NSFOCUS: 2024 Cybersecurity Trends Report: Analysis of the Top Ten Trends (English edition) (30 pages).pdf


Copyright

Unless otherwise specified, any text descriptions, document formats, illustrations, photos, methods, processes and other contents in this article are copyrighted by NSFOCUS and protected by relevant property rights and copyright laws. No individual or institution is allowed to copy or quote any part of this document in any way without the written authorization and permission of NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks. Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world's top ten telecommunications companies.

Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, Volumetric DDoS Protection, Continuous Threat Exposure Service (CTEM) and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM) and other cutting-edge research achievements developed by NSFOCUS.

01 Emerging generative AI attacks will intensify the focus on unique prompt content. Multi-modal attack methods and
model agent risks are emerging trends. Meanwhile, privacy compliance and data leakage pose significant security challenges for AI applications.

02 Generative AI will revolutionize security operations. LLM, acting as a “Security Copilot,” offers analytical, reasoning, and reporting capabilities. Additionally, LLM technology is widely used in various attack prevention scenarios, including vulnerability mining, malware analysis, content detection and automatic penetration.

03 Risk management is evolving. It will transition from broad “all-risk” detection to precise, dynamic threat exposure management in response to diverse supervision methods and escalating attack intensity.

04 The demand for HRTI, HRTI platforms and HRTI applications will increase rapidly.

05 Ransomware remains the most detrimental form of cybercrime for organizations worldwide. Threats such as double and multiple ransom continue to grow, with ransom tactics becoming increasingly diverse.

06 Cyber warfare has accelerated the weaponization of Distributed Denial-of-Service (DDoS) attacks and is often the vanguard for advanced persistent threats (APT) and ransomware attacks. Attackers prefer to purchase dedicated cloud servers, and the attack mode begins to develop into intelligent strategy-based attacks.

07 Cloud security protection is shifting its focus toward Cloud Infrastructure Entitlement Management (CIEM) and Cloud Security Posture Management (CSPM), with identity and management at its core. Cloud-native security will be increasingly practical and applied, from infrastructure security to cloud-native API security and micro-service security.

08 Privacy computing and confidential computing are opening new development avenues due to the ongoing formulation and enhancement of laws and regulations. Interconnection standardization and overcoming ecological isolation are critical focal points in this context.

09 Intelligent Connected Vehicles (ICVs) encounter challenges in data security, functional safety, and safety of the intended functionality. To address these, a vehicle-road-cloud integrated security system is essential, providing comprehensive security governance capabilities.

10 As the low-altitude economy expands, the widespread adoption of Unmanned Aerial Vehicles (UAVs) highlights the critical importance of UAV security for further development.

10 Cybersecurity Trends for 2024

01 Emerging generative AI attacks will intensify the focus on unique prompt content. Multi-modal attack methods and model agent risks are emerging trends. Meanwhile, privacy compliance and data leakage pose significant security challenges for AI applications.

The vigorous development of Generative Artificial Intelligence (GAI), especially the key technological breakthroughs represented by the Large Language Model (LLM), has promoted a new round of the Artificial Intelligence (AI) industrial revolution. For the first time, Gartner included “Generative Cybersecurity AI” as an Innovation Trigger in the Hype Cycle for Security Operations 2023. AI and
LLM applications represented by ChatGPT are gradually penetrating into key scenarios of various organizations. However, the current LLM is still immature. At the same time, with its capability improvement and application expansion, potential security vulnerabilities and hidden dangers will lead to wider and more serious consequences.

AI-oriented attack and defense has always been a hot topic in academic circles. Attack technologies against LLM are also constantly improving and becoming more complex, such as model reverse engineering, data poisoning attacks, model theft, etc., which pose a serious threat to the availability and confidentiality of LLM. Since its emergence, LLM has faced many unique risks, such as prompt word injection, role-playing, reverse inducement and other new attack techniques. At present, the detection and defense measures for LLM threats are insufficient in the face of attackers' ever-changing attack tactics.

By 2023, classic DAN (Do Anything Now) attacks have emerged, which are executed by enticing LLM to perform any action, including potentially risky behaviors, through carefully crafted prompts. In addition, there is a Grandma vulnerability, where the AI system is prompted to generate unexpected responses through role-playing and other means. These attacks target the features of natural language and are known as “prompt attacks”. Prompt attacks which combine traditional attack techniques like XSS attacks are also prevalent.

[Figure: Grandma Vulnerability]

The security measures implemented by
LLM manufacturers alone cannot sufficiently address these attacks. Therefore, it is necessary to carry out risk assessment on LLM prompts and accordingly conduct defense detection on the user input and model output sides. At the same time, by optimizing and enhancing the prompt content and text structure on the service model side, defense detection is carried out against attacks such as escape attacks, role assumptions, and prompt disclosure, thus effectively increasing the attack cost against models.

