So, So, again, I see a dramatic increase coming in this area. It's only gonna get bigger, especially as threat actors come after small businesses.

We know that in their eyes, you might be perceived as an easy target.

We know that there's sometimes infrastructure maturity issues. There's sometimes people resource problems and concerns and spending level concerns. So I know that, you know, that's that's the area that I specialize in, is trying to use things like the Pulse platform to try to help small businesses level the playing field. And I gotta I gotta tell you folks, you really have to be conscious of this and just be aware of the dangers to your business. Get the scans running at least. Get get an idea of what's in your environment.

Is the Pulse product, is that priced for small business?

It is. It is. And that's what we tried to do. We tried to make it as a tool that's easy to use, that won't break the bank account, that will actually get in there and help you identify your digital footprint, you know, and just try to try to try to make a a handle on on where these threat hackers might be in your environment. So that is the number one trend. If I can talk to you about that for a moment, in my opinion, it's the increase in on small businesses.

But I do have other trends, other predictions Alright.

What do we have. Yeah. You know, and the one area that I do wanna call out is the number of vulnerabilities. And this was mind blowing. How many vulnerabilities came out last year?

It was it was an incredible amount.

So twenty eight thousand?

How how many is that over twenty twenty two?

Yeah. And so twenty twenty two, there was about twenty five thousand vulnerabilities. That's a lot. And then twenty twenty three, we had twenty eight thousand. So there's a there's an uptick there. And you're talking about an average of about eighty vulnerabilities per day.

For a small business to try to manage that, how do you how do you keep up with that?

You don't. Yeah. And especially I mean, some businesses are lucky. They've got automated patch management. I know some of our clients, they they like the Pulse platform because of that feature where they can get in, they can see what devices are running in their network. And we know that the severity score is important.

The average severity score in twenty twenty three was about seven point one two or roughly.

And that's out of ten.

Out of ten. Yeah. And so you you stack those numbers and you go, wow. I have to do a better job at at patching in my environment. But it wasn't just the vulnerabilities, Aaron. It was the zero days. There were so many last year.

For everybody out there, tell us what zero days are.

Yeah. So it's it's one of those times in your business where a vulnerability gets announced. It could come from a security researcher who found a vulnerability in a piece of hardware or software in your environment, or it could be the threat actor found a doorway in. And there's this time that it takes from when the announcement is made to when the patch becomes available.

At that time, that leeway for the bad guy to be in your environment, to exploit that device, that software, that hardware is dangerous. And that's what we try to do for our clients is try to find all of that. And we know that in twenty twenty three, drum roll, please, how many zero days were there? We sixty nine.

Sixty that could be low.

That's just the number we found towards the end of the year. But Yeah. There are a couple of months that weren't accounted for. Yeah.

So it it could be pushing eighty maybe.

Forty three of those zero of those zero days were exploited in the wild. And that number alone is tremendously damaging in knowing that. So it's critical. It's and what I always tell my clients is I say, it's critical that you sign up for the vendor alerts.

You know, get on the get on the website, whatever hardware you've got in your business, go to the vendor's website and sign up for their alerts. They'll tell you when things need to get patched. But sometimes, those vendors, they don't announce it. They don't, they, you know, they they delay the announcement.

Oh, we got a patch available. So the best thing you can also do, if you go to cisa dot gov, cisa dot gov, you could sign up for their alerts too. And they sometimes get out alerts faster on what vulnerabilities are in your environment. You could also use us in the SOC here, the security operations center.

We'll try to help you identify those vulnerabilities and those zero days quickly. But it's not gonna get any easier, Aaron. I'm telling you. Yeah.

Twenty twenty four, we're gonna have more vulnerabilities. You mark it right here, right now, more vulnerabilities in twenty twenty four.

It is it's so critical to be on top of those alerts. Yeah. We can actually see in the web logs.

You know, we can go look at a date when when one of these vulnerabilities is made public. Yes. And we then we go look in the logs. And then usually within twenty four hours Yeah. The attackers are on your website trying to to see if you're vulnerable to that exploit.

Yeah. And, you know, Aaron, people ask me, well, why are there gonna be more vulnerabilities? And it's a very simple equation. It's the fact that a lot of companies now are using AI in their dev environment, and they're pulling snippets of code that may be vulnerable, and then they're pushing that out in the updates.

