Bad Actors Employ Next-Gen Hacking Methods for InnovationAccenture's Valerie Abend on How Cybercriminals Are Able to Move Faster
The number of ransoms paid by organizations is on the decline, which is positive news. But we know that the criminals are always innovating. Valerie Abend, global cyber strategy lead at Accenture, said cybercriminals are constantly learning to accomplish their objectives and are increasingly adopting next-generation hacking techniques.
During times of macroeconomic uncertainty, she said, rates of fraud are likely to increase because it's easier to prey on vulnerable individuals who have lost their jobs due to layoffs. Bad actors are constantly changing their tactics specifically to accomplish their financial objectives. Also, attackers could potentially weaponize generative AI tools such as ChatGPT, so it's imperative for security operations centers to proactively leverage these capabilities.
"The bad guys are moving faster, and that's the balance of the challenge there because while we sit down and think about sandboxing new tools, they don't have to wait for any responsibility framework to actually go after and use these capabilities," she said. "There's no question that they are thinking of new ways of leveraging it, some of which haven't even been thought of by our teams yet."
In this video interview with Information Security Media Group at RSA Conference 2023, Abend also discusses:
- How cybercriminals are targeting enterprises with generative AI tools;
- The challenges faced by enterprises in complying with regulations;
- How to bridge the gap between the private sector and policymakers.
Abend advises C-suite executives on how to manage cyber risk and build resilient business strategies. With more than 25 years of experience, she has spearheaded enterprisewide and sectorwide security and resilience strategies, public-private partnerships and cybersecurity regulatory oversight strategies.
Anna Delaney: Hello, I'm Anna Delaney with Information Security Media Group. I'm very pleased to be joined by Valerie Abend, global cyber strategy lead at Accenture Security. Great to see you, Valerie.
Valerie Abend: It's great to see you, Anna. I appreciate it.
Delaney: So let's talk about a few interesting trends to start us off: next-generation hacking techniques. There's an interesting trend at the moment: the number of ransoms paid by organizations is on the decline, which is positive news. But we know that the criminals are always innovating. How are they responding to this? And what do you see in terms of how their techniques, their tactics are changing, adapting?
Abend: I think it's really smart to think about that, because they're certainly not going to stop innovating to accomplish their objectives, right? And in difficult times - and let's be honest, it's not an easy time, a lot of people are feeling distressed right now, maybe lost their job, or are in fear of losing their job. That is a really important moment for social engineering. And the bad guys know it. And so the rates of fraud are actually going to increase, because it's easier to prey on these kinds of individuals at this moment. So I fully suspect that they are changing their tactics specifically to accomplish their financial objectives by going after people, from their fear.
Delaney: There's been lots of discussion at the moment about generative AI tools, which is ChatGPT, and how the criminals can target large enterprises, small enterprises as well, small organizations, with those tools. How do you see them potentially weaponizing these tools?
Abend: Well, generative AI is the topic all of the time. I actually just recently had a conversation with a large product company that also works in transportation. And we were really thinking through how do you leverage generative AI and the power here to enable your business, but do it in a responsible way, bringing together the chief data officer and the chief information security officer for responsibility framework, and thinking through this together so that you can leverage these capabilities. But the bad guys are moving faster. And that's the balance of the challenge there. Because while we sit down and think about, "Hey, let's sandbox this, let's kind of dip our toe," they don't have to wait for any responsibility framework to actually go after and use these capabilities. And so there's no question in my mind that they are thinking of new ways of leveraging it, some of which haven't even been thought of by our teams yet.
Delaney: So where are the opportunities for large enterprises on the defender side? Can you share some use cases?
Abend: Absolutely. I think the one use case everybody's talking about is how to help security operations centers actually leverage these capabilities. Because there's so much data coming in. I actually think one of the interesting use cases might be around identity and access management, both internally for your own employees as well as externally with your customers. How do we use large datasets and these learning models to solve some of the point-in-time access, that's really important to run your business from a service availability perspective, but make sure it's only in a limited period of time, and that it's revoked in a timely fashion. I think there's a lot of opportunity that isn't yet being explored in identity access management that we can look to.
Delaney:What do you recommend enterprises do right now, in terms of adopting these tools? Where do they start?
Abend: Yeah, I think it's important that you actually have a framework, that you're very thoughtful about it, that you're meeting with the business, coming up with those business use cases, and working in responsible ways, but not waiting. I just think that when we see technology innovation, it's really important to harness its potential. And this is a great opportunity for all of us.
Delaney: So let's talk about regulatory changes, lots happening in the landscape, can be difficult for multinationals to know what applies to them, what responsibilities they have, how to ingest these changes. What challenges do you see them face at the moment when it comes to regulation?
Abend: So regulation is sort of an interesting one. I'm actually a former regulator myself. And I get a lot of questions from our clients, particularly in the governance space of our clients, not just with chief information security officers and their teams, but all the way up to the C-suite and the board specifically about this issue. And honestly, a lot of them want to see regulatory harmonization. They're seeing so much complexity, it feels like it's taking away resources and attention from doing the job that they need to do. But there's a balance here. And we're talking about - in many cases, critical infrastructure, 90% or more, which is owned and operated by the private sector, most of which actually isn't regulated. I think there's a lot of attention and focus on what is. But someone once said to me, "Valerie - when I was a regulator - why can't you just use what we do? Why do you have to do something specific, in my case, for the banking industry? Isn't it a stack on stack on stack?" I said, "No, the application monitoring the controls in a nuclear power plant aren't the same for your wholesale payment system." And it is important that while you might have a harmonized-based approach on certain aspects, that you then take tailored industry approaches that are specific to the risks of those businesses. And so there really is a very strong place here for industry-tailored regulation.
