With generative AI taking the world by storm in 2023, what can AI and smart automation mean for cybersecurity in 2024?
At the end of 2023, CybersecAsia managed to catch up with Kunal Anand, CTO and CISO, Imperva, for his take on cybersecurity trends in 2024, especially with the rise of generative AI and other automated tools in the cybercriminal’s arsenal.
With 2023 being dubbed the Year of AI, especially generative AI, what are the likely threats arising from both the increasing use of AI tools by both corporate users and bad actors?
Kunal Anand (KA): The increasing integration of AI tools by corporate sectors and malicious parties brings potential benefits and dangers. These sophisticated general-purpose AI models are designed to replicate human cognition, problem solving and creativity, intending to reflect human intellect in various contexts.
However, the possibility of misusing these systems to detect and exploit vulnerabilities in computer systems poses a substantial threat. Such exploitation affects businesses and their key stakeholders, including shareholders, employees, customers, and partners.
Critical threats from the growing use of AI tools include:
- Data privacy and security breaches: Enhanced AI capabilities in processing and analyzing large datasets heighten the risk of data breaches and privacy infringements. Companies may inadvertently leak sensitive information, while malevolent actors could employ AI to pinpoint and manipulate security weaknesses.
- Automated hacking and cyber-attacks: AI’s ability to automate and refine cyber-attacks escalates their sophistication and difficulty in detection. This encompasses AI-powered phishing, ransomware assaults, and the exploitation of system vulnerabilities.
- AI-driven fraud: Demonstrated by AI’s proficiency in cracking CAPTCHAs, these tools can now enable fraud on an unprecedented scale and complexity, impacting financial systems, e-commerce, and the security of personal identities.
What other developments in 2023 do you think would continue to be trending in cybersecurity in 2024?
KA: The imminent obsolescence of CAPTCHAs as a security measure signifies a significant shift in the cybersecurity landscape due to AI advancements. Once reliable for distinguishing humans from machines, these Turing tests are becoming increasingly ineffective as deep learning algorithms, such as visual object detection, advance, enabling automated systems to bypass such tests easily. To adapt, alternative methods like analyzing web page interactions or peripheral usage are being considered to identify human users more effectively.
Another significant issue is API abuse and business logic attacks. The growing use and proliferation of APIs and a lack of detailed visibility into each API call and the data flowing through them pose substantial risks for data leakage. Rapid development cycles often mean APIs are deployed into production with insufficient review, cataloging, or security assessment, leaving vulnerabilities unaddressed. The direct connection of many APIs to backend databases, where sensitive data is stored, makes them attractive targets for hackers seeking access to applications and databases to exfiltrate sensitive information.
Software supply chain attacks are also rising, highlighted by recent incidents like exploiting a critical flaw in MOVEit Transfer. This trend underscores the importance of securing the entire digital landscape, including third-party suppliers, to mitigate these risks. Companies must assume responsibility for the security of their entire digital environment, regardless of whether the components are developed in-house or integrated from external sources. This involves implementing comprehensive controls to monitor and protect assets.
The responsibility extends beyond third-party risk management. Organizations should pressure vendors to provide thorough vulnerability reports, including an unredacted software bill of materials (SBOM). This is crucial for demonstrating compliance and identifying potential supply chain threats, ensuring a more secure and resilient digital ecosystem.
Do you see new threats arising from organizations moving into the ‘phygital’ space and the metaverse?
KA: Attacks targeting devices like Meta’s Oculus or Apple’s upcoming Vision Pro are not expected to introduce new short-term threats. These devices are extensions of existing computing platforms, differentiated mainly by their unique user experiences.
When considering the metaverse, especially in the context of Web 3.0, there are several noteworthy threat vectors to consider:
- Data privacy concerns in more complex environments: The metaverse and ‘phygital’ (physical + digital) interactions will involve collecting and processing large volumes of personal data, including biometrics and behavioral patterns. This poses substantial privacy concerns, particularly regarding how this data is stored, utilized, and shared.
- Identity theft and avatar fraud: In the metaverse, identity theft risks could evolve into avatar fraud, where malicious actors may impersonate individuals’ virtual personas. This could lead to fraudulent activities or the spread of misinformation within these digital realms.
- Tokenized asset security: With tokenizing physical assets (such as real estate) in the metaverse, new risks emerge around property theft and fraud. This shift necessitates novel asset protection forms and mechanisms for resolving disputes in these virtual environments.
- Increased attack surface for businesses: Integrating physical and digital platforms in the metaverse significantly expands the attack surface for organizations. This exposes them to broader cyber threats and underscores the need for more robust and comprehensive cybersecurity strategies.
While the core technologies may not be entirely new, their application within the metaverse and Web 3.0 contexts introduces unique challenges and security considerations.
How should organizations in APAC today prepare to address the cybersecurity challenges in 2024?
KA: In 2024, we face many evolving threats amidst a significant technological transformation. The nature of applications has transformed; where web applications once dominated, APIs now constitute 80% of all internet traffic, a dramatic increase from the 20% pre-Covid era. This rapid change within just three years underscores the urgent need to develop new strategies for API protection. Many companies have thousands of unidentified APIs, posing a critical challenge for CIOs who must prioritize their discovery and management.
The accelerated digital transformation during the COVID-19 pandemic has also heightened general data risks. Many organizations rushed their modernization efforts but now face uncertainty about the whereabouts of their sensitive data. This lack of visibility becomes a significant concern if an attacker gains access to this data – how can one identify what was compromised without knowing where it was located in the first place?
Organizations must rethink their approach from first principles. Relying on current controls and strategies may not suffice. There’s a need for a comprehensive reevaluation of investments across networks, cloud services, applications, and data workloads.
The emerging threat landscape is increasingly characterized by sophisticated bots that mimic human behavior, demanding innovative solutions to effectively identify and mitigate these threats. Therefore, organizations should proactively adapt and re-strategize to confront these new challenges in the evolving digital landscape.