And that is why folks, you're gonna see more vulnerabilities. It's more critical than ever that you get on top of patch management in your environment. Very very dangerous stuff. There's a third prediction that I had.

I want And I wanna definitely talk about this one because, this the phishing.

I know we we've talked about a little bit at the beginning of our past predictions, but the amount of phishing, the AI using phishing is unbelievable. I I have to tell you the it's probably more dangerous than ever right now.

Yeah. You've you've talked about it being a force multiplier. What do you mean?

Yeah. And and I I mentioned that in our in our conversations, but what the threat actors are able to do with phishing is they're able to change their tactics. They're able to act and use the AI as an as a way to increase the number of bad guys. And they're doing that. We you know, you had mentioned phishing being they're mimicking brands in emails. They're mimicking the tone, the grammar, the language. It is very difficult to spot an AI generated phish.

I'm telling you, we show examples all the time in our in our we do this threat intelligence email. You can sign up for it. It's really cool because we highlight the top phishing examples that are out there. But we do this every week, and we show some of these examples of these AI generated phishes. And it is so hard to see, not just the emails, Aaron, but the texts, the vishing. You mentioned deep fakes, the fake apps, the fake Google search engine advertisements. I mean, that stuff's just exploding more and more with the threat actors now using AI.

Yeah. In fact, you you had internal contest where you sent us that that Yeah. Email. We were we were supposed to spot six, six indicators that that it was a fishy one. I think I got three.

We're gonna see so much more of the velocity and speed. And I am always shocked every week at the number of phishing emails that go out from threat actors that are mimicking so much of the brand. You could tell that this is a Microsoft email or a Microsoft phish. That's how real it is. We also know that the phishing folks now have call centers where you get a phishing email and there's no way to respond to it other than to pick up the phone and call a call center where these people actually think they're working in a real call center, but they're actually working for a a phishing operation.

And then we see we also see more trends with phishing emails that are able to bypass email filters.

Yep.

So you think that you have email filtering set up correctly and the phishing email comes right on through.

And it may be set up correctly.

And it may be set up correctly. Yeah. But the hackers are using AI more than ever to analyze attack strategies, to heighten the speed, heighten the scale, the scope of their phishing activities.

It's absolutely dangerous. And we we even mentioned you know, you had mentioned AI being used to create malware, which is another tactic too. It's I was just reading the other day that that the phishing groups now are able to go after countries that they typically have never targeted before. Because they can use AI to copy the right language and get the right, you know. So now they now they can speak other languages that they normally don't attack, and they're going after these other countries.

Yeah. It used to be nice and convenient. If you if you got an email, you could just see the grammar was so bad. You knew it was not coming from a professional organization. And yeah. That's disappearing now with AI.

Yeah. And now that they have AI, they're using threat actors are using chat bots. So you're communicating. You're you're getting phished, but you're communicating with a chat bot.

Again, very very insane world that we're about to enter here, folks. And I and, you know, just the other day, the you know, AI being used on fake Amazon advertisements, AI being you mentioned the Taylor Swift ad with deep fake voices. You mentioned the cyber kidnapping. I mean, it's just it's insane the number of doorways into your business, into your life, thanks to phishing.

Oh, yeah. My sister just got a phishing attack with a fake job listing.

Oh, yeah. That's going around. Especially, like, Facebook job scams are are just absolutely growing.

This is my other prediction kind of falls in your area, your wheelhouse. You deal a lot with malware. I wanna talk about AI being used to create malware. We we briefly touched upon it. But what are some things that you see? Because this is one of my predictions, and I can talk a little bit about it, but you are the expert on this one.

The things that we see are just the adaptive nature of the AI being able to run on any given platform with just very few commands given, by these script kiddies. Also getting into to different languages.

Yeah. Like Golang, Nim, Simplicity, the Swifty.

Swifty is in there now.

Yep. Yep. So so they're using AI to craft malware in languages that we typically don't see. Our defense systems typically, this is globally folks, don't see these types of malware in these obscure languages. Yeah.

It's not. I we're so used to looking for malware in in the PHP code or the ASP code. Yeah. Now we're finding it in in the system drivers, you know, written it written in these other, you know, systematic languages.

Malware with malware that's created with AI, it's it's lightweight. It's speedy.

