Max Havey [00:00:02] Hello and welcome to another edition of the Security Visionaries Podcast, a podcast all about the world of cyber, data and tech infrastructure, bringing together experts from around the world and across domains. Today, we're taking a look back at the year in threats with Ray Canzanese, Director of Netskope Threat Labs, digging into some of the trends he saw, as well as what surprised him about the findings for 2023. How's it going, Ray? How are you doing today?
Ray Canzanese [00:00:23] Hey, happy New Year, Max. Glad to see you again. Glad to be here talking cybersecurity again. No more cookies and pies.
Max Havey [00:00:30] Yeah, we're out of the cookies and pies. And we're almost out of the 2023 year end reflection season. This is capping us off here. We're out of predictions, we're out of resolutions. Let's talk. Let's look back at the year on threats and then see what we have in store for 2024 here. So to start things off here, as you look back at 2023, what were some of the biggest trends that you encountered looking back at that data?
Ray Canzanese [00:00:51] Yeah, sure. I'll give you three. Right. The first one's got to be generative AI. And what I mean by that is like a year ago, right? If we look back to the end of 2022, nobody was using generative AI for anything. Fast forward to today. We've got about 10% of all enterprise users every month that are using at least one of these cloud-based generative AI apps. And even more than that, the amount of usage we're seeing of those apps is growing exponentially. Right. So these things are just getting more and more popular by the minute. Number two: Trojans, right? We saw Trojans as the most popular attack method attackers were using to get into victim organizations, and we've been seeing a lot of that infiltration happening by delivering those Trojans over very popular cloud apps. And then I'd say number three is probably the continuing evolution of the extortion playbook. Right? This is, uh, it began as ransomware. Right. And then people stopped paying ransoms and it was like, okay, we'll disclose all your secrets publicly, right? If you don't pay our ransom. It's evolved a little bit more where we see now, it's like ransomware, info stealers and wipers. And it's: you better pay that ransom, and pay that ransom fast, or I'm going to start breaking stuff and I'm going to start releasing data. Right. It's just more tools to try to incentivize victims to pay up.
Max Havey [00:02:19] Definitely. And among those trends, was there anything that really stuck out to you as a really big surprise? Was there anything that jumped out at you?
Ray Canzanese [00:02:25] Yeah. So it's not from one of the three things that I just said. And it's because it's hard to, I think, surprise me when it comes to the threat-related trends. I think the biggest thing that surprised me when we were looking at all this stuff at the end of the year was that I was convinced from all the media that I consumed throughout the year that nobody was using Twitter anymore. Right. I would have expected Twitter use after the Elon Musk takeover, based on what I had been reading, to be down significantly, but it was mostly flat. It was mostly like exactly the same as it was a year ago. So that's maybe the way you surprise me, a trend like that popping up, where obviously social media has its ebbs and flows. Right? We saw some platforms lose popularity, like Facebook. We saw this gain popularity. But I was very surprised when I saw Twitter. It's right about the same level it was a year ago.
Max Havey [00:03:18] Definitely. I think that was the feel from a lot of folks, as someone who's been using Twitter for well over a decade at this point. I was surprised to hear that when you brought that up there. And is this Twitter being used for malware campaigns, for people using attacks and things of that sort?
Ray Canzanese [00:03:31] This is just overall Twitter use, right? This is just like people logging on to Twitter and looking at what their friends are doing or current events or whatever it is kids are using Twitter for these days.
Max Havey [00:03:42] Absolutely. I've always described this, I'd keep going back there, being like, oh yeah, I know this is a laundromat, but this place used to serve really good burgers. That's how it feels, mostly. Going from there, though, a lot of stuff has been happening out in the world. So thinking about a lot of the geopolitical turmoil we've seen this year, have you seen this sort of play out in the cyber threat landscape at all? Is that something that's popped up among these sort of key trends that you've noticed?
Ray Canzanese [00:04:04] Absolutely. We live in a world now where cyber operations, right, when we're talking about espionage, sabotage, information warfare, right, misinformation campaigns, all of that stuff, it's like a standard and central component of international relations. And so wherever you see geopolitical conflict, you are going to see cyber conflict mirroring that geopolitical conflict. It's just the way the world is now. Obviously, for example, in Ukraine, we've seen, and we've covered on our Netskope Threat Labs blog, multiple attacks targeting public utilities in Ukraine, targeting private citizens in Ukraine, targeting companies in Ukraine. And just because of that conflict and others throughout Asia, we've seen very high geopolitical threat group activity, more than any other region.
