Cloud CISO Perspectives: What the past year tells us about our cybersecurity future

Welcome to the second Cloud CISO Perspectives for May 2024. In this update, Mandiant founder and outgoing CEO Kevin Mandia shares the highlights from his keynote address at the RSA Conference earlier this month.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

--Phil Venables, VP, TI Security and CISO, Google Cloud

What the past year tells us about our cybersecurity future

By Kevin Mandia, strategic advisor, Google Cloud

Threat actors facing fewer consequences. Attackers accelerating the rate of offensive innovation. Ransomware evolving to data theft, to extortion, to potentially even now harassment. Boards of directors engaging more in cybersecurity, and private enterprises and public organizations cooperating more to advance security practices.

These trends were the hallmarks of the past year in cybersecurity, sourced from our 900 or so security consultants and more than 400 threat intelligence analysts based in 28 countries. They participated in more than 1,170 intrusion investigations in 65 countries, and tracked 719 new threat groups. You can watch my full keynote here, and I’ve provided the highlights below.

I ask that all of the folks in law enforcement, in the intelligence community, and in the private sector revisit some of the ways we do attribution. For the folks in different governments globally, look at what are the safe harbors and safe havens for the criminal actors. Can we modernize treaties with those nations so that we can impose more risks or costs? I think the time has come where we have to think about it. I know we have lots of task forces globally and we have lots of groups working on this problem and we all look forward to progress being made in that regard.

Attackers innovate, but defenders get better, too

Last year saw an increase in attack innovation, which I’ll summarize here:

• Defenders found 97 zero days in the wild in 2023, about a third of them by Mandiant and Google, and up from historical norms of 10 to 15 zero days per year.
• Those 97 zero days came from 31 vendors, up from seven vendors in 2018. The number of vendors being attacked is phenomenal, and it’s happening because cyber-intrusions are paying off.
• We saw 38% of initial intrusions come from exploits, continuing the recent trend but a change from 20 years of spearphishing on top between 1998 and 2019. (You can read more about the top three exploits in our annual M-Trends report.)
• Spearphishing is still a major threat and has evolved to focus on compressed archive files, Office documents, and hyperlinks in the email body and in attachments.
• We also saw Chinese Nexus espionage improve with 12 zero-day vulnerabilities, targeting edge devices, using custom malware packages and living-off-the-land techniques.
• We observed threat actors overcoming multifactor authentication by abusing push notifications and one-time passwords.
• They also have better OPSEC and evasion, using living-off-the-land techniques, developing custom malware, and targeting consumer and local infrastructure.

While all that sounds bad, defenders have been evolving, too. We are detecting attacks sooner than ever before, and more organizations are finding attackers on their systems on their own.

• We started recording the attacker’s global median dwell time on every case that we responded to in 2011, when we measured the dwell time at 416 days. In 2022, it had dropped to 16 days, and last year it dropped to 10 days.
• When we first started responding to breaches 20 years ago, nearly all breach notifications came from a third party. That’s now down to 54%, which I think is really good: You'd rather detect your own incidents than have a third party detect it because you can handle it discreetly and on your terms.

The big unknown factor right now is the impact of AI. While we expect attackers to benefit from it, it has the potential to tip the scales in favor of defenders. Importantly, there’s more to the defender’s side of the equation.

The ongoing evolution of ransomware

The recent changes we’ve seen in ransomware have been driven, in large part, by defenders getting better at dealing with ransomware attacks and the threat actors behind them. Every company has heard of ransomware, and most of them are preparing for it by identifying assets that matter, backing up those assets, securing those backups, shrinking identity access to reduce attack surface, and conducting worst-case scenario tabletop exercises.

However, threat actors have also adapted their tactics, techniques, and procedures. They’re creating more pain through sharing data with journalists, targeting executives, and ensuring that the pain level is exceptionally high. I don't want to give too many examples here because it can help share these techniques with other threat actors who may not have adopted them yet, but it's just amazing to me now that when you have been ransomed, it's more likely than not that you will be extorted. You can now expect to receive communications and other activities from the ransomware actors.

Board engagement is also trending up and to the right

Boards are definitely more engaged than ever before in cybersecurity. I think there's a couple of reasons that explain why, but very first and foremost, boards read the headlines and there's a lot of headlines about cybersecurity right now. Also, when the Security and Exchange Commission says to every publicly-traded company, more than 4,500 companies, you have to have the following reporting requirements annually on your risk management for cyber and your governance for cyber, you get the board's attention.

Boards are there to provide oversight to companies, and we are seeing that that oversight has been mandated and we have to communicate it. Between emerging sovereign data laws, privacy laws, cybersecurity standards, legislation, and regulations, boards are motivated to get engaged and stay engaged.