Again Stealthy? Stealthy. Yeah. It's just insane. You know, and there was a lot of other malware stories where AI is being used to craft malware.

I I was really taken back by I get this a lot of questions from my clients about, well, I have a Mac.

We're a Mac environment. We're safe. Right?

Oh, the tell them about how many, new malware families came out from Mac.

Yeah.

And this is one of my predictions.

I think you're gonna see a lot more malware written for Mac. And we know this because because in twenty twenty three, I believe the number was was it about twenty three?

Twenty twenty three new malware families.

Just for Mac, folks. That's, that's some dangerous stuff. Again, the malware is exploding. We know threat actors are using it to craft it.

It's only gonna get more evolved, more complex in terms of their ability to take advantage of this. Again, having something in place that can help you identify that malware and be aware of it, it's a challenge. Because defense systems aren't up to speed with all these new languages being used. So I did have a final prediction that I do wanna talk about.

And my final prediction was about governance and laws. And we would not be right if we didn't talk about governance and compliance and all that that that space. I mean, we are heavily at SM. We are heavily into HIPAA and HITRUST and PCI.

You know, I was I was taken back by all of the states that are now pushing out privacy laws Yeah.

Four new states in twenty twenty three.

I know that the federal government is working on legislation for a nationwide privacy law. Utah Utah.

Where we're based out of.

Right here.

They just came out with their privacy law. Just got started. It's just a crazy patchwork right now of privacy regulations.

And I'm I'm hoping that we're gonna see some I'm hoping we're gonna see some semblance of order in this space. Standardization.

Yeah.

Because right now, if you're a small business owner or a medium business owner and you've got businesses in all these different states, you've gotta be aware of what privacy legislation is being pushed through in your state because there's no nationwide law right now for it.

Well, also in other states too. If you're doing business in other states, I know California has so many laws you've gotta comply with if you want to do business in California.

And that's why, you know, part of this trend in this prediction that I have is when I look at the there's a law firm, a cyber law firm called BakerHostetler. They put out this great report every year, the data security report. And they talk about the biggest trends they cite. And this is where I'm going with this conversation in that they saw saw more investigations than ever for GDPR, HIPAA. They they they see more big fines in the news. And they then they also highlighted that small to medium sized businesses are being targeted more and more by these these compliance investigations. So you got you kinda really gotta wrap your head around the impact of all the governance and risk compliance areas that are targeting small to medium sized businesses.

Businesses.

And I mean, that's so difficult to to stay on top of. Yeah.

I think there were there were more lawsuits under ten thousand records last year in twenty twenty three than ever before.

So if you have less than ten thousand records in your database, your customer database, you've you've gotta be aware of all of the the things that are happening in this this area. I'm gonna I'm gonna tell you, you're gonna see a lot more of this.

Yeah. And I mean, if you don't have somebody in your company that's on top of it, you really need to rely on the expertise of a company like Security Metrics Yeah. To to get you through that. So it's just getting more and more complicated.

Help me understand, Aaron. If you had to pick one of your predictions, like, pick one that be the most impactful to our clients, disconcerting maybe. I don't know. What what do you think in your head, off top of your head?

Well, I'm the thing that keeps me up at night, are these iterative attacks, where the card data is leaking. We know it's leaking. We we can't find it. But the speed and velocity that you had had mentioned, just all these things coming together all at once Yeah. In in twenty twenty four, it's I have no doubt I'll be up, you know, over several weekends trying to solve a lot of these cases that that, you know, where the bad guys have just come in and steamrolled a lot of small businesses. Yeah.

It it breaks your heart. Yeah. It really does. You know, if I had to pick one, Aaron, flipping gears for a moment here, folks. If I had to pick one my choice, I I really wanted to talk about all the record vulnerabilities and the record number is zero days. I know that's impactful to our clients.

But that is really manageable. At some point, you you can manage that. So if I had to pick my top choice for predictions, I would say it's the sophistication of phishing. And, you know, doing one time a year phishing training, honestly, is not enough.

You you really have to be in the know. I I always tell our clients, sign up for the threat intelligence email. It helps you understand and see the latest examples. There's so many advancements here.

The threat actors, they're just, you mentioned velocity, speed, the innovations, the use of AI here. Staying on top of this is a challenge because there's so many just different doorways that they're using now for phishing.