Max Havey [00:05:05] Absolutely. And I think that makes a lot of sense, in that the trends that we're seeing elsewhere are going to be popular among the threat actors who are on all sides of these sorts of conflicts. Cyber warfare is just the latest frontier of all this. Going from that to other sorts of trends that we've seen here, ransomware was a really big, broad trend going into 2023. Did it really dominate the conversations the way you were expecting it to, when we were thinking about things in 2022, coming into 2023?
Ray Canzanese [00:05:30] Ransomware was absolutely dominant as expected and continued to grow as well. So extortion has been a big moneymaker for cybercriminals. And so when you have that much money being made, you're going to continue to see new groups try to get into that game. And so you'll see at Netskope Threat Labs, we're going to cover this stuff all the time: new ransomware family released, written in this new language, targeting this new set of victims. New groups getting formed from old groups that have gotten broken up or splintered, or from members of old groups. Right. It's become this industry, right? Which is going to be very hard to break up. And I mentioned when we got started that we saw that extortion playbook that used to just be ransomware, then became ransomware and info stealers. Now it seems to be ransomware and info stealers and wipers, where it's just groups doubling down, leaking data, destroying data, doing anything they can do to get their victims to pay. And you've even seen a lot of groups in this past year who used to claim to be the good guys, right? Like we're extorting people, but the only people we extort are oil companies, right? We would never extort a hospital. Right. You're seeing a lot of groups now that don't draw that line anymore, right? That they're done trying to play that game of we're benevolently extorting people here, to just extort everybody you can. Right. We're just here to make money off of anybody we possibly can, no matter what happens as a result.
Max Havey [00:07:15] Definitely. And I think it's especially interesting thinking about that sort of shift that's taken place with the attackers. And is that something that you saw evolving over 2023? Because I remember some specific hacker groups that you talked about in past monthly threat reports saying, oh, we're not going to target critical infrastructure, we're not going to target hospitals, but you're just seeing less of those sorts of, quote unquote, ethical mission statements within these groups.
Ray Canzanese [00:07:40] I would say previously, basically every group had a mission statement like that. And what we're starting to see now is certain groups that lack such a mission statement. Not that we never saw hospitals or critical infrastructure getting hit before. Right. It was just, say, let's try our best to avoid doing that, right? One, because we're not trying to hurt or kill anybody. Right? We're just trying to make money. And two, when you start doing things that hurt and kill people, there is a different level of scrutiny that gets placed on you, and you want to, if you're acting in an illegal enterprise, limit your exposure to law enforcement and geopolitical pressures as much as possible.
Max Havey [00:08:25] Of course, you don't necessarily want that kind of smoke that comes from targeting those sort of essential entities.
Ray Canzanese [00:08:31] Exactly.
Max Havey [00:08:33] Interesting. That's a very interesting approach, seeing the way that the hacker, or not hacker, the attacker ideology shifted in that way. That's an interesting approach. Yeah, we've.
Ray Canzanese [00:08:42] Even seen groups that during the extortion demand phase, they would say things like, we're the good guys here, right? There are other groups that are much worse than us that would have done much more terrible things than we did to you. So you should pay us as a thank you for not doing worse things to you. Once we got access to your network.
Max Havey [00:09:11] Yeah, the old you should be thankful I'm only doing this because I could be doing much worse things than this.
Ray Canzanese [00:09:15] Yes
Max Havey [00:09:17] And so going from there, were there any sort of either sector- or region-specific trends that stuck out to you as well? Or were the patterns the same among regions and sectors as things happened through 2023?
Ray Canzanese [00:09:29] Sure. So like the big picture, right. If we take a big step back, the big picture was cybercrime and extortion, right? That was the big story, no matter what industry or region you were working in, and Russia was on the other side of that in most circumstances, meaning groups operating out of or presumed to be operating out of Russia. When you start seeing the differences, the first place you start seeing differences is when you start to look at things regionally. Right. We already talked about Ukraine, right? And so if you look at just organizations in Asia and you look at that breakdown of criminal activity versus geopolitical activity, you see a much higher percentage of geopolitical activity in Asia, surrounding especially that conflict in Ukraine. Latin America, also lots of geopolitical turmoil there, also not very far behind in terms of how much geopolitical cyber activity we see there. Then I think the next layer where you start seeing differences is when you start peeling back, what sector am I working in, in which geography, and who is targeting me there? So for example, we highlighted some of these groups in our latest report. You look at TA505. They are a Russian criminal group. They mostly only target organizations in Asia and Europe. Right. So you don't have to really worry about them so much. Right? If you're based somewhere else in the world. Similarly, APT-241, a geopolitical group affiliated with the Chinese government, last year mostly targeted financial services organizations. And most of the organizations they targeted were in Singapore. Right. And so you start to look at the specifics and the nuance of what's going on. That's where the industry you're working in and the geography of where you're located really determine what specific groups you're targeted with. And then each one of those groups obviously has their own sort of M.O. in terms of tools they use and tactics they use. Right.
