1、Insights for future planningCybersecurity Forecast 20242IntroductionWhen thinking about the year ahead,some use the term predictions.”However,our thoughts on the cybersecurity landscape in the coming year have always been based on the trends we are already seeing,and so we feel“forecast”more accurat

2、ely captures our intentions.The Google Cloud Cybersecurity Forecast 2024 report is filled with forward-looking thoughts from several of Google Clouds security leaders,and dozens of experts across numerous security teams,including Mandiant Intelligence,Mandiant Consulting,Chronicle Security Operation

3、s,Google Clouds Office of the CISO,and VirusTotal.These individuals are regularly on the frontlines of the latest and largest attacks,and know what organizations and security teams need to be thinking about in the coming year.Technology advances,threats evolve,attackers change their tactics,techniqu

4、es and procedures(TTPs),and defenders must adapt if they want to keep up.The Google Cloud Cybersecurity Forecast 2024 report aims to help the cybersecurity industry frame its fight against cyber adversaries in 2024.“3AIImproved,professionalized,and scaled phishingGenerative AI and large language mod

5、els(LLMs)will be utilized in phishing,SMS,and other social engineering operations to make the content and material(including voice and video)appear more legitimate.Misspellings,grammar errors,and lack of cultural context will be harder to spot in phishing emails and messages.LLMs will be able to tra

6、nslate and clean up translations too,making it even harder for users to spot phishing based on the verbiage itself.LLMs will allow an attacker to feed in legitimate content,and generate a modified version that looks,flows,and reads like the original,but suits the goals of the attacker.With gen AI,at

7、tackers will also be able to execute these campaigns at scale.If an attacker has access to names,organizations,job titles,departments,or even health data,they can now target a large set of people with very personal,tailored,convincing emails.A malicious LLM may not even be necessary to create these

8、emails since there is nothing inherently malicious about,for example,using gen AI to draft an invoice reminder.Scalable information operationsA clever gen AI prompt will be all attackers need to create fake news,fake phone calls that will actively interact with recipients,and deepfake photos and vid

9、eos based on gen AI-created fake content.These operations could increasingly enter into the mainstream news cycle.With scalability of these types of information operations comes the risk of reducing public trust in news and(online)information,to the point where everyone will become more skepticalor

10、simply stop trustingwhat they see and read.This could make it increasingly difficult for businesses and governments to engage with their audiences in the near future.We judge that such gen AI technologies have the potential to significantly augment information operationsand other operations such as

11、intrusions in the future,enabling threat actors with limited resources and capabilities,similar to the advantages provided by exploit frameworks such as Metasploit or Cobalt Strike.Adversaries are already experimenting with gen AI,and we expect to see more use of these tools over time.4Interpreting

12、data,understanding threats,and shoring up defensesCyber defenders will use gen AI and related technologies to strengthen detection,response,and attribution of adversaries at scale,as well as speed up analysis and other time-consuming tasks such as reverse engineering.A big use case of AI is to drive

13、 how organizations will synthesize large amounts of data,and contextualize it in threat intelligence to then yield actionable detections or other analysis.We will see this come to fruition in 2024,with AI and gen AI providing the ability to augment human capability in analyzing and inferring actions

14、 to take from these large data sets.We will see new ways of overlaying customer specific data in a highly confidential way,giving organizations the ability to take significant action at speed and scale.This will be one of the bigger transformations for organizations leveraging AI for security purpos

15、es in the coming years,ultimately helping them to reduce toil,address threat overload,and close the widening talent gap.Gen AI and LLMs as a service for attacksLLMs and other gen AI tools will increasingly be developed and offered as a service to assist attackers with target compromises.They will be

16、 offered in underground forums as a paid service,and used for various purposes such as phishing campaigns and spreading disinformation.Weve already seen attackers have success with other underground as a service offerings,including ransomware used in cyber crime operations.5The Big FourChinaActivity

17、 from China will continue to be driven by long term priorities such as internal stability and territorial integrity,including issues related to Taiwan,Chinese regional hegemony and influence,and economic influence over key markets.Chinese cyber espionage actors will continue to preserve stealth,redu

18、ce opportunities for detection,and stymie attribution.We expect to see continued use of tactics such as zero-day exploitation,targeting of systems on the network edge,supply chain compromise,and botnets and proxy networks designed to disguise traffic both within a compromised network and between the