Yeah.

But, yeah, it's tough, man. Yeah.

Just a shout out to your email. And we use that email in our forensics group all the time. Good to hear. Now that that is it's such timely information to have.

Now, where do our predictions come from? And I gotta tell you, what I love about Security Metrics is we're able to talk about our colleagues and peers in a way that's constructive.

You know, in our opinions are great. Our predictions are awesome, I think. But, you know, the reality is there are other bigger name companies like Google and Splunk and WireGuard and all these other vendors that put out their own security reports, their own trends, their own predictions. Just real quickly here, you know, if you had to go through and look at some of their predictions, I wanna just call out a few of them that I think are important.

They're valuable to your knowledge. Situational awareness, big picture industry trends last year, Aaron. How many huge IT failures did we see globally? Gigantic failures.

It was another big number.

Yeah. A lot. A lot. And, you know, when you're looking at the news and you see these stories about these airline outages, do you remember that where Southwest Airlines at the end of twenty twenty two, start of twenty twenty three, huge outages.

IT falling apart. United Airlines outage. Hawaiian Airlines fail. Epic fail.

Travel meltdowns all over the place.

My goodness. But they weren't the only big IT breaches. And you're gonna see more and more of these in the trends where these IT failures were like the FAA, where they had their outage and they had a ground stop to all takeoffs. You guys remember that in the news?

It was damaging, really damaging. It was all blamed, I believe, on a damaged database. Yep. Okay.

They couldn't restore a database. K. That shows you there, folks, how important it is that you get your backups running and that you check your backups. If Dave was here right now.

He would say, check your backups. Dave's greatest hits. The New York Stock Exchange, they had a huge IT outage. Their backup failed.

NASA, they spent fifteen million dollars, Aaron, on Oracle licenses they never used.

Oh, man. Yeah. And that's bad documentation, folks. Lesson learned there. No softwalls.

Dollars hard at work.

Yeah. I thought Nutanix, they they were in the news. They had a third party software not being used in a compliant manner, i.e. not paying for it, folks. You gotta pay for software that you license. That Massachusetts high school caught my eye too. They got breached. They were breached for three years.

No one noticed that their software that runs all their environmental systems Their lights got left on.

They turned their lights on full brightness in this high school for three years. Nobody noticed. Again, just insane that that Aussie helicopter crash, that broke my heart.

That was that was horrific.

They didn't do updates on their helicopters, and then they had crashes. So a lot of big breaches. And you're gonna see more of these trends and predictions where you're gonna see huge IT failures going forward in twenty twenty four. I you know, I as we kinda wrap up the situation here today and the and the predictions and trends, there's so much to talk about with AI. And I kinda wanna just make sure the audience understands, Aaron, that AI is a greater risk to small businesses than ever before. And it's been known because we had back in December in front of, I believe it's in Washington, DC, executives from SentinelOne, IBM. They got in front of our government and said, it's a lawn it's a bigger deal, AI's impact on small to medium sized businesses than ever before.

The force multiplier is not going away. We know that there there's more errors in software than ever before, more vulnerabilities.

We know that phishing, vishing, smishing, deepfakes, it's gonna be more impactful. So, again, you really, really just having a situational awareness, folks, of the stuff that's happening in the news.

Especially, you know, there's a huge temptation to to use AI in your own business. Yeah. You've got to be doing your code reviews.

Yep. One of our colleagues, one of our peers is talking a trend, a prediction of exploit mapping. What that means is the bad guys are going out and they're not even breaching your environment. They're simply scanning your environment, looking for all the vulnerabilities and all the doorways into your environment.

And this is a huge trend, folks, where Then they're selling it.

And they're selling it. Yeah.

So they're not breaching you. They're just they're mapping your vulnerabilities.

They're selling it as a service. Exploit mapping as a service. You're gonna see a lot more trends around that. A lot more privacy impacts. It's a Pandora's box, folks, of privacy and security woes. I think we need to kinda, you know, get get to the end of this here. I know, you know, folks, thank you for being on this incredible journey here.

More QR code phishing than ever before as a prediction from one of our peers. We're talking about the impact, especially on you. You got menus with QR codes. You've got all kinds of stuff.

Imagine somebody just walks in, prints a sticker, sticks it right on your menu. Your customer goes and pulls up your menu, and their phone is now infected with malware.