Public-private cooperation continues to advance security practices

This past year has also been the best year since I started working in cybersecurity in 1993 for seeing defense accelerated by public and private sharing. While there are several examples of why this is happening now, such as the emphasis on secure by design, we have to talk about the impact of the Department of Homeland Security’s Cyber Safety Review Board’s report on a breach from 2023. They issued 25 recommendations for all cloud service providers and the U.S. government, but three of those recommendations really stand out:

1. Notify victims: Tell people when you believe they have been compromised.
2. Log and audit: Log and audit so you can find and better understand the security events on your network.
3. Be transparent: Cloud service providers should inform their customers including government agencies of vulnerabilities on their platforms, and inform customers of the security practices they are implementing so that they can make choices based on security as well as availability.

From the perspective of today’s CISOs, these five trends manifest as themes that they will face time and again: CISO liability, SEC guidance and compliance, threat landscape, supply chain security, incident preparedness and resilience, secure by design, and AI. So, if these are the things that you are thinking about as a CISO, you are right on par with thousands of CISOs.

You can watch my full keynote here. To learn more, you can contact Google Cloud’s Office of the CISO and come meet us at our security leader events.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month:

• It’s time to replace phishing tests with a fire drill overhaul: Phishing and social engineering aren't going away as attack techniques, and one way to improve responses to them while making employees more secure is to adopt the planning and execution techniques used in fire safety drills. Read more.
• Sharing details on a recent incident impacting one of our customers: Google Cloud shares details of an incident impacting one Australian customer's use of Google Cloud VMware Engine. Learn what happened and how we're preventing it from happening again. Read more.
• More FedRAMP High authorized services are now available in Assured Workloads: Our commitment to empower federal agencies with advanced technology reaches a significant milestone today with the addition of more than 100 new FedRAMP High authorized cloud services. Read more.
• Coalfire evaluates Google Cloud AI: ‘Mature,’ ready for governance, compliance: Google Cloud recently asked Coalfire to examine our current processes and measured alignment and maturity toward NIST and ISO objectives for AI development. Here’s what they found. Read more.
• How to strengthen supply chain security with GKE Security Posture: To provide built-in and centralized visibility into your applications, we are introducing software supply chain security insights for GKE workloads in the GKE Security Posture dashboard. Read more.
• Restricting service account usage: The Resource Manager provides constraints that can be used in organization policies to limit the usage of IAM service accounts. Many of these constraints determine whether service accounts and other resources can be created or configured in specific ways, and these policies are now enforced on all new organization resources. Read more.
• Why hybrid deployments are key to secure PQC migration: We explore the advantages of a hybrid deployment in a world of post-quantum cryptography, take a deep dive into the reasons behind our recommendation, and offer guidance on how to implement hybrid schemes. Read more.

Please visit the Google Cloud blog for more security stories published this month.

Threat Intelligence news

• Holes in your Bitbucket: Why your CI/CD pipeline is leaking secrets: While investigating recent exposures of Amazon Web Services secrets, Mandiant identified a scenario in which client-specific secrets have been leaked from Bitbucket, Atlassian's code repository tool, and used by threat actors to gain unauthorized access to AWS. Read more.
• IOC Extinction? China-nexus espionage actors use ORB networks to make defense harder: Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where APT actors use proxy networks to conceal operations, evade detection, and complicate attribution. Read more.

Now hear this: Google Cloud Security and Mandiant podcasts

• A new way to measure and improve your cloud IR readiness: Incident response is by definition “reactive,” but ultimately how you prepare for incidents often determines the success of your response. Angelika Rohrer, an Alphabet cybersecurity expert who has created a new framework for measuring your IR preparedness, talks with hosts Anton Chuvakin and Tim Peacock about how smarter metrics can lead to more effective responses. Listen here.
• SAIF in focus: 5 AI security risks and SAIF mitigations: At Google Cloud Next, Shan Rao, group product manager, discussed five unique challenges when securing AI for cloud environments. He joins Anton and Tim to explore SAIF mitigations for AI risks, and the near-term future of AI security. Listen here.
• Defender’s Advantage: Looking deeply into ORB networks: Michael Raggi, principal analyst, Mandiant Intelligence, joins host Luke McNamara to discuss Mandiant's research into China-nexus threat actors using proxy networks known as “ORBs” (operational relay box networks), and what it means for defenders. Listen here.
• Defender’s Advantage: Investigations into zero-day exploitation of the Ivanti Connect Secure appliances: Principal analysts John Wolfram and Tyler McLellan join Luke to chat about their research into zero-day exploitation of Ivanti appliances, and share their thoughts on what else we might see from China-nexus zero-day exploitation of edge infrastructure this year. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.