Before we look forward to what cyber risks stand looming at the gates for 2023, it is appropriate that we take a moment to look back at the most critical cybersecurity events of the past year. To say 2022 was an eventful year for cybersecurity professionals would be quite an understatement.
As Andy Thompson says in a blog for CyberArk, the chaos surrounding 2022 included the familiar drip, drip, drip of unfilled cybersecurity jobs, depleted IT security staffs that struggled to deal with an expanding remote workforce, the escalating cloud and IoT universe and increased consequences of insecure digital acceleration, including greater risk exposure to ransomware threats and vulnerabilities across the software supply chain.
Thompson’s assessment of 2022’s biggest challenges includes identity compromise, a familiar theme across major 2022 breaches, from a high-profile incident involving a leading identity provider to the rise in deceptive “MFA fatigue” phishing. Confronting these identity-centric challenges was of prime concern for government leaders and business executives, who helped turn Zero Trust imperatives into motivating action items.
“Governments enacted stronger cybersecurity regulations to harden networks and protect access to sensitive data and critical infrastructure. Private sectors increased supply chain scrutiny to identify areas of weakness, such as embedded credentials and unmanaged secrets. Under extreme pressure, cyber insurance providers continued to ramp up requirements, making it even harder for organizations to purchase or renew policies. And several landmark legal cases placed breach responsibility and disclosure obligations on individuals, suggesting major changes ahead,” he adds.
The Hot Buttons for 2023
There is little doubt that the sophistication level of cyber criminals and their attack vectors has increased. Cybercrime has become a business and the assailants are more advanced in both their targets and methods. Dirk Schrader, VP of Security Research, and Michael Paye, VP of Research and Development, at data security company Netwrix in Frisco, Texas, both agree that the business of cybercrime will be further professionalized in 2023.
“The return of malware strains like Emotet, Conti and Trickbot indicates an expansion of cybercrime for hire. In particular, the growth of ransomware-as-a-service is enabling criminals without deep technical skills to make money, either by extorting a ransom for decryption keys or selling stolen data on the dark web or to a victim’s competitors. Accordingly, organizations should expect an increase in phishing campaigns. Vital defense strategies include timely patching and updating of software, as well as locking down network access with multifactor authentication (MFA) and privileged access management (PAM) solutions,” says Schrader.
Paye foresees an intensification in supply chain attacks, ranging from the more complex enterprise organizations down to small and medium businesses and managed service providers. “Adversaries will increasingly target these suppliers rather than the larger enterprises, knowing that they provide a path into multiple partners and customers. To address this threat, organizations of all sizes, while conducting a risk assessment, need to consider the vulnerabilities of all third-party software or firmware.”
However, the threat vectors continue to multiply as the mobile workforce expands and networks are stretched to home offices and understaffed corporate facilities. Nadir Izrael, the CTO and Co-founder of Armis, an asset visibility and security company, sees the future of cybersecurity as being an agentless entity as employees continue to work from home and on their personal devices.
“By now, most are aware of threats like email phishing, but hackers have been using machine learning, even more, to steal logins and access private databases. This will accelerate in 2023. And in the office, workers are encountering a new landscape of post-pandemic IoT devices: hands-free, voice-enabled conference rooms powered by systems like Amazon Alexa For Business,” says Izrael. “The problem is these devices can’t be secured by legacy solutions – they’re inherently vulnerable. Cybercriminals go after the low-hanging fruit, so the easy targets give them the route to go deeper into a private network.”
He adds that in most offices, the devices themselves won’t matter as much as how they interact with the broader environment.
“The benefit of an agentless future means that organizations can share devices and not bear the CAPEX burden. In fact, increasingly the “devices” will not be owned at all by the organizations they serve. This will be an extension of much of the already adopted Cloud paradigm: you can get rid of logic that runs on-site and everything runs in a “cloud” – even if it’s a cloud of devices in the office. Ultimately: devices won’t matter. Their access matters.”
To that end, security experts like Chip Gibbons, the CISO at Thrive, a provider of NextGen Managed Services, figure that end-users are going to rank among the top cybersecurity threats in 2023 because of their multiple points of vulnerability.
“Business Email Compromise (BEC) will continue to be a top attack method from cyber attackers and the easiest way into an organization. With the increase in zero-day attacks, people are going to be looking at reducing their externally available footprint. Multi-Factor Authentication (MFA) will be ubiquitous, and nothing should be externally available without it,” explains Gibbons. “Most companies have embraced some form of work-from-home policy and there was a large scramble to get people secure and situated at the beginning of the pandemic. Companies should continue to evaluate their end-user workstation security and work on securing with DNS filtering, EDR, and email filtering.”
Targeting the Threats for 2023
Ransomware and cyber extortion will remain among the top cyber threats in 2023. As cybercriminals’ tactics continue to evolve, they will increasingly favor exfiltrating data over encrypting it for cyber extortion. Governments will continue to strongly advise organizations not to pay ransoms and may even introduce legislation relating to this. That is what Cyril Noel-Tagoe, a Principal Security Researcher at Netacea, is forecasting, citing the fact that double extortion ransomware (where a copy of the data is exfiltrated before it is encrypted) has surpassed traditional ransomware as cybercriminals’ extortion tactic of choice.