The multi-modal capability not only brings various business opportunities to LLM applications, but also brings them more diversified attack forms and security risks. When multi-modal interaction forms (such as text, image, sound and video) become the normal form of services, attack payloads also have more forms and complex combination modes, bringing new challenges to the defense system of organizations. As a key technology for the model to acquire external capabilities, while providing various capabilities such as graph database operation, file interaction and command execution for the model, the agent mechanism may also be manipulated by attackers in a multi-modal form to indirectly control the model
agent, resulting in more extensive attacks. The security of multimodal models is more complex than that of models trained on single-modal data, so multimodal content security is also a valuable research direction.

When people use LLM, meeting privacy compliance and avoiding sensitive or private data leakage have become major security challenges. At present, many countries have promulgated laws and regulations on privacy compliance. For example, data stakeholders are required to take a series of measures to protect the privacy and sensitive information of users, including the Gramm-Leach-Bliley Act (GLBA) and the California Consumer Privacy Act (CCPA) in the United States, and the General Data Protection Regulation (GDPR) in the European Union, the Data Protection Act (DPA) of the United Kingdom, etc. However, at the same time, personal privacy and sensitive data leakage incidents caused by LLM began to occur. For example, Samsung workers leaked top-secret data by using ChatGPT, and three recorded incidents occurred within 20 days after its introduction. This has prompted internal considerations to disable it again. Therefore, LLM applications will pay more attention to compliance in the future, and the built-in privacy protection functions will be further strengthened. These protection measures include but are not limited to data encryption, desensitization, permission control, anonymization and fine-grained access control mechanisms for user data. AI service providers can gain a competitive advantage by improving
security. Security vendors can also launch relevant security products to meet the emerging AI security needs and reduce the risk of LLM and its data becoming targets for attacks.

02 Generative AI will revolutionize security operations. LLM, acting as a “Security Copilot,” offers analytical, reasoning, and reporting capabilities. Additionally, LLM technology is widely used in various attack prevention scenarios, including vulnerability mining, malware analysis, content detection and automatic penetration.

In 2023, intelligent security operation technology has become fiercely competitive. The pre-announcement of the Microsoft Security Copilot technology platform undoubtedly kicked off the competition of cyberspace security LLM technology. Other offerings such as Google's Sec-PaLM and SentinelOne's Purple AI are closely following. It provides a brand-new interaction and task analysis paradigm for intelligent security operation technology, and offers great opportunities to upgrade the classic cyberspace AI technology stack from the dimensions of analysis, integration and collaboration.

By comprehensively observing the technical system of LLM-driven security operation represented by Microsoft Security Copilot, we can see that generative AI based on LLM technology shows a number of significant technological advantages in the field of security operation, including:

1) Semantic enhancement of security knowledge. With the exponential increase in parameter scale, LLM reserves domain knowledge + common sense, which
greatly alleviates the gap between data patterns and security semantics, a core problem plaguing the development of cyberspace AI. This is something that traditional small models (such as classic machine learning, deep learning, knowledge graphs and other technologies outside of LLM) struggle to resolve.

2) The analysis logic of offensive and defensive fields was enhanced. The small-model technique is mainly good at statistical analysis of problems, and most of its ability lies in fit learning. However, the task diversity and environment openness of cyberspace security lead to limited and easily attenuated classical fitting learning ability. Based on core frameworks such as large-scale parameter foundation and instruction learning, LLM already has a logical analysis foundation to support the learning scenarios with few samples and zero samples. It can efficiently extract key information from massive data, form deep insights, and quickly screen out data critical to security operations.

3) Enhancement of human-computer interaction decisions. The ultimate subject of cyberspace confrontation lies in humans. LLM technology has greatly promoted the level of interaction between language models. The security team interacts through the natural language-based security control interface, which greatly reduces costs and improves the experience. This is a major technological revolution for analysis scenarios with complex objectives such as data, tools and documents in security operations.

Specifically, LLM can greatly reduce the
dependence on senior security analysis experts and greatly improve the accuracy and automation level of advanced threat detection in daily alert triage, attack traceback and investigation, malware analysis, report generation and other aspects.

Of course, LLM is only one of the core capabilities in the intelligent security operation technology system. Typical security analysis capabilities, such as unified disambiguated data graphs, complete tool support systems, specialized small model libraries and a unified execution framework supporting collaborative scheduling, are still the key foundation for exerting the value of LLM security. Therefore, combining the existing security analysis capabilities to form the core capability of intelligent assistant decision support will be a typical paradigm of security copilot driven by LLM in the future.

While considering that generative AI technology provides new auxiliary decision support and analytical capabilities for cybersecurity operations, we also see its great potential in key security areas such as vulnerability mining, malware analysis, content detection, and automation penetration, as well
as the risks generated by exploitation by attackers.

