Welcome to the Deepwatch ATI 2024 Annual Threat Report

Techniques Involving External Remote Services, User Execution, and Application Layer Protocol Will Continue to be Widely Observed

Our predictive analysis, leveraging advanced data analysis modeling techniques on historical cybersecurity data, provides a forecast for the upcoming year that is crucial for shaping cybersecurity strategies. We focused on the three most observed MITRE ATT&CK techniques - 'External Remote Services,' 'User Execution,' and 'Application Layer Protocol.'

The model anticipates a fluctuating yet consistently high occurrence for External Remote Services. Adversaries initially leverage external-facing remote services to access and/or persist within a network. This suggests threat actors' sustained reliance on this technique, necessitating continued vigilance and enhanced defensive measures in network security and access control protocols. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Often, remote service gateways manage connections and credential authentication for these services.

User Execution is forecasted to maintain a relatively stable presence. This stability implies continued reliance on users to interact with files and highlights the importance of ongoing user education and behavioral analysis as key defense strategies. Adversaries rely on user interaction for the execution of malicious code. User interaction may include installing applications, opening email attachments, or granting higher document permissions. Adversaries may embed malicious code into files such as Microsoft Word and Excel documents or software installers. Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user, especially in cases of trojanized software.

The Application Layer Protocol technique is expected to increase slightly in use. This uptrend underscores a growing sophistication in attack methods targeting application layers, emphasizing the need for robust application security and real-time monitoring systems. Adversaries take advantage of high-use protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many protocols, including those used for web browsing, transferring files, email, or DNS. For connections that occur internally, such as those between a proxy or pivot node and other nodes, commonly used protocols are SMB, SSH, or RDP.

These forecasts underscore the importance of adaptive and proactive cybersecurity strategies. While the consistency in some techniques reflects persistent threat vectors, the variations highlight the evolving nature of cyber threats. Organizations should prioritize resource allocation towards these identified areas, ensuring their defense mechanisms are robust and agile enough to respond to these projected trends.

Prevalence of AI in Malleable Tool Performance and Defense Evasion

The rapid advancement of AI's technical capabilities along with its increased availability to the general public has provided an easy way to leverage its capabilities without a high level of technical proficiency. While very few real-world examples of AI being used by adversaries have been noted, given AI's ease of use and available nature, its usage in malicious operations is expected to increase in 2024. One example of how threat actors can use AI is to enumerate various obfuscation variances of the same command/objective. While specific prompts requesting obfuscation routes for a command may be denied for violating content policies, bypassing these restrictions is not difficult.

Taking one command a malware sample needs to run and using AI to create a list of various obfuscated versions as backup paired with logic error handling is a simple example of how malicious developers and threat actors could use AI to add redundancy and flexibility to malicious code with minimal time investment. While partially automated, this still involves manual/static inclusion of the generated variants of the original command. Beyond using AI to enumerate commands, the idea of connecting an AI tool to a Command and Control (C2) panel and programming prompts based on status updates from infected endpoints reporting to the C2 server is not far-fetched given current AI tools’ compatibility with API’s and automated input. Doing so would allow a C2 server to dynamically create alternate commands/routes that would be returned to the infected client if a specific action is detected or blocked by Endpoint Detection & Response (EDR) or Antivirus solutions.

This type of dynamic adaptation enabled by AI would not only allow individual compromised hosts to adapt to defensive measures, but it could also allow the entire fleet of compromised machines to receive AI-generated code that has adapted since the original malware deployment to evade global updates to defensive measures such as CrowdStrike and Windows Defender.

Malware polymorphism is not a new concept, and malleable profiles and modularity of components have been around for decades. Still, the presence and availability of AI presents an opportunity to integrate these features with a lower skill level and time commitment.

For defenders, malicious code with access to the command and control server may act more like a human operator with complex problem-solving skills and more persistent and diverse actions at the procedural level. Malware with AI-based augmentation is significantly less likely to try an action, be blocked, and run out of error-handling mechanisms to achieve the objective. This persistence and adaptation, typically seen more with "hands-on keyboard" activity by human operators, will become increasingly available to automated malware strains. As the chances of evading defenses increase, defenders must pay more attention to alerts in a shorter time frame.

Rise of Non-Malware-Based Cyber Attacks in 2024

The threat landscape in 2024 may witness a significant shift in attack strategies, veering away from traditional malware-based approaches. Instead, threat actors may increasingly leverage compromised credentials to infiltrate systems and networks and employ various techniques to avoid the need to deploy malware and other tools. If it comes to fruition, this trend will highlight a tactical change where attackers use sophisticated methods to bypass conventional malware detection tools.

Compromised credentials may increasingly become a primary vector for cyber attacks in 2024. By utilizing stolen or weakly secured credentials, attackers can gain unauthorized access to systems without raising the usual red flags associated with malware. Attackers may then employ techniques that blend seamlessly with normal network behavior, avoiding files and making detection significantly more challenging for traditional security defenses.

While info stealers will still be used to harvest credentials, stolen credentials are often sold to other threat actors, separating the initial compromise from subsequent unauthorized activities, resulting in essentially two separate attacks. This separation will complicate the detection of post-credential theft activity. It will further complicate attribution and response efforts, as the link between the credential theft and the eventual unauthorized access is obscured, especially if the initial compromise occurred on devices outside the purview of corporate security.