Cybersecurity predictions for 2023. – The CyberWire
Experts anticipate that 2023 will bring more evolved ransomware, a push toward stronger cybersecurity within organizations, and many other trends, some extrapolated, others novel.
Geopolitics will continue to play a part in cyberattacks.
MIT Technology Review believes that cyber operations against Ukraine from Russian government-affiliated hacker groups will continue. Russia has attacked Ukrainian targets at least six times with wiper malware this year. Forbes reports that businesses unaffiliated with the government may become targets of state-sponsored attackers. Cyberattacks on infrastructure are expected, and disinformation campaigns are anticipated, as over 70 countries are due to hold elections next year.
Miles Hutchinson, Jumio CISO, believes that more foreign governments will employ third-party hackers to target other nations:
“Following the start of the Russia-Ukraine war, we’ve seen a significant rise in hacktivism, and it’s likely these attacks will further evolve in 2023. Researchers found that out of a total of 57,116 DDoS attacks discovered in Q3 2022, the majority seemed to be politically motivated. In the coming year, we can expect to see military groups around the world increasingly rely on expert hackers to attack other nations’ critical infrastructure and private business operations. To defend themselves against politically motivated cyberattacks, both government agencies and private sector organizations will need to deploy robust network defense tools that can detect suspicious activity and vulnerabilities.”
David Mahdi, CSO and CISO Advisor at Sectigo, says that geopolitical conflict will still be prominent in 2023:
“With geo-political unrest in some of the most powerful cyber nations today, cybersecurity infrastructure is at stake. Nation-state-backed actors are threatening critical national infrastructure and cyber disruption. Given this situation and the ongoing war in Ukraine, these kinds of tactics are to be expected. The “saber-rattling” of nation-states will continue in 2023 to the detriment of governments’ and enterprises’ cybersecurity resilience.
“The next few months will be indicative of what the threat landscape will look like in 2023. Currently, we are still in the position that nation-states, if they wish to, have the capabilities to take down massive critical national infrastructure, such as the NHS. However, given the optics of this, it is unlikely that they would ever launch such a high-profile attack themselves. Instead, it is more likely that a state would sponsor threat actor groups to conduct illicit activities on their behalf. This is what we have witnessed this year with the mass emergence of hacking gangs launching attacks on national critical infrastructure on behalf of a nation-state. It is likely this pattern will continue in the coming months, a trend that will only accelerate in 2023.”
Asaf Kochan, Co-Founder of Sentra, believes that cyberattacks will focus on economic disruption:
“We’re entering 2023 during a period of tremendous global tension and economic uncertainty. If the past few years have been defined by ransomware attacks from organized hacking groups, we are now entering an era in which an increasing number of threats will come from state-sponsored actors seeking to disarm global economies. This poses a direct threat to specific sectors, including energy, shipping, financial services and chip manufacturing. These attacks won’t stop at stealing IP or asking for ransom. Instead, they will focus on proper disruption — compromising or shutting down critical operations on a national scale.”
Ransomware will continue to be an issue.
Ransomware attacks peaked this year, with the trend anticipated to continue into 2023, says Allan Liska, an intelligence analyst at Recorded Future, MIT Technology Review reports. Liska, however, also notes that there are signs that Ransomware-as-a-Service (RaaS) may be diminishing, given what has happened to gangs that have gotten too big; REvil, DarkSide/BlackMatter, Conti, and LockBit have all seen something bad happen to them. Forbes reports that an Accenture study said threat actors are using more aggressive, high-pressure tactics, even using double and triple extortion tactics. Insurance Business Mag reports that Sophos’ 2023 Threat Report believes otherwise, anticipating increased RaaS offerings, as well as other as-a-service offerings.
Tony Jarvis, Director of Enterprise Security, APJ, Darktrace, says that ransomware may be seen targeting third-party cloud providers, Security Brief Australia reports. “These third-party supply chains offer those with criminal intent more places to hide and targeting cloud providers instead of a single organisation gives attackers more bang for their buck,” says Jarvis. “Attackers may even get creative by threatening third-party cloud providers.”
Andrew Hollister, CISO at LogRhythm, believes that ransomware operators will primarily move to file corruption instead of encryption:
“Ransomware has been an attack vector in continual development over the years and is perhaps the one common threat that keeps all CISOs awake at night. In 2023, we’ll see ransomware attacks focusing on corrupting data rather than encrypting it. Data corruption is faster than full encryption and the code is immensely easier to write since you don’t need to deal with complex public-private key handling as well as delivering complex decryption code to reverse the damage once the victim pays up. Since almost all ransomware operators already engage in double extortion, meaning they exfiltrate the data before encrypting it, the option of corrupting the data rather than going to the effort of encryption has many attractions. If the data is corrupted and the organization has no backup, it puts the ransomware operators in a stronger position because then the organization must either pay up or lose the data. Therefore, the importance of backing up critical business data has never been higher.”
