Offensive Awakening: The 2024 Shift from Defensive to Proactive Security – Source: www.cyberdefensemagazine.com

Adversarial Cyber Exercises Are The New Mandate

By Stephen Gates, Principal SME, Horizon3.ai

After observing the cyber threat landscape in 2023, in the coming year we’re going to see a complete mind shift throughout enterprises and government entities worldwide. The trend forcing this change in thinking is the result of the massive number of successfully breached and subsequently extorted organizations who either paid their ransoms or watched their operations come to a halt last year. Never in the history of cybersecurity have so many organizations fallen to human-operated, ransom-based attacks as seen in 2023.

So, what is the “about face” we can expect to see? Simple. Organizations will finally realize they can no longer take a solely defensive approach to security. For decades, organizations have relied upon industry experts and best-practices guidelines that all recommended, “add layer upon layer of defenses”, only to watch this tactic often fail to deliver adequate protection. Many believe the only way organizations are going to get their arms around the escalation of successful extortion-inspired breaches is to go on the offensive, attack themselves with the same tactics, techniques, and procedures (TTPs) attackers are using, and finally find the reagents lying in wait within their IT and cloud environments that are enabling these attacks to succeed.

This change in thinking is going to take a new class of security solutions mainstream, especially those that are offensive in nature and are underpinned with offensive AI capabilities. These AI-powered offensive solutions will not be used to attack others. Instead, they will be used by organizations to attack themselves with AI-based technology that comes as close to mimicking attackers as possible. Therefore, offensive focused innovators will likely garner great interest in the security buyer communities. To be clear, this branch of AI has little to do with Large Language Models (LLMs) like ChatGPT and others. It has to do with purpose-built, autonomous systems that are capable of doing the exact same things attackers do – breach your networks and steal your data. Finally, organizations of all sizes will be able to see their own environments through the eyes of an attacker.

As a result of this change, younger security companies that offer purely defensive-based technologies will likely have increasing difficulty in raising new capital to stay afloat. Therefore, a significant consolidation movement is likely on the horizon this year in the security industry. Smaller security firms that have consumed their cash faster than anyone expected, primarily due to customers delaying purchases due to their own economic challenges, will be forced to either go into survival mode, close up shop, or sell to the highest bidder. Consolidators will be on the lookout to purchase moderately successful companies so they can grow their own customer base through inorganic methods.

The reason for this awakening is also based upon the change currently happening, especially in terms of the latest legislative actions. In nearly every piece of new and/or proposed legislation (designed to address the current threat landscape of course,) every one of them calls for a new approach to security that is now focused on assessments, self-assessments, risk assessments, and so on. And often, these words are joined by the notion of “continuous”.

When searching for those terms in the many pages of any new piece of legislation, you will see them peppered throughout these initiatives. This is a tell-tale sign that things are about to shift 180 degrees since the term “assessment” really means that organizations will be required to go on the offensive, using manual, automated, and autonomous adversarial exercises, and attack themselves so they can find their truly exploitable weaknesses before attackers do.

Since this is the case, we can expect investors will shift their interests too, follow this trend, and place their bets on innovative companies that can address the foreknown growing demand for offensive-based, continuous self-assessment solutions, especially if they are underpinned by AI and machine learning. These assessments are not the run-of-the-mill vulnerability scans or once-per-year pentest. These are real-world, ongoing cyber readiness exercises.

Not only are legislators pushing for continuous self-assessments, cyber insurance companies, manufacturers who rely on their massive third-party supply chains, military hardware/software buyers, and other similar parties will also likely begin to embrace this offensive-based assessment mindset and require partners and suppliers to do so as well. In other words, if you want to do business with premium buyers, you will now be required to provide self-assessment scorecards before buyers buy, when applying or renewing cyber insurance, or doing business with the government in the very near future.

Hold on tight, because in 2024, organizations are about to fully discover the overabundance of weaknesses already residing in their networks they previously knew nothing about – discovered by way of offensive-based security solutions that are ready for the mainstream.

About the Author

Stephen Gates brings more than 15 years of information security experience to his role as Principal Security SME at Horizon3.ai. He is a subject matter expert with an extensive hands-on background in security and is a well-known writer, blogger, presenter, and published author who is dedicated to conveying facts, figures, and information that brings awareness to the security issues all organizations face. He is reachable at Horizon3.ai and on X at @Horizon3ai