By: Kim Scott

For CEOs it’s a recurring nightmare: waking up to a call saying, “We’ve been hacked.” How did it happen? “We don’t know. We’ve never seen this before.” This bump in the night is happening frequently. GenAI is going to accelerate the appearance of these previously unknown attacks. While some technology tries to target unknown attacks, our defensive tools are best at protecting from known threats. A new set of tools is needed. These tools need to both find and remediate the unexpected attacks. Technologies implanting fine grained, non-centralized, behavioral analysis, and dynamic low latency remediation will be the key foundations of these tools.

Examples of Unexpected Attacks

The MGM casino 2023 attack resulted in estimated costs of $100M. How it happened is still not fully known or publicly shared, but it’s been widely shared that the attack started with Phishing ploy that gave the attackers credentials needed to deploy their ransomware. Most of today’s tools struggle to detect these types of attacks as they tend to resemble normal operations.

Recently, Microsoft Azure announced an attack where the hackers were able to take over targeted accounts using credentials obtained through phishing techniques. There is suspicion that the attackers may have updated Multi-factor Authentication (MFA) information to enable them to remain resident in the systems longer. This type of attack is difficult for today’s technologies to detect quickly. Often an attack of this type isn’t detected by a cyber security monitoring tool, but rather through a series of end users reporting unexpected system behaviors.

Not all things that go bump in the night can be attributed to known causes. In May 2024, AT&T announced that about 70 million current and formal AT&T clients have personal information such as Social Security Numbers and/or pass codes on the dark web. They haven’t yet announced how the data was exfiltrated or even if the data came from AT&T or one of AT&T’s vendors. At the time of this writing, AT&T has shared that they are still investigating.

Sometimes it’s not a specific business that’s targeted, but rather a tool. For example, the MOVEit file transfer service attack targeted a zero-day vulnerability that opened the door to an SQL injection attack. No one expected that the file transfer service that was in common use across enterprises — government, education, etc. — could be exploited. One source estimates that the MOVEit attack has already affected over 1,000 organizations and 60 million individuals worldwide.

An executive can wake up to an attack on a totally different organization resulting in the crippling of their organization. In February of 2024, many health care providers, hospitals, pharmacies, etc. woke up to find that they weren’t going to get paid. The non-payment wasn’t for anything in their systems, but because Change Healthcare Group (a health care payment system), had been crippled by a ransomware attack. As of this writing, many health care providers have still been forced to lay off staff and restrict services. Once the information has been encrypted in a ransomware attack, restoration operations can be expensive, time consuming, and often not fully successful.

In these examples, multiple vulnerabilities were leveraged to breach the system. While today’s solutions do a reasonable job correlating data across security technologies, monitoring solutions tend to sample data due to the vast quantities of security alerts. Centralized monitoring solutions may correlate information over time to detect anomalies. However, tools leveraging such strategies tend to insert latency into the detection process which can cause expensive delays in detection or detection after it’s too late. In addition, the tools are reliant upon the data sampling choices and may miss important information.

Detection and Defensive Approaches

In the examples above, several common deficiencies were exploited. Social engineering, phishing, and poor security hygiene were all cited techniques used in the exploits. It’s not publicly known what caused the AT&T hack at this time, as the company is still researching and hasn’t released information regarding their investigation.

With the millions of dollars per year spent on cybersecurity, why are these attacks still difficult to detect?

Social engineering attacks target employees by leveraging their inclinations and convincing them to give attackers what they need for access and control. Often, there are security gates in place, but the attackers create a sense of urgency persuading the