Josh Bartolomie, Vice President of Global Threat Services at Cofense, believes that Russian threat actors will focus on ransomware efforts against Ukraine:
“As the conflict between Russia and Ukraine continues, we will see Russian threat actors double down on ransomware efforts as physical, on-the-ground tactics see little return. To make an even greater impact, threat actors will target countries that support Ukraine to ‘punish’ their allegiance to the country, targeting critical infrastructure like healthcare and energy.”
Claire Tills, senior research engineer at Tenable, says that extortion will be an issue in 2023:
“Extortion will be an increasingly disruptive force to enterprises in all industries in 2023. In the past year, we’ve seen threat actors of all motivations moving to extortion-only attacks and forgoing the more complex tactics like data-encrypting malware (ransomware). The notoriety and success of extortion groups like Lapsus$ means that other groups will continue to mimic their tactics.”
Mike Wiacek, CEO at Stairwell, says that the focus shouldn’t be the flashiest activity, but the real risk from the issues that ransomware and other attacks exploit:
“Cybersecurity teams need to focus not on the flashiest ransomware activity, but on the real risk likelihood from issues that ransomware and other attacks exploit. Attackers will continue to find novel approaches for infiltrating organizations – and malware may not always be what it appears to be. (What looks like ransomware may actually be designed for data destruction, for example). To combat any potential risk, teams should be aware of adversaries, their TTPs, their weaknesses, and how the adversaries could be planning to take advantage of them. Security teams need to see around corners and have supplementary knowledge about activity within their systems to identify and correct weaknesses in real time.”
MIT Technology Review notes how mainstream crypto hacks have become in 2022, with “more than 100 large-scale victims in the world of crypto.” However, advancements in cybersecurity for the cryptocurrency industry are expected to continue. Co-founder of blockchain security company Zellic, Stephen Tong, anticipates a “big new wave” of cybersecurity experts into the industry, while CTO of crypto wallet app ZenGo, Tal Be’ery, says that “building blocks” are in place for cybersecurity advancements.
Automation, with a focus on artificial intelligence and machine learning.
Artificial intelligence and machine learning are anticipated to become models of automation in cybersecurity, Forbes reports, but they do have the potential to be abused by threat actors for malicious means. Polymorphic code, or code that constantly morphs to evade detection, has been seen in use in varying types of malware, and could be enabled by machine learning and AI. Fortinet believes that machine learning will provide a boost to money laundering threat actors via automation of recruitment. The demand for AI cybersecurity products is anticipated to be valued at close to $139 billion in 2030, Forbes reports. DigiCert predicts that adversaries will shift toward targeting zero trust infrastructure, and may deploy AI and adversarial machine learning to find zero trust weaknesses.
Torq Co-founder and CTO, Leonid Belkind, says that security automation will continue its expansion:
“Rather than focusing on retroactively building workflows and processes based on historic attacks, security automation deployments will shift to a proactive approach to help prevent attacks before they happen. Part of this involves security teams harnessing early threat intelligence signals and building defenses against them into their workflows and processes. The result will be a comprehensive new offensive-capacity framework that combines the entirety of the security stack into the most powerful protection approach to date.”
Increase in bot attacks.
Forbes predicts an increase in bot activity in the coming year. Botnets are able to automate and expand cyberattacks as technology advances.
Tony Lauro, Director of Technology Security & Strategy at Akamai, says that bots will be addressed by leaders in 2023 due to the damage they can cause:
“Bots aren’t going on vacation. In 2023, it’s very likely we’ll see attackers “renting out” IP addresses as part of a bot proxy system, making it extremely hard to track them. Think of it like short-term vacation rentals, but for IP addresses. Because IP addresses are more commonly “home user” addresses, it makes it incredibly difficult to detect and differentiate between a “good” home user and a bot. Since bots cause so much harm and lost revenue in the long run, we’ll see more security leaders addressing this in 2023.”
Expanding attack surfaces, and expansion of IoT.
It is anticipated that there will be over 30 billion IoT connections in 2025, with an average of 4 applicable devices per person, according to Forbes. Increasing threat vectors, and the spread of the Metaverse, create opportunities for malicious activity, says KnowBe4 in a PR Newswire report.