19、 threat actors and a victim.Additionally,China is expected to continue development of a military and civilian force capable of launching disruptive and destructive operations,and campaigns in support of national political and military objectives.The potential for disruptive and destructive operation

20、s to be carried out by Chinese threat actors during times of active conflict poses a threat to organizations globally,and could impact essential daily life activities,critical infrastructure,and safety.RussiaWe expect Ukraine to remain a primary focus of Russian cyber threat activity in 2024 and bey

21、ond,with intelligence gathering,disruptive and destructive attacks,and information operations occurring at elevated rates.We will also continue to observe Russian cyber espionage operationslikely strategic intelligence gathering missionsoutside of Ukraine that are consistent with longstanding priori

22、ties,including targeting of government,defense,civil society and non-profits,and energy.Sanctions on Russia will continue to hurt technological and military innovation in the country.Russia will likely resort to increased intellectual property theft to compensate for lack of domestic expertise.This

23、behavior will be modeled after Chinese intellectual property theft that has occurred over the last few years.6North KoreaNorth Korea-based cyber threat activity has had an increased emphasis on financially motivated operations,notably targeting the cryptocurrency industry as well as other blockchain

24、-related platforms.In 2024,we expect North Korea to place even heavier emphasis on stealing cryptocurrencyand NFTsto fund their weapons and nuclear program in addition to enabling their cyber operations and infrastructure acquisition.Notably,we have observed the country run self-sustaining operation

25、s to diminish the financial strain on North Koreas central governing bodies.This approach to funding aligns with the regimes ideology of juche,or self-reliance leading to collective prosperity.In recent years we observed a relative increase in cyber crime campaigns being used to fund espionage opera

26、tions,and expect that trend to continue.We also expect North Korea will take advantage of opportunities to perform more supply chain compromises.IranWe expect that Irans geopolitical ambitions,economic development needs,competition with regional rivals Saudi Arabia and Israel,threats to regime stabi

27、lity and survivability,and surveillance of the Iranian diaspora and opposition groups will be key drivers of state-sponsored cyber threat activity in the coming year.We believe cyber espionage actors associated with Iran,as well as Palestinian and Lebanese threat actors,present an increased threat t

28、o Israel following Hamas multi-pronged kinetic assault on civilian and military targets in central and southern Israel on Oct.7,2023.We anticipate that Iranian threat actors are likely to conduct intelligence gathering,information operations,and potentially hybrid hack-and-leak or other disruptive a

29、nd destructive attacks.7Continued use of zero-day vulnerabilities(and edge devices)We have observed a general increase in zero-day vulnerability use since 2012,and 2023 is on track to beat the previous record set in 2021.We expect to see more zero-day use in 2024 by both nation-state attackers as we

30、ll as cyber criminal groups.One of the reasons for this is that attackers want to maintain persistent access to the environment for as long as possible,and by exploiting zero-day vulnerabilities(as well as edge devices),theyre able to maintain access to an environment for much longer than if they we

31、re to,for example,send a phishing email and then deploy malware.Security teams and solutions have become much better at identifying malicious phishing emails and malware,and so attackers will turn to other avenues to evade detection.Edge devices and virtualization software are particularly attractiv

32、e to threat actors because they are challenging to monitor.For cyber criminals,they know using a zero-day vulnerability will increase the number of victims and,based on recent mass extortion events,the number of organizations that may pay high ransomware or extortion demands.Cyber activity targeting

33、 U.S.electionsAs we move into a United States presidential election year,we will see nation states and other threat actors engage in a variety of cyber activity,including espionage and influence operations targeting the electoral systems,impersonation of candidates on social media,and information op

34、erations designed to target the voters themselves.We also dont expect operations to decrease following the elections.We will likely see an uptick in spear phishing and other attacks against the U.S.government as nation statesparticularly China,Russia and Iranseek to gain a decision advantage(potenti

35、ally during an administration change).These campaigns may feel more prevalent in 2024,as gen AI tools are leveraged to increase scale and operational tempo.Global forecasts8Rise of disruptive hacktivismIn 2022 and 2023,we observed a resurgence in the volume of hacktivist activity,particularly associ

36、ated with threat actors expressing support for Russia or Ukraine during the ongoing Russian invasion.Likewise,recent conflict between Hamas and Israel has been accompanied by a flurry of hacktivist activity.Observed activity includes distributed denial-of-service(DDoS)attacks,data leaks,and defaceme

