Forensic Analysis of 2025 and Predictions for 2026

Watch this to learn cybersecurity lessons from 2025 breaches and cybersecurity predictions for 2026 and beyond.

Watch this webinar to hear VP of Forensic Investigations Aaron Willis and Deputy CISO Matt Heffelfinger discuss:

  • 2025 forensic investigation findings
  • Cybersecurity lessons from 2025 breaches
  • Cybersecurity predictions for 2026 and beyond

Transcript of Forensic Analysis of 2025 and Predictions for 2026

Hi, everyone. Welcome. I'm Heff. I am the director of the Threat Intelligence Center here at SecurityMetrics.

Joining me today is Aaron Willis from the forensics department.

We call him the John Wick of forensics because he's that good, folks. Alright. You're in for a rare special treat today. In fact, every year, one time a year, we get together and we put our best predictions together. And this year, we've got some good predictions.

Yeah. And we actually have a few failures too, so we're gonna look at those and see what we got wrong.

Yeah. So we'll give you our hits and our misses, but more importantly than that, we're gonna give you some thoughts and pathways that you can travel to protect your business based on what happened in the news. So let's talk about a look back first. Last year, we did an episode, and we got some things right, but we're humble. We'll admit it when we get things wrong too. What did we get right last year in our predictions?

The enhancements that we saw in iframes. We predicted that we would see kind of a full-scale attack, with counter-offensive measures trying to get those iframes secure. You know, in the last few years, we saw a breach of those iframes where attackers were able to use various shenanigans and basically circumvent the iframes. And so, you know, that really defeated a lot of business models out there that depended on the security of that iframe.

We figured we would see a lot of businesses adapt to that threat, and we did. We saw a lot of enhancements in iframes, a lot of companies putting in control headers and sandboxing, limiting access to those sensitive areas in the browser like local storage. Yeah. And so we saw a lot of progress there, and there's some really nice solutions out on the market now.

Talk to me about the Jscrambler stuff that you're seeing. I know that's a big area that you're involved in.

What are you seeing around that space?

Well, Jscrambler, very good friends of ours, really sharp guys over there. Yeah. They were combating a lot of these iframe attacks.

They introduced their armored iframe, a lot of iframe hardening things.

Feroot Security, talk to me about that.

They provide their Payment Guard AI. That's integrating AI directly into the browser so they can see some real-time threats and adapt to that. They also implemented some X-Frame-Options, forcing people to enable that sandboxing to keep that thing secure and make sure that they've got ongoing script verification, things like that. So really interesting use of AI by Feroot.

Can I put you on the spot for a moment? And let's talk about SecurityMetrics for a moment, because we're heavily into this space. What are some things that you're really proud of? When you look back on 2025, what are some things your team was able to accomplish or that you're excited about that happened in 2025 in that space of stopping ecommerce threats?

Well, our shopping cart monitor really came into its own in 2025. Yeah. It was pretty neat to see it run and actually prevent a lot of these attacks, you know, just real-time detection. It's just awesome to see it working. We saw a lot of attacks that previously, before we had these types of tools, would have gone on, you know, potentially for years unnoticed. Yeah. Without anybody doing it.

It's really a tribute to the maturity of your team and the maturity of their knowledge, and the tool itself is pretty remarkable.

You know, for a lot of people, they're still finding out about ecommerce threats. They're still trying to understand, do I need help or not? I think if anything, picking up the phone, giving a call to anyone that can help you in this space is critical. You cannot do this on your own.

It's kind of a community effort, and there's a lot of really smart people out there. Fortunately, we've got quite a few of them here at SecurityMetrics.

We do. We do.

But, yeah, the community really came together. We saw the implementation of 11.6.1 and 6.4.3 in PCI DSS. Yeah. That was really a direct response to these iframe circumvention attacks that became prevalent.

That was one of our other predictions, wasn't it? You know, talk about the results from that. The implementation, the compliance with 6.4.3, 11.6.1. What did we see come out of all of that?

We did predict that we're gonna see a massive rush of last-minute merchants trying to get compliant.

That was a mixed bag. We didn't quite nail that one. We didn't see the huge rush that we expected. There was some. But what caught us off guard was how many times we saw merchants trying to get around that with different justifications. One of the things that we did predict was that some merchants would try to switch to full payment redirects.

Okay. Okay.

And that instead of using an iframe, you just send the customer off to somebody else and let them deal with it. We saw a thirty percent increase in the number of merchants using full payment redirects. Wow.

That seems like a massive number to have to encounter.

What about what we got wrong though, Aaron? I mean, we're not always right. Some of our predictions are off the trail, off the tracks. What did we seem to get wrong? Alright.

Well, if you remember all the way back in 2023, I had a big prediction that I got wrong.

I predicted that there would be a massive increase in the number of ecommerce hosts. Okay.

That would be breached or have some sort of compromise.

