A Reflection on Our 2024 Predictions
“Defend Your Time” is the podcast dedicated to helping security leaders get more out of their Microsoft security investments.
In this episode, Drew Perry retrospectively looks at his 2024 cybersecurity predictions.
As the year draws to a close, it’s the perfect time to look back and see how our 2024 cybersecurity predictions have unfolded. Let’s take a moment to reflect on where we hit the mark and where our forecasts may have been led astray.
1. AI Companies Suffer a Major Data Breach
Prediction: A major breach of an AI company’s training data would expose the dark side of Large Language Models (LLMs) and the personal data they hoovered up. This will lead to new regulations akin to how the advertising industry faced scrutiny for data brokerage.
Reality Check: Nailed it! We saw a few noteworthy events unfold in the AI space in 2024. For example, due to an unsecured Azure Blob Storage configuration, Microsoft’s AI researchers inadvertently exposed 38 terabytes of sensitive data, including internal Microsoft Teams messages, private keys, and backups. This incident highlighted the importance of robust cloud security practices and sparked a broader conversation on improving data protection measures. Microsoft is leading the charge here to prevent this happening again with their Secure Future Initiative and with my favourite motto, “Security above all else”. This is the way…
As another example of this prediction morphing into reality, Anthropic, another heavyweight AI company, suffered a significant breach when a contractor accidentally sent customer data to an unauthorised third party. While this breach didn’t expose AI training data specifically, it heightened concerns about AI companies’ handling of personal information.
Further to this, a large amount of AI training data has recently been found exposed on the internet. It is a classic misconfiguration, although it is not overly sensitive in this case unless the Tensorboard run data has useful labelling.
Yes, it seems we still see configuration dashboards and databases being exposed directly to the internet. We are fighting the same battles of 20 years ago, and more needs to be done to minimise this problem as datasets grow larger and LLMs become more powerful. Maybe rolling out Microsoft Defender for Cloud or another similar solution could help?
These breaches didn’t just expose vulnerabilities in AI companies’ operational security but also pushed the conversation around AI regulation even further. In response, there has been a growing demand for new rules and frameworks to safeguard data used in AI training, setting the stage for tighter privacy controls.
In 2024, the cybersecurity landscape is saturated with AI references, but these can be grouped into three main categories to clarify the noise:
- Security for AI: This focuses on protecting AI systems, such as models, configurations, and AI-based applications. It’s all about safeguarding the deployment of AI and defending against threats like unauthorised access to AI resources or attacks on models. Think of this as securing AI itself.
- AI for Security: Here, AI is embedded within security products to improve detection, automate processes, and enhance responses. AI tools are being used to boost traditional cybersecurity measures like network, endpoint, and cloud protection, making systems smarter and faster at reacting to threats.
- Security against AI: This involves defending against adversaries using AI to launch attacks, such as AI-generated phishing campaigns or deepfake impersonations. As AI evolves, so do the methods used by attackers, and security solutions must keep up to counter these advanced threats.
We are seeing a huge push in the AI for Security space with tools such as Microsoft Copilot for Security, speeding up decision-making in security operations and making the lives of threat hunters easier. Let’s see where this goes over the coming months. Maybe soon we will reach AI and Automation utopia with SOC alert fatigue being a thing of the past.
2. Resurgence of Hacktivism and Homegrown Ransomware Operators
Prediction: 2024 will see a resurgence of hacktivism and homegrown ransomware operators from the West. Groups like Scattered Spider will inspire a new generation of bored Gen-Z hackers looking to make quick cash rather than just “lulz.”
Reality Check: Spot on! If there was one group that became the poster child of this prediction, it was Scattered Spider. They led the charge earlier in 2023 in the attack on MGM Resorts, which crippled casino operations for days and caused chaos in Las Vegas. What’s scary is how they got in—using social engineering to trick help desk employees into handing over credentials.
