Episode Transcript
Transcript is AI generated. There are errors. Additionally, this was recorded in a busy restaurant, so some of the transcripts attribution on who was talking is incorrect, b/c the two microphones were close enough to pick up cross talk.
David: [00:00:00] Welcome to the Security of Serengeti. We're your hosts, David Keener. Stop what you're doing and subscribe to our podcast and leave us an awesome five star review and follow us at SerengetiSec on Twitter.
Matthew: We're here to talk about the 2024 security predictions and hopefully provide some insight, analysis, and maybe correct predictions that you can take in the office to help you protect your organization.
David: And as usual, the views and opinions expressed in this podcast are ours and ours alone. Do
Matthew: Do not expect the
David: or opinions of our employers.
Matthew: I predict this year will cross the 10 listener threshold, putting us in the top ranks of podcasts with such luminaries as Bob's Fly Fishing Spectacular and Lisa Lisa's My Little Podcast about ponies.
David: Hey, that's my
Matthew: I listen to it every day. I
David: I should have included her predictions about ponies in this, this episode.
Matthew: This year, more ponies will be born. It's in the same, I mean it's basically the same level of prediction as we're about to talk about.
David: about. And little girls will love ponies. Little girls
Matthew: love ponies. This is the top 24 security predictions for 2024.
[00:01:00] This is from GovTech. com, which is a blog we've never covered before.
David: covered before. It's
Matthew: Gov in it, so it's gonna be wrong.
David: be
Matthew: me.
David: And
Matthew: The author Dan Lowerman collected 24 other articles about predictions for 2024. We're summarizing a summary. Because going through all 24 other articles would be wild.
David: Well, we're kind of summarizing it, so we picked three each,
Matthew: Yeah.
So
David: we're gonna provide a summary of three different group predictions,
Matthew: Yeah, we tried to find the most the most interesting ones. Well, you did.
David: I just picked mine at random.
Matthew: I tried some that were interesting, that looked interesting from his description, and then when I actually went into the article to look, I was like, oh.
There's one where I was like, A. I. is going to transform cyber insurance, and you go in there and it says A. I. is going to help cyber insurance make better risk ratings. That's not transformative. Anyways so here are some of the overall themes. More effective cyber attacks. Shocking. I can't believe it.[00:02:00]
More A. I. used in attacks. I'm really going out on a limb
David: Yep. This guys are stretching it.
Matthew: Shadow AI. This one actually is kind of interesting. A lot of companies seem to be taking it careful and slow on the AI thing, and I know that users especially if they're not supposed to be using AI, they can use it to boost their performance.
I mean, that
David: doesn't really surprise me, because we've been talking about I mean, the whole purpose behind a, well, one of the ideas behind a CASB is to be able to find out what SAS solutions people within your company are using.
So this is the same thing. It's just, it's, because the AI is the SAS, essentially. So it's just that's again, more of the same, I would
say.
Matthew: say.
For now. I can't wait till they get the models down to the point where you can run it on your phone and run a private one. Hmm. See, you can really train it on what you care about, what you want. Don't have to provide that backup to the companies. Yeah.
More regulations and laws. Governments passing more laws?
I, I, I can't even.
An increase in deepfakes, BEC,
attacks against LLMs, election related cyberattacks.
It does look like [00:03:00] most of these are not really verifiable and are pretty safe. I mean, it's an election year. Cyberattacks are an election
David: Well,
it's funny because I've heard from more than one place that 40 percent of the planet
Matthew: is
David: going to actually vote this year. In some kind of
Countrywide
Matthew: election.
Interesting. So, there was one kind of wild one predicted more cyberattacks in space. There were no black swan predictions, which I kind of get the whole point of a black swan event as it's difficult to guess, but come on, take a chance. Predict something wild.
David: Well, I think you did in the opening statement.
Matthew: All right. First one. We're gonna take one of mine. Trend micro security predictions for 2024. There were a bunch of them in here, but I picked out three that looks kind of interesting. The first one I think is the most interesting, but they spent like a paragraph on it. They had no details, but cloud native worm attacks.
So we've all seen worm attacks in the past where, you know, it exploits a service. It remotely scans the Internet, finds other services, exploits those services. So what they're talking about here [00:04:00] is they're talking about automated scripts that exploit, create new machines in the cloud. Okay. And then recon lateral movements, all automatically.
I think personally that's kind of terrifying, because right now, like the old style worm attacks, they required existing systems. This one builds its own systems. Like, I didn't
David: Right, so it's building its own attack platforms. And if you're talking about worming it, not just within a company, but imagine just across the entire a wormable
Matthew: or a worm like this That
David: attacks not just a company in AWS,
Matthew: AWS itself.
So
David: any organization that's running an AWS instance, where you could spin up a
Matthew: serverless instance. Yeah. Throw this out, and this could,
David: And imagine if that's,
Matthew: they turn that
David: into like a DDoS attack
Matthew: attack platform or something. Who knows what those things are. Take down the whole cloud. Or each, like a specific cloud.
AWS or something. I mean,
David: they're probably going to
Matthew: just spin up crypto miners. It's
David: going to be
Matthew: out of my
David: crypto miner generation
Matthew: there's a thing later about this. We'll, we'll talk about this more in detail because there's another prediction that I [00:05:00] think collides with this. That is interesting. Data weaponized against machine learning models.
We've talked about data poisoning before, but they had some specific outcomes that I thought were interesting. One of these or two of these are ones we talked about before, but number one, manipulate the language model to reveal internal information. That's kind of interesting. Allowing adversaries to write malicious instructions to the LLM.