Ryan Slaney, Threat Researcher at SecurityScorecard, believes that people will demand a better security posture for their IoT devices:
“Connected devices have been historically known for their poor security posture. From vulnerabilities within baby monitors to critical bugs in home security systems, it’s just a matter of time before a malicious actor takes full control of a user’s smart home device. To protect the privacy and security of consumers and their homes, the U.S. government has confirmed plans for a cyber labeling program, set to launch in the spring of 2023. The initiative will help consumers make informed cybersecurity decisions about their IoT devices with easily recognized labels. With new regulations placing increased scrutiny on IoT device manufacturers in 2023, they will be compelled to significantly enhance security across their products.”
Wendy Frank, Deloitte’s US Cyber IoT leader, says that connected device visibility and security will be a major focus for many enterprises:
“IoT-connected devices have been deployed by most organizations over the years, but often without adequate security governance. As the number of IoT-, OT-, ICS- and IIoT-connected devices grows, the attack surface for the networks and ecosystems to which they’re connected grows as well, creating exponentially more security, data, and privacy risks. Leading organizations will focus in the year ahead on connected device cyber practices by establishing or updating related policies and procedures, updating inventories of their IoT-connected devices, monitoring and patching devices, honing both device procurement and disposal practices with security in mind, correlating IoT and IT networks, monitoring connected devices more closely to further secure those endpoints, manage vulnerabilities, and respond to incidents.”
Emphasis on security awareness in organizational culture.
KnowBe4 says that companies are recognizing the importance of building a culture of security, rather than just training, and anticipate a continuation of this trend. Developing an awareness of cyberthreats and taking basic safety measures seriously are imperative in 2023, Forbes reports.
Eric Hart, Manager of Subscription Services at LogRhythm, anticipates an expansion in awareness training:
“Coming to the end of a year in which so many organizations fell victim to social engineering attacks, more organizations will look to invest in training their end users to better detect threats. The past year has seen some big names – the likes of Microsoft, Cisco and Uber – suffer breaches by way of multi-factor authentication (MFA) fatigue, phishing and other social engineering tactics.
“With threat groups like Lapsus$ introducing bribery tactics to lure credentials from internal users, many of today’s attacks have evolved beyond the basic phishing techniques that end users are trained to recognize. Organizations will look to reassess their training programs to ensure that users are familiar with the bribery and extortion tactics associated with the latest social engineering schemes. Threat actors are constantly searching for new inroads into networks. Organizations concerned with their security postures will be sure to educate their users on emerging threats.”
Jason Keogh, Field CTO of 1E, says he believes a positive digital employee experience is the future:
“In 2023, organizations will focus on driving a positive digital employee experience (DEX) without compromising security. Not only do draconian security controls lead to bad DEX, but they also cause users to find workarounds, which on balance creates an overall less-secure IT estate. Out of frustration with tough or confusing restrictions, they may, for example, create or store company data on personal devices or in personal cloud storage, or access company apps and data from unprotected personal machines. Better auditing and change control aligned to self-service and real-time capabilities are key to good security with good end-user experience. Looking ahead to 2023, organizations should implement real-time controls and exception handling to improve DEX and security—together.”
Pete Renneker, Deloitte’s US Technical Resilience leader for the Cyber Risk Services Infrastructure practice, says that an integrated view of different scenarios can improve organizational resilience:
“As the digitization of business continues, organizations are becoming more connected within the global marketplace thus expanding the attack surface and increasing the frequency and impact of disruptions. The multitude of supply chain, geopolitical, environmental and cyberattack events organizations are facing challenges to traditional risk programs and are drawing increased regulatory scrutiny. By leading with an integrated view of scenarios that threaten core business operations, organizations can employ new techniques and technologies which develop situational awareness to emerging threats and improve their ability to respond to disruptions.”
Social engineering, or, say, friend, step right up.
The increasing commonality of social media storefronts and commerce, as well as the ease with which you can be verified on various platforms, will increase the rate of social media scams into the coming year, KnowBe4 says.
David Anteliz, Senior Technical Director at Skybox Security, predicts an increase in spearphishing specifically, with prominence on LinkedIn:
“Spear phishing continues to be a successful form of social engineering plaguing organizations today. Spear phishing is sure to be a prominent attack vector in 2023. We can expect threat actors to place an increased focus on targeting individuals via fake accounts on LinkedIn. LinkedIn is a platform that has traditionally been less frequently associated with malicious behavior and widely trusted by users. Threat actors will seek to take advantage of this sentiment to access critical information.
“Threat actors will disguise themselves as professionals looking to conduct surveys leveraging experts in various fields, giving them the perfect opportunity to obtain sensitive information from individuals and their organizations.”
Josh Yavor, CISO at Tessian, says that social engineering will be the root cause of many cyberattacks:
“In 2022 alone we’ve seen many high-profile companies across multiple industries fall victim to social engineering attacks. Social engineering is the leading cause because it works, is low cost, and when one path forward becomes more difficult – such as corporate email – attackers will shift to other communication methods. In fact, according to recent Tessian data, 56% of employees said they received a text message scam in the past year.
“While it’s a safe bet that 2023 will have plenty of headlines that are the result of social engineering, and that no organization is 100% safe, hope is not lost. We’re seeing attackers change their behaviors when social engineering tactics become more costly and difficult. That means some things are working, but we have so much work left to do. The question that should be top of mind for all CISOs as we head into 2023 is how their teams will approach making social engineering less reliable and more costly for attackers while extending the security umbrella to help cover risks outside of their reach.”
Critical infrastructure and OT security.
KnowBe4 anticipates the compromise of critical infrastructure next year, and cites the ongoing Ukraine/Russia war as a factor that increases the likelihood.
Ramsey Hajj, Deloitte’s US and Global Cyber OT Leader, says that OT is seeing evolving threats in manufacturing and elsewhere:
“Cyber attackers are increasingly weaponizing Operational technology (OT) environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments can make cyber incident containment difficult. Organizations can implement cyber threat identification, detection, and prevention controls to address OT security risks by taking steps inclusive of increasing visibility to devices, implementing OT network segmentation, implementing security monitoring tools for the OT environment, correlating security information from OT and IT networks, and establishing security operations centers (SOCs) that address both.”
Coalition cybersecurity engineer Tommy Johnson says that critical infrastructure and nonprofit organizations need to be extra cautious:
“In analyzing the most frequently targeted industries and verticals, we noticed that organizations in critical infrastructure (manufacturing, materials, and energy, for example) experienced the highest volume of cyber claims thus far in 2022. We expect this to continue into 2023, with sophisticated attackers targeting organizations where they can maximize impact, especially regarding the ongoing geopolitical conflict.
“According to our data, nonprofits experienced the second-largest volume of cyber claims in 2022 (thus far). We expect this trend to continue into 2023, especially because November and December are the most prominent months for nonprofits to receive financial donations. Those funds will largely be put into use in January and February, making these organizations even more of a target at the beginning of the year.”
Increased efficacy and threat of deepfakes.
Deepfakes will advance in their ability to fool and damage reputations, KnowBe4 says. Due to the lack of knowledge around deepfakes, there is inadequate training around the topic.
David Mahdi from Sectigo says that he believes that deepfake phishing will ramp up in 2023:
“Virtually every single business relies upon email, chat, and video conferencing as fundamental modes of communication, especially in the era of hybrid work. Cyber-criminals are aware of companies’ reliance on them and are perpetrating a variety of attacks to profit from them. The idea is simple: get employees to send money or information by impersonating a person in a position of power. These days, employees may consider themselves experts at sniffing out untrustworthy communications so bad actors have added a new component to the scheme which we will see go mainstream in 2023: Artificial intelligence/machine learning (AI/ML) backed techniques, specifically deep fake phishing.
“Deepfake technology allows users to impersonate others with startling accuracy and we are going to see this technology continue to improve and become more mainstream in 2023. Bad actors can easily make autoencoders—a kind of advanced neural network—to watch videos, study images, and listen to recordings of individuals to mimic that individual’s physical attributes. Rather than deploy malware, perpetrators will increasingly rely instead on social engineering techniques and impersonation, making them notoriously difficult to prevent.
“Those in the security business should choose biometric authentication methods with care—and with the understanding that, as deepfakes become more sophisticated, those biometric authentication methods may be rendered much less useful. On the other hand, everyday individuals should monitor their accounts regularly, especially for banking, loan, and other financial services. Implementing email certificates is a quick and easy fix to decrease the chances of these attacks, combined with ongoing employee training.”
Impact of an economic recession on cybersecurity.
Tony Jarvis of Darktrace says that budget cuts are fueling more creative approaches to cybersecurity for CISOs, Security Brief Australia reports. “Rising cyber insurance premiums are one thing, but as more underwriters introduce exclusions for cyber-attacks attributed to nation-states, organisations will struggle to see the value in such high premiums,” he says. “In 2023, CISOs will move beyond just insurance and checkbox compliance to opt for more proactive cyber security measures in order to maximise ROI in the face of budget cuts, shifting investment into tools and capabilities that continuously improve their cyber resilience.”
Kevin Kirkwood, Deputy CISO at LogRhythm, says that cyberattacks will be prevalent during difficult financial times:
“When it comes to malicious attackers, organizations need to be acutely aware that we’re not talking about machines or software programs being at the other end of this, we’re talking about creative human beings who are motivated and will do whatever it takes to achieve their goal of receiving more money. As organizations balance international turning points with Russia’s war in Ukraine while scaling down operations, threats will inevitably continue to evolve as cybercriminals take this chance to up their attack game during the recession. Therefore, it’s crucial that all organizations are proactive with their security strategies and adopt endpoint technologies and other security solutions that provide preemptive capabilities.”
Rohyt Belani, CEO and Co-Founder at Cofense, says that the cybersecurity industry isn’t recession-proof:
“In 2023, we will see fewer resources and tighter security budgets in corporate settings thanks to economic uncertainty, resulting in subpar security posture across organizations. Because of this, threat actors will capitalize on this asymmetry and evolve faster, creating the perfect storm for an amplified number of breaches across all vectors in 2023, especially using email as an attack vector.”
David Mahdi from Sectigo says that financial instability will prompt the securing of cyber infrastructure:
“The economic downturn will force enterprises to decrease investments in cyber protection and therefore increase their vulnerability to an ever-evolving and dangerous slew of threats.
“As such, it will be critical for public officials to re-assess cybersecurity regulation effectiveness amid conflict and, more importantly, for institutions to fortify their cyber infrastructures.
“To remain secure, leaders should focus on the people and processes within organizations, as swiftly and as promptly as they’d adopt new technology to stay competitive. For the sake of their employees and the customers they serve, close monitoring of digital identities within public and private networks will prevent organization missteps. As the next year has many unknowns, enterprises will ensure procedures and regulations work hand-in-hand for cyber resiliency.”
Drew Perry, VP of Information Security & CISO at Serta Simmons Bedding, says that, to conserve funds, companies will not push for returns to work:
“Driven by continued economic instability, there will be an acceleration of organizations going back to remote work on a larger scale as a way to save money on big, expensive office spaces. As workforces become increasingly distributed, CISOs will once again have to prioritize the support of secure collaboration and communication technologies required by this shift. In 2023, zero-trust networks, data loss prevention, information privacy and cross-border data transfers will all become increasingly critical for a workforce that can work from anywhere.”
The continued evolution of authentication methods.
Multifactor authentication is not the strong protector it once was, says Darktrace’s Tony Jarvis, Security Brief Australia reports. Jarvis says, “Once considered a silver bullet in the fight against credential stuffing, it hasn’t taken attackers long to find and exploit weaknesses in MFA and they will continue to do so in 2023. MFA will remain critical to basic cyber hygiene, but it will cease to be seen as a stand-alone set and forget solution. Questions around accessibility and usability continue to dominate the MFA discussion and will only be amplified by increases in cloud and SaaS along with the dissolution of traditional on-prem networks.”
Romain Basset, Director of Customer Services at Vade, anticipates phishing attacks targeting MFA and legitimate servers:
“We’ll see more phishing campaigns that are able to circumvent MFA by acting as a proxy with the real authentication system, or by tricking users who have MFA fatigue.”
John Pescatore, director of emerging security trends at the SANS Institute, believes MFA bypass attacks will increase significantly:
“We will see a continued movement away from using multiple-use passwords and towards adopting multifactor authentication (MFA), passkeys, FIDO 2 authentication and other additional layers of security. Companies like Apple and Google are also developing their own authentication token systems. This will all lead to a badly needed increase in security but also result in an explosion of attacks that aim to bypass such MFA approaches, including using stalkerware to take advantage of company executives and board of directors’ use of mobile phones to record their keystrokes and interactions.”
Stuart Wells, Jumio’s CTO, says that identity verification will be moved to multimodal biometrics:
“The era of passwordless authentication is well underway as businesses across sectors continue to adopt biometric identity verification. Biometric verification technology has improved significantly in recent years — so much so that it’s been ingrained in many everyday tasks, like unlocking our mobile devices. Even as facial recognition technology reaches upward of 99% accuracy, fraudsters have engineered workarounds through the likes of face morphs, deepfakes, digital image manipulation and the use of synthetic masks.