Vulnerability discovery is an integral part of cybersecurity and traditionally relies on the expertise and experience of security researchers. Using generative AI techniques to automate vulnerability mining can increase efficiency in discovering software vulnerabilities. However, attackers can use these tools to quickly identify and exploit new vulnerabilities, posing new challenges to cybersecurity.

Malware analysis usually requires a lot of human resources to identify and analyze. Generative AI enables automated malware analysis and increases the effectiveness of defenses. However, malicious attackers are also using generative AI to create new types of malware in order to bypass existing detection mechanisms and make its identification and defense more difficult.

Automated penetration testing is an important tool for evaluating cybersecurity defense capabilities. AI technology can help to simulate attacker behavior and identify vulnerabilities in the testing. However, malicious AI tools can also perform automated attacks to discover and exploit system vulnerabilities at lower cost and more efficiently, posing a greater threat to the organization.

Content detection is a key technology to identify and prevent the spread of malicious content. Advances in AI technology can help improve the accuracy and speed of content detection. However, the capabilities of malicious AI tools, such as generating realistic fake news or phishing emails and false videos by deepfake techniques, present new challenges for content detection systems that need to evolve to identify and counter complex AI-generated content.

To sum up, facing the two-sided nature of generative AI in cybersecurity, we must not only actively embrace the opportunities it brings and improve the intelligence level of cybersecurity operations, but also be alert to and actively respond to the risks and challenges that malicious AI tools may pose, and ensure the security and stability of cyberspace through comprehensive strategies and measures. At the regulatory level, legal oversight of AI technology applications should be strengthened to ensure that their development and use do not harm the public interest. Public awareness of the potential risks of AI technology should be raised at the educational level, and responsible use of AI technology should be encouraged. In particular, at this stage, vigorously strengthen security awareness education around deepfake threats. At the technical level, develop defense strategies and techniques to identify and defend against attacks generated by malicious AI tools, improve the robustness of existing authentication mechanisms, and provide endogenous
security against deepfake threats.

03 Risk management is evolving. It will transition from broad “all-risk” detection to precise, dynamic threat exposure management in response to diverse supervision methods and escalating attack intensity.

Continuous Threat Exposure Management (CTEM) is expected to become a hotspot for the cybersecurity industry in 2024, mainly due to its understanding of the comprehensive security risk profile and ability to assess continuously.

Risk governance has always been a topic in network security. Every new technical highlight or assessment method attracts wide attention from the industry. Today, we first analyze the outbreak and exploitation of vulnerabilities from the perspective of attacks.

Vulnerability exploitation: According to the number of publicly released vulnerabilities collected by NVD, more than 30,000 new vulnerabilities were added in 2023. However, only around 500 high-risk vulnerabilities were found to have mature means of exploitation. That is to say, only 1.9% of the vulnerabilities will directly and quickly cause huge risks, while security administrators will be faced with tracking, identifying and fixing more than 30,000 vulnerabilities.

Organizational capability: As risk detection ability improves, many organizations realize that the input-output ratio of comprehensive asset management and risk management is not economical. Asset and risk management is hard to achieve the goals because it is difficult to implement across departments.

Attack landscape: With the emergence of APT-as-a-service and Ransomware-as-a-Service, the attack landscape becomes more challenging. Of the 500-odd vulnerabilities mentioned earlier, 25% have been weaponized on the same day, and the remaining 75% have a weaponization
cycle of less than three weeks, which also poses great challenges to security teams in discovering risks and fixing timeliness.

Therefore, the new risk governance scheme must involve the following aspects:

(1) It is necessary to have sufficient cognition of the harm, effectiveness and timeliness of vulnerabilities;
(2) Re-evaluate the fixing priority and solution based on sufficient understanding of the deployment location, business attributes and defense capabilities of the system or asset where vulnerabilities are located;
(3) It is necessary to continuously and uninterruptedly monitor the risk of overall IT assets to ensure that problems can be found in time;
(4) It is necessary to extensively expand the cognition of risks, including but not limited to passwords, identities, new media, software supply chains and digital assets for risk management;

Based on the combination of the intranet attack surface and supply chain risk management platform, CTEM is trying to solve these four new challenges in risk governance with continuous monitoring, identification and VPT technologies.

04 The demand for HRTI, HRTI platforms and HRTI applications will increase rapidly.

After years of development, the Indicators of Compromise (IOC) of Threat Intelligence (TI) that can be automatically consumed by machines has entered a mature stage. However, with the outbreak of GPT technology in 2023, especially AIGC technology, the demand for human-readable intelligence
is expected to develop rapidly.

Compared with Machine-Readable Threat Intelligence (MRTI), Human-Readable Threat Intelligence (HRTI) shows its unique value and advantages in many aspects. The following is a comparison between them.