We talked about that the other day with the I don't remember what it was called. There's some article about creating agents double agents inside the LLMs that we talked about. Deliver biased content to the end users? That would be interesting. I almost wonder I mean, there's some obvious ones where, like, political folks will try and bias a model to deliver, you know, something like Nazi supporters would, like, change Wikipedia's LLM to be like, Hitler was a hero, or something like that, but Well, I think we had
David: talked about this before, actually, where we're saying if you could poison
Matthew: the
David: AI model for a competitor of yours, you could
Matthew: influence
David: them to make wrong decisions, which would hurt [00:06:00] them or help
Matthew: or both. Well, there's, and there's, yeah, and ways to help you. Like, like, recommendation engines to recommend movies and stuff. We talked a little bit about that with the AIs, like selling ads and, yeah. Fraud detection and blue team tools can be fed bad info to hide attacker actions.
So. It's
David: like AI rootkit.
yeah,
Matthew: Yeah, I
don't, I haven't really thought deeply about that one. But yeah, if there's some way where you could, if you knew you were going to attack a company, like you could start throwing noise their way before the attack started.
David: Well, imagine this though,
Matthew: thinking
David: about AI root kit.
Matthew: So
David: when you're doing security, everybody wants that single pane of glass, right?
Well, it's supposed an attacker When they initially compromise an organization,
Matthew: if
David: we are, we're at the point where AI is basically running socks. by doing the detection and everything. Imagine that they compromised the AI so that at the sim level you will [00:07:00] never get an alert on any other actions from the sim because the sim has effectively been compromised kind of like a rootkit does by hiding all your actions.
Matthew: Yeah, yeah. The third prediction was attackers moving to hit blockchain. Despite crisp crypto seemingly sputtering out over the last few years, apparently companies are moving to use blockchain for supply chain management and an intracompany accounting. One of the proposed attacks they had was seizing the admin right to the chain to modify and erase entries.
But I thought the whole point of the blockchain was that you can't change it. Yeah. But I guess maybe a private blockchain could be different. I don't know. Well, they
David: may be
Trying to take advantage of loopholes that people build into their own private blockchains because they don't necessarily want them to be immutable. Which kind of defeats the point.
Matthew: Yeah, why use a blockchain over something else? Why not just use a database at that point? Spreadsheet. Yeah. Another was to seize control of enough validators to encrypt it or mess up with the blockchain, basically DDoS it, or ransomware it. [00:08:00] So, that was a little interesting.
I don't know, I was kind of disappointed with these,
but
David: they're not
Matthew: terrible.
David: They're
Matthew: And not as bad as one of the later ones. Not as
David: not as the ones that I randomly chose I would say. But the next one was because Kaspersky's Advanced Persistent Threats Prediction for 2024.
Matthew: This was put
David: together by Kaspersky's Global Research and Analysis Team.
Matthew: Great. What is such a great name? The Great Team.
David: No, it's just Great, because T is
Matthew: That's what I'm saying, but if you add the team, the E A M at the end, now it's Great Team. That's all one word.
David: Oh, but just to be known as, what do you do, I'm part of the Great.
Matthew: I'm part of the greats?
David: How do they put that on a business card? But one of the interesting things about Kaspersky's recommendations is they actually listed what they recommended, what their predictions were for last year and how well they fared on those predictions.
Matthew: don't think I saw anybody else do that.
David: so basically they gave themselves a three out of 3. 5 out of eight
Matthew: Fail.
David: for last
Matthew: year. Not quite 50%. [00:09:00] But I appreciate that. We were just talking about how many, so many of these were so, like, high level that they're basically all gonna hit. They're like, more ransomware, more attacks, more AI, like, okay,
David: Right, you're not telling me anything I don't know,
Matthew: So I do appreciate, I appreciate that not only did they make specific ones, they checked up on themselves.
David: Yeah, and this is kind of, this is what they're, assuming that this is going to benefit them in the long run because they're saying, Hey, this is what we did last year and why you should believe us this
Matthew: year. So.
David: Last year they, they predicted that mail servers would become priority targets.
They said they,
Matthew: they, they
David: were correct on this one based on three attacks which they outlined in the,
Matthew: in the article.
David: Hack and leak is the new black and bleak
Matthew: was another recommendation from last year which they said was also correct. Based on the act, actions of three different attack groups. Another one
David: they thought they got correct was SIGINT delivered malware. And this is based on a network injection attack within the connectivity between two Egyptian telecom providers that happened [00:10:00] last year. I
Matthew: I think. I'm gonna go back and look that one up 'cause that looks really interesting. Signals, intelligent based malware.
David: Now, where they get the 5 from is they predicted the rise of destructive attacks. And they said they got this kind of right, and this is really based on actions that have taken place between Ukraine and Russia. Some of the actions that the players have made there.
Matthew: I know they tried, but they generally weren't terribly successful, right? The Russian attacks were not
David: no, they, they, they had limited effect and maybe that's why they said there was
Matthew: a point five.
David: Now what they said they got wrong was a new cyber, a new cyber
Matthew: epidemic.
Not yet!
David: well that was last year. So last year was gone. So that one didn't come true. APT targeting turns towards satellite technologies, producers and operators. More APT groups will move from Cobalt Strike to other alternatives. So I guess Cobalt Strike is still going strong according to them. And drone hacking. Now one of the things that I, I, [00:11:00] I noted here is that It's interesting that, that they didn't carry forward anything for 2023 into 2024, by saying, hey, it didn't happen in 23, but we expect it any day now, which means we're
Matthew: also going to make the same prediction for 24. Especially although someone else did predict more attacks in space, so the satellite one, seems someone else picked that one up.
Yeah. I'm actually really surprised they didn't bring back the Cobalt strike one. Because that seems like, as more and more attackers do Cobalt Strike, defenders are going to focus more and more on stopping Cobalt Strike, so they're going to have to transition to something
David: And we've talked about that many times before. So I'm just surprised that they didn't think those, any of these predictions were worth bringing into 2024. So for 2024, they made nine predictions.
Matthew: The first
David: one being
Matthew: the rise of creative exploits for mobile and wearables and smart devices.
David: So
Matthew: they expected, of course,
David: those
Matthew: be against smartphones,
David: apple TVs,
Matthew: Apple Watch, that kind of stuff.
David: And they expected these to be.