They weren’t messing around either; their ransomware-as-a-service (RaaS) model and slick use of SIM-swapping set them apart from the run-of-the-mill hackers. Beyond just MGM, Scattered Spider also targeted companies like Twilio, Riot Games, and Mailchimp, proving that bored youths with access to dark web tools and crafty tactics like MFA bombing could indeed wreak havoc.
This shows that a robust 24/7 Security Operations Centre is needed to detect and respond to incidents quickly, with AI, automation, and prevention strategies (see The Death of the Password below) making a significant difference in reducing the impact of these attacks.
It almost seems petty or quaint to discuss hacktivism when we face disruptive extortion attacks from ransomware operators. We are far from the days of DDoS attacks from LulzSec or the OG of the hacktivism world “Anonymous”. In 2024, we saw impressive efforts from law enforcement to take these ransomware operators down, including an impressive doxing effort by security researcher Jon DiMaggio.
Operation Cronos and Endgame have been influential worldwide in combatting ransomware.
Operation Cronos: This NCA-led operation targeted the LockBit ransomware group, one of the most harmful gangs globally. The operation involved taking over LockBit’s infrastructure and seizing its dark website. The operation exposed the identities of some of the group’s members and affiliates, including those in the UK, and helped recover critical data like decryption keys. Several arrests were made across Europe, with Ukrainian police also arresting affiliates involved in the attacks.
Operation Endgame: A massive international police sweep across multiple European countries, including the UK, targeted ransomware networks and led to the arrest of four high-profile suspects. This operation was part of a broader initiative to disrupt networks that spread malware, including ransomware, through infected emails. The crackdown on these groups demonstrated how international cooperation can effectively combat ransomware networks.
We also saw a rise in hacktivism—notably with groups targeting government entities in response to political events. Hackers from Western countries used ransomware attacks not just for cash but also for power, influence, and recognition. This wasn’t just hacktivism for the lulz; it was hacktivism to pay the bills. I think it’s time to make the most of your Microsoft E5 investment and stop more money hitting the pockets of ransomware operators.
3. The Death of the Password
Prediction: 2024 would mark the beginning of the end for passwords, as major players like Google and Microsoft push hard for passwordless authentication.
Reality Check: Halfway there! The progress on killing passwords in 2024 was impressive but not complete. Passwordless adoption saw a 400% increase, thanks to platforms like Google, which rolled out passkey support across its services. Apple followed suit with passkeys in iOS and macOS, allowing users to authenticate with biometrics across devices.
But the world isn’t password-free just yet.
Why do we need to kill passwords? Because humans are not designed to remember complex, long strings and like to reuse simple, short, easy-to-remember words. NCSC has made great progress in educating businesses to introduce passphrases to replace passwords. However, passkeys and passwordless can take us to another level of security and remove more friction simultaneously.
While enterprises are adopting passwordless logins at an accelerating rate, challenges remain, especially when integrating these technologies with legacy systems. It’s also clear that users are still getting used to a world without passwords, as education around passkeys, biometrics, and fallback methods like YubiKey is still needed.
Microsoft, Google, and Apple are all highly committed to a passwordless future as part of their security strategies, with all three companies adopting passkeys and other passwordless technologies.
As we celebrate Cybersecurity Awareness Month, it’s the perfect opportunity for organisations and users to explore the benefits of passwordless. With phishing attacks and data breaches on the rise, the limitations of traditional passwords have never been more apparent.
Educational campaigns can focus on demystifying passwordless methods, offering practical advice on how individuals and businesses can start their journey toward a password-free future. Even as a first step, have you checked that MFA is at least enabled everywhere possible? Wouldn’t it be great to live in a world where you can instantly work without being slowed down by logging in with a hard-to-remember password? We are getting there.
Why do we care so much? Well, attackers are going after credentials and targeting identities. Simple as that. If we harden and secure the identities, it significantly reduces the risk of compromise and gives more time back to your SOC!
Have you begun your journey to passwordless? As AI evolves, so do the threats, and the sooner we adopt stronger, easier-to-use security measures, the better prepared we’ll be.