And if you're thinking about this from a defense point of view, it matters, right? It matters who's on offense, right? It matters because that's how you're going to target your defenses. Make sure that all of your tools protect against the tools that the attackers are using against you.
Max Havey [00:11:58] Definitely, the sense of knowing your adversary, like we were talking about last time you were on the pod here. Knowing your adversary is the first step in knowing how to best protect yourself from said adversary, and more or less taking that sort of data to better fortify your defenses as you look ahead at the year to come. So to circle back to a topic you brought up at the top of the pod here, generative AI, what kind of impact are we really seeing from AI in the threat landscape, and is it being used by the threat actors? Is it being used by defense teams? And if so, at what sort of scale are we seeing this happening?
Ray Canzanese [00:12:30] Yeah, it's an interesting question, right. Because for as long as I've worked in cybersecurity, there's been AI in cybersecurity, right. We were using AI to detect and block malware, to reduce noise in the SOC. We've been using it to identify insider threats and other hard-to-detect threats for a long time. So as long as it's existed, it's been there, because we're obviously as an industry trying to create better tools and do more with less, and all the things that AI promises. The sort of newest thing we see right in this past year is this idea that you can use these large language models as a copilot interface into these massive security data sets that we have, which is a really cool and really awesome thing to do with a large language model: feed it a bunch of data and be able to extract insights from the data. So that's certainly something new that we see people using in the past year. Now, from an attacker's perspective, it's the same thing, right? Here's some new tools. Right. Why wouldn't I use some new tools? It's a silly example, but I often use this one, right. When I write all of my code, I use an IDE, right? I've been using products from IntelliJ. Right. It makes writing code easier. It's this really nice interface. If I was writing bad code, would I use IntelliJ? Right? Of course I would, right? These are tools that make writing code easier. Of course I'm going to use the tools that make writing code easier, especially if those tools are free to use. Right? And of course, attackers are going to use all the tools at their disposal, right, to make what they are doing easier and more effective. The other thing that I think is interesting, though, is with something like AI and generative AI and all the hype around it and all the new tools, and which, I don't know, Max, which of the 75 AI tools that you saw ads for this week are you using? Right? Do you remember how to log into them?
Do you have to download something to use them? Right, with all of these questions, it's opportunity for attackers. Right. And so we've seen a lot of stuff that it's not even like using AI, but it's capitalizing on the fact that other people are using AI to try to trick them into visiting a phishing page and entering their Google credentials. From interacting with a fake ChatGPT bot that's just recording the entire conversation to see what they can use, to even, we've seen Trojans, right? If you Google, where do I download ChatGPT? I don't know what the results are at this moment, but we have multiple times had to report to Google: hey, when you Google "where do I download ChatGPT?", the top results are like Trojans and spyware and adware and all sorts of garbage. Because obviously you and I know you don't download ChatGPT.
Max Havey [00:15:22] And it's interesting in that regard too, where it is AI as a means to deliver these phishing campaigns versus like using AI-enabled threats. It's really just the simplicity of it: people still don't know where to get these tools. So finding ways to trick them around these tools is just the path of least resistance right now. And I know in that same vein, Colin Estep from your team also wrote about prompt injection attacks earlier this year as well, which is more in that vein of using generative AI as an attack vector. But it's interesting to see that the vast majority of them aren't even doing that yet. It's still just the basic tricking of people who are trying to find their way into generative AI.
Ray Canzanese [00:16:01] Right, yeah, there's a ton of researchers, acting with good intentions and bad intentions, trying to get these AI apps to reveal things they shouldn't. Right? To leak information across users, right? There's all sorts of attacks on the AI apps themselves. There's attacks at companies that run AI apps, right, with the notion that they must have a lot of sensitive data. Right? If I wanted to break into a company and get access to some sensitive data, yeah, go for those AI companies. Right. So there's so many layers to this, right? Where you see just lots of different types of shifts in how people are using these tools and how this sort of affects people's broader behavior and interactions. And it helps me write reports. Right? I write things, they go into Grammarly. Grammarly says, hey, you could have said this differently, and it would have been clearer and easier to understand. Right, if I was writing something to convince somebody of something that was untrue, or to visit a phishing page, I could use the same tools, right? And it would help me just the same.