Matthew: Well they categorize it as silent, but it's only partially silent. So they
David: expect [00:12:00] zero click zero click through infection, one click through infections with a malicious link via SMS,
Matthew: And
David: the interception of network traffic.
Matthew: this, I'm thinking about the zero clicks one, so I'm thinking about my watch.
So I've got a smartwatch. Like if I got a, if someone could figure out how to send me a text message, I don't get a choice on whether or not that thing comes up here. Like it just pops up. So if they could figure out a way to deliver code, with a no click, like a zero click through the popular messenger platforms, everybody with a smartwatch, they could just get.
That'd be interesting.
Cause most other places, like if you open your phone, Is it, I don't know, does it process it before you, you know, go into your texting platform? I think that has happened before. If you go back
David: read some of the Citizen Lab reports, I think some of that stuff was happening actually on the Apple platform.
Matthew: with some of those attacks.
I'm not sure if it was last year or a
David: couple years ago that they were dealing with that.
Matthew: Interesting.
David: So another recommendation was the building
Matthew: of new Non recommendation, prediction. Prediction. We recommend you build a botnet.
David: recommend you build a botnet. [00:13:00] I mean, who doesn't recommend that?
So they predict the building of new botnets with consumer and corporate software and appliances. Basically, this is a continuing trend one.
Matthew: Actually, it'd be cool if we could build our own botnets. I don't know what I'd do with that, but What's stopping you, man? Laws. Regulation.
David: Damn cops with
Matthew: guns.
David: Another prediction is barrier, barriers to kernel level code execution increasingly
Matthew: evaded. So basically kernel level rootkits.
Yay!
David: And saying this is being made possible by an underground market for EV certs.
Matthew: an EV cert?
David: cert. Extended validation.
Matthew: Hmm.
David: Where you're going to abuse developer accounts.
Matthew: to
David: compromise existing code bases. And, and they think this is particularly likely due to the bring your own vulnerable driver scenario.
Especially considering that the Microsoft, I can't remember if it was actually last year or the year before, where Microsoft had egg on their face and said they weren't going to fix the fact that they
even though a [00:14:00] driver has been marked as malicious, they weren't going to exclude those from being automatically installed.
Matthew: Ah. And of course
David: another prediction is the growth in cyber attacks by state sponsored actors,
Matthew: Amazing.
David: And they say that this is likely due to the rising tension between the United States and basically
Matthew: everyone.
David: I mean, because we're, you know, we're, we have the Middle East, we've got China, we've got Russia, Ukraine and, and I think just based on.
Matthew: those
David: theaters, I think it's something like 50 percent of the world's population or more
Matthew: are in countries
David: that
are, unaligned with the United States at the moment. Another prediction, hacktivism in cyber warfare to be the new normal in geopolitical conflicts. And I thought this was an interesting statement that they made in relation to this.
That they would expect these hacktivists to start making false claims to divert resources. So they would claim that [00:15:00] they hacked a
water treatment plant without actually having done the attack at all in order to divert resources to finding out whether they actually had conducted the attack or not.
I thought that was an interesting
Matthew: approach. Yeah, cause there's that group right now, that's a bunch of script kiddies, but they're constantly announcing like, we broke into Coca Cola or something, and then they're releasing old data, that somebody else released a couple years before.
So it's basically repurposing that, to the government, cause the government can't ignore it. Like you're saying like a water treatment plant they can't ignore if someone's threatening like we're gonna put you know Chlorine in the water or like poisonous amounts of chlorine or we're gonna ruin this water supply
David: It's almost like calling in a fake bomb threat. You know, can you really not look into it?
Okay.
Matthew: it takes a lot longer to
David: to, to
Matthew: Figure out electronically
David: there. You're like, because 'cause another thing with that is like, if they make the claim, you're like, if you're on the defensive side, someone makes the claim that they've hacked you and you don't find anything, you're
Matthew: Am I
David: that bad that I haven't found something?
[00:16:00] Or, you know, are they that good? Yeah. Or did this not take place? So
Matthew: I think,
David: and because of that, it's gonna take you.
Matthew: it
David: would take you probably two or three times as long to rule out
Matthew: that
David: they attacked you versus identify that they did attack
Matthew: you. alright, another
David: prediction Was the supply chain tax as a service
Matthew: Operators
David: buying bulk access and they really didn't explain why they thought this was basically because
Matthew: There was no real
David: good justification that I could find any article for why they thought this was going to be a thing.
Matthew: I think it's an overly complex
David: process to be something that's as
Matthew: a service
Today anyway. Another prediction, spear, spear phishing.
David: To expand with accessible,
Matthew: with
David: accessible generative AI.
Matthew: Bold, aren't we?
David: they? Yeah, and, and to quote from the Kaspersky article, this may include automatic data collection
Matthew: the victim's online presence such as social media posts, media
David: comments, or authored columns.
Matthew: [00:17:00] Any
David: content associated with the victim's identity. This information will be processed using generative tools to create various
Matthew: text, audio messages
David: in the specific individual's
Matthew: style and voice.
I
David: think this is what you and I have talked about in the past as well
Matthew: as
David: We need
Matthew: to be able to leverage the, the corn appropriate information about people in order to more betterly, better target them and
David: who they associate with.
Matthew: Actually, I have a combination prediction later that combines this with one of the other predictions, but we'll talk about that in a minute.
Alright
David: and the next one is the emergence of more groups offering hack for hire services.
Matthew: And this,
David: this is interesting because They are basically saying this is not hack for hire
Matthew: for
David: nefarious people hiring other nefarious people.
This is legitimate organizations, quote unquote,
Matthew: hiring
David: illegitimate folks to, to,
Matthew: for hacking.
Interesting. And
David: to quote from, from their article, Deathstalker, it focuses on law firms and financial companies providing [00:18:00] hacking services and acting as. An information broker, rather than operating as a traditional APT.
So
Matthew: So
is this like, I'm thinking of the a bunch of U. S. companies in the Central America in the 80s, 70s, and 80s got caught, like, hiring, like, gorillas and stuff.