I was wrong in 2024. It actually went down. But I got vindicated in 2025. Unfortunately, that's not one I wanna be wrong on. But we saw a massive amount of data breaches on the host side. And, you know, we'll talk about some of those. Some of them were actually some of the biggest compromises in 2025.

Yeah. And I'll tell you what, folks. If you stay to the very end, we are gonna throw out our predictions for 2026, and some of them are pretty good. I think we're gonna be right on a few of these.

We might be wrong too, but stay tuned to the end as we cover that issue. So okay. There were some news stories, Aaron. I mean, there were big news stories, and I definitely wanna get to the cybersecurity news, and we'll share those here in just a minute.

But let's stay in that world of ecommerce for a moment. I know there were some breaches that maybe the audience missed. You know, you're going about your world, you're running your business, and you didn't hear about it. Walk us through what were the ones that just stood out to you.

One of the things we didn't see coming was the increase in MFA fatigue.

Okay.

And what I mean by that is attackers figured out that they could exploit a common character flaw. That is, if you spam enough MFA requests, you get it on your phone, it says, is this you? Yeah. Yeah. And we noticed that just by default, humans would hit yes. And that led to a large number of breaches.

You know, they got around the MFA by exploiting human characteristics.

We throw out a lot of acronyms around here. I mean, that's the world of cybersecurity. MFA is multi-factor authentication. It's one of the most hallmark standards that you need to implement in your business. And as you'll see as we talk about predictions for 2026, there's a shift, and there's a shift going towards things like passwordlessness. And we'll talk about passwordless in a little bit here, but give us the breakdown of your biggest ecommerce breaches that happened in 2025.

The biggest ones we saw were a lot of attacks on the supply side. Yeah. Supply chain attacks.

A lot of things around GitHub, Red Hat had an incident with their GitLab. That was in October.

That was one of my biggest predict yeah.

One of the biggest. Five hundred and seventy gigabytes of data stolen. Wow.

On that one. And you can imagine how many people that affected. Red Hat, you know, they're a big player. Yeah.

A lot of people running on there. So that affected VPI settings and API keys, with a lot of big players, you know, IBM, Cisco. Yeah. All those guys are integrated with the Red Hat thing.

And it's a challenge too. I mean, if you're a small business owner, chances are you have a lot of software in your business. A lot of third-party software that's running right now where you may not have the knowledge or the visibility into that to know if it's secure or not. And that was the driving conversation I think we've had this year. All these third-party breaches, these supply chain breaches that keep growing.

Yep. Another big one, Wix. So they had a critical authentication bypass on their coding platform. It allowed unauthenticated access to private apps. Woah.

All handling all kinds of sensitive data.

Well, let's switch gears for a moment. Okay? You know, we looked back a little bit on some of the threats back in 2025 in the ecommerce space. Let's also talk about cybersecurity in general. There were a lot of stories, Aaron. Oh, yeah. I mean, you hit some of them.

It was a busy year.

My gosh, man. Now the challenge for us, as people in front of you, in front of the camera, is really figuring out what are the best stories from the news that you need to know about to protect your business. Now the one story... actually, there was a bunch, Aaron. The one story I wanna start with is the Jaguar Land Rover. It was a cyber event. Do you remember when that happened?

Yeah. I do. Yeah. That was back in September.

September of 2025, and the bad guy was this group called Scattered LAPSUS$ Hunters. They're twenty-five-year-olds, eighteen-year-olds. They were different groups, and they all kinda got together as a super group and started attacking, and they went after Jaguar. Jaguars.

I don't know how you say it. Right? Is it Jaguar or Jaguar? I don't know.

Alright? But here's what happened.

You're talking about one point nine billion dollars in losses, and, of course, this was... Oh, it's pounds.

Pounds. Thank you for correcting me. Yeah. It was pounds. So two point five billion, two point five billion in United States money.

Right? But what the threat actors love to do is they love to pivot. They love to figure out a doorway that you left unsecured and then move from that one doorway maybe into the operational or manufacturing parts of your business, and that's exactly what happened here. The crazy part, Aaron, the craziest part about this entire story is Jaguar did not have cyber insurance, and how it... No.

The threat actor, you know how they got in? Vishing. Vishing is voice phishing. Alright?

So now imagine you're a business owner. The threat actor finds some videos of you talking about your business on YouTube. The threat actor clones your voice, alright, and then uses that clone of your voice to get into the business. And that's what happened with Jaguar.

So here it is, folks. What do you do about it? Well, I gotta tell you, it's not just about being aware of the voice phishing or being aware of not having cyber insurance, but it's also about segmentation. And at Jaguar, they had very much of a lack of segmentation.

So this was one of the largest breaches. And every story, by the way, every story we're gonna share with you right now is gonna have some sort of SMB impact. Alright? So we're gonna try to break it down.

It may have happened at a big corporation, but there are lessons learned from each one of these breaches that you can take away for your small business.

Yeah. If you think about it, you know, even though it's a bunch of small businesses, two point five billion, that affects an economy. Wow. Yeah. That's a lot of money.

So another story that was hot in the news was that they called it the credential buffet. The credential buffet mega leak.

