Remaining robust and resilient: A CISO's top six recommendations for 2024
By Yubico’s Chad Thunberg
2023 saw a whirlwind of challenges – both old and new – but we also realised many opportunities to become more secure and stay ahead of evolving information security threats.
As expected, it was another challenging year for information security as organisations continued looking for ways to stay ahead of attackers. Phishing attacks grew in both volume and sophistication, driven by one trend that made a significant impact throughout the year: AI-driven phishing.
Phishing remains the most prevalent attack method because of its relatively low cost and high success rate, and the use of AI only makes the problem worse.
Across the board, we have seen a dramatic increase in attacks targeting businesses, governments and consumers that use phishing to socially engineer individuals into handing over their credentials and identity information, and to subvert legacy multi-factor authentication (MFA).
A major reason for this is highlighted in Yubico’s recent survey which found 91 percent of people still rely solely on a username and password to secure their accounts.
To be more secure going forward, we collectively must move away from reliance on passwords and other weak forms of authentication, towards modern, phishing-resistant MFA.
In 2023 we also saw many attacks enabled by the increased amount of information attackers hold about specific vendors in the supply chain and about employees within companies. That information lets attackers construct a convincing pretext, understand working relationships and even mimic communication styles.
Due in part to the success and impact of these attacks, governments in Australia, the U.S., Europe and around the world have increased their focus on ways to improve the security of businesses, citizens and government entities.
The U.S. government in particular is showing signs of losing patience with the commercial sector's inability to keep attackers out of its environments and has emphasised the importance of taking action: in early 2023 it announced a National Cybersecurity Strategy that aims to shift the cybersecurity burden away from individuals and onto "organisations that are most capable and best-positioned to reduce risks for all of us."
Big tech giants like Apple, Microsoft and Google all added support for passkeys in 2023, among a number of other companies, applications and services.
In 2024, I expect to see many of these same trends continue – as well as new ones – steered by similar driving forces within cybersecurity and around the world. Below are my top cybersecurity recommendations for businesses and security leaders as we head into a new year.
- Continue prioritising implementing Zero Trust strategies, with a focus on phishing-resistant MFA
We talk a lot about Zero Trust architectures (ZTAs) at Yubico because the industry has realised that although we spend a lot of time and energy trying to prevent breaches, they still happen. And when they do, the next line of defences should minimise the impact of that breach.
ZTAs, when implemented holistically, create additional trust boundaries that limit an attacker's ability to move laterally, and their relatively short session lengths shrink the attacker's window of opportunity and their ability to maintain persistence without taking further action.
The adoption of ZTAs has also driven attackers toward post-authentication attacks (more on that later) and forced them to try to subvert preventative controls such as device registration. It is common for enterprises to require dedicated, registered devices for administrative access to the environment.
Registration of one of these devices should be a rare event – rare enough that it is appropriate to notify a broad set of operations personnel of the event so that it can be triaged and confirmed as expected and authorised.
This approach gives defenders an opportunity to detect attacks early. In fact, quite a few high-profile attacks in the last few years have been detected this way. Well-crafted alerts on rare, sensitive events, reviewed by a person, should be a pattern in most of our playbooks going into 2024.
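As an added illustration (not code from the original article or from Yubico), the following Python sketch shows the alerting pattern described above run over a constructed audit log: every sensitive identity event is checked for rarity against a 30-day tenant-wide baseline, and any such event by a privileged actor is routed to triage regardless of how common it is. The log schema, event names, roles and thresholds are assumptions made for this example, not any product's real format.

```python
"""Alert on rare, sensitive identity events (added example, not from the article).

Pattern: registration of a privileged device, or any other sensitive
identity change, should be rare enough that each occurrence is routed to a
broad set of operations staff for triage. Event names, roles and the
NDJSON schema below are assumptions for illustration only.
"""
import json
from datetime import datetime, timedelta

# Event types sensitive enough to page on when they are rare or privileged.
SENSITIVE_EVENTS = {"device.register", "mfa.factor.enroll", "admin.role.grant"}

# Constructed sample audit log (one JSON object per line); not real data.
SAMPLE_LOG = """
{"ts":"2024-01-02T09:12:00Z","event":"user.login","actor":"alice","role":"user"}
{"ts":"2024-01-03T14:02:00Z","event":"device.register","actor":"bob","role":"admin","device":"LAPTOP-7F3A"}
{"ts":"2024-01-05T10:00:00Z","event":"device.register","actor":"alice","role":"user","device":"LAPTOP-11C0"}
{"ts":"2024-01-06T10:30:00Z","event":"device.register","actor":"alice","role":"user","device":"PHONE-11C1"}
{"ts":"2024-01-10T11:00:00Z","event":"device.register","actor":"carol","role":"user","device":"LAPTOP-20AB"}
{"ts":"2024-01-18T03:41:00Z","event":"device.register","actor":"bob","role":"admin","device":"UNKNOWN-1"}
{"ts":"2024-01-18T03:42:00Z","event":"mfa.factor.enroll","actor":"bob","role":"admin","factor":"sms"}
{"ts":"2024-01-18T03:50:00Z","event":"user.login","actor":"bob","role":"admin"}
"""


def parse_log(text):
    """Parse NDJSON audit lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["_ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["_ts"])
    return events


def detect_rare_sensitive_events(log_text, lookback_days=30, rare_threshold=2,
                                 privileged_roles=("admin",)):
    """Return alerts for sensitive events that are rare or come from privileged actors.

    An event is "rare" when the same event type was seen fewer than
    `rare_threshold` times tenant-wide in the preceding `lookback_days`.
    Privileged actors always alert: an admin device registration should be
    rare by policy, so a human should confirm every one of them.
    """
    window = timedelta(days=lookback_days)
    history = []  # (timestamp, event type) of everything processed so far
    alerts = []
    for event in parse_log(log_text):
        if event["event"] in SENSITIVE_EVENTS:
            prior = sum(1 for ts, kind in history
                        if kind == event["event"] and event["_ts"] - ts <= window)
            reasons = []
            if event.get("role") in privileged_roles:
                reasons.append("privileged actor")
            if prior < rare_threshold:
                reasons.append(f"rare: {prior} prior in {lookback_days}d")
            if reasons:
                alerts.append({"ts": event["ts"], "event": event["event"],
                               "actor": event["actor"], "reasons": reasons})
        history.append((event["_ts"], event["event"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rare_sensitive_events(SAMPLE_LOG):
        print(alert)
```

On the sample log the two admin registrations by `bob` and his SMS factor enrolment are all surfaced (the second registration only because he is privileged, since by then device registration is no longer rare tenant-wide), while the routine user registrations after the baseline is established are not.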
Given the critical need for a more secure approach to cybersecurity health, every company is strongly encouraged to move beyond passwords and legacy MFA such as SMS one-time passcodes (OTPs) and push-based applications.
Governments around the world recognise that not all MFA is created equal, and adopting modern phishing-resistant MFA – including hardware security keys like a YubiKey – is a core building block of a Zero Trust strategy that will significantly enhance the security posture of organisations.
- Be prepared for attackers' continuing advances in AI-driven attacks
While generative AI has well-known benefits, bad actors can use it to write customised phishing emails at massive scale or to place scam phone calls to thousands of people at once. By automating the most time-, skill- and labour-intensive parts of running a phishing campaign, generative AI makes it possible to dramatically increase the number of attacks and lowers the bar for less capable attackers to get involved in phishing.
Modern phishing campaigns leveraging AI can start with an attacker's prompt as simple as: "Hey [virtual AI assistant], send phishing emails to all IT administrators at companies X, Y, and Z."
The risk doesn’t end there, though. Generative AI can make each social engineering attempt more potent and likely to succeed because modern AI leverages massive amounts of data to support generating realistic text and voice-based attacks, or generate a dossier on specific targets to be used in a sophisticated campaign.
For example, AI can mimic someone’s writing style or reference relevant and accurate details extracted from previous breaches. It can even create “deep fakes,” where attackers use AI to clone someone’s voice and speech patterns.
These types of attacks usually focus on convincing the victim to take action but can be mitigated by validating the request using an alternative communication path – ideally one that is known to be good.
For example, if you receive an email from a family member asking you to send them money to help them get out of a situation, call them using a phone number that you already possess for them to confirm the situation.
- Be extra cautious of increasing misinformation around global events and election campaigns in the coming year – double check your sources
AI and deep fakes will have a major impact around the world next year, and especially around disinformation to influence global events and elections. The challenge will be how to mitigate the threat of deep fakes to limit their impact.
Our common methods of consuming information and communication will need to adopt some of the ideas that have been incorporated into our Zero Trust models. For example, video content sites may need a method for viewers, or companies on behalf of the viewer, to confirm the identity of the individuals appearing in videos in order to combat concerns of deep fakes. The same needs to be true for email content.
Over the years our industry has attempted to implement systems to sign email (S/MIME and PGP among them), but they have been difficult to use and administer, and often don't work well across systems or companies.
As passkeys become more ubiquitous and the adoption of electronic federal identities becomes more common, we will have some of the basic building blocks required to increase trust in our content and communication systems using well understood and battle-hardened approaches.
Until we have something better, always double check your sources and be sceptical of content that is too good to be true or "feels off." Confirm that the official account (individual, organisation or company) is the one posting the video; on social media sites like X, Facebook and LinkedIn the verification mark on the official page indicates it is the legitimate source in question. Bear in mind that on some platforms a verification mark can be bought, so treat it as one signal rather than proof.
In order to have any meaningful impact on disinformation, governments around the world need to continue prioritising cybersecurity and partnering on cybersecurity posture.
- Adapt to the expected rise of post-authentication threats
In the last few years we have seen increased adoption of MFA, which is leading attackers to change, or at least broaden, their tactics. We have seen a return to social engineering attacks that entice victims into downloading and installing software, and a resurgence of fake but convincing web pop-ups that claim the victim's device is infected and funnel them into a familiar call-centre-based technical support scam.
Although not new, we are also seeing an increased focus on stealing browser session tokens that allow an attacker to impersonate the victim. These tokens are set after successful authentication, MFA included, and identify the authenticated user for the rest of their web session, so whoever holds a copy can act as that user without authenticating again.
In some cases these tokens are traded and sold, and can feed larger ransomware or extortion campaigns. The prevalence of token theft is driving more work on token binding: tying the token to a specific device so that a copied token is useless elsewhere, and letting defenders detect when a stolen token is presented from a different device or a different geographic location.
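As an added example, not part of the original article or any Yubico product, here is a small Python model of the token-binding idea just described: a session token is tied at issuance to a registered device key, every request must carry a fresh proof computed with that key, and the server rejects a token presented without the bound key (the copied-cookie case), rejects replayed requests, and flags a valid request that arrives from a new location. The device key is a random byte string standing in for a non-exportable key in a TPM or secure enclave (a symmetric HMAC stands in for the asymmetric signature a real deployment would use), and the request fields, class names and geo labels are assumptions for the example.

```python
"""Device-bound session tokens with theft and replay detection (added example).

Models token binding: a session token alone is not enough to act as the
user; each request also needs proof from the key of the device the token
was issued to. The device key is a random byte string standing in for a
non-exportable hardware key, and HMAC stands in for a real signature.
All names and the request format are assumptions for illustration.
"""
import hashlib
import hmac
import secrets


def _proof(device_key, token, nonce):
    # The device proves possession of its key over the token and a fresh nonce.
    return hmac.new(device_key, f"{token}.{nonce}".encode(), hashlib.sha256).hexdigest()


def make_request(token, device_key, geo, nonce=None):
    """Client side: bundle the token with a device proof.

    `geo` stands for what the server observes about the request origin
    (e.g. country from source IP); it is recorded here only for the demo.
    """
    nonce = nonce or secrets.token_hex(16)
    return {"token": token, "nonce": nonce,
            "proof": _proof(device_key, token, nonce), "geo": geo}


class SessionStore:
    """Server side: issues tokens bound to devices and verifies requests."""

    def __init__(self):
        self.device_keys = {}   # device_id -> key (a real server would hold only a public key)
        self.sessions = {}      # token -> {"user", "device_id", "geo"}
        self.seen_nonces = set()
        self.alerts = []        # what a defender would route to the SOC

    def register_device(self, device_id):
        # In practice the key is generated in hardware and never leaves it;
        # the server only learns the public half at registration time.
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def issue_session(self, user, device_id, geo):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "device_id": device_id, "geo": geo}
        return token

    def verify_request(self, token, nonce, proof, geo):
        sess = self.sessions.get(token)
        if sess is None:
            return {"ok": False, "reason": "unknown token"}
        # The same signed request being resent: reject, even if the proof is valid.
        if (token, nonce) in self.seen_nonces:
            self.alerts.append({"kind": "request_replay", "user": sess["user"], "geo": geo})
            return {"ok": False, "reason": "replayed nonce"}
        self.seen_nonces.add((token, nonce))
        expected = _proof(self.device_keys[sess["device_id"]], token, nonce)
        if not hmac.compare_digest(expected, proof):
            # Token presented without the bound device's key: the copied-cookie
            # case, where the token was stolen but the hardware key could not be.
            self.alerts.append({"kind": "token_used_from_unbound_device",
                                "user": sess["user"], "geo": geo})
            return {"ok": False, "reason": "device binding failed"}
        flags = []
        if geo != sess["geo"]:
            # Key and token are both valid but the location changed: allow, but
            # flag for review, since a device key could also have been extracted.
            flags.append(f"geo changed {sess['geo']} -> {geo}")
            self.alerts.append({"kind": "geo_change", "user": sess["user"], "geo": geo})
        return {"ok": True, "user": sess["user"], "flags": flags}


if __name__ == "__main__":
    store = SessionStore()
    laptop_key = store.register_device("LAPTOP-7F3A")
    token = store.issue_session("bob", "LAPTOP-7F3A", geo="SE")
    print(store.verify_request(**make_request(token, laptop_key, "SE")))
    # Attacker copied the cookie but has only their own key.
    print(store.verify_request(**make_request(token, secrets.token_bytes(32), "RU")))
    print(store.alerts)
```

The design choice worth noting is that the server never stores the token as a bearer credential on its own: verification always requires the per-request proof, which is what makes a copied token worthless off the device, while the geo check stays in place as a second, detection-only layer for the case where the key itself was not hardware-protected.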
- Continue improving information sharing and collaboration among CISOs
We live in a very connected world where our safety and security depends heavily on the safety and security of others. A time of crisis is never a good time to get to know your vendors, suppliers, partners, and customers. At least for a subset of the critical and strategic relationships, I recommend that CISOs and security leaders find ways to connect over more than a risk questionnaire.
It is important for CISOs to have a pre-existing relationship prior to a breach or other crisis.
- Ensure a secrets manager is used for machine and service accounts
Last year we saw quite a few high-profile breaches in which the attacker obtained key material and machine secrets that allowed them to persist and move laterally across the environment. In cloud platforms, this often means being able to attack tenants or customers. We have also seen instances where the compromised key material allowed the attacker to establish a trust relationship between an attacker-controlled device and the victim company's environment.
In many cases these credentials were not protected from theft, so the attacker could simply copy them out of the environment and use them from wherever they pleased. A secrets manager, ideally backed by a hardware security module (HSM) from which keys cannot be exported, mitigates the threat of theft, although not of abuse.
It does, however, force attackers to perform their operations from within your environment, where each use of the secret can be logged and attributed. That gives you a much better chance of detecting and responding to the breach.
Attackers will certainly continue evolving and adapting to keep up with how cybersecurity postures change among businesses and consumers around the world, and we must do the same. It is clear we are seeing some big wins when it comes to stopping attacks like phishing, and we are actively seeing bad actors change their strategies in response.
I am more hopeful than ever for the bright future and the opportunities at hand. We must never rest on our laurels; we must remain diligent in our efforts around cybersecurity hygiene and keep moving toward tools known to stop attacks, such as phishing-resistant MFA. Here's to a new year filled with new, active efforts to improve cybersecurity globally.