“These concerns will remain top of mind for enterprises heading into the new year, which paves the way for the rise of multimodal biometric adoption in conjunction with multimodal liveness. Introducing an additional level of biometric verification to the authentication process adds another layer of insulation between enterprises and malicious actors. Supplementing facial recognition with an additional biometric like voice or iris detection provides additional security for businesses seeking to verify their customers, patients, employees and other users. Additionally, adding multi-modal liveness detection further strengthens the protection the person is real. Techniques such as correlated mouth movement and speech, and detecting blood flow in the face all make the authentication process much harder to spoof.”
Miles Hutchinson from Jumio says that MFA fatigue will force the abandonment of the authentication method:
“Dating back to the mid-1990s with the inception of phishing, hackers have long employed the use of social engineering attacks for credential access and network breaches. Today’s hackers, however, aren’t hunting their next victims in AOL chat rooms — instead, they’re right beneath our fingertips spamming users into approving push notifications and sign-in attempts that grant outsiders inside access.
“The likes of Microsoft, Cisco and Uber, among other large-scale organizations, have all been struck by this multi-factor authentication (MFA) fatigue technique. The widespread success of this tactic, also referred to as prompt bombing, will soon force businesses to leave behind MFA strategies and search for verification alternatives. It’s likely that many organizations will begin to look toward passwordless authentication as the preferred method of authentication — and a sure way to avoid users falling victim to MFA fatigue.”
US Federal government push toward cybersecurity.
Aleksandr Yampolskiy, CEO and Founder of SecurityScorecard, believes that there will be an increase in government moves toward security:
“According to Gartner, digital immune systems that deliver resilience and mitigate security and operational risks will be a key strategic technology trend in 2023. We’ve already seen considerable mentions of security by default practices in the past several months within CISA’s Strategic Plan for 2023 – 2025 and the White House’s Guidance on enhancing software supply chain security. In 2023, we’re going to see increased guidance and legislation surrounding secure development practices that include specific metrics and timelines for federal agencies. As technology companies seek government contracts in the coming year, it will be increasingly crucial that they collaborate with the public sector and look at these government regulations as a baseline to build foundationally secure software.”
David Anteliz of Skybox Security anticipates that the increase in cybersecurity directives from the federal government will increase federal agencies’ likelihood of being targeted, saying:
“The Cybersecurity and Infrastructure Security Agency (CISA) has issued a number of new guidance this year. Most recently, Binding Operational Directive 23-01 mandates federal agencies to take necessary steps to improve their asset visibility and vulnerability detection capabilities in the next six months. In 2023, we will see threat actors ramp up their attacks before new cybersecurity controls are implemented ahead of 2023 deadlines. This increase in attacks will likely come in the form of supply chain attacks as malicious actors seek to do their worst before they get caught.”
Veronica Torres, Jumio worldwide privacy and regulatory counsel, says that Congress will have to agree on a national privacy framework in the near future:
“We’ve seen considerable momentum surrounding data privacy in the U.S. over the past few years, as consumers and watchdogs continue flagging concerns over the innumerable amount of data technology companies are collecting and storing about them. While state-level regulations have been a great starting point in protecting consumers, they have also brought a number of challenges, such as compliance issues for businesses operating in different states.
“It’s only a matter of time before the U.S. comes to an agreement on a federal bill that creates a national standard for how consumers’ data should be handled and safeguarded. The American Data Privacy and Protection Act has already been making its way through Congress, and it’s highly likely we’ll see some version of this bill passing in 2023. Once a federal framework is established, tech companies will be required to implement additional measures that prioritize the privacy of their users.”
Josh Lospinoso, CEO of Shift5, believes that Hunt Forward will be the new norm for US cyber operations next year:
“Ukrainian defenders beat all odds in preventing cyberattacks from Russia this year, and one of the key reasons for this success is Cyber Command’s Hunt Forward operation in Ukraine. Hunt Forward shored up Ukraine’s defenses and highlighted the power of international collaboration in the face of cyber threats. While Cyber Command is sometimes met with skepticism and distrust upon arrival at foreign government offices, the operation in Ukraine is proof that Hunt Forward works, and it will become the norm for US operations in 2023.”
Matt Warner, CTO and Co-Founder of Blumira, believes that the DOJ will crack down on ransomware payments:
“Ransomware and ransomware as a service will forever be a threat to small businesses and enterprises alike. Data has value, and cybercriminals know they can exploit this for monetary gain. As the threat landscape continues to evolve, in 2023, the Department of Justice (DOJ) and other federal agencies will become more serious about halting ransomware payouts, and start cracking down on businesses that pay ransomware demands. In the coming years, we’ll see broader solutions and stricter protocols to prevent organizations from paying known criminals. Additionally, with the upheaval in the crypto market, access to bitcoins and related cryptocurrencies may become increasingly difficult as regulations are created.”
