DataTribe Insights Report Q1 2024: Like Pinching a Nerve... Adversaries Reveal Systemically Important Pressure Points

The Rundown

1. Cyber Venture Deal Volume Down/Dollars Up

Looking at deal volume alone doesn’t tell the whole story. Deal volume declined for the eighth straight quarter, but there was light at the end of the tunnel: capital invested increased by nearly 25%, with a 35% year-over-year increase in mega-deals.

2. The AI Election and the Increasing Threat of Deepfake Audio

New Hampshire held the first primary this year and was the first election to see the impact of AI deepfakes. Five thousand New Hampshire voters received deepfake phone calls that appeared to be from President Biden. But election interference is just the beginning. The ability to use deepfake audio to socially engineer people, as well as to trick automated voice-based authentication systems, represents a new threat. When will AI defenses catch up, and what will they look like?

3. A Troubling Backdoor in Linux Is Discovered. Which Ones Haven’t Been Discovered?

In recent years, we have seen the damage done by vulnerabilities in open source software. The risk is now being ratcheted up further as nation-state adversaries deliberately plant backdoors in leading open source libraries. Look for a software provenance ecosystem of vendors to emerge as detailed attestations of every aspect of the software development process become necessary and required.

4. An Attack on the “Colonial Pipeline” of Medical Payments

Cyberattacks are not good for your health and could become deadly if they affect our nation’s frontline healthcare systems. Much as the Colonial Pipeline attack in May of 2021 slowed gasoline deliveries on the East Coast of the United States, an attack on Change Healthcare halted pharmacy services nationwide, including those within hospitals, and significantly delayed the distribution of essential medications such as diabetes treatments, antipsychotics, and ADHD medications for over 10 days.

Introduction

Is the glass half-full or half-empty? It all depends on where you looked in the first quarter. If you measure success by deal volume, it is half-empty, but if you care most about valuations and total capital invested, the cup is overflowing.

Cyber had a first quarter that offered mixed signals about resilience in venture markets:

  • Core inflation remained persistent in the first quarter, and hope for interest rate cuts in the first half of 2024 has waned.
  • Deal volume declined to just over 1,100 deals, which marks the 8th straight quarter of declines and the lowest levels seen since Q4 of 2012. Despite the slump in volume, capital invested saw an increase of nearly 25% to reach $24.5 billion, which is back in line with pre-pandemic values.
  • While cybersecurity deals saw a slight pullback year-over-year in Q1, the sector outperformed the broader market, posting a 12.7% decline compared to the 32% decline in overall deals. The bulk of the decrease in the cybersecurity sector came at the seed round, which fell from 42 deals in Q1 2023 to just 32 this quarter, a 23% decline.
  • Series A valuations increased more than 81% from the previous quarter. The seed stage, however, declined from the five-year high of $16 million to $10.5 million this quarter.
  • The first quarter of 2024 saw modest declines in the overall market for both Series C and D capital and a significant uptick in the Series E market from Q1 of 2023. Over 35% of these Series E deals occurred in the cybersecurity sector.

In this quarter’s installment of DataTribe Insights, we dig into the latest venture market trends, examine the impact of AI deepfakes on the 2024 election, look at new software supply chain threats, and examine how attacks in the digital world are increasingly affecting physical safety.

Q1 State of the Market – Cyber Deal Activity

In the first quarter of 2024, global markets continued to grapple with economic uncertainty, as global conflicts, high interest rates, and inflationary pressures persisted. The venture market responded to these economic headwinds with an intensified flight to quality, underscored by a rebound to pre-pandemic levels of capital investment on the lowest deal volume seen in nearly twelve years.

YTD Capital Invested and Deal Count (PitchBook)

During the quarter, overall deal volume declined to just over 1,100 deals, which marks the 8th straight quarter of declines, and the lowest levels seen since Q4 of 2012. Despite the slump in volume, capital invested saw an increase of nearly 25% to reach $24.5 billion, which is back in line with pre-pandemic values. This can be attributed, in part, to a 35% increase in mega-deals year-over-year, with the largest of these accounting for nearly 16% of the total capital invested this quarter.

Deal Volumes by Quarter – Seed through Series B (PitchBook)

While cybersecurity deals saw a slight pullback year-over-year in Q1, the sector outperformed the broader market, posting a 12.7% decline compared to the 32% decline in overall deals. The bulk of the decline in the cybersecurity sector came at the seed round, which fell from 42 deals in Q1 2023 to just 32 this quarter. While the sector declined year-over-year, it also showed signs of recovery as it rebounded from the lows of Q4 2023, particularly at the seed round and in growth stage capital.

Median Pre-Money Valuation Seed and Series A (PitchBook)

The story of the quarter was valuations, which showed large increases from Q4 2023 in growth stage capital. This trend was especially prevalent in the cybersecurity market, where Series A valuations increased more than 81% from the previous quarter. It should be noted that Series B valuations were up substantially in Q1 2024 as well, with the caveat that the volume of Series B deals is low, making the quarterly trend data volatile. The seed stage, however, posted modest declines from the 5-year high of $16 million to $10.5 million this quarter. This increase in valuations, when paired with the decrease in volume, points to a bifurcated market, wherein the top companies are seeing strong valuations in an increasingly competitive landscape for VCs, while other companies struggle to find investors.

Deal Volumes by Quarter – Series C through Series E (PitchBook)

The first quarter of 2024 saw modest declines in the overall market for both Series C and D capital, and a large uptick in the Series E market from Q1 of 2023. More than 35% of these Series E deals took place in the cybersecurity sector. This increase in Series E deals is likely attributable to delays in IPOs with an IPO market that has been stagnant since 2022.

Investment Categories of Cyber-centric Investors (Source: PitchBook)

* Cyber-centric Investors are those VC firms with more than 50% of their completed deals involving a cybersecurity company.

This quarter, we thought it would be interesting to analyze the data by investor type, cyber-centric vs. other investors, to see whether the two groups invest differently.

This quarter, the top Cybersecurity VCs made investments across five different categories – AI & Autonomous Security, Data Security, Operational Technology (OT) Security, Software Development Lifecycle (SDLC) Security and Penetration Testing as a Service. Each of these categories followed emerging trends in the cybersecurity ecosystem, including an 87% rise in cyber-attacks against OT companies, as reported by Dragos, and the increasing prevalence of software supply chain attacks, which, according to the Identity Theft Resource Center’s (ITRC’s) Annual Data Breach Report, are up more than 2600% since 2018. The largest of these categories, AI & Autonomous Cybersecurity, remains at the bleeding edge of both cyber defense and cyber-attack capabilities and cyber-focused investors seem poised to continue following this trend into the coming quarters.

Investment Categories of All Other Investors (PitchBook)

Among the remaining investors, three key categories stood out, representing over 50% of their cybersecurity deal volume during the quarter. These were financial technology (fintech), compliance, and services. The largest of these categories, compliance, consists of companies working to help meet FEDRAMP, DoD Zero Trust, and other government regulations and accounted for nearly 15% of total cyber deal volume in Q1. The next largest category, fintech, is made up of companies providing cybersecurity products tailored to financial sectors, with a majority of these focusing on the security of smart contracts for decentralized finance. The final of these categories, services, comprises companies providing MSSP, MDR, or consulting services in the cybersecurity sector.

Cyber-centric Investors vs Broader Market (PitchBook)

Comparing the two types of investors shows little overlap in the kinds of cybersecurity companies being targeted, with only data security and AI having a noteworthy presence among both groups. Further, cyber-centric investors opted to avoid more established categories, such as services and compliance, instead focusing their capital into emerging sectors such as AI and SDLC security. One other notable difference is the aversion among cyber-centric investors to the decentralized finance and smart contract security market, which was of particular interest to other investors this quarter. With these clear differences in the investment market, it’s worthwhile to monitor these sectors in the coming quarters.

In short, the venture market continued its pullback in Q1, with increased valuations and mega-deals, such as Anthropic’s $4 billion Series D, offsetting an otherwise muted investment market. The cybersecurity vertical, while faring better, was not immune to market forces, and posted modest declines. Despite this, rising valuations and falling deal flow present a market that is ripe for category-leading startups.

No DNA Needed, Just a Minute of Your Voice

On January 21st, five thousand New Hampshire voters received an exciting surprise: a call from the President of the United States. Last-minute, in the run-up to the New Hampshire primary, President Biden was pushing to get out an important message: “Your vote makes a difference in November, not this Tuesday.” What? Thankfully, a few savvy voters quickly realized that, apart from the nonsensical message itself, it was unlikely that the President was calling and reported the incident to authorities. From there, an investigation ensued. After a month, it was revealed that the whole thing had been a stunt by a political operative on a mission to demonstrate the need for action by regulators on deepfakes in politics. It worked. Just two weeks later, on February 8th, the FCC made AI-generated robocalls illegal. The deepfake of President Biden’s voice was produced for $150 by a street magician from New Orleans who does social media content on the side. Needless to say, this technology has been democratized.

So, Q124 marked what may have been the world’s first political interference using robocalls and deepfaked voices. That didn’t take long.

A.I. is not new. From Alan Turing in the 1940s to the WOPR (“whopper”) in the 1983 movie WarGames, A.I. has been around for a while and has, over the years, come in and out of favor. So, what is different in this latest ChatGPT-spurred wave? The new, disruptive (almost magical) capability is the “generative” aspect of generative A.I. Whether it’s text, voice, images, or movies, it has become trivial to create quality content. In addition to content generation, LLMs have another key superpower: mimicry. Combining effortless content generation with mimicry gives you the ingredients for at-scale, high-fidelity spoofing in any media format.

While much has been written about the very real and concerning application of A.I. to mass produce hyper-realistic phishing emails and disinformation, less focus has been placed on another pressing issue: voice spoofing. MIT and Google have demonstrated that you can create a convincing voice model for someone with just a one-minute sample of that voice. Such voice clones can be used in two insidious ways: 1) social engineering and 2) to defeat voice biometric authentication systems.

It’s long been a social engineering trick to urgently pressure a finance team member to wire funds, often with faked emails from a top executive. This tactic can now be scaled and made more effective with a convincing phone call from company leadership to a finance team member or a child asking their parent for money. In recent years, there have been a number of high-visibility heists based on deepfaked voices. For instance, in 2020, two years before generative A.I. went mainstream, fraudsters made off with $35 million(!) by tricking a bank manager at a Hong Kong-based bank into making a wire transfer using a voice clone.

The issue with voice biometric authentication is perhaps even more alarming, given how many financial firms currently depend on voice identification. For years, voice I.D. technology has held a lot of promise to streamline security in customer service and has emerged into a sizable industry. Overnight, it seems generative A.I. has potentially made the entire idea of voice-based authentication obsolete. The risk posed by deepfaked voices is well-known to the industry, and a lot of work is being done to solve the problem. Just a couple of weeks ago, on April 8th, the Federal Trade Commission (FTC) selected the winner of their Voice Cloning Challenge to develop technologies to counter voice spoofing. It’s unclear whether the solutions that voice-based authentication providers are working on will be secure enough. And even if they are secure, will they provide sufficient peace of mind for companies and customers to continue trusting them?

Like a speedboat, A.I. is racing across the water, leaving new security risks in its wake. Inevitably, the market will respond in time by creating new products and technologies to address these new risks. However, as the defenses catch up in the medium term, we will be living through a period of elevated risk in AI-affected areas. Whether from the President of the United States, your boss, or your child, we must approach inbound phone calls more vigilantly. If you have an important account where authentication is based on voice, you may consider asking the service provider how they are mitigating deepfake voice spoofing or just request an alternate form of authentication entirely.

XZ Utils Backdoor Highlights Danger of Open-Source Supply Chain Attacks

In late March, a backdoor stemming from a multi-year hacking campaign, suspected to be nation-state driven, was discovered in XZ Utils, an open-source command-line data compression utility that is included in many Linux distributions. Luckily, the discovery occurred before the infected version saw widespread use, thanks to a developer stumbling upon it while debugging a performance issue in OpenSSH that the backdoor had caused.

While attacks targeting libraries as widely distributed as XZ Utils haven’t been common, zero-day vulnerabilities in open-source libraries, both maliciously introduced and otherwise, are becoming increasingly prevalent. The most severe of these vulnerabilities, Log4Shell, caused massive upheaval in 2021 when it affected 22 million applications and resulted in more than one million attempted attacks within 72 hours of its disclosure. Unlike the XZ backdoor, however, the Log4Shell incident stemmed from a bug introduced unintentionally that lay dormant for more than eight years.

This incident underscores the potentially catastrophic nature of malicious code-commit attacks, and while unintentional vulnerabilities like Log4Shell can go undetected for years, the XZ Utils backdoor showcased the remarkable ability of the security community to unveil malicious activity promptly and efficiently. Unfortunately, where upwards of 70% of typical production software consists of free and open-source libraries, the allure of these attacks is ever-growing. While this incident displayed the potential for resilience against malicious contributions within the open-source community, the protective measures available are few and far between. Had this vulnerability not impacted performance, it may not have been caught, and the content of this article would have a much darker tone.

So, how do we fix this? First, as highlighted in a LinkedIn post by Chainguard’s CEO, Dan Lorenc, software projects must incorporate provable provenance tracking of every software component they use. That means tracking both a project’s ingredients, through standards like the software bill of materials (SBOM), and every step in the software development process, through detailed attestations such as those laid out in the Supply-chain Levels for Software Artifacts (SLSA, “salsa”) framework or tracked via a platform like Fianu.
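To make the SBOM-plus-attestation idea concrete, here is an added example (not code from the report, Chainguard, or Fianu) that cross-checks a CycloneDX-style SBOM against in-toto/SLSA-style provenance statements: every component digest must be covered by a provenance attestation from a builder on an allowlist. The SBOM, the statements, the digests, and the builder URLs are all constructed for the example; signature verification of the DSSE envelope that real SLSA provenance ships in is assumed to happen before this check.

```python
import hashlib
import json

# Constructed sample data (not real project artifacts): digests are computed
# from placeholder bytes so the example is self-contained and offline.
def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

LIBA_DIGEST = _sha256(b"placeholder bytes for liba-1.2.3.tar.gz")
LIBB_DIGEST = _sha256(b"placeholder bytes for libb-0.9.0.tar.gz")

# CycloneDX-style SBOM listing two third-party components (constructed).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "liba", "version": "1.2.3",
         "hashes": [{"alg": "SHA-256", "content": LIBA_DIGEST}]},
        {"type": "library", "name": "libb", "version": "0.9.0",
         "hashes": [{"alg": "SHA-256", "content": LIBB_DIGEST}]},
    ],
})

# in-toto Statement carrying a SLSA provenance predicate for liba only
# (constructed; libb deliberately has no attestation).
PROVENANCE_JSON = json.dumps([{
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "liba-1.2.3.tar.gz", "digest": {"sha256": LIBA_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"buildType": "https://example.invalid/ci/v1"},
        "runDetails": {"builder": {"id": "https://example.invalid/builder"}},
    },
}])

# Hypothetical allowlist of builders whose provenance we accept.
TRUSTED_BUILDERS = {"https://example.invalid/builder"}

def check_provenance(sbom_json: str, provenance_json: str, trusted_builders: set) -> dict:
    """Map each 'name@version' in the SBOM to ok / unattested / untrusted-builder / no-digest."""
    sbom = json.loads(sbom_json)
    statements = json.loads(provenance_json)
    # Index attestations by the sha256 of the artifact they describe.
    attested = {}
    for st in statements:
        if st.get("predicateType") != "https://slsa.dev/provenance/v1":
            continue  # ignore non-provenance attestations (e.g. test results)
        builder = st["predicate"]["runDetails"]["builder"]["id"]
        for subj in st["subject"]:
            attested[subj["digest"]["sha256"]] = builder
    results = {}
    for comp in sbom["components"]:
        key = f"{comp['name']}@{comp['version']}"
        digests = [h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"]
        if not digests:
            results[key] = "no-digest"        # nothing to bind provenance to
            continue
        builder = attested.get(digests[0])
        if builder is None:
            results[key] = "unattested"       # component shipped without provenance
        elif builder not in trusted_builders:
            results[key] = "untrusted-builder"
        else:
            results[key] = "ok"
    return results

if __name__ == "__main__":
    for component, status in check_provenance(SBOM_JSON, PROVENANCE_JSON, TRUSTED_BUILDERS).items():
        print(component, status)
```

A component that comes back "unattested" or "untrusted-builder" is exactly the kind of dependency that deserves the meticulous review the rest of this section argues for.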

Another strategy that can be layered in involves value-add organizations reviewing and enhancing open-source libraries to offer hardened versions. In this way, the cost of producing these hardened libraries is spread across all the customers. For example, companies like OpenZeppelin are doing this for Web3 smart contracts. Despite their improvements over the current state, neither of these approaches directly addresses the fundamental issue: that the efficient and effective production of open-source software relies on a high degree of trust in the responsible actions of its developers.

One radical, maybe controversial, idea could be to require open-source contributors to link their contributions to their identity in a non-transferable, non-replicable manner. The ability to track the provenance of every change back to a specific person enables each contributor to build a comprehensive history of their actions on any project, providing a developer reputation (while platforms like GitHub are built around a similar concept, a developer’s “identity” there is connected to anonymous accounts). Contributions from developers with little to no reputation would require meticulous review from more trusted developers, and being linked to a suspected supply chain attack would see a developer’s reputation greatly decreased, potentially barring them from any future open-source contributions.

While we don’t have such a solution to offer, we welcome hearing from anyone with ideas to achieve this in a way that respects both the privacy and the time of those willing to contribute to open-source projects.

The “Colonial Pipeline” of Medical Payments Gets Hacked

In the first few months of 2024, corporations were rocked by several major security breaches. High-profile organizations like AT&T and Microsoft faced significant security lapses, and a third-party breach exposed customer data at Bank of America. The most consequential of these incidents was a devastating ransomware attack on Change Healthcare, orchestrated by the notorious ALPHV/BlackCat group. This attack, launched on February 21, 2024, deeply affected a vast network of pharmacies and healthcare providers. The attack crippled providers’ ability to process prescriptions and verify insurance. This significantly disrupted daily operations and endangered essential patient care.

Change Healthcare, a primary provider of revenue and payment cycle management for the U.S. healthcare system, processes an astonishing 15 billion transactions annually, equating to $1.5 trillion in health claims. The cyberattack impacted 21 critical areas of its operations, severely affecting systems that manage provider payments and insurance reimbursements. The impact of this assault was widespread, halting pharmacy services nationwide, including those within hospitals, and significantly delaying the distribution of essential medications for more than ten days. Further, many patients were left unable to afford necessary medicines. For example, medications for irritable bowel syndrome, which can cost $1,100 without insurance, quickly became unaffordable for most as their copay cards ceased to function.

In response to this crisis, UnitedHealth Group, the parent company of Change Healthcare, has been actively working to mitigate the damage and assist healthcare providers in recovering from the disruption. In a significant move, UnitedHealth Group confirmed it paid the attackers $22 million to regain control of their systems. Change Healthcare is projected to suffer losses of around $1.6 billion due to the attack, with $872 million already spent on recovery efforts in the first quarter alone and an additional $800 million anticipated by the end of the year.

The frequency and sophistication of these cyberattacks are escalating, prompting a shift in perspective to view these incidents not just as financial crimes but as severe threats to human life. A 2020 ransomware attack on a hospital in Düsseldorf, Germany, tragically underscored this point when delayed emergency services led directly to a patient’s death.

Over the past five years, the healthcare sector has become a prime target for cybercriminals, seeing a marked increase in the severity of attacks. From 2020 to 2023, the industry witnessed some of the most significant breaches in its history as the number of ransomware attacks accelerated. According to a December 2022 JAMA Health Forum study, the annual number of such attacks has doubled since 2016. The financial toll is severe, with the average cost of a healthcare data breach reaching $11 million in 2023, up 53% from 2020.

Faced with these ongoing challenges, the U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are intensifying their efforts to identify and uncover any breaches of protected health information and ensure HIPAA compliance. This series of events serves as a critical wake-up call, emphasizing the urgent need to bolster security measures to protect sensitive patient information and prevent the severe disruptions that future attacks might cause.