Definition
  MRTI: Threat intelligence data is presented in a machine-readable and structured format that can be parsed and applied by computer programs or automated tools.
  HRTI: Threat intelligence in the cybersecurity industry that has been collated, interpreted and summarized to be presented in a human-readable form so that it can be understood and applied by humans.

Positioning
  MRTI: It focuses on providing rapid, accurate and automatable threat analysis and response.
  HRTI: It focuses on providing in-depth, comprehensive threat analysis and strategic decision support.

Value
  MRTI: Improve the efficiency and accuracy of threat detection and response, and reduce the workload of manual analysis.
  HRTI: Provide in-depth threat insight, technical and tactical intelligence, and strategic advice to help organizations develop targeted security strategies.

Form
  MRTI: Structured data is presented in API, XML, JSON and other formats to facilitate machine analysis and processing.
  HRTI: Presented in the form of reports, abstracts, charts or brief descriptions, including text reports and chatbots, to facilitate human reading and understanding.

Processing Speed
  MRTI: Quickly process large amounts of data to enable real-time threat detection and response.
  HRTI: The processing speed is relatively slow, and LLM promises to improve the challenges of slow production and understanding.

Accuracy
  MRTI: There may be false positives or negatives depending on the accuracy of automated tools and algorithms.
  HRTI: Depending on the quality of the raw data corpus and the level of human-readable intelligence transformation, it is usually highly accurate. LLM technology readiness will also be an important factor.

With the rapid development of LLM technology and more mature MRTI applications, the HRTI application scenarios and scope are expanding rapidly.

(1) The scope of data involved in HRTI is gradually showing higher value. Traditional threat governance focuses more on intelligence data such as attackers' IPs and vulnerabilities. However, human-readable open-source intelligence (data from the public web, deep web and dark web data) is playing an increasingly important role in the Russian-Ukrainian cyberwar in 2023 and important offensive and defensive exercises. According to
NSFOCUS Threat Intelligence monitoring, the public web intelligence such as bidding and supply chains, leaked data exposed at the deep web, and high-value intelligence traded by hacker organizations at the dark web are all widely used in network confrontation.

(2) The challenge of high production costs for HRTI is being undermined. With the rapid development of LLM technology in 2023, many links in HRTI production have been overcome, including intelligent data classification, automatic knowledge extraction, text data understanding and HRTI report generation. Updated AI models can even extract and understand
multimedia data such as images and videos. According to media reports, some advanced intelligence agencies (such as the CIA) have begun to use AI technology to process and provide services for open-source intelligence. Intelligence collection channels include newspapers, radio, television, the Internet, etc.

(3) HRTI application products take on a new form. In addition to traditional human-readable reports in the form of documents, chatbots such as ChatGPT provide more convenient and real-time HRTI applications. The intelligent recommendation of AI technology is also conducive to the accurate HRTI push. According to third-party media reports, in 2023, the United States CIA is building a program similar to ChatGPT for use by the entire United States intelligence community. The project is expected to provide strong support to the CIA, NSA, FBI and major national agencies. Another well-known security company in Israel, Cybersixgill, has launched Cybersixgill IQ products to provide the use of HRTI by GPT.

(4) Human-readable threat intelligence is being applied in new scenarios. On the one hand, with the maturity of LLM technology, HRTI can be quickly, automatically and accurately converted into machine-readable intelligence. As NSFOCUS observed in 2023, the intelligence agencies and well-known business intelligence companies of many countries have become skilled at automatically extracting MRTI from human-readable reports and updating it to the TI library on a daily basis to realize automated processing by equipment. This technology application trend is believed to be replicated by more intelligence agencies in 2024. This will also speed up the use of HRTI. On the other hand, in addition to depicting current threats, HRTI can anticipate unknown possible security threats and help personnel take steps to construct defensive positions ahead of time. For example, the research report on technology and tactics in Russia-Ukraine cyber warfare can provide experience for countries' network security construction, and the detailed analysis report of blackmail against financial industry giants in 2023 can provide inspection and handling reference for organizations in the same industry. It is predicted that in 2024, HRTI will expand more new patterns on traditional MRTI scenarios through the upgrade of better human-machine interfaces.

As LLM technology continues to mature, the production of HRTI for decision-making and reference is becoming increasingly popular and market-driven. This trend will be particularly evident when integrating the CTEM concept, raw intelligence from the dark web, hacker forums, Telegram groups, and security professionals' and hackers' social media accounts (specialized security corpora), and localized data such as network alerts into traditional corpora. Compared with the MRTI products such as IOC services and threat intelligence platforms, new threat intelligence product forms may emerge in the future, such as an intelligent platform for access to multi-source human-readable intelligence corpus and generation and recommendation of human-readable intelligence after integration with multiple AIGC engines.