37、nts.Notably,in both contexts Mandiant Intelligence is tracking ostensible hacktivist groups that exhibit some greater than average capabilities,and significant alignment with narratives and objectives of the state they claim to support.While we cannot confirm ties to nation state operators at this t

38、ime,we note that Russian and Iranian groups have used false hacktivist fronts in the past.Mandiant Intelligence judges that the perceived success of such operations as providing sufficient plausible deniability increases the likelihood that states will use such cyber attacks against civilian and mil

39、itary targets,and we surmise that this could extend to the use of these tactics to achieve kinetic damage.Wipers become a standard capability in all nation state cyber arsenalsBefore the 2022 Russian invasion of Ukraine,Russian APT groups gained access to Ukrainian targets and launched a destructive

40、 attack that coincided with kinetic operations.Other nation states will copy this technique by adding wiper malware to their cyber arsenals.With tensions in the Taiwan Strait and other global security threats,2024 will likely see pre-placement of destructive wiper malware at strategically important

41、targets.Targeting of space-based infrastructureThe situation in Ukraine has demonstrated dependencies on space-based technologies(Starlink,for example,and other satellites and communications networks)during conflict.In 2024,we expect to see evidence of sophisticated state-sponsored cyber actors full

42、 spectrum Computer Network Exploitation capabilities to compromise space-based and associated ground support infrastructure and communications channels to interdict,disrupt,deny,degrade,destroy,or deceive an adversaryas well as to conduct espionage.9Attacks targeting hybrid and multicloud environmen

43、ts mature and become more impactfulIn 2023,Mandiant worked with VMware to remediate a zero-day vulnerability that allowed the attacker to execute code on guest virtual machines(VMs).Even though the impact of this vulnerability was limited to a single hypervisor,it proved that threat actors were targ

44、eting cloud environments looking for ways to establish persistence and move laterally.In 2024,we will see these techniques evolve to cross boundaries between cloud environments.Threat actors will look to exploit misconfigurations and identity issues to move laterally across different cloud environme

45、nts.Serverless services in the cloud more heavily used by threat actorsIn 2023,we saw an increase in cryptominers being deployed on serverless infrastructure.In 2024,we predict that cyber criminals and nation-state cyber operators will more heavily leverage serverless technologies within the cloud.A

46、ttackers will move towards serverless for the same reasons developers are adopting serverless;they offer greater scalability,flexibility,and can be deployed using automated tools.Extortion operations continueExtortion operations remain likely the most impactful form of cyber crime to enterprises and

47、 societies worldwide.Despite a stagnation in growth during 2022,advertisements for stolen data and extortion revenue estimates indicate that this threat is growing in 2023,and we anticipate this growth will continue in 2024 without a significant,market-wide disruption.10Espionage and“sleeper botnets

48、”Cyber espionage operations will continue to find more ways to scale their attacks while also creating additional OPSEC for their operations.Espionage groups will create“sleeper botnets”out of vulnerable Internet of Things,small office,home office(SOHO),and end of life devices and routers using a mi

49、xture of old and new exploits.These“sleeper botnets”will be used as needed,and discarded once caught or no longer useful,complicating efforts to track and attribute activity.These“sleeper botnets”will differ from traditional botnets where the number of devices were used to amplify attacks,such as DD

50、oS attacks.Revival of ancient techniquesWhile attackers are incorporating new techniques to evade detection,we expect to see some actors resurrect ancient techniques that arent widely covered.For example,in 2013,a researcher wrote a blog post about using undocumented SystemFunctionXXX functions inst

51、ead of cryptography functions in the documented Windows API.This technique didnt become popular until Q4 2022,when several security researchers began discussing it and releasing code snippets in their own blogs and on GitHub.At that point,more malware samples implementing this technique started popp

52、ing up on VirusTotal.We also observed recent use of an anti-virtual machine(anti-VM)technique detailed in a 2012 malware analysis book.The technique was not covered in detection rules because the hypervisor is not often used in many countries.Continued migration to modern programming languages by ma

53、lware authorsMalware authors will continue to develop more software in programming languages such as Go,Rust,and Swift.This is because the languages provide a great development experience,low level capabilities,large standard library,and easy integration with third-party packages.These languages and

54、 ecosystems enable rapid development of complex malware,making it cheaper to write new malware to evade detection.This means a churn in toolsets used by actors,and a corresponding need for new detection signatures.Unfortunately,these modern languages often bring a large runtime(Go)and/or use the lat