Yeah. Sixteen billion records.

Woah. Sixteen billion, folks. That's like every person ever. Right? Mid-June, it happened about June 2025.

It was these researchers working together to uncover a massive, and I'm talking massive, aggregation of thirty exposed credential datasets, including about sixteen billion logins out of all those credential datasets.

That included Google and Apple logins.

Oh, that that had to be everybody. Right?

It wasn't a single breach. This was... Alright. Just siphoning off credentials and just storing them out on the dark web.

When that happened, Aaron, I thought there's gonna be a lot of people changing passwords. And it did feel like there's a lot of people talking about this, even though it was such a big story.

If you weren't in the circles, you you might not have heard about it.

Definitely not. So here you go. If you're a small to medium-sized business owner, why do you care about this story? Well, the obvious thing is password hygiene.

At your business, you gotta be concerned about that. Are you changing passwords aggressively? Or do you have a password policy in place? Are you following, right, like, the newest standards when it comes to password management for your business?

But there's more than that. There's a change in our industry. And I mentioned passwordless things. Passkeys are the hot thing, Aaron. It just seems everywhere we go now.

Now with all the attacks we're seeing, especially with that MFA fatigue, yeah, that we talked about earlier, we've got to find something better that doesn't rely on, you know, human characteristics to be secure. Because, you know, as good as MFA is, and we want everybody using MFA, don't get me wrong, but hackers have figured out ways around it.

And I would throw out the term, if you're a business owner, you really need to be aware of things like phishing-resistant multifactor authentication. That's really where your headspace wants to be when it comes to things like MFA, but there's more than that. And I think, Aaron, there's a perception out there that SMS-based codes, where you get a text code to your phone, are still safe, and the industry has really started pivoting away from that. So what is the third story I wanna share with you all? And this story really bothered us in the security operations center.

We're talking about the Shai-Hulud self-propagating npm worm.

That's the Node Package Manager.

Now this was a crazy attack. The first wave happened back in September, and then there was a second, more devastating wave that happened in November. Bad guys essentially created malware, and it went after developers. They pull that code from different software packages in order to build their software. Right? Well, some of those packages were infected, and the infected packages then trickled down to anybody. Way more aggressive than anything we've ever seen.

Yeah. A lot of big companies got hit in that too.

Oh, man. I mean, I thought every company in the world was using this package because it was such a generic package. Is that the right word? No. It just was used everywhere.

Yeah. So here's the thing. Right? You're a small business owner, a medium sized business owner, maybe you're a smaller enterprise. Right? What do you do about it?

Well, you've gotta get automated tools in there to be scanning those open source libraries because, you know, they're open source. People can contribute, and sometimes it doesn't get detected, especially with the AI tools and things that they're using. They can embed malware in ways that even a human reviewing the code would say, no, this looks good.

You gotta really just not blindly trust, Aaron. Okay? And that's hard to do, especially when you're a business owner, you got a lot going on. True.

I know it sounds like a lot. Right? But if you have an IT person, hopefully you do. Hopefully, you can ask them, hey.

Can you get in there and maybe lock some files down? Can you get MFA? Can you get some more audits in there? Maybe even use hardware security keys in there.

Those automated tools help too. Scanning. Scanning that environment. Scanning that code base. There were some other stories.

I think one of the other stories, before we switch off to our predictions here, Anthropic AI. There was an AI orchestrated espionage campaign. Do you remember that story? That was big too.

Actually, it plays into one of our 2025 AI predictions. Wow. That we got wrong.

So here's the deal. Here's what went down. You have Anthropic. You have them going out there, and they're seeing stuff.

And one of the things they see is this cyber espionage campaign where an attacker started manipulating one of their tools, the Claude Code tool. And then from there, they were able to orchestrate an attack. Really, it was autonomously attacked, and from our perspective, it was a new era. And by the way, Aaron, at first, I thought this entire thing was a fake, made-up story.

I didn't think this was real, and I needed, like, multiple sources to trust that this could actually happen. Folks, AI performed eighty to ninety percent of the attack using the tool here, manipulating the Claude tool. That's phenomenal. Alright?

We're talking reconnaissance. We're talking vulnerability discovery, exploitation folks, credential harvesting, and then, of course, the exfiltration of the data all done by AI. Let that sink in.

Yeah. One of my AI predictions in 2025 was that we would see AI-assisted malware and ransomware going out there, but I didn't see it coming that it was going to be fully autonomous.

Yeah.

And so, you know, I would say ninety percent is probably pretty darn close to fully autonomous, enough to get really scary.

This allows, you know, almost anybody that has any type of technical skill to go in and use these types of tools and leverage the power of AI to launch an attack against your system.

So if I'm a small business owner, what I'm concerned about is, okay, AI is lowering the barrier for entry, alright, for these sophisticated attacks. What do I do with it? And I really as a business owner, I need to be thinking about how do I fight fire with fire? How do I leverage some of these AI security tools to help my business succeed and fend off these machine driven attacks?