05 Ransomware remains the most detrimental form of cybercrime for organizations worldwide. Threats such as double and multiple ransom continue to grow, with ransom tactics becoming increasingly diverse.

Ransomware is still the most harmful form of cybercrime to organizations around the world. In 2023, under the dual and multiple ransomware patterns, the threat of ransomware continued to grow, forming more ransomware groups and more diversified and complicated modes driven by interests. If the ransom is not paid, ransomware attackers will usually threaten their victims to paralyze a key business process, sell secret data on the public, dark or deep web, or sell them to competing companies for unfair competition. At the same time, ransomware groups may also launch fierce network attacks and use DDoS and other attacks to cause business paralysis. In recent years, in addition to the above-mentioned forms of extortion, these attackers may also voluntarily provide leaked data to the media to damage the reputation of victim organizations. Besides, they may extend their hands to the victims' third-party partners to further expand the scope of attacks by extorting ransom, making it more difficult to respond. Interestingly, as the United States and other countries have adopted mandatory cybersecurity incident reporting systems, including data leakage, ransomware groups have also added a form of blackmail: If no ransom
is paid, the attacker will report the security incident to the regulator, thus causing reputational and regulatory losses to the victim. This shift from double to multiple extortion undoubtedly brings greater challenges to the security protection of organizations. It can be seen that in the future, organizations should not only prevent ransomware attacks but also discover and block internal cyberattack activities in a timely manner. More importantly, they should also prevent data leakage within organizations. These three points are equally important in the security protection of organizations to minimize the harm caused by ransomware attacks.

In 2023, the intensity of benefits-driven APT attacks continued to increase, which is especially obvious in the field of ransomware attacks. Some veteran APT groups, such as Lazarus, have been accused of engaging in multiple cyber robberies and ransomware attacks
for profit. The top ransomware group LockBit set a record for the number of ransom attacks and total ransom amounts in 2023, with 522 organizations extorted in the first half of this year alone. As of the first half of 2023, the United States alone had paid LockBit $91 million in ransoms.

In addition, ransom attacks utilizing 0-day vulnerabilities in network devices are increasing, targeting well-known brands including Citrix, Cisco, and Fortinet. In 2023, the LockBit ransomware group executed a series of attacks exploiting the Citrix Bleed vulnerability, affecting major enterprises including Boeing and the US branch of the Industrial and Commercial Bank of China (ICBC), resulting in significant losses across critical sectors like global freight and finance. The 0-day vulnerability has become a favored attack method for ransomware attackers due to its unknown nature and difficulty in prevention. Attackers can exploit these vulnerabilities to quickly gain system permissions, and then implant ransomware for data encryption and ransom demands. It is expected that 0-day vulnerability exploitation will continue to increase in ransomware attacks in 2024.

With the increasing threat of ransomware, cyber insurance has also developed rapidly in recent years. In 2022, the global cybersecurity insurance market reached $12.1 billion. Cyber insurance can provide certain economic guarantees for insured organizations to help repair or mitigate the losses caused by ransomware attacks. According to Coalition's H1 2023 Cyber Claims Report, the frequency of claims for ransomware attacks increased by 27% in the first half of 2023, and the largest factor contributing to this peak was a significant increase in frequency in May. At the same time, ransomware claims also reached a record level of severity, with average losses exceeding $365,000, soaring 61% in six months and 117% in one year. Ransom demands have also increased, with an average ransom amount of $1.62 million in the first half of 2023, up 47% from the previous six months and 74% from last year. Interestingly, 36% of Coalition policyholders opted to pay a ransom in the first half of this year.

The multiple ransomware patterns make the compensation scope of cyber insurance more complicated and uncertain. In addition to direct ransom payment, multiple losses such as reputation loss and business
interruption may also be involved, making it difficult for insurance companies to identify losses and compensate. On the other hand, cyber insurance has also attracted the attention of ransomware attackers. They are more likely to target cyber-insured organizations, which are more likely to pay ransoms.

Another interesting service to watch is the extortion negotiation service. The ransomware negotiation service is usually used as part of the emergency response to security incidents. It helps customers analyze the incident process and the scope of ransomware impact from a professional perspective, analyze the negotiability of ransom, negotiate with attackers on behalf of customers to minimize losses, and help customers communicate with law enforcement and regulatory agencies. In some cases, helping customers with payment and financial operations will also be part of the ransomware negotiation service.

06 Cyber warfare has accelerated the weaponization of Distributed Denial-of-Service (DDoS) attacks and is often the vanguard for advanced persistent threats (APT) and ransomware attacks. Attackers prefer to purchase dedicated cloud servers, and the attack mode begins to develop into intelligent strategy-based attacks.