Right. To, to, like, the, the, the union organizers that got murdered and stuff like that. So they're saying, they're saying legitimate companies are turning to these guys, kind of the gorillas, to, like, dig up stuff on their competitors and Hmm. Right. Interesting. Interesting. Basically another
David: avenue for industrial espionage, kind
Matthew: of.
I mean,
I wouldn't be surprised if it was not already happening, but
David: Well, I'm
Matthew: saying more, they're saying emergence of more groups. I wonder what the groups that are doing that now.
David: Yeah, more groups offering the service. So, that would seem to indicate that it is an expanding market.
Matthew: It'd be funny if we saw some of those ransomware groups pivot over.
David: them to
Matthew: hiring them to ransomware Pepsi. You know?[00:19:00] Alright, and
David: their last prediction is MFT systems
Matthew: at the forefront
David: of cyber
Matthew: threats.
David: And MFT is managed file transfer systems. And they're basing this on the move it and go anywhere hacks of last year. There
Matthew: were more. Excellion? Like, I think this is a backwards prediction.
That MFT systems were at the forefront of cyber threats last year.
David: Well,
maybe they think there's gonna be even more prevalent in this
Matthew: coming year. How many different MFT, I guess there's Dropbox and, and SharePoint. I guess there's some more that haven't been popped yet, so.
David: Well, I think, you know, I was thinking about this in a, in a different way
Matthew: than
David: the way that this has been attacked in the past.
So they were exploiting vulnerabilities in the software to get any of these companies. But imagine if they. Basically, we're able
Matthew: to exploit those, those, those
David: products
Matthew: and services to
David: act as a
Matthew: shim. So,
David: I want to send you a file or I want you to pull a file for me to use
Matthew: it and move it. Imagine if I [00:20:00] were to put in
David: there a shim and anything that you
Matthew: transferred, you know, I also, somebody else got a copy of.
Hmm.
David: instead.
So, you really, there's.
It would be harder to detect the fact that you still get the data, I still send you the data. It's not data that wouldn't have been transferred anyway, but a copy is
Matthew: is siphoned off effectively. Hmm. Interesting. Yeah, I don't know.
David: I think that would be an
Interesting attack that we haven't seen before.
Matthew: Yeah, because you don't
David: would make it particular to these kinds of softwares. Yeah.
Matthew: And you wouldn't necessarily detect it because you're not doing anything with the file. There's no ransomware, there's no obvious, you know, change in how it works. Is it just still working correctly? All right. I grabbed a couple from WatchGuard, their 2024 cyber security predictions.
Number one is MSPs double security services via automated platforms, citing the talent gap and burnout. They're predicting MSP growth and SOC and MDR services more than doubling. They're cause they're expecting [00:21:00] companies to double the use of MSPs. And then those MSPs will move to platforms with heavy automation.
This is less exciting than I thought it was. I was kind of picturing, like, a fully end to end automated. I was expecting they would predict, like, end to end automated platforms. But no, they're just saying more automation. Well,
David: you know, I think this is, I don't know if this is necessarily a good prediction for this year, but I think the better that AI gets, the more MSPs will leverage them,
Matthew: the easier
David: will make them suck less, which will Incentivize more companies to adopt them because if you talk to anybody who's ever used an MSSP It's like just find one that sucks less than the last one.
You don't find a good one So maybe this is
Matthew: actually a red canary was good.
Red canary was a good one. Okay, they were just super expensive
David: And with the exception So, but this would actually move towards where MSSPs are actually valuable and Provide great service versus simply suck [00:22:00] less
Matthew: I mean, we've discussed before, like, the tier one sock function is not terribly useful anyways.
So having a mediocre MSP is not the end of the world there. Alright, second one. This one's a little more interesting, but maybe a little less applicable.
David: The
Matthew: use of virtual reality and mixed reality headsets will allow recreation of user environments. Now, I'm picturing the classic heist movie Entrapment.
Where, like, they're practicing, like, going through the laser beams and stuff like that. But now you practice it in VR. Like, so now I'm, now what I'm picturing is I'm picturing like, heists. Like, where you can figure out what a user's house looks like, and like, then go target their house and rob them. And the point of this is that with all these VR headsets, they have to track the room around you.
The Quest 3 headset has a depth center and can detect furniture and other objects in the room, and you can use all that theoretically to now map your entire office or house in 3D. Supposedly the headset creators aren't storing this data or bringing it back up to the company. Yet. And obviously 98 percent of people's houses, like my house, has nothing [00:23:00] worth going to this level of effort to try and figure out how to get into my house.
But can you imagine like a billionaire's kid is using like their VR, their Quest, or whatever, and like building up a map of this billionaire's house? And you can figure out exactly like the layout of the house. You could see the cameras in the corners, maybe, like figure out some of the like
David: Hmm. Mm
Matthew: Although most billionaires probably, I don't know if they've got stuff worth stealing in the house that's easily transferable.
You can't steal stocks that way. But I don't know, maybe they've got art or something. I don't know. Have you played Cyberpunk?
David: I haven't. I own it, but I haven't. It's on my, it's on my list to play, but I haven't started
Matthew: there's something in Cyberpunk called Braindances, where you go in and do like an analysis of them, and it seems like this would be very similar.
In the Braindances, you don't just see what the person, so in the Braindance, they put on like a Braindance capture thing, and they do a thing. And then they turn it into a video that other people can plug into their head and like, live through it. Ah,
David: well that's the, that's the the premise behind the movie Strange Days. [00:24:00] With Ralph Fiennes.
Matthew: Fiennes. Alright, I haven't seen that, but yeah.
David: it's pretty good.
Matthew: Is that what it sounds
David: is also a play off of a
Matthew: It's bad for
David: It's a guy from Deer Hunter. Christopher Walken movie. From the 70's dang Anyway, Christopher Walken movie, 70s, same kind of, same kind of concept.
Matthew: Touch on it.
