What Mend.io’s AppSec Experts Say About Cybersecurity
During Cybersecurity Awareness Month, we asked a panel of Mend.io’s finest minds what’s got their attention in the current cybersecurity landscape. We brought together Maciej Mansfeld, our Principal Product Architect; Rhys Arkins, VP Product Development, Sasha Sega, Head of DevOps; Tom Abai, Security Researcher; Shalev Sahar, Director of Information Security; and Maria Korlotian, Development Team Leader, to get their views on what are presently the most serious threats to cybersecurity, what new threats are likely to emerge, and the tools and tactics to address them. We also wanted to know what our experts do themselves to strengthen their personal cybersecurity, and what tips they have to help you keep your data and software safe. So, let’s dive in and find out what they said.
1. What do you think is the most serious threat(s) to cybersecurity right now, and why?
Rhys Arkins: Ransomware gangs seem like a high threat because almost any company could be a victim.
Sasha Segal: Legacy code does not get enough attention. It allows the discovery of security flaws years after they exist, and we probably discover only part of them. We don’t have time and passion to treat new code, we work on new features.
Maciej Mensfeld: Phishing and spear-phishing attacks using AI/LLM with context awareness. The use of AI for enhanced personalization of attacks on individuals using data from their online footprint. It allows for crafting more believable attacks. Moreover, these AI models can dynamically adjust their strategies based on user interactions, making their tactics more resilient and challenging to identify. Until recently, it was much harder or more complex to build a pipeline for attacks targeting especially less technical people.
One of the pressing cybersecurity threats is the vulnerabilities in Large Language Models (LLMs). These AI systems, while revolutionary, can unintentionally expose sensitive data or be manipulated for malicious outcomes. Given their vast training data and complexity, predicting risks or fully understanding their behavior is challenging.
Tom Abai: I think that emerging supply chain attacks like MoveIt, 3cx, log4j, MinIo, and many others, alongside the increasing numbers of zero days exploited in the wild, are the biggest threats right now because most firms do not really know how to handle this attack vector. Attackers are getting more and more sophisticated around this area, and they’ve found out that it’s easier to penetrate an organization through its supply chain than the old way through infrastructure.
Shalev Sahar: I believe that the biggest evolving threats derive from the growing adoption of AI. Some threats that will grow in the upcoming months will include the use of AI to learn and avoid patterns of common defense systems, for instance the use of AI to learn anti-bot patterns and bypass them, and the use of sophisticated phishing attacks to avoid current security systems and to appear much more realistic and genuine to end-users. Another threat is the high adoption rate of AI tools in companies. This presents an attack surface that is unprotected by most companies. (For example, injecting vulnerabilities in AI-generated code or data leak issues).
Maria Korlotian: The surge in AI has opened us up to many new attack vectors. The most severe threat is personalized attacks leveraging AI capabilities. AI-powered tools can craft highly targeted and convincing phishing messages, mimic trusted sources, and exploit individualized data to deceive users.
2. What do you think are currently the most effective tactics and tools to thwart these threats and why?
Rhys Arkins: Unfortunately, there are no simple answers other than “a holistic security approach”. Employing the principle of least privilege and locking down lateral movement within networks seem particularly valuable though, as they might mean the difference between a minor breach and a major one.
Sasha Segal: Treat legacy code with the same security awareness as new code. The damage from legacy code can be bigger than from new code.
Maciej Mensfeld: The primary defense against AI-enhanced phishing attacks is education. It’s essential to understand that many threats exploit human behavior more than technological vulnerabilities. Therefore, while tools and systems can provide a safety net, the first line of defense is always an informed user.
Tom Abai: I think that tools like SAST and SCA can help understand this risk, but by themselves, they are not enough. Organizations should set up a zero-trust policy and work a lot on the awareness of their employees, as people are always the weakest part of the chain. I also think that threat hunting and proactive investigations of the organization’s supply chain can help a lot with defending against those attacks.
Shalev Sahar: Two important tactics to tackle these threats will be the introduction of AI by security companies into the decision-making process of their security tools, to help identify and block such attacks. A second tactic is to enhance education for end-users to improve their ability to identify such attacks and avoid them, while also understanding the risks involved in using AI tools in their day-to-day work. It’s important to raise their awareness of the risks that accompany the advantages of AI, and how to avoid these risks.