I mean, you think about what point-and-click did in digital cameras. Oh, man. You know, it turns, you know, a poor photographer like me... I could actually take a good picture.

Congratulations. And that's a big moment. Right?

With AI, it's now point-and-click attack against your system. You know, put in the URL, click a few buttons, and your website is now under attack. Man. And not just, you know, little, you know, piddly attacks.

These are powerful attacks that have a very good chance of succeeding and breaching your website because AI knows every vulnerability that they can see from the outside. You know, a human doesn't have to go scan through, you know, a database finding what components are available or have vulnerabilities to be attacked. The AI just knows, and it's, oh, here's this component, and it's got these vulnerabilities. Let's try all of these exploits.

And I think the takeaway for all of you, it doesn't matter. The AI tool doesn't care. The bad guys use an AI. They don't care if you're a small business.

They don't care if you're a large enterprise. They're just going after victims. So if you're using AI right now in your business, maybe you have some AI agents that you're using to answer customer questions. You really gotta get some visibility into that code to make sure it is safe and secure, and that's a key takeaway here.

Alright. You had one of these stories as we wrap up the stories part of it here. One of the stories that was huge in 2025, the SalesLoft, Drift, SolarWinds attack. That's a mouthful, Aaron.

Alright? But this was an interconnected breach. We're talking software as a service. It's a tool called Salesforce.

It's an integration with this thing called Drift. Do you remember anything about that story? It was back in, I think, June of 2025.

Yeah. It it was an OAuth token attack.

OAuth token attack. Right. Yeah.

Right. And attackers were basically able to bypass authentication and exfiltrated data from seven hundred and some organizations.

So we're talking about compromising the OAuth tokens in this third-party integration with SalesLoft Drift to gain access. So seven hundred companies got impacted. Some of the biggest names out there, Zscaler, Google, I believe Cloudflare, yeah, was involved in that.

I mean, luxury brands too, like Louis Vuitton. Oh, the humanity folks. Alright? What do you do about it?

Well, there's a couple things you need to understand. I think that third-party stuff, all the third-party integrations, the software that your business is using, you gotta get visibility into that kind of stuff.

It's a huge blind spot. Yeah.

For these SMBs especially.

And again, automated solutions are really what you're looking for.

Yeah.

You know, things that can monitor that third party code.

What I was really fascinated by in this attack is we call these types of attacks, folks, the multiplier effect. Alright? And when we say multiplier effect, what we're talking about here is when the third-party vendor that you're using, that piece of software, gets breached, and then you have the hackers slowly gaining silent persistence control over your environment, then they move on to other businesses and they just keep doing that. It was such a cascading waterfall effect.

Yeah.

And this happened. These were big-name companies too, you know, these are companies that you think you can rely on their security.

Yeah. Yeah. But this just goes to show you can't rely on third-party security. You have to have your own.

Yeah. You do. Now, there were three other stories that I wanna touch on. We're gonna move through these pretty quickly here. Salt Typhoon. I wanna talk about Salt Typhoon because these guys were in the news for how persistently they attacked. They started back in December of 2024.

They snowballed from December into January attacking Cisco edge devices, and then from there, they pivoted. They went into about February, April or so. They started going after different Canadian telecoms, then they switched again. This is now March and July. They went after the US Army, the National Guard.

They're actually the ones that caught it.

And they're the ones that caught it. Yeah. Yeah.

So good on them.

Right? USA.

Now from there, we get into August through December, and then you start to see Salt Typhoon go after all of these companies, like over two hundred different companies. Right?

Companies like Verizon, AT&T, and there's even stories out there how they went after the US House of Reps, and they did wiretapping, Aaron. I mean, these guys are massively good at what they do.

So what do you do about it? Right? And here's the takeaway, Aaron. When I look at this story in Salt Typhoon, I think as a business owner, maybe you have zero trust.

K? Maybe you've heard of that or maybe you're using zero trust. Well, what we're finding right now as an industry is zero trust is slowly fading away. And when we get to the predictions, I'm gonna share with you the prediction and the change with Zero Trust.

So stay tuned for that here in just a moment.

Aaron, one of the things that we protect, one of our clients... well, actually, a lot of our clients are K-12 school districts. And this was a big story. It was PowerSchool. This was a third-party vendor.

Alright? So all these school districts, they're all using PowerSchool software. Well, PowerSchool had a problem. They got breached.

And not just any small breach, the threat actor got in unauthorized access to the platform, the PowerSchool platform, and then from there got into the customer support portal. They did a bunch of account compromises and the portal did not have MFA.

MFA. Can you imagine that? No multifactor authentication.

On a piece of software that important, folks, they didn't have MFA. That story got me so ticked off. Sixty two million student records were caught up in this thing.

That's our kids.

But that's a lot of kids. That's my kid, your kid, folks. But then you've got nine point five million school teachers' data also caught up in this thing, and then the approach from PowerSchool. It didn't seem like they cared, and that really ticked me off, as a person that loves cybersecurity and loves protecting clients, to see that kind of stuff in the news.