David: But this actually reminds me of, imagine using this for defense though. So, you know how everyone's moving to remote work, people don't want to go in the office anymore. But imagine that your entire team has VR headsets.
Matthew: And,
David: it's like the bridge crew, Star Trek bridge crew game.
Matthew: Oh, I've wanted to
David: Where everyone
Matthew: they got
David: a VR headset, and they're actually virtually in a sock.
Where they turn to look at people in the sock, you're in a, so you recreate the sock concept that people have been using for years, where you have the bullpen and the big dashboards or whatever. But instead, it's in VR and you have your entire team VR'd into this virtual [00:25:00] sock. So, you get the same kind of feel
Matthew: of
David: being in a sock next to your teammates and everything, but virtually being remote.
Matthew: Yeah. Interesting. I know that the Facebook has shown off some of their, like, meetings with this, and the technology is just laughably, like, the graphics aren't there. They really need to bring in some game designers.
We've talked about this, yeah. All right, third prediction. Rampant QR code usage results in a headline hack. I'm sure you've seen this after COVID. Tons of restaurants have started using QR codes you scan with your phone to bring up links to the menu and other, other things like that. So we're training people just to scan these code.
So they're anticipating now, attackers, they've warned against this for years, but they're saying this year it finally happens. Attacker, you know, replaces the code with a sticker, or they put up their own somewhere, you know, Check this to do this thing. They're expecting someone to finally hit one of these, leading to a big enough compromise that it becomes AdLine, you know.
Coca Cola hacked, because CEO [00:26:00] scanned QR code. So.
David: I was going to say, they've been doing this quite a fair amount already with parking.
Matthew: And if you target the right parking lot, like, for example, Google has a building over in Reston, Town Center. Like, if you, you could put that in the right parking lot to get Google employees. That'd be interesting. Target, you could target a computer, target a company by location.
Interesting.
David: Alright, and the next group of predictions comes to us from Forbes. This is Chuck Brooks. Artificial Intelligence, Quantum
Matthew: What a name. That's a man's name. Chuck Brooks.
Yeah. I'm Sorry. I said a name,
David: I said the name, I can't remember the name, but it reminds me of an animation producer who did Bugs Bunny, produced a bunch of Bugs Bunny animations back in the day.
Matthew: I know the one you're talking about.
David: I can't remember, but
Matthew: see it at the end of the cartoon, all the way at the end. Such and such and yeah,
David: produced by so and so.
Matthew: and
David: So anyways, artificial intelligence, quantum computing and [00:27:00] space are three tech areas to watch in 2024 is the
Matthew: article.
David: So basically it's a let's talk about a bunch of buzzwordy stuff than any actual practical challenges
that we'll deal with. And this is actually prediction inception because this is also an amalgamation of predictions from others.
God.
Matthew: Summary of summary of summary. So
David: each of the three domains that he lists here,
Matthew: there are four
David: four predictions per, per per domain. We won't go into all
Matthew: the predictions for them.
David: Actually, I'm just gonna basically
Matthew: explain why this,
David: all these suck.
So in the first domain, AI
Matthew: the
David: predictions here are pretty much garbage. But the most ridiculous one is 2024 will be when all this. Initially crashes together and we witness who will get the initial upper hand, attackers or defenders.
So basically, he's saying that this year is going to be the year that defines whether AI defen attacks Haha, that's fine destroy AI [00:28:00] defenses.
Matthew: So, first we have to have fully functional AI attackers and fully functional AI defenders. We don't even have those yet.
David: But this isn't going to be the year, Matt.
Matthew: is going to be the year.
David: We will, by the end of the year, and they will have clashed, and we will see who's in head.
Matthew: I could see that by 2027, 2028, maybe. Maybe. Yeah.
David: Not next year, for sure.
Matthew: This year. Not even next year. Yeah, yeah, yeah. Alright the next domain, quantum. And this is, of course, more garbage.
David: Yeah, it will be here and awesome for reasons.
Hey! Is my initial summary for this prediction.
And to quote
Matthew: one of the individuals
David: the, in the
Matthew: article.
David: in a world of increasing resilient,
Matthew: reliant
David: on digital infrastructure, the present
Matthew: approach
David: to supply chain, security and management pose significant national security risk, particularly as we strive to secure emerging quantum information ecosystems.
Matthew: This
David: precarious reality necessitates a fundamental shift in our thinking approach. [00:29:00] Prioritization, cross industry collaboration, specifically amongst the scientific community, academia, and the cyber security arena.
Matthew: That guy must get paid by the word. He must be paid by the syllable. And
David: that was by Dr. Merrick Watchthorn.
Matthew: Watchorn? D MIST Program Chair,
David: Quantum Security Alliance.
Matthew: Man, I want to work for the Quantum Security Alliance. That sounds awesome. And, and, and, and, just, the way that I would
David: summarize Para that paragraph is, this basically says, fuck all
Matthew: there's a lot of syllables for not a lot of content.
David: all right. And the last domain
Matthew: space. The final frontier.
David: No, the last domain.
Matthew: Dammit.
David: Get that wrong. But there are no real predictions in this section at all. And here's a quote that explains that
In the coming years, there will be a greater focus on tools that can be
Matthew: that
David: can enhance space innovation and cybersecureness. Is
Matthew: Is that a word? [00:30:00] Cyber secure ness? I guess.
David: Such as Zero Trust, Software Bill of Materials, and Secure by Design. Special attention should be also paid to the utilization of AI and emerging technologies that will allow the public and private sectors to scale and address cyber concerns effectively. And that's from David
Matthew: Longstock.
Information Technology Industry Council,
David: Senior Director of Space
Matthew: Policy.
David: So
Matthew: See, that's another cool title. I want to be the Senior Director of Space Policy.
Well, in your, put in your resume.
So basically what he's
David: saying here is, we should do in space what we can't get done
Matthew: on Earth.
But to summarize this whole article, I'd just say,
David: I don't see how so many supposedly smart people can talk so much without saying a
Matthew: Thing. Yeah, that sounds about right. So my last one is checkpoint into the cyber abyss. Drink. So first prediction is more GPU farming. But here's the, here's the wrinkle.