DDoS attacks have become an indispensable weapon to paralyze network systems in cyber warfare. Emerging DDoS attacks, such as HTTP/2 Rapid Reset and SLP reflection amplification attacks, are constantly emerging. Both attackers
105、 and defenders are struggling to upgrade their technology in order to discover new offensive and defensive strategies.DDoS attacks are no longer limited to traditional network layer attacks,but extend to application layer attacks and reflection attacks.Attackers use new media such as IoT devices and

106、 virtual private servers to increase the complexity of attacks,making detection and response increasingly difficult.With the commercialization and SaaS-delivery mode of attack tools,it becomes easier to obtain them without even requiring skills from attackers.Looking at the cyberspace battle of the

107、Israeli-Palestinian conflict in 2023,the hacker groups that initiated DDoS did not always act independently.Organizations with common interests interact to rapidly form wartime coalition.These groups operate separately in peacetime,but they quickly join forces for shared interests to increase their

108、offensive power in the face of conflict.Examples include the Cyber Operations Alliance(C.O.A Agency),Killnet and Anonymous Sudan and other hacker groups in the Israeli-Palestinian conflict.In addition,some hacker groups will also temporarily form and participate in attacks due to their own interest

109、demands.DDoS attack mode changes from straightforward resource exhaustion to intelligent strategy attack.Intelligent strategic attack means that the attacker can adaptively select or predefine the strategy path according to the environment of the attack target,and intelligently adjust its own attack

110、 mode and behavior.Different from early attack tools,intelligent strategy-based attacks not only execute the attack steps in a predetermined sequence,but also dynamically adjust the strategy according to the real-time situation,so as to save attack resources and circumvent traditional detection and

defense mechanisms, and finally maximize the attack effect. Pulse attacks, as evidenced since 2018, generate extremely high traffic peaks for a short period of time, then stop suddenly and re-initiate after a certain interval to circumvent the automatic defense mechanisms triggered by protective equipment. By 2021, carpet-bombing attacks appeared. DDoS attacks were carried out on a large number of IP addresses. Although the attack traffic borne by a single target IP address was small, it should not be underestimated in total. Such attacks bypassed the scrubbing policy of the DDoS defense system and had an impact on the user business of the entire IP segment. By 2023, new testing types of DDoS attacks are emerging that will allow attackers to scope targets, gauge defense strength, and assess follow-on efforts. In this case, the initial DDoS attack may serve as a reconnaissance attack to conserve attack resources and set the stage for subsequent more accurate attacks.

After using real hosts, botnets and reflective nodes, attackers gradually prefer to purchase dedicated cloud servers, Virtual Private Servers (VPS), as the attack source. For a long time, large botnets mainly relied on IoT devices such as routers, printers and cameras to carry out attacks. However, these devices have limited processing power and typically require the traffic generated by hundreds of thousands or millions of units to damage a target. Nowadays, attackers are no longer limited to IoT devices but use VPS provided by cloud service providers. The VPS offered by cloud providers was originally designed to enable small business start-ups to create high-performance applications at a lower cost. These VPS networks have more powerful computing performance and network bandwidth. Attackers can purchase or invade multiple VPS to build a new botnet for attack activities.

In addition, there are clues that DDoS is gradually becoming a precursor to advanced persistent threats and ransomware attacks. Increasingly, DDoS attacks attempt to distract incident response teams from larger security incidents. DDoS attacks themselves may be just smoke bombs. The purpose of the attack is no longer just simple network disruption but also to confuse and divert the attention of defense personnel toward the surface, thus creating conditions for more secretive and targeted penetration activities behind the scenes and launching APT attacks with greater harm.

07 Cloud security protection is shifting its focus toward Cloud Infrastructure Entitlement Management (CIEM) and Cloud Security Posture Management (CSPM), with identity and management at its core. Cloud-native security will be increasingly practical and applied, from infrastructure security to cloud-native API security and micro-service security.

At present, cloud computing security mainly focuses on two aspects: cloud infrastructure security and cloud application security. The former tends to shift from workload security to control plane security, while the latter increasingly focuses on the security of cloud-native systems.

In the field of cloud computing infrastructure security, the industry previously focused mainly on the Cloud Workload Protection Platform (CWPP), that is, paying attention to workloads at the cloud host or container level to detect and protect corresponding threat events. However,
a series of major security incidents in 2023 mostly involve identity, management and exposed surface rather than workloads. For example, in May 2023, Toyota Connected's cloud misconfiguration left large-scale data exposed to the Internet for many years, mainly because Toyota Connected did not carry out correct access control on the cloud storage service it used; in September 2023, the Microsoft AI research team accidentally exposed 38TB of private data on GitHub, due to a SAS token permission configuration error, which led to unauthorized access to Azure Blob Storage; in November 2023, the sensitive data of MPD FM, a UK government contractor, was leaked because the Amazon S3 bucket used by it was incorrectly configured with access permissions.