So the takeaway here... yeah. I know. I get it. Right? Maybe you're not a school district.

Right? But you have to demand better governance, risk, and control on whatever vendor you choose to bring in to your business. You gotta have better reviews done. In fact, there's such a thing out there called Secure by Design.

I'm sure you've heard of it. Yes. Yeah. Secure by Design is a certificate that you can request from whatever vendor you're deciding to do business with.

Ask them. Ask them. Hey. Before I sign a contract with you, are you Secure by Design?

K? That's one little tool that you can do to try to protect yourself. It's not a guarantee, but it's one little tool.

They should also be demanding, Heff, that if they're logging into something, especially if there's sensitive data in there, if you don't get hit with some type of MFA prompt, demand it.

Get ahold of somebody and say, hey. This is not secure. We need MFA at this login. Absolutely.

Yeah. That's a nonnegotiable for me. As a business owner, that's the first thing I'm asking.

You got an MFA? You got an MFA on this? Especially business accounts, you know, crown jewels. Right?

The stuff that's important to run your business, I absolutely wanna know MFA is turned on. Yeah. Alright. Let's switch gears.

Let's now kinda get towards the back half of our program, and that is our predictions. I know you love this stuff, man. You love giving predictions. Do you wanna start with AI predictions?

Would that be okay?

Well, let's talk about our specific AI predictions from 2025.

That's right. Yeah. Let's go back in time.

Yeah. So now I predicted four specific things.

Alright.

AI-assisted malware. We talked about that a little bit already. But I also thought we'd see a huge data poisoning attack. We knew that that was a potential.

And so we'll talk about how we did on that one.

Targeted AI attacks, these are where malicious AIs are specifically finding and identifying specific employees in the company and then targeting them with deep fakes or social engineering.

Great prediction.

And then I did have a bonus prediction on crypto forensics. I predicted that we would see crypto and blockchain forensics taking a far more visible role and having a little bit more focus as more adoption of blockchain came in.

That makes sense. I know you're a big crypto blockchain kind of guy, so I could totally see why that is your bonus one. But, you know, what did you get right? What did we get wrong from 2025? AI predictions. What did we get right?

AI-assisted malware and ransomware. Everywhere. Yeah. AI just completely lowered the bar, lowered the skill barrier for malware creation, faster development. Absolutely.

Better obfuscation. Oh, man. We saw some doozies where malware that we used to see all in one lump, where you could, you know, visually just spot, hey. There's the malware.

There's all the weird looking code. It's all encrypted.

We saw AI actually separating all that out. What? So that there's no block of code that you can just look at and see and say, oh, that's malware. Yeah. You know, they used very natural language, or I should say very simple programming language, that made it look like it wasn't doing anything malicious.

That's so dangerous.

Yeah.

What were we partially right about or, you know, what did we kinda get right, but maybe not?

AI targeting key employees. We did see AI-enhanced phishing and vishing, some deep fake scams that were real.

Still mostly human directed though.

You know, that's one I did not quite see. Yeah.

Didn't quite see coming that somebody would actually use Claude and automate it in a way that was just, you know, point and shoot.

Yeah. Yeah. I didn't think that was gonna happen. And again, I cannot stress this enough. I thought it was a fake news story.

Yeah. I mean, that just seemed like that was two or three years.

Now it's gonna be a prediction in the future.

In the future somewhere. The other one, we didn't see mass data poisoning of AI models. We did see some, but, you know, it was really kind of intellectual tests, you know, tests in labs, things like that. And they showed that the potential is absolutely there.

Yeah. Yeah.

And so we didn't get that quite right. There were cases out there where they showed it was possible, but I thought there would be a much larger data poisoning attack.

Yeah. I did too. And it just never seemed to just happen the way we thought it was gonna happen. And it's okay to be wrong.

You know? At least we're putting ourselves out there, folks, and just trying to give you some of our predictions. I know as we wrap up, we have two more very important things to cover, and that is predictions in the world of ecommerce. That is a big area where we are very skilled here at SecurityMetrics with our shopping cart monitor product.

Talk to me about your predictions. Where do you see it going in the world of ecommerce? What's gonna happen? What may not happen?

We've got to leverage AI because the attackers are. If we don't, we're gonna lose the war. I'm predicting in 2026, we're really gonna see an arms race in the AI ecommerce security space, especially in the browser itself.

Yeah. Yeah.

I think, you know, my prediction now is we're going to see a lot more AI-powered defenses. We talked about some of them like Jscrambler and Feroot. Yeah. Where they're integrating that AI. We, of course, are right there as well. We've got many projects in the lab. Some that are in development right now.

And we've got cases that we're implementing AI tools and just seeing phenomenal results.

So I think the automation and speed of faster AI detection, we're going to see a lot more of that. That's gonna, you know, reduce the time an attacker can spend on your system messing around. AI is going to be quicker to catch it than a human or a static script ever could.

Yeah.

