Virtualization Technology News and Information
Article
RSS
Fortra 2024 Predictions: Braving the Digital Risk & Email Security Landscape - 7 Predictions for 2024 from an Expert

vmblog-predictions-2024 

Industry executives and experts share their predictions for 2024.  Read them in this 16th annual VMblog.com series exclusive.

Braving the Digital Risk & Email Security Landscape: 7 Predictions for 2024 from an Expert

By Eric George, Director of Solution Engineering, Digital Risk & Email Protection, Fortra

The digital future is here, folks. And while most of us in the cybersecurity space embrace the new technologies that have ushered it in (some of which we have introduced into the landscape ourselves), it's still important to remember that with digital transformation always comes some scrambling.

But with the advent of more cloud-based email security options out there - such as integrated cloud email security (ICES) solutions - moving from on-premise to a hybrid or purely cloud-based environment has never been easier (or shall we say, more streamlined. . .)

However, we're not the only ones to benefit from burgeoning advances in technology - cybercriminals are too and there are a myriad of surreptitious techniques emerging. Here are 7 that we are keeping our eye on in 2024:

Social engineering lures continue to diversify

Traditionally, attackers have leveraged email and SMS as the primary ways to attack enterprise targets and the public at large. As additional options for data sharing and access arise, attackers are also presented with less conventional, but effective, options for attack delivery. We've seen new lure delivery tactics to include scams that leverage QR Codes, lures that are delivered via search engine and social media ads, and scams that leverage collaboration tools, such as Slack and Microsoft Teams. To combat these threats, enterprises will need to combine advanced identity-based defenses with up-to-date and organizationally specific security awareness training programs, and making them engaging to boot.

Phishing attacks will become more believable and harder to detect

A combination of generative AI and advanced detection evasion tactics will combine to make attack lures more believable and harder to detect. In fact, the recent popularity of technologies, such as Chat GPT, are not going unnoticed by the criminal underground. By training such models on PII from data leaks that are readily available on dark marketplaces, attack lures that are much more personal and enterprise-specific can be created at scale. In addition to being more believable, detection evasion tactics ensure that the attacks only present themselves to the intended target and otherwise ‘play dead' for detection processes. This combined increase in plausibility and deliverability increases the attacker's ROI, as well as the damages incurred for businesses.

Mobile device targeting increases overall

Mobile devices have become an integral part of our lives and hold an assortment of valuable information - making them attractive targets for cybercriminals. In 2024, we can expect an increase in mobile-specific threats, including malware, vishing attacks, and phishing (or smishing) attacks targeting mobile users. Compounding the problem, mobile attacks are more difficult for the security community to prevent, track, and respond to than traditional attacks. While many advances have been made in mobile defenses, there is still a large gap in the protection as compared to traditional attack vectors.

ICES - more than enticing; it's becoming the new normal

The adoption of ICES solutions continue to gain in popularity. Organizations are migrating to cloud-based email solutions that are more than capable of covering the basics of enterprise email protection (antivirus, anti-spam, archiving, etc.) While cloud-based email providers, such as Outlook and Gmail, can often match the level of protection and capabilities provided by traditional secure email gateways (SEGs), additional protection is needed to combat advanced attacks, such as business email compromise, spear phishing attacks and more, many of which leverage brand and individual impersonation to gain entrance into email architecture. To fill this gap, organizations will look to cloud-based advanced email solutions that leverage data science (AI and machine learning) and organizational-specific intelligence (threat indicators).

Continued adoption of email authentication (DMARC)

Email authentication adoption and development will be driven by cyber insurance and government and industry regulation. We already see examples of email authentication being mandated at both the industry (ex., necessary for PCI compliance, bank TLDs, etc.) and government (ex., DHS mandates) levels. To obtain cyber insurance, DMARC continues to be included among required cybersecurity controls. A positive byproduct of the directives, the increase in required adoption has served as the catalyst for technical improvements to the DMARC framework that may help to motivate voluntary adoption by experts who were previously opposed.

Threat experts and data scientist UNITE

There's no doubt that data science and machine learning (ML) will take a greater role in the fight against cybercrime, but an expert data scientist can only get so far without threat-specific knowledge. Developing an effective machine learning model requires clarity and context on the problem to be solved, selection of the most effective and applicable algorithms, training on relevant threat data, and ongoing tuning according to performance on known outcomes. Both threat-specific and data science expertise applies throughout.

AI and ML - the good, the bad, and in the case of generative AI, sometimes the ugly

AI and ML will enhance capabilities on both sides of the cyber landscape - for good and bad. On the defensive side, those protecting the targets will use advanced data science to recognize the advanced identity deception attacks that are personalized and capable of evading traditional detection processes. However, malicious actors will continue to use generative AI to create more believable and personalized social engineering attacks.

One thing that's clear as we enter 2024 is that cyber attackers continue to innovate by adopting more sophisticated tactics and employing identity-based deception techniques via dark web marketplaces and other sketchy avenues-forcing SaaS technology providers like Fortra to out-innovate them. Luckily, new ICES solutions that have recently come onto the market, like Fortra's Cloud Email Protection, can supplement on-prem appliances, such as SEGs, as well as off-the-shelf security packages, like Microsoft 365. So whatever stage customers are at in their journey to the cloud, Fortra can make migrations more seamless and their overall email security defenses stronger.

##

ABOUT THE AUTHOR

Eric George 

Eric George is the Director of Solutions Engineering for Fortra’s Digital Risk and Email Protection solutions.

Eric began his career at PhishLabs as an analyst in its Security Operations Center. He then advanced to multiple lead roles and built considerable knowledge while specializing in the detection, analysis, and mitigation of account takeover attacks and other digital risks that target enterprises from multiple industries.

Eric then transitioned to Solutions Engineer, supporting sales and business development efforts before taking on his current role where he leads solution engineering, targeted intel, and technical client support efforts. PhishLabs was acquired by Fortra in October 2021 and since the acquisition, his team has expanded its scope to include Fortra’s Email Protection solutions.

In addition to his work at PhishLabs, Eric has held over 10 industry certifications including CISSP and serves as a Technical Malware Co-Chair for the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG). He is currently completing a Master of Science degree in Information Security and Cyber Leadership.

Published Monday, December 11, 2023 7:33 AM by David Marshall
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
Calendar
<December 2023>
SuMoTuWeThFrSa
262728293012
3456789
10111213141516
17181920212223
24252627282930
31123456