In fact, as early as 2018, Gartner first proposed Cloud Security Posture Management (CSPM) in the report Gartner Top 10 Security Projects for 2018 to detect and prevent cloud infrastructure risks in advance, continuously managing the security posture of IaaS and PaaS. Nowadays, CSPM functions are constantly enriched and iterated. At present, CSPM tools include not only cloud configuration and management but also new capabilities such as Data Security Protection Management (DSPM) and Cloud Infrastructure Entitlement Management (CIEM) (How to Make Integrated IaaS and PaaS More Secure Than Your Own Data Center, 2023). These new capabilities address the aforementioned threats to identity and data.

Unlike CWPP, CSPM pays more attention to tenant security. If the Access Key ID/Secret Access Key of an organization is leaked, attackers can access cloud storage, virtual private cloud (VPC), cloud database, Kubernetes cluster and other cloud services purchased by the organization without authorization, and steal sensitive data through different attack paths, which is one of the main reasons for frequent cloud security incidents in recent years. Through CSPM, organizations can perceive their own cloud services, the topological relationship between services, the access permission corresponding to services, and the possible attack paths for these cloud services. Then, combined with the corresponding detection and response capabilities, they can effectively solve the security problems at the cloud tenant level.

The report IDC FutureScape: The Worldwide Cloud 2024 Predictions predicts that by 2024, 23% of organizations will use AI technology to empower cloud-native application protection
platforms (CNAPP) and CSPM. Among them, CSPM will focus more on automation and intelligence and improve the ability to automatically identify cloud security misconfigurations through AI algorithms.

Amidst the evolution of agile practices and the construction of new infrastructure, the cloud-native ecosystem that is characterized by containerization, orchestration, and microservices technologies is experiencing rapid growth. Organizations have started to invest in cloud-native security, and the object of security operation has shifted from underlying cloud infrastructure to microservices. For the sake of security construction, the security team either conducts security verification and reinforcement on the cloud-native environment or deploys third-party security products to ensure the security of the cloud-native environment. But even then, it's hard to answer the question of whether a cloud-native system is secure because risks can arise from a lack of timely updates or wrong policies in security products. In fact, there have been cases of breaking through cloud-based platforms or applications in both real attacks and red and blue teaming exercises. Considering the frequent changes in cloud services and the huge scale of cloud computing applications, it is difficult to achieve completeness only by manual evaluation. Therefore, Cloud Native Breach & Attack Simulation (CNBAS) will become the development trend of cloud-native security. On the one hand, CNBAS can rely on attack weapons against the cloud computing ATT&CK matrix to automatically, continuously, and harmlessly simulate attacks in the cloud environment; on the other hand, it evaluates the overall security maturity of the system with reference to the compliance requirements and maturity evaluation mechanism for cloud-native systems. It is foreseeable that more and more BAS vendors will provide the capability of cloud-native security verification. Similarly, CNAPP vendors also need security verification to prove the effectiveness of their protection capabilities and security policies.

In addition, an increasing number of development teams are embracing the application-oriented (microservices) agile development model, and more and more application interactions are changing from traditional Web applications to API microservices based on the cloud-native technology stack. However, this transformation brings several challenges including functional componentization, proliferation of services and complex configuration. Unmanaged microservices will be the attackers' focus and a huge risk in cloud-native environments. It is foreseeable that in 2024, security services towards cloud-native APIs and microservices will be further developed to effectively address the growing number of security threats. With eBPF and API security as the technical base, microservice application-oriented security capabilities will be built, including east-west zero trust microservice microsegmentation, API threat protection, service call observability and security governance.

08 Privacy computing and confidential computing are opening new development avenues due to the ongoing formulation and enhancement of laws and regulations. Interconnection standardization and overcoming ecological isolation are critical focal points
in this context.

Both confidential computing and privacy computing are key technologies for the secure transfer of data elements. Their ultimate goal is to support the security of data elements in the process of multi-party transfer, but there are also common challenges at the implementation level: interconnection between products and ecosystems. The architectures of mainstream confidential technologies are quite different. Some provide virtual machine-level security protection and isolation, while some provide process-level security protection and isolation. The operating systems and images used by platforms with different processor architectures are different, which makes the application architecture of confidential computing poorly compatible and difficult to interconnect. Privacy computing also involves multiple open-source projects, and the architectures and interfaces of privacy computing platforms vary among different vendors. Therefore, user applications need to spend extra costs in the process of cross-platform migration and development, which hinders the promotion of new applications.

Promoting confidential computing and privacy computing applications for secure collaborative computing and secure data transfer, as well as standardizing interconnection frameworks, can break through ecological isolation between different manufacturers and platforms. By formulating unified interface standards and protocols, interconnectivity among different architectures or applications from different manufacturers can be achieved, ultimately reducing user application migration and development costs and ensuring safe data transfer and use. In 2024, the important trend in secure data flow will be the implementation of applications supported by new technologies to solve problems in real scenarios and dispel customers' concerns in the data transfer process. Relevant solutions can support the interconnection of products and data among multiple parties and gradually expand the circulation scope and participation ecology of the entire data element.

