Max Havey [00:00:02] Hello and welcome to another edition of the Security Visionaries Podcast, a podcast all about the world of cyber, data, and tech infrastructure, bringing together experts from around the world and across domains. Today, we're taking a look back at the year in threats with Ray Canzanese, Director of Netskope Threat Labs, digging into some of the trends he saw, as well as what surprised him about the findings for 2023. How's it going, Ray? How are you doing today?
Ray Canzanese [00:00:23] Hey, happy New Year, Max. Glad to see you again. Glad to be here talking cybersecurity again. No more cookies and pies.
Max Havey [00:00:30] Yeah, we're out of the cookies and pies. And we're almost out of the 2023 year end reflection season. This is capping us off here. We're out of predictions, we're out of resolutions. Let's talk. Let's look back at the year on threats and then see what we have in store for 2024 here. So to start things off here, as you look back at 2023, what were some of the biggest trends that you encountered looking back at that data?
Ray Canzanese [00:00:51] Yeah, sure. I'll give you three. Right. The first one's got to be generative AI. And what I mean by that is, like a year ago, right? If we look back to the end of 2022, nobody was using generative AI for anything. Fast forward to today. We've got about 10% of all enterprise users every month that are using at least one of these cloud-based generative AI apps. And even more than that, the amount of usage we're seeing of those apps is growing exponentially. Right. So these things are just getting more and more popular by the minute. Number two, Trojans, right? We saw Trojans as the most popular attack method attackers were using to get into victim organizations, and we've been seeing a lot of that infiltration happening by delivering those Trojans over very popular cloud apps. And then I'd say number three is probably the continuing evolution of the extortion playbook. Right? This is, uh, it began as ransomware. Right. And then people stopped paying ransoms and it was like, okay, we'll disclose all your secrets publicly, right? If you don't pay our ransom. It's evolved a little bit more where we see now, it's like ransomware, info stealers, and wipers. And it's, you better pay that ransom, and pay that ransom fast, or I'm going to start breaking stuff and I'm going to start releasing data. Right. It's just more tools to try to incentivize victims to pay up.
Max Havey [00:02:19] Definitely. And among those trends, was there anything that really stuck out to you as a really big surprise? Was there anything that jumped out at you?
Ray Canzanese [00:02:25] Yeah. So it's not from one of the three things that I just said. And it's because it's hard to, I think, surprise me when it comes to the threat-related trends. I think the biggest thing that surprised me when we were looking at all this stuff at the end of the year was that I was convinced from all the media that I consumed throughout the year that nobody was using Twitter anymore. Right. I would have expected Twitter use after the Elon Musk takeover, based on what I had been reading, to be down significantly, but it was mostly flat. It was mostly like exactly the same as it was a year ago. So that's maybe the way you surprise me, a trend like that popping up, where obviously social media has its ebbs and flows. Right? We saw some platforms lose popularity, like Facebook. We saw others gain popularity. But I was very surprised when I saw Twitter. They're right about the same levels it was a year ago.
Max Havey [00:03:18] Definitely. I think that was the feel from a lot of folks, like, as someone who's been using Twitter for well over a decade at this point, I was surprised to hear that when you brought that up there. And this is Twitter being used for malware campaigns, for people using attacks and things of that sort?
Ray Canzanese [00:03:31] This is just overall Twitter use, right? This is just like people logging on to Twitter and looking at what their friends are doing or current events or whatever it is kids are using Twitter for these days.
Max Havey [00:03:42] Absolutely. I've always described this, I'd keep going back there being like, oh yeah, I know this is a laundromat, but this place used to serve really good burgers. That's how it feels. Going from there, though, a lot of stuff has been happening out in the world. So thinking about a lot of the geopolitical turmoil we've seen this year, have you seen this sort of play out in the cyber threat landscape at all? Is that something that's popped up among these sort of key trends that you've noticed?
Ray Canzanese [00:04:04] Absolutely. We live in a world now where cyber operations, right, when we're talking about espionage, sabotage, information warfare, right, misinformation campaigns, all of that stuff, it's like a standard and central component of international relations. And so wherever you see geopolitical conflict, you are going to see cyber conflict mirroring that geopolitical conflict. It's just the way the world is now. Obviously, for example, in Ukraine, we've seen, and we've covered on our Netskope Threat Labs blog, multiple attacks targeting public utilities in Ukraine, targeting private citizens in Ukraine, targeting companies in Ukraine. And just because of that conflict and others throughout Asia, we've seen very high geopolitical threat group activity, more than any other region.
Max Havey [00:05:05] Absolutely. And I think that makes a lot of sense, in that the trends that we're seeing elsewhere are going to be popular among the threat actors who are on all sides of these sorts of conflicts. Cyber warfare is just the latest frontier of all this. Going from that to other sort of trends that we've seen here, ransomware was a really big, broad trend going into 2023. Did it really dominate the conversations the way you were expecting it to when we were thinking about things in 2022, coming into 2023?