Maria Korlotian: Acknowledging that anyone can be a target and prioritizing preventive measures help create a more secure online environment. Rejecting the “I’m too smart to be scammed” approach is crucial; cybercriminals use increasingly sophisticated tactics that can fool even the most informed individuals, emphasizing the need for a humble and vigilant stance in the face of evolving cyber threats.
3. What new threats do you think will emerge in the near future and how do you think that security technology will evolve to address them?
Rhys Arkins: The recent ransomware attacks evidently employed social engineering to gain access. No doubt the use of spoofed voice through modern AI techniques could make this an even greater threat in the future.
Sasha Segal: Hackers could pretend to be someone in my team and obtain secret information such as passwords. The solution is to better identify when humans are operating in digital space. Maybe a keyboard with a fingerprint scan on each button, or a scan integrated into the cellphone touch screen.
Maciej Mensfeld: Deepfakes in cyber espionage. Deepfakes, powered by AI, will be used in cyber espionage, creating highly realistic but entirely fake video or audio recordings, potentially leading to misinformation, scandals, or false flag operations. I think that there’s going to be a new branch of IT security focused on faked data and information detection and detection of machine-generated content.
Tom Abai: I think the era of AI, and LLM’s in general, is something new in IT, and with every new technology comes new security issues. Organizations will need to adjust to that and start thinking about how they are defending their AI products from leaking sensitive data and keeping their products safe to use. Another thing is the use of AI by cyber criminals, as we already see tools like FraudGPT, WormGPT, DarkBard, and many more, that take advantage of this new technology to set up amazing social engineering campaigns alongside new malware that’s getting developed with the aid of AI.
Shalev Sahar: AI will be the buzzword in the security world, moving forward. Use of AI in attacks will grow, allowing attackers to be more sophisticated in bypassing current security mechanisms. The potential is unlimited, starting from adaptive DDoS attacks, application attacks that will be able to fool current defenses, adaptive malware, and other forms of attack. The same will happen to security systems. Security defenses will be introduced that will be able to “learn” how attacks work and respond accordingly. Security tools will be able to adapt and respond to attacks by analyzing logs and making automatic decisions based on past data.
Maria Korlotian: We will hear more about AI-driven deepfake attacks and the proliferation of misinformation campaigns. Security technology must evolve by integrating AI-powered detection systems that can identify and debunk deepfakes and misinformation more effectively. Additionally, the emphasis on digital literacy and cybersecurity education will grow, empowering individuals to critically evaluate online content and contribute to a more resilient digital society.
4. What steps do you personally take and recommend to keep your own cybersecurity safe? How often do you implement them and why?
Rhys Arkins: I avoid being given privileges unless I have no option but to need them. It’s a good feeling to not need access to production systems.
Sasha Segal: Don’t trust anything or anyone in cyberspace. Always look for red flags. I am always doing this.
Maciej Mensfeld: I use Two-Factor Authentication on all supported platforms. The Yubikey adds an extra security layer, guarding against unauthorized access even if my password gets compromised. My family’s digital safety is also important to me. I’ve incorporated 2FA into their online routines, securing shared and mutual services. I keep all devices updated. They’re set to auto-update, safeguarding against known vulnerabilities. Major updates are manually checked monthly. I use a password manager for robust, distinct passwords across accounts. Passwords are refreshed after a known breach. And finally, all my data is being backed up in real-time.
Tom Abai: Something that I always keep in mind is “don’t believe anything you see.” My passwords are always stored in a password manager and not in the browser, as it’s easy for an attacker to grab them from there. I try to keep my and my family’s digital identity footprints as low as I can because, now it takes just one video to get into the wrong hands and something bad, like deepfake, can happen. Regarding the supply chain threat, I use plugins to check the open-source packages I use, and I try to validate the code of the packages/IDE extensions before I install them.
Shalev Sahar: There are many things I implement day to day, starting from educating my family members on the risks online, avoiding exposing personal information on social media, avoiding clicking links from unknown sources, and using multi-factor authentication everywhere. Although we cannot completely avoid exposing information regarding our lives and habits, we can drastically control what information gets exposed and the ability of hackers to make conclusions from this information that will assist them in attacks.
Maria Korlotian: I mainly focus on the weakest link and limited trust principles. In addition to safeguarding my cybersecurity, I extend all practices to my family and friends, educating them about the latest trends and ensuring best practices are implemented on their end. A proactive approach is essential to create a good shield against evolving cyber threats.
Applications run our digital economy. At Mend.io, we keep them safe while maintaining your productivity.