09 Intelligent Connected Vehicles (ICVs) encounter challenges in data security, functional safety, and safety of the intended functionality. To address these, a vehicle-road-cloud integrated security system is essential, providing comprehensive security governance capabilities.

Intelligent Connected Vehicles (ICVs) are facing many challenges, including functional safety, information security, personal safety and public security. With the intelligent, networked and digital development, the increased complexity of in-vehicle software has led to an increase in the failure rate of automotive electronic and electrical systems. Complex scenarios and various uncertain long-tail effects have also caused greater driving safety risks. At the same time, network attacks and data breaches against ICVs are increasing year by year. So, creating a security system that combines vehicles, roads, and the cloud is crucial. This system ensures safety, governance, and coordination across vehicle security, road infrastructure, cloud-based control, and V2X (vehicle-to-everything) communication.

According to Upstream's 2024 Global Automotive Cybersecurity Report, between 2019-2023, incidents disclosed in the clear web (media) have
increased by over 50%, reaching 295 reported incidents in 2023. In 2023, the Automotive and Smart Mobility ecosystem experienced a sharp increase in incidents targeting backend servers (telematics, applications, etc.) as well as infotainment systems. Server-related incidents grew from 35% in 2022 to 43% in 2023; infotainment-related incidents nearly doubled, increasing from 8% in 2022 to 15% in 2023.

New attack vectors based on IoVs are constantly emerging. For example, 1) For the new T-BOX, remote control hijacking attacks based on information leakage of in-vehicle communication module and forged digital signature attacks based on Vehicle-to-Vehicle (V2V) communication protocol have appeared; in the intelligent driving mode, automated driving algorithm attacks based on generative adversarial networks (GAN) have emerged. 2) Through attacks on the charging interface of electric vehicles, attacks on ICVs can spread to the power grid infrastructure and even public utility systems through charging equipment. In light cases, it may cause personal property losses of users; in serious cases, it may lead to accidents caused by charging and social power system failures, or even threaten the national power lifeline.

The purpose of building a vehicle-road-cloud integrated system is to achieve efficient intrusion detection and quick response capabilities against typical IoV security threats. Through this system, it is expected to realize the lifecycle security protection and unified security management of each ICV business system, ensuring that the security is visible, controllable and credible. Here are some details about the system:

The terminal (vehicle/roadside) security protection system mainly deals with cybersecurity threats including near-field attacks, remote attacks (including cloud-based attacks), in-vehicle attacks and attacks to the cloud, representative vehicle functional security threats (such as vehicle battery SOC, abnormal temperature, etc.) and driving safety threats (such as expected functionality safety failure, etc.). It can monitor security threats and actively defend vehicles and roadside equipment. It also feeds back security risk data in real time, and links with the cloud for timely response to realize closed-loop security protection.

V2X (Vehicle-to-Everything), V2V (Vehicle-to-Vehicle) and V2I (Vehicle-to-infrastructure) communication meet the requirements of cross-domain identity authentication to ensure secure communication.

V2C (Vehicle-to-Cloud) and I2C (Infrastructure-to-Cloud) communication have the capabilities of identity authentication and data encryption to ensure secure communication between vehicles, road infrastructure and cloud
control platforms in the domain.

10 As the low-altitude economy expands, the widespread adoption of Unmanned Aerial Vehicles (UAVs) highlights the critical importance of UAV security for further development.

The security of Unmanned Aerial Vehicles (UAVs) will become increasingly prominent as they are widely used in various fields. Instances of drones being employed for malicious purposes or becoming targets are frequently observed. There are cases in which UAVs have been used for near-source attacks: the attacker invaded the internal network of a company through Wi-Fi by using some electronic devices carried by two UAVs. There are also some criminals who cracked the geofence system of UAVs, enabling them to break the original flight restrictions and fly in the height limit zone or no-fly zone.

In the area of security research, researchers have also identified a number of worrying vulnerabilities. Among the high-risk vulnerabilities disclosed in 2023, the remote code execution vulnerability in the UAV operating system attracts particular attention. Once this vulnerability is exploited, the UAV may be completely controlled by attackers. There are also firmware signature verification bypass vulnerabilities, which expose firmware files to the risk of malicious tampering.

To deal with these potential security problems, applying the principle of security first is necessary throughout every stage of UAV development and application. In addition to the laws and regulations on security requirements for UAV flight and service management, security products, services, and solutions for UAV systems and their data will also inevitably increase with continuous technological innovation and market demand. The detection and protection products, services and solutions that have appeared in the market at present and may be launched in the future are summarized as follows:
