Don’t slouch on cybersecurity posture: Experts warn that 2023 will usher in new attack methods and models — and continued use of tried-and-true cyberthreat favorites.
While nearly two-thirds (63%) of cybersecurity practitioners reported spending more on cybersecurity in 2022 than in 2021, attacks continue to proliferate — and accelerate — as cybercriminals grow more wily and their methods are increasingly commoditized.
“Financially motivated crimes such as ransomware, blackmail and selling access tokens will continue to gain popularity and will be the top adversaries in 2023,” said Ben Johnson, CTO and cofounder of Obsidian Security. “With the increase in economic uncertainty, as well as the recent midterm elections and shifts in power, groups like Anonymous will come back and conduct vigilante missions.”
With the holiday season swiftly approaching, and 2023 right behind it, several security leaders share their predictions for the cyberthreat landscape — and what organizations can do to fight back.
Willowy security perimeters increase cyberthreats
Notably, mobile workplace trends will continue to create new blind sports for enterprises, said Patrick Harr, CEO of SlashNext.
With more email protections in place, attackers are increasingly turning to personal communication channels such as LinkedIn, WhatsApp and Signal. And more people are working on the same device for their business tasks and their personal life at the same time, “which is a significant blind spot,” said Harr.
Once an individual user is compromised, it just becomes a matter of penetrating laterally through an organization from an external foothold, he said.
“The single biggest threat to any company is not machine security anymore — it is truly the human security factor,” said Harr. “That is why these attacks on humans will continue to increase, because humans are fallible.”
Jason Rebholz, CISO of Corvus Insurance, agreed that the shift in the cyberthreat landscape is amplified by changing external security perimeters.
“Boundaries are no longer defined by office network location; the external boundary is now amorphous,” he said. “It extends to the user account, third parties, and wherever the organization’s data resides. We have entered a time in which networks are formless and data sprawl is near limitless.”
And, Harr said, the top causes of ransomware are spear phishing, credential stealing and business email compromises.
Another critical area of concern is insider threat, which can be even more problematic in a downturn. This is when an employee, either maliciously or unintentionally, uses their authorized access to steal, share or otherwise expose an organization’s sensitive data.
“At the end of the day, the security policy should always be to not trust anything,” said Harr, “and to verify everything.”
Rise of as-a-service models
Ransomware-as-a-service (RaaS), cybercrime-as-a-service (CaaS) and malware-as-a-service (MaaS) will continue to proliferate, as they offer hackers — including those with little or no coding skills — low-priced access, predicts Derek Manky, chief security strategist and VP of global threat intelligence at FortiGuard Labs. And, new a la carte services will emerge.
“CaaS presents an attractive business model for threat actors with varying skill levels, as they can easily take advantage of turnkey offerings without investing the time and resources up front to craft their own unique attack plan,” said Manky.
On the other end of the spectrum, creating and selling attack portfolios-as-a-service offers a simple, quick and repeatable payday for seasoned cybercriminals. Threat actors will also begin to leverage emerging attack vectors such as deepfakes, offering videos, audio recordings and related algorithms more broadly for purchase.
Automation of cybercrime
Also, attackers employing more targeted methods will likely hire “detectives” to gather intelligence before launching an attack, said Manky. Reconnaissance-as-a-service offerings may serve up attack blueprints, including an organization’s security schema, key cybersecurity personnel, the number of servers they have, known external vulnerabilities and even compromised credentials for sale, to help a cybercriminal carry out a highly targeted and effective attack.
Organizations can combat this with cybersecurity deception coupled with digital risk protection services, he said.
“Luring cybercriminals with deception technology will be a helpful way to not only counter [reconnaissance-as-a-service] but also CaaS at the reconnaissance phase,” said Manky.
Cybercriminals will also soon being using (if they aren’t already) machine learning (ML) to recruit money-laundering mules. Automated services that move money through layers of crypto exchanges will make the process faster and more challenging to trace. Money laundering-as-a-service (LaaS) could quickly become mainstream. Also, beware of the commoditization of the tried-and-true favorite — wiper malware, said Manky.
“The move to automation means that money laundering will be harder to trace, decreasing the chances of recovering stolen funds,” he said. “Looking outside an organization for clues about future attack methods will be more important than ever.”
