What keeps CISOs up at night? Mandiant leaders share top cyber concerns

A trio of top brass for Mandiant shared the emerging advanced tactics, techniques and procedures that they see troubling cyber professionals.
From left, Mandiant's Jurgen Kutscher, Kevin Mandia and Sandra Joyce participate in a panel discussion at Google Cloud’s Next technology conference in Las Vegas on April 9, 2024. (Scoop News Group photo)

LAS VEGAS — An increasing volume of zero days — 97 total in the last year. The evolution of cyber extortion to now include physical threats and advanced coercion. More and more threat actors “living off the land.”

These are but a few of the top concerns that keep chief information security officers up at night, according to the top leaders of cybersecurity firm Mandiant, now a subsidiary of Google Cloud.

Speaking during a press conference at Google Cloud’s Next technology conference this week, Mandiant CEO Kevin Mandia convened Sandra Joyce, vice president of Mandiant Intelligence, and Jurgen Kutscher, vice president of Mandiant Consulting, to share their perspectives on the threat landscape and how it’s evolving. 

“There’s more of everything bad,” Mandia said of the cyber threat landscape, though he reasoned, “that doesn’t mean we’re at the trough of cybersecurity over the last couple of years. 


“We’re bringing far more awareness to the problems” and the cybersecurity industry has made “a lot of improvements,” he said. 

That said, there’s “more malware, more threat actors, they’re better at what they do and they’re more impactful when they’re successful,” Mandia explained.

CyberScoop compiled a list of the top concerns the Mandiant executives see CISOs experiencing today.

More zero days

According to Kutscher, zero days are increasing in number and sophistication, and that’s a big problem for security professionals who want a good night’s sleep. 


“I think when we look back at the last couple of years, quite honestly, right, there have been a lot of interesting trends in the cybersecurity space that CISOs have been struggling with. One of them, of course, is the number of zero days that we’ve seen in the last couple of years,” he said. “And that has given the attackers a new way of maintaining persistence.”

In particular, hackers are targeting security appliances and network perimeter devices to gain long-term access, Kutscher said, adding that traditional security technologies aren’t advanced enough to detect an intrusion on those devices.

“It makes detection very, very difficult,” he said.

Artificial intelligence favors defense

While all the buzz in the tech industry is around the great potential and major risks of emerging artificial intelligence capabilities, Joyce said that of the more than 1,000 incidents Mandiant responds to in a year, “not a single one of them yet has AI as a major or essential component of it.”


“So we’re still in sort of an experimental phase when it comes to what threat actors are doing with AI,” she said. “And that creates an opportunity for … defenders to really lean into this.”

Because threat actors really haven’t taken a position of advantage in the AI space, Joyce said “the opportunity is now.”

Both she and Kutscher believe that head-to-head, AI currently favors the ability to defend against attacks.

“Very clearly, it’s giving us the upper hand,” Kutscher said. “I can’t predict the future of when attackers are going to start focusing on leveraging more AI — obviously, that remains to be seen. But as Sandra said, right now we have the advantage. It’s a benefit.”

Living off the land


Mandia said bad actors have gotten very good at imitating credentialed users. “There’s better OPSEC by the attackers,” he said. 

So-called “living off the land” techniques make it so that “you can’t distinguish between an attacker very easily and a threat actor. And that’s a problem because it means you don’t detect the attacks and they’re much more surreptitious,” he said.

“It’s one of the biggest changes that I think I’ve seen between 2023 and now,” Mandia said, and it’s led to breaches having far worse impact on victims because an attacker goes undetected for longer periods of time.

Cyber threats go beyond cyber

Joyce pointed to the rising levels of extortion that Mandiant has seen in recent years as one of the biggest concerns in the space. 


“The aggressiveness by which cyber criminals are operating, particularly groups that we’ve been tracking recently, are making a CISO’s job really, in some cases, a nightmare that they have to live through because they don’t just have to think about stolen data — they have to think about the well-being of the people that work for them as well,” Joyce said.