Supply chain attacks and SBOMs.
Software supply chain attacks have solidified the need for organizational use of a Software Bill of Materials (SBOM), DigiCert reports. Wide adoption is predicted in the coming year, following a 2021 US executive order requiring software sellers to provide federal agents with an SBOM.
Kevin Kirkwood from LogRhythm believes that supply chain attacks are still a major threat to users of open-source software:
“Organizations should be on high alert for supply chain attacks if they use open-source software. In recent years, hackers have become more strategic when it comes to exploiting open-source software and code. 2023 will be no different. Bad actors examine the code and its components to obtain a thorough understanding of its flaws and the most effective ways to exploit them.
“Most folks think of ‘supply chain attacks’ as an attack on the physical pipeline that will keep folks from being able to produce physical products. Software supply chain attacks are similar in nature to the physical world. Developers use libraries, executable code and code snippets to complete their software products. If those elements are compromised and malicious code is inserted into those elements, the end product that the developer has produced becomes a vehicle for threat actors to compromise the product and potentially gain entry to the system that houses the software.
“In 2023, we’ll see bad actors attack vulnerabilities in low-hanging open-source vendors with the intention of compromising the global supply chain that utilizes third-party code. Attackers will infect the open-source repositories and chromium stores with malicious code and will wait for developers and other end users to come along and pick up the new sources and plugins. Without a robust scanning program and a ‘curated zone’ for source code and plugins, companies will continue to be at risk.”
Michael Posey, Pre-Sales Engineer at Vade, anticipates an increase in supply chain and hijacking techniques all around in the coming year:
“As users become more proficient at spotting and reporting common phishing scams from well-known brands, we will see hackers adjust their strategy, including impersonating suppliers or customers. I expect more supply-chain attacks and hijacking.”
Sharon Chand, Deloitte US’ Cyber Risk Secure Supply Chain leader, believes that complex supply chain security risks will continue to emerge:
“Today’s hyperconnected global economy has driven organizations to heavily depend on their supply chains—from the components within their physical and digital products to the services they require to run their day-to-day operations. This critical interdependence makes supply chain security and risk transformation an imperative for today’s globally connected businesses. Organizations now require a holistic approach, which includes shifting away from point-in-time third-party assessments toward real-time monitoring of third-party risks and vulnerabilities in inbound packaged software and firmware components. For instance, this includes implementing leading practice techniques around ingesting Software Bill of Materials (SBOMs) and correlating the output to emerging vulnerabilities, identifying risk indicators such as geographical origin of the underlying components, and providing visibility to transitive dependencies. Organizations are also focusing on deploying and operating identity and access management (IAM) and Zero Trust capabilities that better enforce authorized third-party access to systems and data and reduce the consequences of a compromised third-party. The threats introduced into the supply chain continue to evolve in complexity, scale, and frequency, so organizations need to continue the momentum with innovating and maturing their supply chain security and risk transformation capabilities.”
Rob Brown, Co-Founder and Vice President of Business Development at RKVST, believes in scaling SBOMs:
“Organizations often use manually intensive, outdated processes to assess risk and share information across their software supply chains. But the general trend toward digitalization and the need to scale software bill-of-material processes will accelerate the move away from these legacy approaches and toward more scalable, efficient and automated SBOM and other processes.”
The importance of threat intelligence.
Geektime reports that threat intelligence is a key part of blocking cyber threats, providing an early look at risks along with contextual threat-related intel.
Tonia Dudley, Vice President and CISO at Cofense, believes that crowdsourced threat intelligence will be increasingly relied upon in the coming year:
“As threat actors continue to share what works on their side in terms of attack vectors and tactics, security leaders and cybersecurity organizations will increase their communication with each other in 2023 on what is working best to defend against threat actors. This crowd-sourced threat intelligence will allow organizations to learn how to better defend themselves.”
Tech devices, better for both good and evil.
Michael Innes, President at VisionTek, discusses upcoming shifts in tech devices, hardware, and demand:
“With the influx of new tech devices in recent years, universal compatibility and maximum efficiency will be king in winning over consumers. We know USB-C and Thunderbolt connections are gaining popularity – especially given recent legislation. Successful companies will be those who focus on the ability to connect to as many devices as possible while also charging with the highest efficiency allowed.
