2024: A Cyber Security Review
Originally posted on LinkedIn.
With yet another year under our belt, I took some time to look back on the year that was 2024 and what happened in the IT & Cybersecurity space that shaped our year. Thankfully we didn't see a repeat of previous years cough Log4j cough and it was quiet for most over the Christmas/New Year break. We were also spared the high-profile breaches we saw in 2023, however, that's not to say 2024 didn't have its challenges for Australia.
Unfortunately, our allies across the ocean weren't as 'lucky', with the U.S. Treasury Department breached by Chinese state-sponsored attackers who accessed unclassified documents 🙈. It is good to see that authorities are trying to thwart cybercrime, with the Russian FSB raiding a scam call centre. The centre was making $1m per day in 'revenue', defrauding 100k people across 50 countries. We often speak about how these criminal organisations are run like a legitimate business, but it's insane to see actual raid footage from inside the operation. The below footage looks just like a typical office with spreadsheets, CRM, motivational posters, and sales target tracking. Just another day in the office 🤯
Australian Government Beefing up Cyber Security Initiatives
The Australian Federal Government has set the goal for Australia to become 'a world leader in Cybersecurity by 2030'. As Australia works towards achieving the '2023-2030 Australian Cyber Security Strategy', in November the Cyber Security Legislation Package was passed, consisting of:
- Cyber Security Bill 2024
- Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024
- Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024
In a memorandum accompanying the bill, the Australian government warned: “Ransomware and cyber extortion attacks remain one of the most destructive types of cybercrime. These attacks present a persistent threat to Australia.”
The Cyber Security Legislative Pack includes measures to:
- Mandate minimum cyber security standards for smart devices
As we've heard horror stories of IoT devices spying on us in our homes, security standards for smart devices are a great initiative. Like any passionate Penetration Testers, our team did their own investigation and were able to hack smart home control software, gaining complete control, including uploading malware and accessing control systems to unlock doors, garages, etc. Check out this article from ABC on how they hacked a robot vacuum. Whilst the standard for smart devices is yet to be determined, this is no doubt a move to align with international standards.
- Introduce a mandatory ransomware and cyber extortion reporting obligation for certain businesses to report ransom payments
Whilst the Government recommends not paying a ransom, it is not (yet) enforceable for impacted organisations to follow this guidance. With the new reporting obligation, businesses with a turnover of greater than AU$3 million who have paid a ransom must report within 72 hours of payment. Those who fail to report will be subject to 60 penalty units, equivalent to a fine of around AU$19,800. In my opinion, the size of the fine is just a slap on the wrist for larger organisations who may want to sweep dirt under the rug, however it's still a move in the right direction.
- Introduce a Limited Use obligation for the National Cyber Security Coordinator to encourage industry engagement with the government following cyber incidents
Limited Use obligation means that Cyber Incident information shared with the NCSC will be protected and used solely for permitted cybersecurity purposes. Note that whilst not admissible in regulatory proceedings, this doesn't provide a ‘safe harbour’ from legal liability.
- Establish a Cyber Incident Review Board to conduct reviews of significant cyber incidents and share lessons learned
The Government will form a Cyber Incident Review Board (CIRB) which will conduct reviews following significant cyber security incidents. I hope to see that the information gathered from these reviews will be shared with relevant businesses so we're stronger together!
Along with the Cyber Security Bill, the Australian Government has updated the Protective Security Policy Framework (PSPF) and developed the Digital and Cyber Security Strategy (DCSS). The DCSS says the Government is "progressively developing and refining its ability to securely manage its information and fulfil record-keeping obligations".
Australian Government Protective Security Policy Framework
Digital and Cyber Security Strategy 2024–2026 (DCSS)
Managing your Attack Surface
Announced in July 2024, the PSPF Direction 002-2024 will require 'Australian Government entities to conduct a technology asset stocktake on all internet-facing systems or services to identify and actively manage the risks associated with vulnerable technologies they manage, including those they manage for other entities'.
Regardless of whether you're Government or not, it's good practice for organisations to implement External Attack Surface Management (EASM) to gain visibility and reduce risk of your attack surface. Some of the benefits of EASM include: Asset/Vulnerability Discovery, Risk Prioritisation and Remediation.
All businesses should have a program in place for Vulnerability Management, however the wider blast radius can be forgotten, and EASM ensures you have a holistic approach to keeping the bad guys and girls out. EASM will help you to collect wider vulnerability insights and risk across your Identity, Network, Cloud Resources and Applications, and how they all tie together to form attack paths. For more information about EASM check out our article on how EASM fits into a comprehensive cybersecurity strategy.
The Year of the Acquisition
One of my Mad Dog Predictions last year was 'Mergers, Acquisitions and Venture Capitalist buyouts will continue to increase in 2024' and by golly was that spot on. Along with some of our clients merging or being bought up by venture capitalists, the cybersecurity space was up for sale.
There were 50+ acquisitions by cybersecurity businesses expanding their services/solutions, whether that be enhancing current capabilities, diversifying offerings or increasing market reach. We also saw 10+ acquisitions of cybersecurity businesses by private equity firms. The biggest acquisition of the year was Cisco buying Splunk for $28 billion, followed by Thoma Bravo buying Darktrace for $5.3 billion. I've put together a list below, however note this isn't definitive:
- Rapid7 acquires Noetic Cyber
- CrowdStrike to acquire Adaptive Shield
- Proofpoint to acquire Normalyze
- Exabeam merged with LogRhythm
- CyberArk acquires Venafi
- Netskope acquires Dasera
- Cloudflare acquires Kivera
- Cisco acquires Splunk
- Thoma Bravo buys Darktrace
- Mastercard buys Recorded Future
- Fortinet acquires Lacework, Next DLP, Perception Point
- Mimecast acquires Aware
- ColorTokens acquires PureID
Knowledge is Power
There have been plenty of good articles, reports, and collateral published this year, and here are some that I found useful:
CISO Lens Benchmark 2024: Interesting to see that from the 2022 to 2024 Benchmark, the average increase was 40% for large budgets and 93% for smaller budgets. It's sad to know though that the average percentage of ICT spend on Cybersecurity was only 9%. OPEX made up 76% of the security budget, however we're still seeing a lot of businesses having a set CAPEX v OPEX budget. IAM is the number one priority, followed by maturing existing capability and Vulnerability Management. Insights from CISO Lens include:
- Australian State Government budget slashes in FY25 are a key risk indicator
- Audits are lost opportunities (and draining)
- The Essential 8 is valuable but often misunderstood, leading to its perception as overrated
- Staffing, a skills shortage, and economic headwinds
ASD Annual Cyber Threat Report 2023-2024: In the past year, ASD responded to 1,100+ Cybersecurity incidents, answered over 36,700 calls to the Australian Cyber Security Hotline and received over 87,400 cybercrime reports. The top cybercrime types for businesses were Email Compromise at 20% and Business Email Compromise (BEC) fraud at 13%. Scary and sad to hear that self-reported losses from BEC fraud almost reached $84 million.
AICD Cyber Security Governance Principles: The AICD's Cyber Security Governance Principles offer a framework for how boards and businesses can take a top-down approach to Cybersecurity. Below are the 5 principles to help develop best practices:
- Set clear roles and responsibilities
- Develop, implement, and evolve a comprehensive cyber strategy
- Embed cyber security in existing risk management practices
- Promote a culture of cyber resilience
- Plan for a significant cyber security incident
CrowdStrike 2024 Global Threat Report: Throughout 2024 CrowdStrike tracked over 232 adversaries, revealing an increase in the speed and stealth of cybersecurity attacks. Some of the key takeaways from the report include:
- An increase in Identity-based attacks
- Cloud-environment intrusions have increased by 75% from 2022 to 2023. CrowdStrike also recorded a 583% increase in Kerberoasting attacks in 2023
- GenAI lowers the entry barrier to the threat landscape for less sophisticated threat actors
- Attackers are targeting periphery networks
- Attackers known for Big Game Hunting (BGH) expertise in 2023 are pivoting to data theft and extortion over ransomware
- Exploitation of third-party relationships makes it easier for attackers to hit hundreds of targets
Proofpoint State of the Phish: For Proofpoint's 10th annual State of the Phish report, they've reviewed and summarised how local nuances affect user behaviour for security awareness and email protection. Great to hear that Security Awareness Training (SAT) is proving successful in Australia with a decrease in successful spear-phishing attacks from 88% in 2022 to 56% in 2023.
IBM Cost of a Data Breach: The global average cost of a data breach reached US$4.88 million in 2024, as breaches grow more disruptive and further expand demands on cybersecurity teams. Breach costs increased 10% from the prior year, the largest yearly jump since the pandemic. 70% of breached organisations reported that the breach caused significant or very significant disruption.
Verizon 2024 Data Breach Investigations Report: According to the Verizon DBIR, 68% of breaches involved a human element, 32% of breaches involved Ransomware or Extortion and 28% of breaches involved errors. The DBIR witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach, with a 180% increase from last year.
AI-driven phishing and social engineering
I wrote last year about how GenAI and ChatGPT were being used for nefarious purposes to 'improve' phishing emails, and this has continued to grow in 2024. Along with AI being used to remove grammar mistakes and write phishing emails in professional and human-like writing styles, bots and hackers are getting smarter.
Large Language Models (LLMs) are being used to absorb current news articles and corporate websites to develop phishing emails that incorporate real-time details making phishing emails more believable and creating a sense of urgency/curiosity. AI chatbots are also being used to create fake websites, fake posts, fake profiles, and fake consumer reviews. We're seeing plenty of fake ads on Facebook with AI used to create fake comments from fake profiles.
Cyber criminals are using low volume, highly targeted Business Email Compromise (BEC) attacks to defraud organisations. Taking the next step using AI, hackers are using Telephone-Oriented Attack Delivery (TOAD) attacks, which combine voice and email phishing to trick users into giving over sensitive information through impersonation. I'm sure we've all received a call from a dodgy bloke pretending to be from the bank or the ATO. It's cool to see that O2 have created a granny AI scambaiter to combat vishing.
We're also seeing that threat actors are using WhatsApp and 'unsanctioned' apps to lure users away from communication through protected methods such as email, avoiding threat detection and protection. Impersonation of executives through text and deepfakes is becoming a widespread issue. If your CEO is asking you to purchase Apple gift cards, don't believe the hype.
Remind your staff to follow the below steps and stay vigilant 😎
- Think Before You Post Anything - Data = dollars and anything we post online can be used against us. Turn your social media profiles to private, be conscious of what you're posting online, and use your best judgment when accepting random friend/connection requests
- Always Use Multi-Factor Authentication - Utilise a Password Manager and set up MFA for all of your important accounts
- Use Vigilance to Avoid Scams - Curiosity killed the cat! Ads containing malware have appeared on Facebook so use a trusted ad-blocking extension on your browser. Don't buy into urgency and remember, if it sounds too good to be true it probably is
- Question Everything - In this world of AI, voices can be imitated and AI-generated text is getting harder to detect. Use official links and reach out to contacts directly to confirm the legitimacy
Cloud vulnerability exploits
As businesses continue to adopt a 'cloud first' mentality, we're seeing new attack surfaces being created through the migration to cloud-based systems. Zero-day cloud vulnerabilities and misconfigured environments enable threat actors to access sensitive information. We're seeing a rise in cloud-conscious threat actors with attack vectors including:
- Misconfiguration and inadequate change control
- Insecure interfaces and APIs / third-party resources/software development
- Accidental cloud disclosure
- System vulnerabilities
- Unauthenticated resource sharing
Organisations need to implement best practices like network segmentation and private access controls, conduct regular cloud audits, and test backup recovery plans. There are plenty of Cloud Security Posture Management (CSPM) solutions to help organisations with multi-cloud visibility, security, and compliance.
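As an added illustration (not code from the original article), here is a small CSPM-style check in Python over constructed sample cloud resources; it flags two of the vectors listed above, unauthenticated resource sharing (a storage policy granting anonymous access) and misconfiguration (a firewall rule exposing an admin port to the whole internet), with the weak bucket policy placed beside its corrected form. The account id, ARNs and resource names are made up.

```python
"""Minimal CSPM-style audit over constructed sample resources (added example,
not from the original article). It checks for an anonymous-principal storage
policy and for admin ports exposed to 0.0.0.0/0 or ::/0."""

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM (HTTP/HTTPS)


def policy_is_public(policy: dict) -> bool:
    """True if any Allow statement grants access to the anonymous principal.
    Simplification: a statement with a Condition is assumed to be narrowed."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False


def rule_exposes_admin_port(rule: dict) -> bool:
    """True if an ingress rule opens an admin port to the whole internet."""
    open_world = rule.get("cidr") in ("0.0.0.0/0", "::/0")
    ports = set(range(rule["from_port"], rule["to_port"] + 1))
    return open_world and bool(ports & ADMIN_PORTS)


def audit(resources: list) -> list:
    """Return (severity, resource, message) findings, highest severity first."""
    findings = []
    for r in resources:
        if r["type"] == "bucket" and policy_is_public(r["policy"]):
            findings.append((1, r["name"], "unauthenticated resource sharing: policy grants '*' access"))
        elif r["type"] == "security_group":
            for rule in r["ingress"]:
                if rule_exposes_admin_port(rule):
                    findings.append((2, r["name"],
                                     f"misconfiguration: ports {rule['from_port']}-{rule['to_port']} open to {rule['cidr']}"))
    return sorted(findings)


# Constructed sample data: a weak bucket policy beside its corrected form (a
# named role instead of "*"), and a security group with one bad and one OK rule.
SAMPLE = [
    {"type": "bucket", "name": "exports-weak", "policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::exports-weak/*"}]}},
    {"type": "bucket", "name": "exports-fixed", "policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::exports-fixed/*"}]}},
    {"type": "security_group", "name": "sg-jumphost", "ingress": [
        {"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},     # flagged
        {"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},  # acceptable
]

if __name__ == "__main__":
    for sev, name, msg in audit(SAMPLE):
        print(f"[{sev}] {name}: {msg}")
```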
Generative AI
With the adoption of Gen AI, businesses should build/establish Risk Management and Governance frameworks to address the security, privacy, and ethical implications of AI solutions. One thing to consider is that when businesses put a blanket ban on ChatGPT or OpenAI tools, users will resort to using their personal devices, which means guardrails need to be in place to prevent data loss.
If you've gone down the Copilot path, The Missing Link offers a structured M365 Copilot Accelerator and Training Programme to support your AI adoption journey with Microsoft 365. Our approach includes technical readiness, leadership engagement, and end-user training, providing a smooth integration of AI tools into your team's workflow. Key elements include:
- Technical Readiness: Evaluate IT setup to ensure secure Copilot deployment
- Team Training: Practical sessions to develop user skills and confidence with Copilot
- Deployment Support: Comprehensive rollout support, including optional ad hoc technical assistance
2025 Predictions
Looking into the crystal ball, here are my Mad Dog predictions for 2025:
- Invest in AI-driven Cybersecurity - Whether it be Security Orchestration, Automation and Response (SOAR) or Cybersecurity AI assistants to help with workflows or cyber queries, businesses will continue to invest in AI. An example of how AI can help with Security Operations is the ability to parse through alerts to create a list of priority items for triage and remediation. Likewise, when the CEO asks "Are you susceptible to X attack in the news?", you can ask the AI assistant "Are we vulnerable to CVE X?"
- Supply Chain Security - Better the devil you know when it comes to supply chain/third party. Organisations will conduct regular perimeter checks, patch management and risk assessments to stay alert of vulnerabilities and weak points. When leveraging suppliers it's important to understand that whilst you're outsourcing function, you're inheriting their risk.
- IT/IoT/IoMT Security - Whilst a lot of cybersecurity teams like to think their IT/IoT is air gapped, what actually goes on behind closed doors can leave a lot to be desired. As many IoT devices are built without security in place, businesses should invest in finding, fixing, and monitoring these devices.
- Threat Intelligence - As more organisations seek to reduce their blast radius, we'll see a greater uptake of Threat Intelligence for a better understanding of what’s happening in the wild and better visibility of possible cyber threats/leaked information. Having seen first-hand sensitive information on the deep/dark web, it's worthwhile for businesses to see if they have any skeletons in the closet.
- Identity-Based Attacks - Identity Sprawl and Machine Identity Exploits will allow attackers to exploit user and machine vulnerabilities. Businesses need to continue investing in least privilege access, not just for internal users but vendors/third parties as well.
- Faster Exploitation - Google's Time-to-Exploit (TTE) trend analysis has found that the average TTE is now five days, a significant drop from 32 days. Whilst I wish it wasn't so, with the increase in zero-day and n-day exploitation, organisations need to ensure they're on top of their patch management and have visibility into their environment. Check out this article from Aaron Bailey MSc(Cyber), MAICD on how 2,000 Citrix NetScalers were compromised.
- Passwordless Authentication - As technology advances from the traditional password (okay boomer), the industry will look to verify a user’s identity without a password i.e. biometrics. It does beg the question 'what happens when our biometrics are compromised' though 🤔
Looking forward to a happy, successful and protected 2025 ❤️
Author
Thomas Naylor