Personalization and scale, empowering customers themselves. Yeah. We may see some client AI tools that come into play where you can run AI on your local machines.

That would be so helpful for detecting these attacks.

Yeah. There's a negative side to that as well.

And what is the negative side of all this?

We're gonna see more accelerated attacks. Stop. Bad actors No. Are are they're they're using AI to scan networks and find vulnerabilities and it's it's so fast now. Yeah. It blows my mind how quickly AI can hit a system. And within seconds, they know everything about you.

They do. They do. I wanna get to the forensic predictions here for 2026. But before we do, let's take a brief moment.

I wanna give the audience some SMB predictions. So, small or medium-sized business owner, what do you do? What do you need to know, right, for 2026?

One of my predictions I'm gonna throw out to you is that passwords and SMS-based text messaging are gonna start dying. Right? And right now, we're seeing it. We're seeing AI tools can bypass a lot of this stuff.

So you need to prepare. You need to prepare for a world where passkeys and hardware-based authentication are the new standard for MFA. Alright? It's coming a lot faster than you realize, and you gotta prepare for it.

We should talk about why that's so important.

Yeah. Why is that important, Aaron?

We see so many times where MFA is in place, but the token or the action that is that second factor...

Goes right to the same machine that initiated it. So, you know, maybe it's coming to your Gmail. The problem is, if your machine is compromised and the attackers are looking, they can go through and read your email faster than you can, because they're probably using a script to do it. And as soon as that MFA check comes in and you're looking at it on your laptop, which is where you initiated that request, the attacker already beat you to it, and you're gonna go and try to enter that MFA token and it's gonna say, already done or whatever, and you're gonna go, that's weird, let's do it again. Not realizing that there's a reason it didn't work.

Yeah. The first time.

And so we saw that over and over, where, you know, good, well-meaning people got that request. It didn't work, and they just did another one without reporting it to anybody.

Heartbreaking. Yeah. Alright. Here's another prediction for you, folks. That is, the new target in small to medium-sized businesses will be your AI agent.

So perhaps you have one of those agents running in your environment. Maybe it's a customer service bot. Right? What are some other examples?

You know, we've got new AI agents that are looking for malware.

They're looking for malware.

Yeah. You know, if they're there and they're present, the attackers are gonna know that they're there.

And they're gonna go look for them folks.

They're gonna try to directly attack those. It's gonna be AI versus AI.

The trend in 2026 is shifting away from targeting only your human employees and now compromising any sort of AI tools that you have running behind the scenes in your business. So you need to start preparing now.

On the ecommerce side, there's the new agent shoppers, AIs that go and do your shopping for you.

Oh, pretty cool. Pretty wild stuff.

Yeah. Can you imagine if it could go in and order stuff using your account and then ship it to somebody else?

SecurityMetrics, we're known a lot for our governance, risk, and audit skills. Right? So there's a trend happening right now at the enterprise level. This trend is slowly going to trickle down to the small to medium-sized business level, and that is mandatory AI governance.

Okay? Things like ISO 42001. What is that? Right? These are, at some point, going to trickle down to you, and what that means are things like composite identity governance.

That's a big word.

Digital identities.

So these non-humans that work in your business, these AI agents, for example, there's gonna be potentially requirements for you to track and regulate all of these digital identities, all these autonomous AI bots that are working for your business. You might have to track them at some point. I'm gonna say this may not happen in 2026, but I'm gonna predict that you're gonna start hearing more and more about these things.

I think it's coming faster than any of us realize.

I think it is too. That's why I put it on there.

Now if you think about the regulations that have just been passed in the last year, it's phenomenal.

It's a patchwork of legislation. There's nothing really happening critically at the federal level, but as you trickle down, all these individual states are starting to roll out requirements around AI governance. Okay? The last and final prediction I have for all of you is this. There is another trend called micro-segmentation.

I'm seeing it a lot. I'm hearing about it a lot here in the security operations center from our clients, and I'm seeing it where SMBs are moving beyond zero trust. Okay? A lot of them are moving away from zero trust, where they are assuming breach.

Assume you're already breached.

And now the trend is assume compromise and you move your business towards things like containment security.

And if you think about it, it's a genius approach to take.

I think so. Yeah.

If you assume you're already breached and you're doing those containment measures, you're gonna have a level of security that is unprecedented.

Unprecedented. Yeah. Alright. Let's wrap this up with your ecommerce predictions. I know you have quite a few.

Talk to me about where you think the industry is going. Where do you see things happening in 2026, ecommerce folks?

We're going to see these automated tools put a huge dent in the number of iframe skimmers. You know, those skimmers that are getting injected into the browser when the credit card data is being typed in. Just from what we're seeing right now, those tools are highly, highly effective.

And if you get those in place, that's gonna force the attackers to go somewhere else. And what they're gonna do is they're gonna shift from visible JavaScript skimmers, and they're gonna focus on that back end, the supply chain, you know, abusing the supply chain like GitLab or GitHub. They're gonna hit those APIs, hit those pipelines, payment callbacks, they're gonna be doing that type of thing. Probably a lot more retail fraud stuff, like refund fraud.