55、est compiler techniques(Rust)that make reverse engineering tasks more difficult.In other words,the benefits of packing and obfuscation without using a protector.11Developers targeted in supply chain attacks via software package managersIn recent years,supply chain attacks against NPM(the Node.js pac

56、kage manager)such as IconBurst have demonstrated how threat actors target software developers.In one particularly concerning scenario,a developer is compromised by installing a malicious package,which gives a threat actor access to the developers source code,and allows the actor to add a backdoor.Th

57、is is a low-cost,high-impact attack.As a result,the prevalence of these sorts of attacks is likely to continue to grow,particularly as threat actors shift to other,less monitored package managers such as PyPI(Python)and crates.io(Rust).We need to remain vigilant in monitoring these sources of softwa

58、re libraries.Growing prevalence of mobile cyber crimeIn 2024,we anticipate cyber criminals or scammers to continue employing novel social engineering tactics such as simulating domestic help services,messages from fake social media accounts,banks or government officials,and spoofed pop-up alerts to

59、trick victims into installing malicious applications on their mobile devices.Cyber insurance premiums remain steadyThe insurance market is known for fluctuations.A hard market indicates that premiums are rising and coverage is restricting,while a soft market indicates that premiums are decreasing an

60、d coverage is broadening.After a strong correction in the cyber insurance market over the past few years that was characterized by rising premiums and restricted coverage,the market is starting to soften.With more entrants in the market and insurers with ambitious cyber growth goals,the competition

61、is expected to provide much needed relief to the rising premiums the industry has been seeing.While we expect to continue to see a general trend towards restrictions in systemic risk coverage,its possible that insurers may broaden coverage in other ways to compete in this new landscape.12Consolidati

62、on around SecOpsIn 2024,we expect to see more consolidation in SecOps as customers increasingly demand integrated risk and threat intelligence in their security operations solutions.Customers are going to demand an integrated ecosystem that covers their entire network estatecloud,multicloud,on-premi

63、ses,and hybrid environmentsand will increasingly expect vendors to offer opinionated workflows,guidance,and content to jumpstart their security program out of the box.13Cyber activity around electionsIn 2024,Taiwan,South Korea,India,and Indonesia are some of the countries that will be holding electi

64、ons.We have previously observed cyber espionage,cyber crime,hacktivism,and information operations actors express interest in these pivotal events.We anticipate observing election lures being leveraged for scams,as well as intelligence gathering purposes.Chinas newly drawn out map could also become a

65、 cause of contention during Indias and Indonesias elections.JAPAC forecastsPig butchering”scams to be an ongoing problemPig butchering scams,which have elements of both cyber crime and human trafficking,will continue to be a problem in 2024 for JAPAC countries law enforcement.Pig butchering scams ar

66、e a type of online fraud in which scammers pose as potential romantic partners over extended periods of time in order to gain the trust of their victims.Once they have gained their victims trust,the scammers will begin to convince them to invest in various fraudulent financial schemes.An August 2023

67、 UN report detailed that many of these scammers are themselves victims,and have been trafficked and forced to work in scamming operations.In July 2023,2,700 people were rescued from forced cyber crime labor in the Philippines.The UN report claims,“the situation remains fluid:hundreds of thousands of

68、 people from across the region and beyond have been forcibly engaged in online criminality.”“14Shifting tactics,techniques and proceduresEndpoint detection and response solutions are becoming more widespread in the JAPAC region,and overall organizations are becoming more security mature.As a result,

69、well-resourced threat actors will increasingly leverage tactics intended to minimize opportunities for detection.We are already seeing this globally.Defenders in the region should prepare for exploitation of zero-days in security,networking,and virtualization software;targeting of routers and other

70、edge devices;and use of other methods to relay and disguise attacker traffic both outside and inside victim networks.15Disinformation campaigns in Africa In the digital age,disinformation has become a powerful tool for geopolitical influence.Russia and China are increasingly targeting African countr

71、ies with cyber campaigns designed to spread misinformation,sow discord,and undermine democratic institutions,and we do not see them slowing down in 2024.We expect to see Chinese and Russian groups targeting the rare earth minerals industry since they are essential for many high-tech products such as