Threats from nation-state attackers, lone wolves
While there is growing concern from Russian state actors, the biggest U.S. nation-state cyberattack threat comes from China. The country has set a goal to dominate 20 major global industries. The fastest way to achieve that goal is through cyber espionage; cybercriminals can gain access to intellectual property, chip designs and healthcare information, said Harr.
“That is absolutely something we must pay attention to,” he said.
At the same time, don’t underestimate the ability of, for instance, a 14-year-old lone wolf hacker who can infiltrate and compromise an environment and cause lasting damage. This scenario has already played out through social engineering attacks on Uber and Twitter.
“With the proliferation in access to the cloud, automation and shared software repositories, it has never been easier to be a successful bad actor,” said Harr.
Furthermore, the metaverse, digital twins, and other advanced technologies will present new security challenges.
“The metaverse will eventually reach beyond gaming into nearly all aspects of business and society,” said Harr.
This new type of digital interface will present unforeseen security risks — for instance, avatars could impersonate other people and trick users into giving away personal data. Also, expect to see more holographic-type phishing attacks and fraud scams as the metaverse develops.
“Folks will have to fight AI with stronger AI because we can no longer rely solely on the naked eye or human intuition to solve these complex security problems,” said Harr.
Manky agreed that virtual cities and online worlds will be new attack surfaces. While new online destinations open a world of possibilities, “they also open the door to an unprecedented increase in cybercrime in uncharted territory.”
For example, an individual’s avatar is essentially a gateway to personally identifiable information (PII), making them prime targets for attackers, he said. Biometric hacking could also become “a real possibility” because of the AR- and VR-driven components of virtual cities. This makes it easier for a cybercriminal to steal fingerprint mapping, facial recognition data or retina scans and then use them for malicious purposes.
And, digital wallets, crypto exchanges, NFTs and any other digital currencies will be under even more attack, experts agree.
Quantifying cyberthreat security risk
Amidst all this, cyber insurance will become a core part of understanding cyber risk and building resiliency, said Vincent Weafer, CTO of Corvus Insurance.
Cyber insurers will need a deeper and more dynamic understanding of organizations’ cyberthreat risks and IT systems to build resilience, he said. Partnering with third-party providers will allow insurers to gain greater risk insights and set new expectations for policyholders.
Also, expect to see more investment in quantifying security risk, said Corvus’s Rebholz.
Cyber insurance carriers will lean into partnerships with technology companies to fuse security data with insurance and risk-modeling insights, he said. The net result will be more accurate risk quantification, which will help keep policyholders safer.
“In the new year, building cyber resiliency will be a critical priority business leaders won’t be able to ignore,” said Weafer. “This can take a variety of forms, from developing larger initiatives and partnerships with insurtechs, to building cyberskills through regular employee training.”
Fighting advanced attacks with advanced methods
Experts agree that cybersecurity training is necessary — but it shouldn’t be the only line of defense.
Organizations should adopt threat modeling and, particularly amidst increased regulatory scrutiny, implement compliance programs. Also, identity verification will be crucial to success, particularly in the metaverse, many say.
Experts expect security solutions to increasingly be enhanced with ML and AI; this can detect attack patterns and stop threats in real time. Backup and recovery tools will also help organizations reevaluate their security practices.
Furthermore, expect advances in identity proofing, password-less authentication, auditing and change control, and adaptive risk-based orchestration, experts say. Also, Kubernetes platforms with security built in by default to become the norm.
Ultimately, it comes down to implementing broad, integrated, automated platforms and tools, said Harr.
And, he emphasized, “just remember that your people are your most attacked vector and the most unprotected aspect of your security posture.”
CISA growing into its own
The Open Source Security Foundation offered “prescriptions” for the year ahead: Industry and government must be alert to protect critical infrastructure against cyberattacks, as producing software bills of materials (SBOMs) will now be enough to secure the software supply chain.
Notably, “the government must make cybersecurity a civic duty in 2023,” according to the cross-industry consortium.
Obsidian Security’s Johnson, agreed, saying that the Cybersecurity and Infrastructure Security Agency (CISA) “came into its own in 2022.”
“This next year, we’ll see CISA drive better, more resilient security, especially in critical infrastructure — increasing the sector’s maturity as a whole,” he said.
The post A new year, new cyberthreats, methods, protections appeared first on Venture Beat.