Okay. Refund fraud.

Yeah. I think we're gonna see a lot more of those type of attacks just because we're making it so much harder for these easy skimmers to go and grab credit cards from every single transaction.

So your job's gonna get a lot harder. Your team's...

Yeah. So it's gonna get harder to detect, longer investigations trying to figure out where in the world the data is leaking from.

What else do you see out there happening?

I think we're going to see a lot more attackers going to ground.

What does that mean, going to ground?

Instead of having an active presence on a website, they're going to embed their malware in an area that's gonna leave very low noise, but they're going to maintain persistence, and they're gonna wait.

They're gonna wait for an opportunity to get back in. So I think we're gonna see a little bit more quiet attacks. But really, they're gonna be injecting back doors during that quiet period.

So essentially, as you guys scan a shopping cart, you may not see anything happening.

Yeah. We're scanning the front end. Right? Because that's where the attackers went. They went front end.

They're gonna go back on the server and try to get a stronger foothold so they can have the time necessary while we're all focused on the front end. They're gonna be building much more stealthy attacks on the back end. And again, if you're using an iframe and you're posting directly out to your payment gateway...

You're in a really good position, but you still have to protect that web server because even if they can't get the credit card, ransomware is still the number one thing going on out there. Not going away. And if you wanna feel a world of hurt, a ransom attack can really, really impact your business.

Man. I know there's a lot of other things going on out there in terms of predictions.

Regulatory pressure and insurance requirements are probably gonna force a lot more full forensic validations. What I mean by that is they're not gonna accept reports anymore of, hey, we didn't find anything. They're gonna say, no, we know you're leaking card data.

Spend the money and figure out where it's going, because we know, you know, everything's pointing back to you. And so forensics is gonna become mandatory again, not just an optional look at it, see if you can figure out what's going on and give us a report back.

I know you guys have shared with me a bunch of times, as we wrap this up, where, you know, the client says, we hired another firm to find stuff. They didn't find anything.

And then I hired you guys, and you guys almost instantly find something that these other knuckleheads couldn't find. I mean, that's impressive.

Yeah. We've been quite successful at finding some very stealthy, sneaky attacks. We saw a rise last year of iterative attacks where they're not grabbing every single credit card. They kinda just stay in stealth mode and then every once in a while pop up and grab.

Wow. And so we were focused on those types of things, and we found that the attackers are putting conditional statements in their code, creating the perfect environment so that until that condition is met...

And it might be based on an IP address, or it could be based on a timestamp or an expensive product in a shopping cart. You know, all these things. So if you're not looking for those things, if your tool is just sitting around watching, you know, to make sure the transaction looks good, you might not be triggering those conditional attacks.

So Aaron, we've got a few audience questions. Do you have time? Can we get to these? Some of these questions, by the way, that you all have submitted are pretty darn good. You know, if we did not get to your question today, feel free to shoot us an email.

We'll do our best to try to answer your question and get to it. Let's start with an ecommerce security question. This is on the minds of a lot of our audience members, and the question comes in: it seems like hackers are not trying to break the iframe as much as they used to, but instead they're looking to exploit the blind spots of the host page.

Is that true? What can you do about it? What are your thoughts there, Aaron?

Yeah. We did see attackers kind of moving away from the iframe a little bit. It's still there, still present, so do not, you know, don't step away from trying to protect that iframe. Get that iframe secured. However, they are trying to exploit the blind spots of the host pages.

To do this, you really need three things going on in your ecommerce environment. You've got to have FIM, which is file integrity monitoring. That has to be in place on the web server. So many times we go into an investigation and find out that the merchant has no clue what file integrity monitoring even is, or it's misconfigured, or worse, it's configured but nobody's watching the alerts. So on the server side, you absolutely have to have file integrity monitoring. That protects against changes in that shopping cart environment that are gonna allow script to get injected server side.

Yeah. Yeah.

The other thing, put your payment in the iframe. Now that is still the best thing you can do: get it in an iframe, posting out directly to the payment gateway, not back to your server, not just writing the form on your page and collecting the data there. That leaves it exposed to any script on the outside. Okay. You wanna do that. And then the third is you've gotta have something like Shopping Cart Monitor.

That's going to protect what's going on in the browser, to make sure scripts aren't getting injected in through all those third parties that we talked about.

Okay.

If you do those three things, you're really protecting that environment. And by no means is that all you need to do.

But those are my top three.

Do those things.

Solid answers.

And you're going to be protecting your web server from anybody trying to get in and exploit that. Again, multi-factor authentication, and we hit that one hard in the presentation.

Yeah, we did.

Still do that, but make sure your admin pages are protected, your shopping cart admin portal.

A lot of automated tools, you can configure them to monitor those login pages as well.

And so make sure those things are protected.

The next question we have, Aaron, is pretty good. And it's good because one of our predictions was the rise of AI.

