Humans are spectacularly bad at predicting the future. Which is why, when someone appears to be able to do it on a regular basis, they are hailed as visionaries, luminaries and celebrated with cool names like Nostradamus and The Amazing Kreskin.
Nostradamus made his fame on predictions about the distant future, but that technique has limited appeal today, because everyone has the short attention span of goldfish. So let me, as the CTO for AppSec at Imperva, a Thales Company, describe our five cybersecurity predictions about the coming year, and if they all happen you must address me thenceforth as The Amazing David Holmes (if you weren’t already).
Prediction #1: A Global 2000 company will lose significant intellectual property due to a prompt injection breach.
Generative AI has created a new killer app; the natural language interface to data. With the new interface comes a new threat vector: prompt injection. In 2025, a global 2000 company will lose significant intellectual property due to a prompt injection breach, jailbreak or other prompt error.
Prediction #2: AI investment will pass $1T at the peak of the hype.
As of Q4, the technology community has already passed $750b of investments in AI. Tech giants are rumored to be building entire new datacenters and powerplants just for AI compute. But initial customer use cases for GenAI will be rather pedestrian employee and customer portals, which, if successful, will generate some savings, but enough to make a return on this massive global investment? With prompt injection security still in its infancy, and a significant prompt-injection related breach (see above), 2025 will accelerate the plunge into the Hype Cycle’s “trough of disillusionment” faster than expected.
Prediction #3: A GenAI-enabled super hacking tool will redefine ‘script kiddies.’
GenAI is a tool, and tools can be used for both good and evil. Malicious actors are already using GenAI for reconnaissance, phishing campaigns and other “pre-breach” hacking activities. In a paper released at in March 2024, researchers evaluated different LLMs for the purpose of “post-breach” activities. Think of it like hooking GenAI up to Metasploit, lighting the fuse, and running away. According to the researchers, ChatGPT is better at hacking than the Llama-2 models FWIW. Researchers at Imperva have also written about how GPT-4 can be used to execute attacks autonomously, without prior knowledge nor human feedback.
So, now we have GenAI being used for both pre-breach reconnaissance and post-breach privilege escalation and lateral movement. We predict that in 2025, an enterprising group of attackers will combine the two phases into a single super-hacking tool that requires only the name of a corporate target to loose the LLMs of war. Then, when this super-hacking combo GenAI inevitably leaks (or get exfiltrated) defenders around the world will be scrambling.
Prediction #4: API Security will cross the chasm from early adopter to the early majority.
I recently attended the 2024 Forrester Security & Risk summit, where analyst Madelein van der Hout gave a breakout session on API security. According to her research, most enterprises are interested in API security but haven’t adopted it, yet. Or if they have, they are still very early in API security maturity, using solutions mostly just for API discovery and inventory (this jives with my own conversations with customers over the summer). But, ultimately, collecting API endpoints is only the first step because you’ll have to protect them at some point.
My fourth prediction is that 2025 will be the year that the early majority of enterprise organizations in North America will either adopt or will plan to adopt (within 24 months), API security solutions. They’ll join the early adopters in discovery, and some will progress to monitoring. The early adopters will be progress to risk analysis and finally some remediation.
Prediction #5: A significant OSS Supply Chain Attack succeeds.
This year, 2024, almost started off with a tremendous bang. Malicious nation state attackers, through months of disciplined social engineering, hijacked the maintenance of XZ utils, a widely-used opensource software (OSS) compression library. After taking over the development of the library, which is included in many modern Linux distributions, they painstakingly crafted a hidden backdoor within. They released the poisoned code and it began to spread through early beta distributions. One heroic network administrator noticed that the new code caused his SSH sessions to take a half second longer to connect. His personal investigation uncovered the backdoor. He raised the alarm, and the backdoor was removed. If it weren’t for him, that nation state group could have compromised all of the millions of Linux-based systems that power the modern internet.
Our prediction for 2025 is that an OSS attack like XZ Utils will actually succeed, now that all the other state actors saw how close the original attacker came to world domination. There’s nothing stopping a determined nation state from running operations like this on dozens of different OSS projects; they only need one or two to succeed. In fact, maybe they already have and we’re only going to find out about it in 2025.
So there you have it, the five wildest predictions for 2025 from Imperva. Looking at these as a group, you can see that there’s a bit of negative vibe here. Let’s hope we’re wrong about the super-hacking GenAI and the world-destroying OSS supply chain attack. But let’s also hope the world embraces API security in 2025. If these all happen, you know remember that “The Amazing David Holmes told you so!”
The post Imperva’s Wildest 2025 AppSec Predictions appeared first on Blog.