72、 smartphones,computers,and electric vehicles.By gaining control of these resources,Russia and China can strengthen their economic and strategic positions in Africa.Another way that Russia and China will use disinformation to influence Africa is by supporting authoritarian regimes.These regimes often

73、 crack down on dissent and restrict access to information.This makes it easier for Russia and China to spread their propaganda and undermine democratic values.Disinformation and focus on Africa is a long-run game,and we see 2024 as a year of peak activity on this front.European Parliament elections

74、a likely targetEuropean Parliament elections in June will be an attractive target for threat actors conducting both cyber espionage and information operations.Russia poses the most obvious threat given its high levels of activity across Europe.Since the invasion of Ukraine,APT29 has been highly acti

75、ve in targeting government entities across the continent while pro-Russian information operations have attempted to sow division within Europe.These efforts will likely intensify in the run-up to the election.Russia has a track record of using information operations to disseminate information stolen

76、 in cyber espionage campaigns.This makes it essential for European governments to understand the various links between information operations and network intrusions.European elections could also face a wider spectrum of threats beyond Russia.Belarus-nexus threat actors have become increasingly activ

77、e in recent years,and technical support to information operations taking place in Eastern Europe.Pro-Chinese information operations have also ramped up the scope and scale of their campaigns across multiple European countries.European governments should ensure they understand the range of techniques

78、 adopted in information operations in order to build proactive and resilient defenses.EMEA forecasts16Olympics 2024 broadens the attack surface in Paris(and beyond)During the 2024 Summer Olympics in Paris,we expect to see cyber criminals targeting ticketing systems and merchandise,particularly throu

79、gh a surge in phishing campaigns requesting financial information or credentials.Public authorities and banks need to remain vigilant.We may also see geopolitical activity that involves using the Olympics to try to destabilize and put pressure on France,and through it Europe and the style of politic

80、al regime associated with it.The Olympics will also likely be a target for misinformation and disinformation,whether directly linked to the event(ticket sales,for example)or indirectly linked to it(accommodation rentals,public transport).17ConclusionWhile new technologies will aid security teams,the

81、y can also expand the attack surface.In 2024,the rapidly evolving world of gen AI will provide attackers with new ways to conduct convincing phishing campaigns and information operations at scale.However,defenders will use the same technologies to strengthen detection,response,and attribution of adv

82、ersariesand more broadly reduce toil,address threat overload,and close the widening skills gap.Next year we expect to see continued activity by The Big FourChina,Russia,North Korea,and Iranas they conduct espionage,cyber crime,information operations,and other campaigns to achieve their individual go

83、als.Since organizations are becoming better at security,many of these attacks will involve techniques to evade detection,including use of zero-day vulnerabilities and the targeting of edge devices.Everyone should be prepared for global activity around the myriad major events being held throughout 20

84、24,including the U.S.,European Parliament and other elections,as well as the Summer Olympics in Paris.Additionally,as major global conflicts continue into next year,be prepared for an uptick in disruptive hacktivism.The cybersecurity landscape is constantly evolving,sometimes in new and unexpected w

85、ays.Defenders,often with limited resources,have the monumental task of keeping up.The Google Cloud Cybersecurity Forecast 2024 report is our way of helping security professionals prepare for the certainties and uncertainties of the year ahead.We hope our knowledge from the frontlines helps you feel

86、ready.18Willi Ballenthin Dan Black Sarah Bock Anton Chuvakin Jamie Collier Vivek Chudgar Charles deBeck Vicente Diaz Eric Doerr Renato Fontana David Grout Scott Henderson Mike Hom Renze Jongman Dan Kennedy Cris Kittner Karen Kukoda Steve Ledzian Yihao Lim Keith Lunden Jens Monrad Joseph Pisano Fred

87、Plan Ofir Rozmann ContributorsOur Cybersecurity Forecast 2024 report features insights from Google Clouds security leaders,including:Charles Carmakal,CTO of Mandiant Consulting Sandra Joyce,VP of Mandiant Intelligence Sunil Potti,GM and VP of Cloud Security Phil Venables,Chief Information Security Officer Many others across Google Cloud also contributed to the report:Mike Raggi Alice Revelli Nick Richard Matt Shelton Monica Shokrai Daniel Sislo Genevieve Stark Kelli Vanderlee Alden Wahlstrom Dominik Weber Richard Weiss Jess Xia 2023 Google LLC 1600 Amphitheatre Parkway,Mountain View,CA 94043.