As the saying goes, it’s tough to make predictions, especially about the future. And yet everyone tries—whether for planning or in the naive hope of not getting caught off-guard this time. While we do have our own modest tradition of end-of-year prediction posts on this blog, we look to the experts to help us make informed guesses about what’s coming.
This year, Invicti’s CTO and Head of Security Research, Frank Catucci, and Invicti Chief Architect, Dan Murphy, sat down for a retrospective fireside chat about the ending year and the trends they expect to continue into 2024. They covered a lot of ground in their typical casual style and the full recording is well worth checking out (see below), but three main trends kept cropping up as things that will shape security in 2024. If even half of these predictions come to pass, we’re in for a busy and noisy year.
Reason #1: Yes, it’s AI (but not in the way you might think)
Nobody doubts that the generative AI explosion in 2023 was a technological game-changer. Yet behind the “make it more” cat posts and the increasingly surreal LLM prompt injection methods, a less visible but far more impactful AI revolution is going on: supercharged application development. With integrated AI coding assistants like Copilot, developers can become far more productive, adding yet another accelerator to agile application development that’s already moving faster than ever—often much faster than security.
While AI assistants can and do directly contribute to vulnerabilities by generating insecure code suggestions, the prospect of suddenly pumping, say, five times more code into the same pipeline is a far greater security headache. If a new feature gets implemented much quicker than before, you can bet there will be business pressure to release it faster and make money faster, leaving less time for QA and security testing. All the testing tools you use to automate the process will now have to handle more code, generating more results to review and address in a shorter time frame. And if the AI-generated code is buggier or less secure than expected, you may have to deal with yet more bugs and vulnerabilities on top of the sheer volume increase.
There’s a very real risk that in 2024, application security will feel the strain of AI-boosted development, and not just because your own devs are now moving faster. The same AI tools are available to attackers, including malware and exploit authors, letting them work faster and churn out more variants that slip past signature-based detection. Combined with the bad guys usually having more resources and fewer limitations, we can expect shorter times to compromise, a greater variety of attacks, and more unfamiliar signals for SOC personnel to investigate.
In testing and detection, 2024 may well see security tools generating more alerts from more inputs than ever, making alert noise the top challenge for security professionals and developers alike.
Reason #2: New model attacks combining all the buzzwords
The MOVEit Transfer hack and subsequent data breaches affected several thousand organizations and hundreds of thousands of individuals whose data was leaked. We have dissected the inner workings of the attacks and discussed the broader implications of the breaches as they unfolded. Apart from its sheer scale, the attack was notable for combining many techniques and vectors in a way that reads like an A to Z of cybersecurity and shows a likely direction for future mass breaches.
For starters, the MOVEit Transfer attacks targeted a third-party application for secure file transfer that was widely used by enterprises and government organizations. Living on the boundary between public and protected systems, such software is the gatekeeper of sensitive data, making it a high-profile target. To compromise the app, attackers cleverly chained together several vulnerabilities that, taken in isolation, would each have looked far less dangerous: SQL injection, insecure deserialization, and insecure access to an internal API. While the vast majority of database operations in the application were secure, the attackers managed to find and target one of the few places vulnerable to SQL injection.
Putting all the pieces together allowed for remote code execution (RCE) and the deployment of a web shell for remote access. The attack was a perfect storm of application security risks: a third-party app trusted with sensitive data, innocuous vulnerabilities chained into a devastating RCE attack, a single piece of software being used to compromise thousands of organizations, just one insecure place in the code giving attackers a way in, an insecure API endpoint… The list goes on, not to mention the financially motivated attackers threatening to publicly release sensitive data rather than encrypt or delete it, as with more traditional ransomware operations.
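The point about "just one insecure place in the code" is easy to underestimate, so here is an added illustration (not code from the post, and not MOVEit Transfer's implementation, which is not shown here). It uses Python's built-in sqlite3 module and a constructed users table: dozens of queries can be written with bound parameters, but a single query that concatenates user input is enough to hand an attacker the whole table and the schema behind it. The payloads, table, and function names are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not a real MOVEit schema or data.
SAMPLE_USERS = [("alice", "user"), ("bob", "user"), ("svc_admin", "admin")]


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_safe(conn, username):
    """The pattern used by the 'vast majority' of queries: a bound parameter.
    Whatever the input contains, the database compares it as one string value."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_vulnerable(conn, username):
    """The one place that concatenates input into SQL. For ordinary usernames it
    behaves exactly like lookup_safe, which is why it survives review and QA."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# Payloads an attacker would try against a lookup endpoint (constructed examples).
# The trailing '--' starts an SQL comment that swallows the closing quote.
BYPASS_PAYLOAD = "' OR role = 'admin' --"
SCHEMA_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"


def compare(username):
    """Run the same input through both query styles and return the rows each yields."""
    conn = make_db()
    try:
        return {
            "safe": lookup_safe(conn, username),
            "vulnerable": lookup_vulnerable(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, payload in [("bypass", BYPASS_PAYLOAD), ("schema dump", SCHEMA_PAYLOAD)]:
        result = compare(payload)
        print(f"{label}: safe={result['safe']} vulnerable={result['vulnerable']}")
```

For a normal username both functions return the same row, so functional tests pass. With the bypass payload the parameterized query returns nothing, while the concatenating one returns the admin account; with the UNION payload it returns the table definition, which is how an attacker maps the rest of the database before moving on to the next link in the chain.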
Cybercriminals are looking for maximum returns from their attack investments, so it’s likely that 2024 will see more attacks on widely used third-party applications (like MOVEit Transfer or SolarWinds Orion) or software components (like Log4j). APIs are fast becoming the main attack surface, and RCE continues to be the ultimate prize. Let’s prepare some headline templates for 2024: “Thousands breached through RCE via insecure API endpoint in popular **** app.” Replace “app” with “library” as applicable and season to taste with AI. There, 2024 blog sorted.
Reason #3: A year of elections and mounting geopolitical tensions
At the risk of stating the obvious, the intensity of cyberattacks is strongly correlated with conflicts in the physical world, and while 2023 was already a hectic year in geopolitics, it was only setting the stage for 2024. With the globalization and global cooperation lever now firmly stuck in reverse gear and multiple economic, military, and social conflicts coming to a head or already in progress, cyberwarfare will be high on the agenda, as will opportunistic cybercrime.
By a trick of the calendar, 2024 will see elections in dozens of countries across the globe, including the US. This will mean months of heated electoral campaigns, tense and often contested elections, and equally nervous transfers of power—all this on top of cyberwarfare and hacktivism related to ongoing and upcoming conflicts. Probes and attack attempts are likely to increase drastically, bombarding security staff with yet more real and false alerts. Considering that the vast majority of initial attack traffic is automated, the noise will affect all applications and, by proxy, all the organizations that run them.
Apart from attacks against specific applications like MOVEit Transfer, 2023 also saw several of the most intense distributed denial of service (DDoS) attacks ever recorded. Exploiting the HTTP/2 Rapid Reset vulnerability, attackers were able to generate unprecedented request volumes from relatively small botnets: a client opens a stream and cancels it immediately, so the server pays the cost of processing each request while the client’s concurrent-stream limit never fills up. Thanks to cooperation between major cloud service operators and their quick response, these attacks passed unnoticed for most Internet users, but what if the attackers were just watching and learning? The underlying weakness is in HTTP/2’s stream cancellation mechanism itself and cannot be removed without redesigning the protocol, so remediation focused on patching and reconfiguring web servers, load balancers, and other appliances to detect and cut off abusive clients.
Any site or service running without the Rapid Reset fixes and outside the protective umbrella of a handful of big infrastructure providers could be DoSed into oblivion in a matter of seconds. As the global situation unfolds, threat actors motivated by financial, political, military, or ideological reasons may well weaponize this and other vulnerabilities against specific organizations, groups, or even states. Meaning, once again, more probes, more late-night incident response scrambles, and more daily security alert noise.
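To make the "Rapid Reset fixes" concrete, here is an added example of the kind of per-connection logic those patches introduced. It is illustrative code written for this post, not the mitigation from nginx, Envoy, or any other server, and the window length and thresholds are assumed values; real implementations choose their own knobs. The traces are constructed: a benign client that occasionally cancels a request, and an attacker opening and resetting a thousand streams in about ten milliseconds.

```python
from collections import deque


class ResetStormGuard:
    """Per-connection HTTP/2 guard (illustrative; not any server's actual code).

    Counts client-opened streams (HEADERS) and client cancellations (RST_STREAM)
    in a sliding time window. A client that cancels a large share of the streams
    it opens, at a high absolute rate, matches the Rapid Reset pattern: every
    request costs the server work, while the reset frees the client's stream
    slot instantly so the concurrency limit never throttles it. The defence is
    to count resets per connection and close the connection, not just the stream.
    """

    def __init__(self, window_s=1.0, min_resets=100, max_reset_ratio=0.5):
        self.window_s = window_s                # sliding window length (assumed)
        self.min_resets = min_resets            # absolute reset count before acting
        self.max_reset_ratio = max_reset_ratio  # resets / streams opened in window
        self.opened = deque()                   # timestamps of opened streams
        self.resets = deque()                   # timestamps of client resets
        self.open_streams = set()

    def _expire(self, now):
        cutoff = now - self.window_s
        while self.opened and self.opened[0] < cutoff:
            self.opened.popleft()
        while self.resets and self.resets[0] < cutoff:
            self.resets.popleft()

    def observe(self, frame_type, stream_id, now):
        """Feed one client frame; return True if the connection should be closed."""
        self._expire(now)
        if frame_type == "HEADERS" and stream_id not in self.open_streams:
            self.open_streams.add(stream_id)
            self.opened.append(now)
        elif frame_type == "RST_STREAM" and stream_id in self.open_streams:
            self.open_streams.discard(stream_id)
            self.resets.append(now)
        n_reset = len(self.resets)
        n_open = len(self.opened)
        return n_reset >= self.min_resets and n_reset / max(n_open, 1) >= self.max_reset_ratio


def run_trace(frames, guard=None):
    """Return the index of the frame at which the guard closes the connection, or None."""
    if guard is None:
        guard = ResetStormGuard()
    for i, (frame_type, stream_id, ts) in enumerate(frames):
        if guard.observe(frame_type, stream_id, ts):
            return i
    return None


# Constructed traces: (frame type, stream id, timestamp in seconds).
def benign_trace():
    """200 requests over one second; a handful are cancelled, as browsers do."""
    frames = []
    for i in range(200):
        sid = 2 * i + 1                   # client-initiated streams use odd IDs
        t = i * 0.005
        frames.append(("HEADERS", sid, t))
        if i % 40 == 0:
            frames.append(("RST_STREAM", sid, t + 0.001))
    return frames


def rapid_reset_trace():
    """1000 streams opened and immediately reset within about 10 ms."""
    frames = []
    for i in range(1000):
        sid = 2 * i + 1
        t = i * 1e-5
        frames.append(("HEADERS", sid, t))
        frames.append(("RST_STREAM", sid, t + 1e-6))
    return frames


if __name__ == "__main__":
    print("benign trace closed at frame:", run_trace(benign_trace()))
    print("rapid reset trace closed at frame:", run_trace(rapid_reset_trace()))
```

The benign client never trips the guard, because five cancellations in a second are both rare and a small fraction of its requests. The attacker is cut off after its hundredth reset, a few hundred microseconds in, long before it can pile up enough work to matter. Without a rule of this shape the server keeps honouring every new stream, which is exactly the exposure of an unpatched host outside a large provider's umbrella.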
AI to the rescue? Sure, once it stops making its own noise
Reading through all this doom and gloom, you may be wondering if there’s any positive outlook at all for 2024—maybe AI can save the day? After all, if AI can generate a lot more work for security teams, then surely AI can also help them do some of that work? Well… Yes and no. The problem with generative AI (which is what the current boom is all about) is that you can never be quite certain of the results. In other words, it is inherently noisy and of limited use whenever you need exact data to make quick and accurate decisions.
Without spreading too much FUD, 2024 will likely be a year of security alert noise rising to new levels for all the reasons listed above and more. Even more so than today, the main challenge will be deciding what is real and what to prioritize. For its part, Invicti helps to cut down on the noise in application security testing with its proof-based scanning, but the approaching flood of probes and attacks will affect everyone in all areas of cybersecurity.
If you haven’t already, be sure to check out Frank and Dan’s review of 2023 for even more insights and expectations for 2024. Tl;dr: It’s gonna get loud.