Delaney: Are there other lessons learned from that time as a regulator for organizations now, in terms of harmonizing those efforts?
Abend: There are a number of them. The first is, I think a lot of private sector want to intrude, come to the table, in a conversation with the regulators. The challenge is different regimes around the world can handle that conversation, even legally in different ways. Some allow for open conversation, some don't. And you have to be sensitive to that. But when you approach that conversation, it's important to understand that the regulator is there, not just with a job to do, but that job is written in statute. And they have an obligation, they are actually overseeing, in many cases, by a legislative branch to fulfill that mission. And it's important that they actually show that they're fulfilling that obligation. And so helping them understand how best to fulfill that obligation, and being a partner at the table in a way that the legal construct allows it is the most productive way to work on that issue.
Delaney: Well, let's look at the SEC and changes they're implementing. They're imposing stricter rules about cyber expertise. At the board level, what are the changes we need to know about?
Abend: So, many folks have seen the SEC weigh in at different points in time - 2011, 2018. And then they published an interim for comment, proposed guidance, which would increase the amount of transparency and reporting that boards would have to do and companies would have to do around how they're handling cybersecurity, both incidents as well as various governance issues, also including expertise on the board. And I think this is really important, I actually think it's important to create transparency, unintended consequences have to be looked at. That's why you have a comment period. But I think a lot of companies are struggling with what constitutes cyber expertise on a board. I have a lot of colleagues who are chief information security officers - very bright, very good at operations. But they don't know governance. They're not really understanding how the governance model works. And by the way, if they are on boards, they have to expand beyond just cyber, they have to look at all the other aspects of that fiduciary responsibility. And then I have other friends, colleagues who are board members on big publicly held companies. And they are desperate for that knowledge, but don't want to appear as though they don't know what they're talking about. And so I really hope that we kind of have constructive conversations, and that we bring these groups together closer to actually enable that better. I think a lot of people are armored up in that room, maybe too curated in how they're having that conversation. And we can do better.
Delaney: Now I know you work in centers working with government to help bridge the gap. So tell us more about that?
Abend: Well, I think we're working with government, with key leaders across the private sector. And that's a really important place for a large global enterprise like Accenture, with the footprint that we have. Because when we make a change, when we lead with that change, we're not just credible, but we have real practical hands-on knowledge about why it works that way. So it's everything, from the analyst all the way to the boardroom. I think a lot of times I see fancy PowerPoints, but that's not going to make the change. You really have to help meet people where they're at, draw them into the conversation and give them practical approaches. And that's the gap that we're bridging between private sector, critical infrastructure, policymakers, government leaders to make that conversation better.
Delaney: How do you think these changes are going to impact the industry as a whole?
Abend: Well, I think it's a really exciting time. You know, there's always going to be challenges, but I like to talk about what you can do about those challenges. I think as an industry as a whole, you know, honestly, there's going to be some changes around how we build things securely from the start. And that's where everyone wants to get, how do we, not just sort of hold people accountable, but actually get them excited and knowledgeable about doing it. One thing that I've noticed is that we've not done a great job and need to do a better job of actually explaining what the tailored and specific accountabilities are for every single member of the C-suite. I think about it, if you're the chief marketing officer, digital trust in your brand is really important. So how do we help you understand what that accountability looks like from a cyber perspective? And then empower and enable not just you but your entire team, so that when you're held accountable as a chief marketing officer on that, it's actually real for you and then taking that and moving to the chief human risk officer, moving to the chief financial officer, etc. So I'm really excited about that change.
Delaney: Well, I know that Accenture has news to announce this week. Can you spill the beans?
Abend: Yeah, it's a big RSA for us. And I'm really excited about it. At RSA, we will be announcing a new partnership with Google. And that partnership will actually help us leverage Google's chronicle capability, which is all about data analytics. And I think they're known for that data analytics capability to further empower our managed detection and response capability. And I'm really excited about that, the future of using large language models to really expand and make the speed of what we do in that MxDR capability come alive for all of our clients in a really big way. Additionally, I think most people know that Google acquired Mandiant, and Accenture is partnering with Mandiant on crisis management response, incident response and threat intelligence. And I think the power of all this coming together, it's going to really be a game changer for our clients. The second thing we're announcing is in terms of our partnership with Palo Alto Networks. And this is exciting as well, because so much of what has changed is really that hybrid remote work environment. And you're talking about so many devices all throughout the world. And it's really hard to understand how to secure all of that. People talk about SASE and securing these edge capabilities. And we're really bringing new intellectual capability to that around diagnostics, and really cutting through the noise of all of that, signal to really identify where are your weakest points, and what do you need to do to make sure you're focused on closing those vulnerabilities fastest.
Delaney: All this news certainly reflects the theme of the event, 'Stronger Together'. So Valerie, this has been excellent. Thank you so much for sharing your expertise.
Abend: Thank you for the opportunity, and I really enjoyed it. Thanks.
Delaney: Thank you so much for watching. For ISMG, I'm Anna Delaney.