2024 Vision: Unveiling the Top Threat Intelligence Predictions That Will Shape the Future
By Chris Jacob
Well, it’s that time of year again. With the new year comes new threat intelligence predictions. Sometimes it seems these posts are simply a cut-and-paste job from year to year. I’m going to do my best to avoid that here. Let’s take a look back at some of our past predictions.
If we jump in our time machine and head all the way back to 2020, one of the things we talked about was the rise of attacks against cloud infrastructure. Specifically, the idea was that multi-tenant systems would become an attack vector for infecting “the entire herd.” That has proven out, and as usual the adversaries are becoming more and more creative in their TTPs. Take, for instance, the idea of grabbing customer tokens from a SaaS company’s support teams.
We’ve seen attacks against cloud-based SaaS platforms over the past few years, and I don’t see that changing in 2024. While a ransomware attack against on-prem infrastructure gives the attacker room for lateral movement, capturing and encrypting a few key systems in a SaaS platform can often offer the same amount of leverage for ransom. This is further complicated by the fact that the victim could be the SaaS vendor, the customer(s) of that vendor, or a combination of both.
While the onus is on the SaaS provider to maintain the security of their product, there are simple steps customers can take to help mitigate the risk: enforcing multi-factor authentication on every account, regularly scheduled audits of users, tokens and integrations, and generally working with the vendor to establish good security practices.
Machine Learning & AI
The year 2023 was almost certainly the year of AI/ML. It’s been exciting to watch the rapid development and creative application of Artificial Intelligence and Machine Learning in general. That said, we are still squarely in the hype-cycle of this technology. This coming year should go a long way to helping us establish better definitions, separate truth from fiction, and ultimately get down to doing some really helpful things.
There has been a lot of fear around using generative AI to craft better phishing attacks. I have long said that the idea of phishing being easy to detect based on bad grammar and punctuation is a dangerous sense of false hope. Spellcheck, grammar check, and even the ability to identify tone have been built into products for years. Perhaps we can call what they do AI now, but that feels a bit disingenuous.
The battle we continue to wage against phishing, I hate to say it, is going to continue to be largely based on tried and true approaches such as leveraging the MITRE ATT&CK framework and taking a sound approach to threat intelligence management.
But wait… What about all the AI that every security vendor has been shouting from the rooftops about? Unsurprisingly, I have some thoughts on that as well. I think the most promising short term use for ML/AI in security products is best discussed alongside my favorite topic, and that of course is automation.
The best implementation of automation starts with having an established and documented process. Once you have that, you can begin to look for manual tasks within that process that could be automated. If we sprinkle on the magic of AI, the opportunity for automation begins to grow even further.
Consider an analyst who’s tasked with reviewing long-form intelligence reports and pulling out the names of the specific adversaries, malware families, etc. that your team is tracking in your threat intelligence platform (TIP). Since you’ve already identified those important components, you can leverage NLP, a form of artificial intelligence, to identify that data in the reports, pull it into the TIP and even automatically relate associated MITRE ATT&CK data such as TTPs.
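To make the report-to-TIP step concrete, here is an added example (not code from the original post or from any particular TIP vendor) that walks a constructed intelligence report, pulls out the adversaries and malware families a team already tracks, maps keywords and explicitly cited IDs to ATT&CK techniques, and relates each adversary to the techniques and malware mentioned in the same sentence. The watch-lists, the keyword-to-technique table and the sample report are all constructed for illustration; the keyword table is a deliberately simple stand-in for a trained NLP model, and the ATT&CK technique IDs used are the real public ones (T1566 Phishing, T1078 Valid Accounts, T1486 Data Encrypted for Impact, T1059.001 PowerShell).

```python
import json
import re

# Constructed watch-lists standing in for the objects a team already tracks in its TIP.
# Keys are lower-cased aliases, values are the canonical TIP object name.
TRACKED_ADVERSARIES = {
    "apt29": "APT29",
    "cozy bear": "APT29",   # well-known public alias for the same intrusion set
    "fin7": "FIN7",
}
TRACKED_MALWARE = {
    "cobalt strike": "Cobalt Strike",
    "lockbit": "LockBit",
}
# Keyword -> ATT&CK technique. The IDs are real ATT&CK identifiers; the keyword
# triggers are a constructed stand-in for a trained NLP entity model.
TECHNIQUE_KEYWORDS = {
    "phishing": ("T1566", "Phishing"),
    "spearphishing": ("T1566", "Phishing"),
    "stolen credentials": ("T1078", "Valid Accounts"),
    "valid accounts": ("T1078", "Valid Accounts"),
    "encrypted": ("T1486", "Data Encrypted for Impact"),
    "ransomware": ("T1486", "Data Encrypted for Impact"),
    "powershell": ("T1059.001", "PowerShell"),
}
# Matches technique IDs an author cites directly, e.g. "T1078" or "T1059.001".
TECHNIQUE_ID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed sample report (not a real advisory).
SAMPLE_REPORT = (
    "Cozy Bear (APT29) sent spearphishing emails to a SaaS provider's support desk "
    "and then logged in with stolen credentials (T1078) to harvest customer tokens. "
    "Separately, FIN7 deployed Cobalt Strike via PowerShell and encrypted the file "
    "servers with LockBit ransomware before demanding payment."
)


def _has_term(text_lower: str, term: str) -> bool:
    """Whole-word, case-insensitive match so 'fin7' does not fire on 'fin71'."""
    return re.search(r"\b" + re.escape(term) + r"\b", text_lower) is not None


def _find_terms(text: str, table: dict) -> set:
    """Return the canonical names of every tracked alias found in text."""
    lower = text.lower()
    return {canonical for alias, canonical in table.items() if _has_term(lower, alias)}


def _find_techniques(text: str) -> dict:
    """Map technique ID -> name for keyword hits and explicitly cited IDs."""
    lower = text.lower()
    found = {tid: name for term, (tid, name) in TECHNIQUE_KEYWORDS.items() if _has_term(lower, term)}
    for tid in TECHNIQUE_ID_RE.findall(text):
        found.setdefault(tid, "ATT&CK ID cited in report")
    return found


def extract_entities(report: str) -> dict:
    """Document-level extraction: everything tracked that appears anywhere in the report."""
    return {
        "adversaries": sorted(_find_terms(report, TRACKED_ADVERSARIES)),
        "malware": sorted(_find_terms(report, TRACKED_MALWARE)),
        "techniques": dict(sorted(_find_techniques(report).items())),
    }


def build_tip_objects(report: str) -> dict:
    """Entities plus (adversary, 'uses', technique-or-malware) relationships.

    Relationships are only asserted within a single sentence, so a technique
    described in one paragraph is not blindly attributed to an actor named in another.
    """
    relationships = []
    for sentence in re.split(r"(?<=[.!?])\s+", report):
        actors = _find_terms(sentence, TRACKED_ADVERSARIES)
        if not actors:
            continue
        targets = sorted(_find_techniques(sentence)) + sorted(_find_terms(sentence, TRACKED_MALWARE))
        for actor in sorted(actors):
            for target in targets:
                relationships.append((actor, "uses", target))
    return {"entities": extract_entities(report), "relationships": relationships}


if __name__ == "__main__":
    print(json.dumps(build_tip_objects(SAMPLE_REPORT), indent=2))
```

The sentence-scoped relationship rule is the part worth keeping even after a real NLP model replaces the keyword table: a report that describes two different crews should not end up with every technique related to every adversary in the TIP, and reviewing the generated relationships before they are committed is still an analyst task.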
I’m sure we will revisit this next year and see how we did with our 2024 threat intelligence predictions.