“The threat of the exfiltrated data being leaked provides cyber criminals with a secondary lever with which to apply pressure on victims to pay up. However, as organizations adopt stronger backup and resilience measures, the primary impact is now being caused by data exfiltration, rather than data encryption. This may lead to some cybercriminals forgoing encryption entirely and refocusing on exfiltration efforts. There have already been notable cases of ransomware which either skipped or faked data encryption,” says Noel-Tagoe.
He also fears that the machine learning and artificial intelligence advances used to fight cybercrime are likewise being used by cybercriminals as the technology becomes more advanced and accessible.
“Cybercriminals will utilize AI and machine learning in 2023 to power more sophisticated phishing campaigns. Cybercriminals will have access to an ever-growing treasure trove of data, from open-source data such as job postings to personal information leaked in data breaches, with which to craft highly targeted spear phishing lures,” continues Noel-Tagoe. “Researchers have already shown how next-generation language models such as OpenAI’s GPT-3 can be used to generate phishing content that “outperformed those that were manually created”. With GPT-4, the next evolution of the language model, rumored for release in 2023, the threat of AI-powered phishing becomes more severe.”
Another area of potential vulnerability is also a byproduct of a rapidly changing landscape of computer and network complexity. Quantum computing is a rapidly emerging technology that harnesses the laws of quantum mechanics to solve problems too complex for classical computers. As adoption increases, so do the security challenges, warns Jon France, Chief Information Security Officer of (ISC)².
He insists that making infrastructures quantum-resilient is going to be more difficult than imagined, both for the public and private sectors. One major area of concern when it comes to quantum is national security.
“Governments have secrecy policies that last for decades…those policies are going to be threatened by quantum computing as the technology evolves, with much of the information under these policies being transmitted (and potentially captured in encrypted form) with algorithms that may not be quantum safe. Within the next 5-10 years, quantum technology will likely become commercially available, making it a very real threat to past and outdated encryption algorithms – many of which are used to conceal the nation’s top secrets. Quantum computing is going to be able to overcome complex roadblocks at speeds that will render multiple forms of current encryption useless,” France says.
“For the private sector, trade secrets, intellectual property, financial data and more are at the same risk if a bad actor gets their hands on quantum computing capabilities and breaks the encryption keeping critical assets under lock and key. Building cyber resilience in preparation for quantum technology should have been an effort started a decade ago…but now is the second-best time.”
He predicts that in 2023, both the private and public sectors will experience increased awareness around the challenges associated with quantum resilience, and efforts will begin to take hold more significantly to prepare for quantum computing.
“Much of the encryption infrastructure in communication networks that keeps information safe now is deeply embedded, i.e., certificates, and will take years to transition to quantum resilient algorithms, posing a timeline issue for changeover before the general availability of quantum computing,” he adds.
France sees a lesser-known cyber threat as having additional lethal implications in the new year. While most organizations are not as familiar with wiperware attacks as they are with their cousin ransomware, wiperware has been a latent problem for almost a decade, with a dramatic increase in the number of attacks in 2022.
“The motivation behind wiperware is almost always to sabotage victims, especially during times of war, as we see with Russia and Ukraine. Seven different types of wiperware have been used to attack Ukrainian organizations in attempts to weaken their abilities to conquer Russia. We can anticipate a rise in nation-state-motivated wiperware attacks in 2023 as the Russia/Ukraine conflict continues, and we can expect to see other nations utilize these attacks in future conflicts now that they’ve become more prevalent on the global scene. Additionally, with the rise in wiperware, there’s likely to be a rise in phishing attacks, given that it’s the most common vector for distributing ransomware and wiperware,” presumes France.
Despite the morphing attack variations, ransomware remains a constant threat, and it has become a more complex adversary, according to Jon Check, the Executive Director of Cyber Protection Solutions at Raytheon Intelligence & Space. He stresses that any penalties for such attacks will have little to no effect, as the next attacker will only become smarter and harder to catch, especially now that these attacks have become commoditized and attackers are able to put money into researching and developing more sophisticated threats.
“We must combat this by bringing our best diverse thinking to the table while welcoming and inviting unique and diversified talent not always thought to be connected to the cybersecurity industry. The best ideas and most impactful solutions will come from taking a new path shown to us by an unexpected guide,” advises Check.
And let’s not forget the potential for increased incursions into your cloud infrastructure, the experts advise. Illumio CPO Mario Espinoza says that, with economic uncertainty looming, companies are looking to the cloud as an efficient way to tighten costs.
“However, as cloud adoption continues to accelerate, we’ll see more organizations leverage a lift-and-shift approach – moving an application and its associated data to a cloud platform without redesigning the app – tremendously increasing the attack surface in the cloud. Because of this, in 2023, we could witness an uptick in attacks targeting cloud infrastructure,” he says.