And, you know, if you're a business owner and you're not looking at all of these bots or AI tools or agents that you have running right now in your business, it could get you in some trouble. Right? You could potentially get breached. So the question is about the rise of vibe coding. I love vibe coding, by the way. I'm a huge vibe coder.

Tell our audience what vibe coding is. Vibe coding? That's a new buzzword.

Yeah. It is a new buzzword. It's really about using AI tools and being able to write queries or questions and telling the software to write some kind of code for you.

So for example Using natural language.

Natural language. Yeah. So let's say you wanna create an app. Right? Well, you don't have to know coding anymore, folks.

All you have to do is be able to use one of these vibe coding tools and say, make an app that can do this, this, and this. And guess what? The app will pop out for you. Okay?

So the problem though is, does it have security? Right? Is it secure or not? So the question is, what about third party iframe integrations?

What about AI modules? How do you know the code is secure? And this is a tough question to answer. I mean Yeah.

Tools are really awesome in the hands of a skilled coder. And if you're not doing security-related things, knock yourself out.

They're a lot of fun to play with. You can do some really cool things. But when you're in a production environment and you're taking people's credit cards, you cannot rely on AI to give you secure code. It's not there.

We're not there yet. Yeah. And so, you know, your programmer that knows what he's doing can use AI to do some really cool things and be much more effective and productive.

And they should know that you gotta go back and you gotta read through every single line of code that the AI gives you.

I will say this too. I mean, if you are trying to do vibe coding, maybe you are trying to make an app for your business. Right? The best thing you can do is start to really understand queries about security. So ask the tool, the vibe coding tools, hey, debug this code, do a security audit of this code, and you might have to ask that question multiple ways, multiple different queries, to try to ensure it. And even after you've done all that, there's no guarantee.

I mean, if you're not a coder and you don't know what secure code looks like...

It could be a challenge. Are you gonna know to ask the AI, hey, make sure to sanitize and validate all user input?

Are you gonna know to validate not just input coming in from the web form, but input coming in from your database, because maybe your database gets hacked? Are you gonna know to tell the AI, hey, don't trust the data coming from my database, make sure that's all validated and sanitized?

Hey. Big time. We've got time for one more question, and I wanna get to a cybersecurity question, because that's my baby.

Alright? Let's talk about this question here. It sounds like zero trust is becoming less and less important, but what are the things we still need to follow for best security practices? So I mentioned this in the presentation.

I said, yeah, it's a trend, and there's no guarantee that this trend is gonna continue. But from where I sit, what I see on the front lines of this war is that zero trust seems to be having less and less importance. And you're starting to see things like, we're moving away from that world of zero trust to things like micro-segmentation, and you're going to assume breach.

You're gonna assume a level of constant compromise. And I know not everyone wants to hear that, but really, from my perspective, what I see, Aaron, answering this question, is it still comes down to the fundamentals, folks. And the fundamentals are basic cyber hygiene. Okay?

Things like MFA, things like good password policies and audits, and things like, you know, monitoring your network and turning on alerts. I mean, all of these little things add up.

There's a whole bunch of them.

Yeah. One of the things that we've had great success with is our Shopping Cart Inspect. Well, that's pre-forensic, designed to go through and just look and see what vulnerabilities are present on your checkout pages.

So helpful.

So many times we go in and we find major vulnerabilities that could lead to a breach. Sometimes we find that a breach has actually happened and nobody had any idea. And so that's a really low-cost solution. It's designed to be minimally invasive.

We need nothing really more than a URL to get started.

And that really goes a long way to just giving you a good understanding of what's going on with your website. We look at every single script.

We look to see what vulnerabilities are there.

Very helpful.

We look at that payment process to see if it's already been exploited or if there's a potential for it to be exploited.

My gosh. So there you go, folks. Indeed, we are happy that you joined us. If we missed your question, feel free to go ahead and submit it.

We will get to it as soon as we can. Feel free to share this, and if you find something of value or importance, we encourage you to share it with your IT person. And as always, you know, we are on the front lines of the war here. We're on the battle lines.

We see the cyber news stories as they happen. We share these news stories every single week. You can get in your inbox a curated list of the latest cyber news, the top breaches that are happening, the newest trends, and the latest phishing examples. That's the part that I'm really proud about, how we know what's happening in the world of phishing, and we share that with everyone who would like to subscribe.

You can find that link below, and please, we encourage you to subscribe and follow those links.

I'm subscribed. You're subscribed? Alright. It is fantastic. I mean, I love getting that because as much as we are on the front lines and seeing it, stories come in from this guy all the time, and I was like, I had no idea that was happening.

Didn't know. Yeah. So there you go, folks. Thanks for joining us. Again, I'm Heff. I'm the director of the Threat Intelligence Center.

I manage the security operations center. We're threat hunting every hour on the hour for our clients. And we have Aaron from our forensics and ecommerce side of the house. Again, thanks for joining us.

We look forward to talking with you sometime in the future.

Thanks everybody.