It's nuts. It's absolutely crazy. And there's new botnets more than ever. We we spent a lot of time in the last week looking for KV botnet Yeah. On behalf of our clients.

It's absolutely nuts because it's it's caused it's the threat actor is Volt Typhoon. They're based out of China. They're really just going after end of life devices. So having a knowledge of what is end of life.

Is your router at the point where it can't be patched anymore or updated? You gotta get a handle on that. We do have some questions. We have some questions from the audience.

I I we love your questions. We always thank you for sending them in, and we're gonna do our best to try to answer some of the the questions here. If we don't get to your question, don't worry. Someone will reach out to you and try to get your question answered.

One of the questions that we got was what are our top five things to do to protect my business? And I'll tell you, if you talk to anybody that's a security practitioner, they're all gonna give you different answers. Alright? My top five are probably vastly different than your top five.

But one of my big call outs is always this. Number one, if you have software in your environment, you have to update it. Number two, if you have software you no longer use, you gotta remove it. Alright?

And number three, I always say that you've gotta start doing scans in your environment. You gotta know what's in your environment. You can't protect it if you don't know it exists. So those are huge, huge issues, concerns that if you get a handle on those top three there, top three will really help make, a way a pathway forward that you don't get popped, you don't get breached.

So here we go. We we have a really good question here too. What industry are you seeing the most security issues?

As we mentioned earlier, hospital attacks are through the roof. Overall, the the health care industry is getting hit hard. Mental care services Yeah. Are ransomware.

Yeah. And and the main reason that comes down to that folks is when you go on the dark web and you look at how much do employee health records go for, you know, you're seeing prices astronomical. A thousand dollars for a record for an employee health for, you know, a health record. It's crazy.

A a, you know, a good credit card, you know, under twenty bucks.

Yeah. It's absolutely insane.

I you know, if I had to say health care, I would agree with you. Probably health care. I also see a lot of attacks going towards not industry specific, but software specific third parties. And my call out to all of you in the audience is this.

If you have software in your environment that's a third party, maybe it's your accounting software, maybe it's it's software you use to run the business, you really have to be on top of patching that stuff. Because we saw this in the MOVEit vulnerability where two thousand businesses got got popped last year because of the MOVEit vulnerability. So and it's a third party. Again, you just have to be on top of that.

If I had to pick one, that would probably be my top though. We have one final question that we're gonna get to here. One final question is, where can we get more information about cyber trends?

There are lots of good places, a lot of good government places, but Security Metrics is is really, kind of a a conglomerate of a lot of different things going on. Your email.

Yeah. That helps. The threat intelligence email. You can go to our website to sign up for that.

Again, we try to highlight the latest trends, the latest things that are impacting our clients and small to medium sized businesses. I would also say that we have Security Metrics Academy, which is really cool to learn more, and it's all free. I mean, I can't believe we put out this product that's completely free, folks. Security Metrics Academy.

Another thing that I I tend to tell people to do is take a look at our YouTube channels. We have some really awesome content on there. And there's so many great resources out there, but targeting the resources for your needs and your business. I mean, I get it.

Y'all don't have a lot of free time to just go and and see all this stuff. And that's that's one of the joys of what we do in our job is to summarize it all, highlight it for you in real short bites, and give me the most important need to know information.

We've got one more question that just came in. Oh, yes. This this is a good one. As someone who has their ecommerce business hosted on a Wix or Shopify, what do we need to do about cybersecurity?

This is actually an awesome question.

And the thing is is do not rely solely on Shopify or Wix or or any of these other third party hosts to do all the security. Yeah. You know, you've you've got to take responsibility for you the security of your own website even if you're hosting it on, one of these third party hosts. You need to make sure that that you've got layers of security, that you're using multifactor authentication on on all of your logins, on your shopping cart portal, that you've got good strong passwords.

Yep.

And just making sure that you've got multiple layers of security wrapped around your website.

Yeah. And you guys are the expert on on knowing all those different threat actors that are in there. So excellent advice. And on that note, we wanna thank you for joining us. If we did not get to your question, someone will reach out on behalf of everyone here at the Security Metrics family. We wanna thank you for joining us every year as we go through our trends and our predictions.

Thanks, Hef. Let's do it again next year. Absolutely.