Not for crypto, for AI. [00:31:00] Ohhh. So this actually reminds me of Damon. Where the titular Damon is multi hosted and keeps itself widely dispersed. This is I think related to the previous prediction about cloud worms.
David: Cloud Worms.
Matthew: Cloud worms, that's, that's awesome. AI requires GPUs to run it. And attackers don't want to pay for their own computers to run their AI.
So it's better to use someone else's computer. So we combine a cloud worm with the GPU farming. And yeah, maybe we could do some crypto too.
David: Yeah, why not?
Matthew: And now we run our we run our malicious AI off someone else's computer. That's constantly moving between hosts and That's genius. Distributed. That's our next business idea.
That's actually
David: really
Matthew: good.
I mean,
David: that's a really good, bad idea.
Matthew: I guess. Maybe I'm,
David: I need
Matthew: going to rephrase that exactly. That's fair. But
David: But basically, you couldn't stop it because it would be
Matthew: constantly mobile. You'd have to patch. Like, you'd have to stop it from infecting, first. And then you could strip it off.[00:32:00]
But
like, if it got by on, you know, leaked credentials or something, good luck stopping that, because those credentials
David: Yeah. We've got 12 terabytes of leak credentials.
Matthew: Next one with cyber insurance will be transformed by AI. I was really excited to go look at what this meant, but it was a super generic prediction that AI will just do a better job of predicting realistic risk. Not transformative. Finally, I mean, if
David: if AI could, could transform
Matthew: cybersecurity,
David: maybe they could transform regular organizations by doing the same thing, by predicting
Matthew: risk and
David: fixing the
Matthew: problem there.
Fixing stuff automatically. Well,
David: not automatically, but at least identifying where the real problems are with AI. I would say
Matthew: that
David: if you could
Matthew: predict that cyber insurance would transform AI, you could say vulnerability management could be transformed by AI. That would be a better one, yeah. You know what would actually be interesting, too, is the ability for AI to write its own code.
What about writing custom patches? Oh, like the zero patch
David: guys do for unpatchable Windows boxes?
Matthew: [00:33:00] Yeah, that would be interesting. Now, I wouldn't trust it right now. Yeah, so eventually you
David: have AI
Matthew: reverse
David: code, which means
Matthew: the bad guys would have that too. So reverse engineer code in order to identify what patches need to be done.
It'd just be a race to see who got there first. Yeah,
David: we would lose.
Matthew: Alright, the third one is deepfake technology will be weaponized. And this one's kind of an interesting one to me, because we've seen talks about this for the last couple of years, but it never really took off in a real way until last week.
Who is Taylor Swift? Yeah, yeah, yeah.
David: Well, there was the as you heard about the, the, the bank in Hong Kong that supposedly lost 26 billion, or 26 million
Matthew: I saw that, but I wouldn't say those are like one time. When I think weaponized, I think like, like an AR 15. Like in the hands of people.
Mass market. Like mass market, mass produce. Like, you mentioned before where they said that they were successful because of three attacks. I would say one attack is not enough to say your prediction's correct. Unless you're predicting exactly one
David: like. But [00:34:00]
Matthew: like, whenever you say something like, like they're saying weaponized, like when I think weaponized, Right.
It's done
David: at scale.
Matthew: Yeah, it's an assembly line. There's a tool that does it for you. Right. So, and I think the presidential election this year is as good a place as any to kick this off. So I have a more specific prediction around this this year. Because again, we talked before about good predictions are specific and easily falsifiable.
Like, how can you say it will be weaponized? Like, that's not something you can easily falsify. Unless you
David: quantify what you mean by
Matthew: that. So, I have a quantified prediction for later.
David: Okay Another
Matthew: a quality one. This is a good one.
David: another group of predictions I was going to talk about was BAE's Future is Now Top 5 Defense Technologies to Watch
Matthew: in 2024.
But
David: I, I couldn't do it. ha ha!
Matthew: It covers quantum,
David: but there's there's subtitle words, experts from BAE's systems, digital intelligence, take a closer look at top five defense technology predictions
Matthew: for 2024
David: covering
Matthew: multi domain [00:35:00] integration, space, cyber power, A. I. And quantum sensors.
Quantum. But really, this whole article was nothing but a sales pitch for the
David: to the Pentagon They would, they would make a vague statement about something and
Matthew: then there would
David: be a link at the bottom that says of each one of these sections says, learn more about
Matthew: our
David: X.
Matthew: So,
David: learn more about our triple X, maybe.
Matthew: I started to
David: going through this one and I just couldn't bring myself to do it. So we're going to
Matthew: skip that one.
David: My last one is Delinea, and this is by Joe Carson, Chief Security Scientist and Advisory CISO at
Matthew: de Linea security scientist.
David: So he made five predictions. The first one being AI driven attacks
Matthew: and defense.
David: And this is basically saying this is going to be the first year of the AI Defender Arms Race.
Matthew: I mean,
David: and what's worrisome about this, this idea, you know, we were talking about before where they were saying that this is going to be the [00:36:00] year where we decide about who's ahead is defense is always the second mover in an arms
Matthew: race. So,
David: we are always going to be behind the eight ball because we're never going to be somewhere before the defense before the attackers are. Next prediction is increased demand for cyber insurance. That's
Matthew: Hold on, let's go back to the defense's second mover thing because one of the things that one of these guys talked about was how cyber attacks are going to cost. So we lost companies 10 trillion dollars this year. Maybe it was 10 trillion last year and it's going to be more this year.
But then they also said that the cyber security market is only like 300 billion dollars. There's a huge gap there. That companies are, I guess, just absorbing the loss. Like, so, defense is always a second mover. We know what we need to fix. We need to fix vulnerability management. We need to fix security operations, especially the tier one and two.
We need to fix security monitoring and log management. Why should we be the second mover?
David: In, in theory.