Years ago, cyberattacks were more “smash and grab,” she said, where “cyber criminals were asking for, you know, a small amount of cryptocurrency and then they give me back access to your photos of your grandparents.”

But in recent years, in the event of ransomware, “what CISOs are looking at now is not just the theft of data, not just the destruction of their operations, but it could be threats to their person, it could be threats to family members, very brutal coercion,” Joyce said. 

Outdated multifactor authentication

As cybercriminals become more sophisticated, they’re also increasingly targeting cloud infrastructure, Kutscher said. And that’s exacerbated when organizations rely on dated multifactor authentication tools. 


“We’re seeing a lot more focus on cloud infrastructure, which is not surprising given that a lot of organizations are in the cloud, right? We’re definitely seeing a lot more focus from attackers on that,” he said. “We’re also seeing them bypass multifactor authentication much more effectively, especially the more dated multifactor authentication technologies, for example, like sending SMS messages with a six-digit code, etc. We’ve seen attackers getting really, really good at bypassing those types of controls.”

Kutscher explained that “a lot of organizations still have a lot of these dated multifactor authentication technologies in use, and now we’re looking at, what do we need to do to mitigate the risks around that? Because we are seeing attackers being very effective at bypassing those to access cloud infrastructure, but also just simply gain access to any sort of environment.” 


One of Joyce’s big takeaways from a recent trip to Ukraine was the level of burnout experienced by the nation’s cyber defenders, which can extend to its general population as well. She said it’s a direct result of the increased sophistication of attacks and the growing volume of zero days, which make it something that the average CISO has to deal with as well.

“So if you think about zero-day usage, it’s not just that the zero days are used,” Joyce said. “Think about the workflows that have to happen to ensure that that is patched, to determine how critical it is for that specific organization. That’s a spin-up of activity. And when we’re at something like the last year, over 90 zero days that were used. 


“New techniques mean that defenders have to be on the ball,” she said. “Now take the stakes way up and make that something where you’re defending in a conflict. So let’s say you’re in Ukraine — that just becomes even more of a burden in that space.”

In Ukraine, Joyce witnessed Russia using advanced cyber techniques concurrently with a missile strike on a power plant, a tactic that she said “terrified” Ukrainian citizens “because the lights are now off, it gives them the sense that their government can’t protect them.”

“But it’s all sort of intertwined with these advanced techniques that we’re talking about. So whether you’re a CISO thinking about this or whether you’re a Ukrainian defender or the Ukrainian population, these techniques have very far-reaching consequences,” Joyce said. 

Supply chain 

Supply chain attacks are nothing new, but their sophistication is growing, with some threat actors now moving through multiple levels of a supply chain before taking action against a victim. 


“Trying to trace that back, trying to understand where the attackers came from is extremely difficult,” Kutscher said. It’s one thing to spot them in your environment, he said, “but how would you eliminate them from your environment understanding where they actually came from and how they got there? It’s extremely difficult.” 

Mandia said the growing volume of zero days and the shift in targets, from the major technology firms like Apple, Google and Microsoft that hackers traditionally attacked to smaller software service providers, reflect cybercriminals looking to take advantage of weak supply chains.

“It’s more of the enterprise software companies and other software companies that are providing a service to somebody else. So you’re seeing kind of a tilting of the scales,” he said. “Supply chain is a big problem — CISOs are worried about it. Because all of the small companies that are making the innovative software today, a lot of these startups don’t have security staff. … So it creates sort of a backdoor insecurity to some extent.”

Written by Billy Mitchell

Billy Mitchell is Senior Vice President and Executive Editor of Scoop News Group's editorial brands. He oversees operations, strategy and growth of SNG's award-winning tech publications, FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. Prior to joining Scoop News Group in early 2014, Billy embedded himself in Washington, DC's tech startup scene for a year as a tech reporter at InTheCapital, now known as DC Inno. After earning his degree at Virginia Tech and winning the school's Excellence in Print Journalism award, Billy received his master's degree from New York University in magazine writing while interning at publications like Rolling Stone.