“Crypto mining fueled tremendous GPU and PC hardware growth over the last 3 years and created massive shortages in the industry, however this will begin to wane in 2023. This decline in scope will reduce manufacturing demand, open more production capacity, and normalize inventory levels. Prices will drop and other applications in the PC space will fill the void, like VR.”
The changing cyber labor market.
Seagate predicts that in the next year, automation will expand and open doors for those with specialized skills to bridge the cybersecurity skills gap.
John Pescatore of the SANS Institute believes that companies need to go on the offensive to attract cyber talent:
“Cyber professionals need to close the skills gap to understand what attackers are exploiting and why. Next year, we will see more offensive training and increased focus on threat hunting to improve hunt-to-detection time and examining endpoints and network traffic for anomalies to detect attacks and prevent them from causing damage. This will be especially important with an expanded attack surface from a continued hybrid workforce. At the same time, organizations won’t be able to hire during the recession and will need to upskill and make their staff better trained to defend against attacks. As such, we will also see a rise in purple teaming so that security professionals can practice with each other on penetration testing, uncovering, and defending against the newest cyberattacks.”
Sachin Bansal, Chief Business Officer of SecurityScorecard, believes that hiring and retention of cyber talent will be a challenge for the public sector:
“The cybersecurity skills gap that has plagued the security community for the last several years won’t be closing any time soon. Research reveals that 80% of organizations suffered from at least one data breach in the past 12 months due to a lack of cybersecurity talent or awareness. The public sector is especially at risk, with more than 700,000 unfilled cybersecurity positions as of July 2022. In 2023, the inability to hire and retain appropriate talent to defend against a high volume of attacks will leave the public sector highly vulnerable. To fill the widening cyber skills gap, the public sector must improve compensation packages to prevent losing talent to well-paid roles within the private sector, as well as expand diversity within their workforce.”
Deborah Golden, Deloitte’s US Cyber & Strategic Risk leader, says that the talent search and outsourcing will evolve due to a talent shortage and growing labor costs:
“With the breadth, complexity and frequency of cyber security risks exponentially increasing by the day and the increased pressure from stakeholders (regulators, boards and employees) to manage cyber security risks – organizations have a huge demand for skilled and experienced cyber talent. This need compounded by cyber talent market shortages, particularly of highly trained specialized skill sets, makes attracting and retaining niche, hard-to-find talent extremely difficult. Organizations are scrambling to fill required positions, impacting their ability to manage cyber risks. As this talent shortage continues to grow, more organizations will consider alternatives such as outsourcing and management of core cybersecurity functions. To remain agile and optimize operational processes, organizations will need to focus on hiring and retention of niche cyber talent along with outsourcing strategies.”
Almog Apirion, CEO and Co-Founder of Cyolo, anticipates the recruitment of service industry workers for cybersecurity positions:
“More companies, in addition to larger enterprises like Amazon, will look to fill the empty positions within their own organizations by ramping up specific training to transform service industry workers into security professionals.
“Service industry workers have the basic skill sets, and with additional on-the-job training, companies may shift their focus and employ these individuals. The caveat for 2023 is how organizations moving to this new model will be able to train and reskill employees to meet the security skills criteria needed.”
Steve Winterfeld, Advisory CISO at Akamai, says that retention needs to be a focus:
“Staffing pains within the security department of financial institutions will stabilize as the great reshuffling fades out. It is critical for organizations to stabilize their staff after a period of high turnover. As the economy slows, people will be less likely to change jobs, but the best ones will still be at risk of being lured away as cyber skills are still in high demand. The banking and financial industry is very complex and thus requires a more comprehensive period of onboarding and training. If organizations don’t invest in this area, they will likely incur higher costs while battling staff retention issues.”
Matt Warner of Blumira says that low-noise cybersecurity solutions can help close the skills gap:
“The cyber skills gap is an issue for businesses of all sizes, but the impact on small and medium-sized businesses is unparalleled and unique. SMBs are prime targets for attacks but often lack the resources to pay competitive salaries in a market where experienced candidates are in high demand. Ten years ago, SMBs weren’t regarded as attractive targets for breaches or ransomware attacks, but now they’re seen as low-hanging fruit – making the risk even more significant. The talent shortage looming over the cybersecurity industry has left positions critical to the security of SMBs vacant and, therefore, businesses even more vulnerable.
“With this, SMB IT leaders must prioritize partnering with security companies to reduce their attack surface and increase visibility across their environments. With such high demand for security professionals to detect and respond to threats, it can be easy to overwork the individuals that businesses do have. That’s where threat detection and response solutions that create minimal work for admins – not products that generate endless noisy alerts – become critical.”