Matthew: Yeah. [00:37:00] No, because I guess you're right, because if every company did that, then we would be spending more than the ten trillion dollars we lose. Because the ten trillion dollars we're losing is not evenly distributed across all companies.
It's focused on a few companies that get hit each year, and they get shafted, and then everybody else who doesn't get hit is like, Oh, our security's great.
David: Not exactly the free rider problem.
Matthew: No.
David: I mean, it, ideally, you know, if it would cost 10 trillion, we'd spend 9. You know, and we would not see those 10 trillion in
Matthew: losses.
Well,
David: like you said, the, the, the thing is that maybe 10 trillion in losses, but if you look
Matthew: at,
David: let's, for ease of math, we'll say there are a thousand companies that 10 trillion is going to come from,
Matthew: you know, 100
David: of those companies and not the vast majority of them.
And because it is it's another problem that you run into with the whole idea.
Matthew: in economics.
David: as well as the aggregate doesn't really
Matthew: exist, so
David: you can't really
Matthew: say that[00:38:00] you know, the world is going to cost the planet 10 trillion next year, so
David: we should spend nine
Matthew: to fix it, because
David: there is really
Matthew: no such thing as aggregate. Each company has to make their own decisions about what their loss risks are, and
David: each company is going to
Matthew: pay a different amount.
This is how big we are. This is our portion of the 10 trillion dollars. Yeah, we'll sort of fund, maybe that's
David: how we get rich, Matt. We'll start a fund, say, hey, this is a cyber defense fund for the
Matthew: planet. Let's pitch in.
David: Alright and as I was saying before, the next one is increased demand for cyber security insurance, which is a big shocker there.
Geopolitical tensions in cyberspace, you know, there's more surprises, obviously.
Matthew: AI compliance
David: will accelerate. And what he expects is that AI to be used more to get and keep organizations in compliance with regulations. Since compliance is all about checking boxes, this is probably actually not a bad idea.
Matthew: Yeah, this makes sense too with a lot of, like I was thinking, I was having discussions the other day about various countries compliance regulations, and if you could get an [00:39:00] AI that could do all that automatically, like when a new event comes into the SOC, and it says, you know, this user's in this country, and therefore these regulations apply, you have to determine it's an incident within 48 hours, and you have to inform these people and like do all that stuff automatically for you.
Like, that'd be great.
David: Yeah, so I think that's not a bad prediction. I just I'm sure if this is the year that that's going to happen because it completely makes sense because those things marry up pretty well.
Matthew: Yeah, turns out the regulations are too complicated. Not even the AI can do good. Oh. Yeah.
David: And the last prediction is passkeys paved the way for passwordless authentication. This may, and it sounds like, you know, what he's assuming here is that this is going to replace MFA requirements or recommendations. And the thing is, I don't think you could pull this off though in an enterprise
Matthew: in an enterprise, until you
David: you could do passwordless with Active Directory.
Matthew: Yeah.
David: So I don't think that prediction is going to go anywhere.
Matthew: Ha!
David: For the enterprise
Matthew: anyway. [00:40:00] Dang. Alright, we have some of our own predictions this year. I pretend these are, the idea behind these is, some of these are kind of related to what we saw before, but they are more specific. They're falsifiable. They can happen or they can not happen. So I predict that this year is going to be the first blue on blue security incident caused by an AI driven product.
And what I mean by that is I mean that let's say an AI driven EDR product is gonna, for example, maybe shut off DNS at the host based firewall across the enterprise after it detects an attacker exfiltrating via DNS.
It's gonna be like, oh no, attackers are using this, kill it. It's gonna shut down everything.
David: Is DNS really that important?
Matthew: that important? Ha!
Second prediction. I'm going to use the same term they used before, a headline hack. We'll be traced back to vulnerability, and we're going to discover that the code is going to come from an AI.
We're going to be like, we used chat GPT to generate this. And, Well,
David: the question would be on that one, would be what [00:41:00] percentage of the code? You know, if AI generated 90 percent of the code, does that count? Because you're almost always, at least today, going to have to do some minor tweaks with
Matthew: it. Yeah, you can usually, I agree, I agree.
You can't just expect to get 100 percent good code out of there. But I mean, you're usually able to trace back a vulnerability. I've seen analyses of patches where they can figure out exactly, like, where in the code it is. So I guess the question would be, would anybody remember that the code was there?
Like, that that specific segment was AI generated versus human generated? I don't know.
Here's my, here's my, here's my one for the, combining the GPU hacking, and the Cloud Worm, and the phishing toolkit that you talked about, the deepfake phishing toolkit. Someone is gonna we will discover, it may already exist, a distributed, generative AI phishing toolkit.
It will live on thousands of computers across the world. This will make it free for the attackers to run it, but it's also going to make it incredibly difficult to take down. They're gonna sell [00:42:00] it for a rental fee, and you can get in, and it will go out, and it will automatically build a profile like that other prediction was saying.
You know, look through all your social media, look for samples of your voice, and automatically build emails based on any given person. Like Mr. Beast or Taylor Swift.
David: or Taylor Swift.
Matthew: fill in the person's name. And any of their social media stuff, and yeah.
Alright, final prediction. This year we're gonna see at least two weaponized deepfake campaigns. Although I guess we could probably say, I would say the Taylor Swift one was not weaponized. That was a one off. That was just one dude doing his thing. So, I think that we're gonna see at least one presidential campaign deepfake.
That will either show Biden as stumbling, falling down, inept, unable to speak at all. Maybe being fed food like an infant or something.
David: And then the news
Matthew: And then the news headline there is going to be like, you know,
David: like, baby food,
Matthew: completely Here comes the airplane. Or, we're going to [00:43:00] see one with Trump. Now I think that since Trump, Biden's got kind of the, that's what, that's what the Fox, Fox is saying about Biden is that he's too old and he can't.