Ray Canzanese [00:05:30] Ransomware was absolutely dominant as expected and continued to grow as well. So extortion has been a big moneymaker for cybercriminals. And so when you have that much money being made, you're going to continue to see new groups try to get into that game. And so you'll see at Netskope Threat Labs, we're going to cover this stuff all the time. New ransomware family released, written in this new language, targeting this new set of victims. New groups getting formed from old groups that have gotten broken up, or splintered from members of old groups. Right. It's become this industry, right? Which is going to be very hard to break up. And I mentioned when we got started that we saw that extortion playbook that used to just be ransomware, then became ransomware and info stealers. Now it seems to be ransomware and info stealers and wipers, where it's just groups doubling down, leaking data, destroying data, doing anything they can do to get their victims to pay. And you've even seen a lot of groups in this past year who used to claim to be the good guys, right? Like, we're extorting people, but the only people we extort are oil companies, right? We would never extort a hospital. Right. You're seeing a lot of groups now that don't draw that line anymore, right? That they're done trying to play that game of we're benevolently extorting people here, to just extort everybody you can. Right. We're just here to make money off of anybody we possibly can, no matter what happens as a result.
Max Havey [00:07:15] Definitely. And I think it's especially interesting thinking about that sort of shift that's taken place with the attackers. And is that something that you saw evolving over 2023? Because I remember with some specific different hacker groups that you talked about in past monthly threat reports saying, oh, we're not going to target critical infrastructure, we're not going to target hospitals, but you're just seeing less of those sorts of, like, mission or quote unquote ethical mission statements within these groups.
Ray Canzanese [00:07:40] I would say previously, basically every group had a mission statement like that. And what we're starting to see now is certain groups that lack such a mission statement. Not that we never saw hospitals or critical infrastructure getting hit before. Right. It was just, say, let's try our best to avoid doing that, right? One, because we're not trying to hurt or kill anybody. Right? We're just trying to make money. And two, when you start doing things that hurt and kill people, there is a different level of scrutiny that gets placed on you, and you want to, if you're acting in an illegal enterprise, limit your exposure to law enforcement and geopolitical pressures as much as possible.
Max Havey [00:08:25] Of course, you don't necessarily want that kind of smoke that comes from targeting those sort of essential entities.
Ray Canzanese [00:08:31] Exactly.
Max Havey [00:08:33] Interesting. That's a very interesting approach. That sort of seeing the way that the hacker, or not hacker, the attacker, like, ideology shifted in that way. That's an interesting approach. Yeah.
Ray Canzanese [00:08:42] We've even seen groups that during the extortion demand phase, they would say things like, we're the good guys here, right? There are other groups that are much worse than us that would have done much more terrible things than we did to you. So you should pay us as a thank you for not doing worse things to you once we got access to your network.
Max Havey [00:09:11] Yeah, the old "you should be thankful I'm only doing this, because I could be doing much worse things than this."
Ray Canzanese [00:09:15] Yes.
Max Havey [00:09:17] And so going from there. Were there any sort of either sector or region specific trends that stuck out to you as well? Or were the patterns the same among regions and sectors as things happened in 2023?
Ray Canzanese [00:09:29] Sure. So like the big picture, right. If we take a big step back, the big picture was cybercrime and extortion, right? That was the big story. No matter what industry or region you were working in, and Russia was on the other side of that in most circumstances, meaning groups operating out of, or presumed to be operating out of, Russia. When you start seeing the differences, the first place you start seeing differences is when you start to look at things regionally. Right. We already talked about Ukraine, right? And so if you look at just organizations in Asia and you look at that breakdown of criminal activity versus geopolitical activity, you see a much higher percentage of geopolitical activity in Asia, surrounding especially that conflict in Ukraine. Latin America, also lots of geopolitical turmoil there, also not very far behind in terms of how much geopolitical cyber activity we see there. Then I think the next layer where you start seeing differences is when you start peeling back, what sector am I working in, in which geography, and who is targeting me there? So for example, we highlighted some of these groups in our latest report. You look at TA505. They are a Russian criminal group. They mostly only target organizations in Asia and Europe. Right. So you don't have to really worry about them so much. Right? If you're based somewhere else in the world. Similarly, APT41, a geopolitical group affiliated with the Chinese government, last year mostly targeted financial services organizations. And most of the organizations they targeted were in Singapore. Right. And so you start to look at the specifics and the nuance of what's going on. That's where the industry you're working in, and that geography of where you're located, really determines what specific groups you're targeted with. And then each one of those groups obviously has their own sort of M.O. in terms of tools they use and tactics they use. Right.
And if you're thinking about this from a defense point of view, it matters, right? It matters who's on offense, right? It matters because that's how you're going to target your defenses. Make sure that all of your tools protect against the tools that the attackers are using against you.
Max Havey [00:11:58] Definitely, the sense of knowing your adversary, like we were talking about last time you were on the pod here. Knowing your adversary is the first step in knowing how to best protect yourself from said adversary, and more or less taking that sort of data to better fortify your defenses as you look ahead at the year to come. So to circle back to a topic you brought up at the top of the pod here, generative AI,