Threat Indicators Show 2024 Is Already Promising to be Worse Than 2023

In just the first two months of 2024, threat intelligence firm Flashpoint has logged dramatic increases in all major threat indicators.

While 2023 was a difficult year for cybersecurity teams, 2024 is likely to be worse: in its first two months, every major threat indicator Flashpoint tracks has risen sharply.

By Flashpoint’s numbers, there were 6,077 recorded data breaches in 2023, with attackers accessing more than 17 billion personal records (up 34.5% on 2022’s figures). In the first two months of 2024, this increased by 429% over the first two months of 2023.

The US suffered more than 60% of all breaches in 2023 (3,804). This was a 19.8% increase over 2022’s figures. The first two months of 2024 have seen a further increase of 30% over the same period of 2023.

Ransomware attacks increased by 84% in 2023 over 2022. The first two months of 2024 saw a further 23% increase over the first two months of 2023.

Despite the large numbers involved, one attack and one attacker stood out during 2023: the MOVEit attacks (leveraging CVE-2023-34362), and the LockBit ransomware group. The MOVEit attacks account for 19.3% of all reported 2023 attacks. LockBit claimed 1,049 victims, around 20% of all known ransomware attacks in 2023.

LockBit’s operations were disrupted on February 20, 2024 when international law enforcement seized servers and arrested some individuals (Operation Cronos). LockBit rapidly created a new Dark Web blog and claimed that operations would continue as normal. Flashpoint is not so sure. Its report (PDF) says, “Indications are suggesting that Operation Cronos has had a more significant impact on their operations than they are willing to admit.” Time will tell whether, in what form, and to what extent LockBit may resurface during 2024.

Such detailed figures raise one major question: how does Flashpoint gather its intelligence? Unknown unknowns bedevil all statistics. The firm recognizes this reality and stresses that its figures come from publicly recorded incidents. The true picture, if different, could only be worse, not better.

Flashpoint’s VP of intelligence operations, Ian Gray, explained the firm’s data collection methodology. Teams of analysts monitor the Dark Web’s leak sites, ransomware blogs, public disclosures, and known vulnerabilities from NVD (supplemented, added Gray, “with vulnerabilities that we’ve collected through other data sources such as social media”).

The report separately notes, “One major blind spot occurs when enterprises strictly rely on the Common Vulnerabilities and Exposure (CVE) database, which is missing over 100,000 vulnerabilities—nearly a third of known vulnerability risk.” The effort and detail used in the collection of known threats leads Gray to comment, “It all gives us a bit of ground truth” in the firm’s intelligence collection and threat analysis.

Reinforcing Flashpoint’s ‘ground truth’ assertion, and shining a light on the CVE blind spot, is the report’s assertion, “As of February 2024, Flashpoint analysts have cataloged 330 vulnerabilities that were discovered being exploited in the wild, that still do not have a CVE ID.” These vulnerabilities apply to companies including Adobe, Apple, Google, Microsoft, Siemens, and SolarWinds.

The combination of incomplete CVE records and the variability of severity ratings dependent on which version of CVSS is used adds to the problem all companies face: triaging vulnerabilities for patching or other remediation. Flashpoint recommends using a Venn diagram analysis for known high severity vulnerabilities using ‘remotely exploitable’, ‘public exploit’, and ‘available solution’ as the vectors.

This process would isolate around 4,600 vulnerabilities to prioritize out of a total of 12,285.
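The three-vector triage described above can be expressed directly as set intersection. The example below is an added illustration, not Flashpoint’s code or methodology: it assumes each vulnerability record carries a CVSS score and three boolean attributes, uses a CVSS 7.0 lower bound as the “high severity” cut (an assumption; the report does not state its threshold), and runs over a small constructed inventory, including one exploited-in-the-wild entry that has no CVE ID, to mirror the blind spot the report describes. Vulnerability IDs in the sample are placeholders.

```python
"""Venn-style triage of high-severity vulnerabilities.

Added example (not Flashpoint's code). Each record has a severity score plus
the three vectors named in the report: remotely exploitable, public exploit,
available solution. The 7.0 threshold is an assumption.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Vuln:
    vuln_id: str              # CVE ID, or a vendor/internal ID if no CVE exists yet
    cvss: float
    remotely_exploitable: bool
    public_exploit: bool
    solution_available: bool


HIGH_SEVERITY = 7.0  # assumption: CVSS v3 "High" lower bound
VECTORS = ("remotely_exploitable", "public_exploit", "solution_available")

# Constructed sample inventory; IDs are placeholders, not real findings.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, True, True, True),
    Vuln("CVE-0000-0002", 8.1, True, False, True),
    Vuln("CVE-0000-0003", 7.5, True, True, False),   # exploit public, no fix yet
    Vuln("CVE-0000-0004", 5.3, True, True, True),    # below severity threshold
    Vuln("VULN-NOCVE-0005", 9.1, True, True, True),  # exploited, no CVE ID assigned
    Vuln("CVE-0000-0006", 7.2, False, True, True),
    Vuln("CVE-0000-0007", 8.8, False, False, False),
]


def high_severity(vulns, threshold=HIGH_SEVERITY):
    """First cut: keep only records at or above the severity threshold."""
    return [v for v in vulns if v.cvss >= threshold]


def vector_key(v):
    """Tuple of the three booleans, i.e. which Venn region the record sits in."""
    return tuple(getattr(v, attr) for attr in VECTORS)


def venn_regions(vulns):
    """Count records in each of the 8 regions of the three-set Venn diagram.

    Keys are (remotely_exploitable, public_exploit, solution_available).
    """
    counts = {combo: 0 for combo in product((True, False), repeat=3)}
    for v in vulns:
        counts[vector_key(v)] += 1
    return counts


def prioritize(vulns, threshold=HIGH_SEVERITY):
    """Patch-first list: high severity AND in the triple intersection, worst first."""
    core = [v for v in high_severity(vulns, threshold) if all(vector_key(v))]
    return sorted(core, key=lambda v: v.cvss, reverse=True)


def needs_mitigation(vulns, threshold=HIGH_SEVERITY):
    """Remotely exploitable with a public exploit but no available solution:
    these cannot be patched yet, so they need compensating controls instead."""
    return [
        v for v in high_severity(vulns, threshold)
        if v.remotely_exploitable and v.public_exploit and not v.solution_available
    ]


if __name__ == "__main__":
    hs = high_severity(SAMPLE)
    print(f"{len(hs)} of {len(SAMPLE)} records are high severity")
    for region, n in venn_regions(hs).items():
        print(f"  region {region}: {n}")
    print("patch now:", [v.vuln_id for v in prioritize(SAMPLE)])
    print("mitigate :", [v.vuln_id for v in needs_mitigation(SAMPLE)])
```

The intersection (remotely exploitable, public exploit, fix available) is the list a patching team can act on immediately; the region with a public exploit but no available solution is the one that needs compensating controls and monitoring rather than a patch ticket, which is why it is reported separately.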

Notably, Gray sees only a limited role for AI in Flashpoint’s future. “I don’t see [AI] as something that could help identify future threats,” he told SecurityWeek. “I think that we still need to rely upon analysts to do that. It requires a lot of due diligence and just understanding the landscape – which I don’t think current AI models or tools can do. So, we’ll only be using gen-AI in limited use cases, primarily for summarization of what our human intelligence collects and analyzes.”

Flashpoint’s USP is that none of its intelligence is based on guesswork. The firm only gathers data that is publicly available – but it does so more thoroughly and intelligently than individual companies could do for themselves. “That’s part of our value proposition. Everything we provide is out there and open source,” said Gray. “But there’s so much of it even if you have time to find it. Our methods find it and our analysts provide the curation and vetting.”

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.