And the left is saying about Trump That he is always assaulting someone or talking something. So I think the difference is for Biden, they're gonna show him as that. And for Trump, he's either gonna be assaulting somebody, or he'll be talking shit about his own followers. Like, he'll be like, Ah, these guys are such idiots, I can't believe they're voting for me, or something like that to try and
David: So you're going to have a choice between incompetence and asshole.
Matthew: Yeah, I think so. Cause I don't think that a deepfake showing Trump as being incompetent would stop anything. And I don't think that, well I mean, we've already seen with the whole dark Biden thing. Like people love Joe Biden talking shit about his, you haven't seen the dark Biden stuff? No. So he apparently called Trump an asshole or something, and like in private he talks about him how he's an asshole.
So
David: asshole. So that's not, so that's supposed to be a true thing that happened. It's
Matthew: to be a true thing, and people love it.
David: and it.
Matthew: but the problem is with Trump people love that too, so like what deepfake could you do with Trump that [00:44:00] would actually work? Like that's why I was thinking like talking crap about his own people. Being like, oh, they're such idiots for voting for me. Like, if you had a deep fake of that, that might sway some people.
David: I think what you'd have to do is, what's the core of what people like about Trump? And you need to disabuse him of that.
Matthew: So
David: I think one of the things I've heard, at least, is that people think he's in tune with the common man and his their concerns.
Matthew: So, if
David: you were to show that he doesn't really care about those concerns, he's just doing it,
Matthew: Treating them like
David: suckers. Saying,
Matthew: Oh, yeah, forget about
David: border, I don't care.
Matthew: You know, but they're going to vote
David: me anyway because I told them to. I think something
Matthew: like that might work. You know what, I didn't even think. If they could do a deepfake Biden phone call with like Burisma or something like that.
Where Biden accepts like money from Hunter. Because that would feed into Well, supposedly
David: that phone call exists.
Supposedly the, because supposedly the Burisma people have the copy of is what I heard. Of course, that could just
Matthew: be one of those
David: things, a QAnon thing or something. I don't know.
Matthew: I'm surprised nobody's created [00:45:00] that deepfake already. Like, if there's already Hm. Interesting. I don't know. Yeah. I also think there's gonna be a non political one. Someone like a journalist is gonna piss off someone rich. And they're gonna create, you know CSA material or something, or something to smear them.
David: Hmm.
Matthew: So, cause I think it's within the realm of deep bake, we just need someone to kind of do it. Like, I don't know, I
David: Yeah.
Matthew: or maybe like Elon Musk I'm surprised nobody's done anything like that with Elon Musk, or Zuck, or, you know, any of the really rich, I don't know.
David: Maybe we'll see that.
Matthew: You
David: know, I was just thinking more about that phishing toolkit you were mentioning before. But I was thinking this would be pretty simple if you had your own
custom built AI. Because you had a form, you wouldn't even know, need to know that much, because if you had let's say if I was going to develop a phishing toolkit for
Because you could approach it two ways, or maybe
Matthew: both at the
David: same time.
Is
Matthew: have the, the, the
David: the target.[00:46:00]
Matthew: And then you have the intermediate.
David: So for the target side, and you could actually use the same form for both, but you just have to designate one as the other. So let's say someone wanted to
Matthew: attack you.
David: You fill out
Matthew: the form and
David: it's got your name,
Matthew: the
David: the, the URL to your LinkedIn, the
Matthew: the URL
David: to your Facebook,
Matthew: the URL
David: to, you know, a list of social media things about that have information about you and say, okay, he's the target.
Alright? And say, they're going to use me as an intermediary.
Matthew: So,
David: they would use my name, my LinkedIn, and that's about all for me. Because I don't have any
Matthew: other people.
David: But then they could target you with an appeal based on your social media that would influence you from a source,
Matthew: pretending
David: to be me, using the information it knows about me as a, as a, viable source of the phishing email
Matthew: to you.
So you get
David: [00:47:00] sides of that saying,
Matthew: What's
David: most going to appeal to Matt from someone he knows in a way that that person would interact with them. And I think that would be not too difficult to
Matthew: build for spearfishing.
David: It could be pretty successful in targeting someone
Matthew: It really depends. The problem is there's nothing about our interactions really online.
I wonder if the easier Well,
David: would work better if you and our social medias overlap. So, you had a Facebook account, I had a Facebook account. We're sharing stuff across those Facebook
accounts. Stuff like that, I think, would be more impactful. Actually,
Matthew: you know what, I wonder if it would be better for targeting.
Like you put your target in and then it goes and checks out all of their various social media and sees who they're connected with. And looks for like places they're connected in more than one.
David: Mm hmm.
Matthew: Like looking for that overlap. Cause, and then suggest a target. Like, here are the people that they, you know, have the most
David: an intermediary
Matthew: yeah. Sorry. Yeah. Yeah, you know, they have [00:48:00] connections on Instagram and Facebook and LinkedIn to this person. Right. Versus just LinkedIn, which might imply that, you know, they work together. Although, depending on the type of fish you want to do, maybe the LinkedIn one still makes the most sense.
Because that's the, you know, versus this one's only on Facebook, so they're probably not a professional contact. Right.
David: So you Well, I mean, I mean that makes complete sense though 'cause you will only have to fill out the target information then. 'cause if I put in your name, your LinkedIn, your Facebook and whatever, then all it has to do is cross reference against what you've already given it. It doesn't have to actually find anything else.
'cause it just does that cross reference automatically.
and
Matthew: then once you select the target, it does what you talked about before, and like, goes and tries to dive in and find more information, find the interactions they've had. Hmm.
David: Yeah, I think that would be fairly trivial to do.
Matthew: So you'll have it by next week?
David: Well, for a normal person it would be trivial. For someone who is handicapped like me, it would take a lot longer.
Matthew: Yeah. Yeah. I wonder [00:49:00] That might be an interesting project. I've been looking for a project to try and get better at coding with. And, I know. It might be interesting.
Alright.
David: And that's all we have for today. Well, all the predictions we have for today.
Have more predictions
Thank you for joining us and follow us at SerengetiSec on Twitter and subscribe on your favorite podcast app.
