Security operations · 3 MIN READ · AARON WALTON · JAN 23, 2024 · TAGS: Expel report / MDR
Identity attacks were up last year, “qishing” is a new big thing, and watch out for AI in 2024.
2023 was a busy year for cyberattackers, which means it was a busy year for us and, we’re guessing, security operations centers (SOCs) everywhere.
Each year around this time, we release our Annual Threat Report (ATR), which notes and discusses the major trends we saw in our customers’ operations over the past 12 months. This time, we’ve also asked some of our top security minds to weigh in on what they expect over the next 12.
So, without further ado…
Top three cybersecurity findings and trends of 2023
Most incidents aren’t on the endpoint—identity-based incidents were the #1 incident type (for the third year in a row). Identity threats accounted for 64% of all incidents our SOC investigated and increased in volume by 144% from last year.
Stolen or leaked credential (aka secret) exposure is the biggest and most frequent risk for cloud infrastructure. Exposed secrets were the leading cause in 42% of all cloud infrastructure incidents we handled in 2023.
More than half of all malware incidents presented an immediate, significant risk—including risks of pre-ransomware activity or exfiltration. Pre-ransomware accounted for 57% of the malware incidents our SOC investigated.
What can you expect in the next year (and beyond)?
Greg Notch, Chief Information Security Officer:
Identity has been and will continue to be the frontier for risk. With location and infrastructure control no longer core places where security controls are added, access and identity controls are the new firewall. Adding to this complexity is the rise of large language models (LLMs) and generative AI technology, making the determination and re-validation of someone’s identity much more difficult (for example, onboarding a remote employee or doing a password reset in a world with deepfake video tools). We’re just starting to see the class of problems where third parties are given access to company systems with no real way to validate identity.
Steve Edwards, Director, Detection and Response:
Phishing will continue to remain prevalent as both an effective and inexpensive means for attackers to compromise organizations. This isn’t really a technical vulnerability, but a human vulnerability. Phishing, at its core, is simply one human lying to another. Whether the adversary’s desired outcome is credential harvesting or deploying malware, the crux of the attack is convincing the target to do something they know they shouldn’t. Since there is no Patch Tuesday for the human OS, security leaders will need to continue finding ways for humans to fail safely. Hardened credentials, modern EDRs, and closely monitoring for signs of compromise continue to be the critical “basics” for building a security program.
Christine Billie, Detection and Response Manager:
I firmly believe that looking forward through the windshield should be prioritized for any security organization, but I’m always wary of what can happen if we fail to periodically check the rearview mirror. This is especially important given the recent trend of attackers recycling “old” attack vectors that newer analysts may not have seen yet, and are least expecting. For example, our managed phishing service saw a homoglyph attack this year—and it’s unlikely that many of our customers’ security teams have seen this tactic before. We also recently saw an attempted HTML injection attack from a threat actor who was hoping that email subject lines would not be sanitized or converted to plain text prior to being ingested and parsed. While both of these are considered “old school” attacks by seasoned security professionals, it’s a fun opportunity for SOC managers to take trips down memory lane to teach analysts about attack vectors that aren’t necessarily new or trendy, but still potentially lethal.
Oscar De La Rosa, Detection and Response Analyst:
Last year was AI’s coming-out party. In 2024, we should expect to see it play a larger role, as it can streamline some of the attacker’s infrastructure. From enabling better social engineering attacks (phishing, smishing, vishing) or just helping with the increased deployment of malicious activity, we can already see it being integrated within more attack flows. I also think that adaptation for security controls and tools should follow, helping operators with all sorts of critical tasks. Implementation will be paramount for minimizing dislocations for security professionals and end users. With all of that being said, we should keep in mind the basic tenets of proper security practices for end users. Ongoing monitoring of conditional access, MFA, and application-review policies are great things to always have up to date within any system.