Sorting Out the Remedies
The adoption of Zero Trust Security models is becoming a driving force in a comprehensive cybersecurity framework for most large-scale organizations. But as Torsten Staab, Ph.D., Principal Engineering Fellow at Raytheon Intelligence & Space, reminds us, Zero Trust is a tool, not a product.
“Adopting Zero Trust Security across an enterprise requires careful planning and the use of complementary, multi-vendor solutions. For many organizations, adopting Zero Trust Security will be a multi-year journey. Establishing a solid ZT strategy up front and developing a phased, step-by-step implementation plan to avoid boiling the ocean and losing focus will be key to a successful Zero Trust Security implementation,” admits Staab. “Moving into 2023, look for additional ZT implementation guidance and recommendations from NIST and the U.S. Department of Homeland Security’s (DHS) Cybersecurity & Infrastructure Security Agency (CISA).”
Staab continues that as we head toward the Quantum Computing Era, adopting a Zero Trust architecture will become more important than ever. Zero Trust principles such as “never trust, always verify” and “assume breach,” coupled with concepts inspired by post-quantum cryptography (PQC) such as Crypto Agility (i.e., the ability to seamlessly switch between classical and PQC algorithms and quickly replace compromised crypto algorithms if needed), will apply to any organization and be key for providing future-proof, next-generation cyber security.
Anusha Iyer, the President/CTO and Co-founder of API security company Corsha, agrees that Zero Trust as a framework makes a lot of sense for organizations leaning into hybrid deployments, scale, and automation. She states that, as is often the case with emerging cybersecurity trends, the government has been an early adopter and thought leader in Zero Trust with guidance like NIST 800-600 and CISA’s ZT Maturity Model. Next year, ZT adoption will naturally permeate further into commercial enterprises.
“There’s a phrase I hear a lot lately that I love, ‘Shift Left Shield Right.’ This to me gets to the heart of getting Application Security strategies right. For 2023, I predict/hope AppSec will turn into a willing and empathetic collaboration between security teams and development teams to take a multi-dimensional approach to secure application ecosystems across today’s complex hybrid environments through cloud, on-premise systems, browser, mobile, and more,” Iyer says.
The One Constant in Cybersecurity – It Only Gets Harder
As with any challenge, there has to be leadership to confront it. As threats rise and cybercriminals develop slicker evasive tactics, it is the CISO, CIO and CSO who must provide the roadmap for creating a proactive approach to mitigating risk. Illumio CEO Andrew Rubin encourages C-suite executives to arm themselves now with initiatives that work.
“Security is a challenging and at times thankless task. The Uber breach verdict re-instigated a national conversation about the responsibility cyber leaders wield and how companies should be held accountable in the age of imminent digital risk. 2023 will be a challenging year for CISOs around the world, who have more work, more pressure, and less help,” predicts Rubin. “It will be critical for CEOs to not only ensure their cyber teams are supported but to also get on board with an “assume breach” mindset. Having the right tools and strategies in place to contain inevitable attacks will be critical for protecting not only an organization’s assets but also its people in the age of ransomware.”
Manish Mehta, the Chief Product Officer for Ontic, contends that in 2023, cyber-physical convergence will be a focus for security teams. He insists that as the threat landscape becomes more complex and increasingly interconnected, organizations need to build a bridge between their physical and cybersecurity intelligence to better understand, navigate and address potential threats.
“Accomplished through frequent inter-team meetings and technology, collaboration among these two sectors is going to be key for mitigating risk to an organization and its employees,” Mehta suggests.
According to a recent report from McKinsey & Company, cyberattacks are proliferating, causing trillions of dollars of damage every year. The cybersecurity industry has a chance to step up and seize the opportunity. The report revealed that in 2021, organizations around the world spent around $150 billion on cybersecurity, indicating more than 12 percent annual growth, while revenue in the cybersecurity market was also expected to surpass $156 billion this year.
Alberto Yépez, the Co-Founder & Managing Director for Forgepoint Capital, believes this trend will continue in 2023 as the threat landscape grows increasingly more active and complex.
“More specifically, as ransomware continues to skyrocket, organizations will seek support modernizing their defenses, revamping threat detection, and response capabilities with the understanding that attacks are now inevitable. In order to proactively prepare, companies will consider new functions like breach simulations, refined training programs, cyber insurance and more,” says Yépez.
He states that beyond attacks themselves, the cybersecurity market will be further fueled by regulatory compliance standards, cloud migration and global digital transformation across business and government, especially as the hybrid workforce model evolves from a pandemic response to a regular way of doing business.
“All of these components help organizations meet business needs, but also simultaneously complicate their cybersecurity posture and create the need for design-to-scale approaches. As a result, cybersecurity will continue to cement itself as a key enabler across business functions and organizations will prioritize proactive investment in 2023,” concludes Yépez.
About the author: Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes magazines Security Technology Executive, Security Business and Locksmith Ledger International and the top-rated webportal SecurityInfoWatch.com.