Barcelona cybersecurity congress

The bad guys are winning. That’s the glum takeaway from the just-concluded Barcelona Cybersecurity Congress, which drew some 11,000 cybersecurity experts from more than 100 countries. There is a long list of reasons why cybersecurity experts find themselves on the back foot, but there is no doubt that cybercriminals are becoming increasingly sophisticated: the latest data shows a sharp uptick in sophisticated cloud attacks, even as the sheer number of cyberattacks threatens to become overwhelming.

That last point can’t be overstated. According to Roberto Clavero, sales engineer for enterprise at CrowdStrike and one of the many presenters at the May 21-23 event, the number of cyberattacks is staggering, because a successful attack often results in a lucrative payout by the victim. Cyberattacks increased 28% in the first quarter of 2024, and companies were targeted an average of 1,380 times per week, according to a Check Point report.

The speed at which cybersecurity defenses can be breached is increasing: down to 2.7 seconds in one instance, and no cybersecurity team is ready to handle attacks under two seconds, says Clavero. Alarmingly, cyberattackers spend as much as 62 minutes moving laterally through a targeted IT network to take advantage of vulnerabilities. Hackers are keen on discovering misconfigurations caused by human error or by the use of new technologies, such as 5G communications or newly connected devices, that security teams may not be as familiar with. The big numbers gap is that SIEM-reliant cybersecurity teams, on average, don’t detect the intrusion until 204 days later.

“This is a big problem,” says Clavero. “We need to bridge the numbers gap.”

By CrowdStrike’s count, there are 235 active cyber adversaries. Among the most dangerous are talented criminal cyber organizations such as Scattered Spider, Cozy Bear, Cosmic Wolf and Labyrinth Chollima, which are at the forefront of mounting cyberattacks via the cloud. Scattered Spider, a likely user of generative AI, is known for ransomware attacks actually formulated in the cloud, while Cosmic Wolf attacks data stored in cloud environments. Labyrinth Chollima uses the cloud to deliver documents with malicious macros, and Cozy Bear uses tools to modify cloud services for its own purposes.

And while the popular imagination sees these kinds of groups manned by youthful Boris-and-Natasha-style crews and their Chinese, Iranian or North Korean counterparts, the group profile can be much different in reality. Scattered Spider, for example, is crewed by a mix of American and British hackers ranging in age from 18 to 24, according to Clavero, who adds that there simply isn’t enough talent on the side of the good guys to foil cloud attacks. Some companies say they have refused to pay ransomware demands, but no one in the cybersecurity world believes them, since by some estimates it may take a month or more to recover from a ransomware attack.

While many cyberattacks, particularly against industry, are driven by economic gain, that’s not exclusively the case. Geopolitics can also be a driving force, according to Pablo Bentanachs, consultant, Intelligence Advisory Services, EMEA, at Recorded Future. Hacks may be an indicator of a “developing prelude” to an actual attack in which infrastructure is the target, says Bentanachs, citing an examination of China’s probes of Indian infrastructure as an example. Hacks may also be indicative of “flash points” on the horizon, for example as interest rises in the polar regions. Other motivations can include economic and military modernization gains, global investment strategies and regional dominance ploys. From a Western perspective, the Big Four cyber adversaries are Russia, China, North Korea and Iran, adds Bentanachs.

Andrew Rose, the veteran chief security officer for SoSafe, perhaps most cogently summarized the trending challenges now faced by cybersecurity professionals. Among them is a rise in global tensions in which cyber and kinetic attacks occur at the same time, the former often under the guise of “hacktivists” operating in support of national goals. This trend, first recognized in the Ukrainian conflict, allows nation states to deflect responsibility.

CrowdStrike, for example, has publicly identified the cyber groups Sandworm and Ember Bear as being linked to Russia’s GRU military intelligence service, while Recorded Future notes the effectiveness of Network Battalion 65 on the Ukrainian side. Hacktivists are also standing up ransomware-as-a-service in dark web marketplaces, which makes cybercriminal activity as easy as using a template.

Public sector infrastructure such as hospitals, along with crisis-oriented, victim-support organizations, is proving to be underdefended, and Rose predicts, “We’re going to see a lot more of this going forward.”

Disinformation, particularly in the United States, is another growing problem. Cybercriminals themselves are becoming more professional, using everything-all-at-once techniques such as pretexting, in which voice calls, texts and email attachments, as well as AI deepfakes and voice cloning, are combined to breach security.

Artificial intelligence is also allowing cybercriminals to “hyper-personalize” cyberattacks.

The anticipated threat of quantum hacking is poised like a sharp blade in the shadows. And the cybersecurity industry itself is fragmented and made up of personnel working at high burnout rates due to a lack of resources and a shortage of trained staff.

Bottom line: Cybersecurity operators have their backs against the firewall.