Max Havey [00:17:06] Exactly. Yeah. So what we're seeing right now is we're just the tip of the iceberg here. We're gonna continue to see these grow and develop as we get further into 2024 and well beyond there.
Ray Canzanese [00:17:15] Absolutely.
Max Havey [00:17:16] And looking back at 2023 holistically here, Ray, if you had to sum up the threat trends of 2023 in one takeaway, what springs to mind for you?
Ray Canzanese [00:17:25] I'd say that one takeaway is that attackers keep getting better at hiding, and the fact that we're all using cloud apps now for darn near everything gives them lots of opportunities to hide. Right. So we've seen them using popular cloud apps to spread malware. We've seen some attackers use those same apps as command and control channels. Right. Why use command and control infrastructure when you can just send yourself some DMs on Twitter? Right. So it's just becoming, they're becoming better at hiding, right? Which makes it harder for those working in cybersecurity to differentiate between good and bad. And that trend of attackers getting better and better at stealth and blending in, that's going to continue, right? It's not like they figured out the secret, and that's what they're going to do forever. They've figured out how to operate effectively right now, and they will continue to operate that way until it becomes very difficult for them to operate that way, because the cybersecurity industry has gotten better at finding them there, and they'll shift again.
Max Havey [00:18:40] Exactly. They're always finding a new backdoor, a new way into whatever walled garden we're trying to work in. In that same vein, then, Ray, what's one piece of advice you'd impart to security leaders who are taking in this data from something like the Cloud Threat Report's reflection on 2023?
Ray Canzanese [00:18:56] Yeah, I'd say focus on what adversaries are currently doing that is successful. Right. So for example, what they're doing right now that's successful: they're targeting and abusing cloud apps. Right. So then what do I do with that information? I try to rein in cloud app use. Right? I don't let my users just use whatever the heck they want to use on a whim all the time. I find the apps that everybody's using, right? The Google Workspaces, the Microsoft 365, and I make sure that they're closely monitored, they're heavily locked down, and that I know exactly what's going on there in case of, uh, a breach or an insider threat. And I make sure that, you know, I don't have those blind spots. Right? Like, I'm monitoring, I'm inspecting all of my network traffic, and I'm doing everything I can, right, to defend against what attackers are doing now, with one caveat, which I would say: I'm ready to adapt as soon as that landscape changes. I didn't write that down as the one I'm going to focus on for all of 2024, and I'm not going to revisit that or make any changes, right, until, uh, 2025. No. If that changes, just be prepared to adapt and change along with it.
Max Havey [00:20:16] Yeah, that adaptability seems like the one thing, that's the resolution for every security leader these days: you have to keep evolving as the landscape and the attackers and the threat vectors continue to evolve.
Ray Canzanese [00:20:26] Absolutely. And it's tough, right? Because you don't want to overdo it in that regard, where with every new news article about some new threat, you drop everything you're doing and you focus on that one. Right? So there's a balance between never changing and never adapting, right, and hyper-adapting to these daily ebbs and flows, which don't really represent major changes that would require a sort of strategic change.
Max Havey [00:20:57] Absolutely. And Ray, as I come to the end of my questions here, where can folks go to find out more from the, uh, from your Cloud and Threat Report year in review for 2023? Where can folks find this to dig further into this data and take a look?
Ray Canzanese [00:21:12] Yeah, absolutely. You can go to netskope.com/threatlabs. You'll find that report there. You'll find my mailing list there. And you'll find a bunch of other content that we regularly put out on the threats and trends that we are seeing.
Max Havey [00:21:27] Very cool. Ray, thank you so much for joining us today. As always, it's an ever-enlightening conversation about the way the threat world is changing, and you always have such a good perspective to bring up. So thank you so much for joining us.
Ray Canzanese [00:21:37] Thanks for having me, Max.
Max Havey [00:21:38] Excellent. You've been listening to the Security Visionaries podcast, and I've been your host, Max Havey. If you enjoyed this episode, please share and subscribe to Security Visionaries on your favorite podcasting platform. There you can listen to our back catalog of episodes and keep an eye out for new ones dropping every other week, hosted either by me or my co-host, the great Emily Wearmouth. And with that, we will catch you on the next episode.