This post is part of our 2023 cybersecurity prediction series.
Michael Mestrovich, Chief Information Security Officer at Rubrik
The attacks aren’t going to stop.
Unfortunately, we will see more of the same in regards to cyberattacks in the coming year. Cybercriminals are making money hand over fist and until that changes, attacks will continue.
The need for machine learning and artificial intelligence will intensify.
The trend of more connected devices, driven by the Internet of Things, will accelerate as companies drive more automation to compensate for worker shortages. This combined with the general shortage of cyber professionals will force organizations to employ ML/AI at scale in order to keep up with the overwhelming volume of data that needs to be analyzed to hunt for cyber threats.
Cybercriminals will keep hitting where it hurts.
Cybercriminals, backed by Foreign Intelligence Services, will continue to target critical infrastructure systems on a global scale, including water, power, emergency services and transportation in an effort to foment chaos and erode trust in civil services.
Healthcare and education are two other sectors that will sustain cyberattacks, with the former having mortal consequences.
Private citizens will feel the impact.
As attacks will continue to hit services used by the general public, cybersecurity will become more of a hot-button issue - Federal and state agencies will need to step up their game and arm municipal service providers with the cyber defense measures they need to stay safe.
Properly prepared playbooks prevent pandemonium.
A playbook outlining best practices regarding cybersecurity (with institutional knowledge and guidelines) will be an essential part of municipal service providers response plan to attacks; they will not be able to afford top tier IT talent (which there is already a shortage of) so having a strategy supplemented by a rock-solid playbook will be the next best option.
Public sector+private companies=cyber defense dream team.
Partnerships between the public sector and private organizations will become increasingly important in order to enhance software security and put up a credible defense against nation-state attackers, who have a wealth of resources at their disposal.
Cyber criminals coordinate attacks, cyber defenders need to coordinate defense and response.
Steven Stone, Head of Rubrik Zero Labs
Ransomware will shift its primary focus away from encryption.
2022 saw a demonstrable rise in ransomware events involving data theft combined with encryption events. While this isn’t fully new to 2022, the attacker's preference for varied extortion options became clear over the last year. This trend is likely to accelerate over the coming year along with a growing focus on data destruction, to include a renewed focus on data backups. These increases are likely to see a corresponding decrease in the encryption events.
Why is this likely to happen? Three reasons are at play.
First, technology and shared best practices are improving ransomware victims’ ability to recover their data without having to pay the attacker for a decryptor. Tied to this, multiple public discussions have revealed paying for decryptors often results in lost data or follow-on ransom demands, which is why the FBI recommends against paying the ransom..
Second, cybercriminals have realized the “hack and leak” component of a ransomware event provides a second extortion option or subsequent way to monetize their efforts. This becomes more pronounced as regulations and governance requirements become more commonplace.
Third, it takes more technical work to make an effective encryption/decryption tool compared to stealing data and then choosing a range of methods to corrupt victim data. It’s likely a lower technical lift for ransomware actors to steal data, offer to “sell it back”, and if not threaten to publicly leak the data or sell to other malicious actors. At the same time, data destruction can place an extreme stress on the victim, which acts in the cybercriminal’s favor.
The most impactful intrusion vector will be SSO abuse.
As more organizations move to single-sign on (SSO) architectures, particularly as an effective way to manage hybrid environments, malicious actors know this is the best and most effective route to access their victims. 2022 had multiple high-profile intrusions leveraging malicious SSO with multi-factor authentication (MFA) abuse, which in turn is likely to accelerate this shift.
Malicious SSO use can be difficult to detect and respond to without effective safeguards in place. These additional challenges on defenders provide visibility gaps for malicious actors to evade detections. While it is unlikely malicious SSO use, particularly combined with MFA, will be the highest volume threat vector, it provides significant access and potential to remain undetected across an enterprise. Based on these combined factors, the most impactful intrusions of 2023 will combine these actions.
Low-level actors will produce high-level impacts.
The threat landscape continues to become more varied and diverse with each passing year. These changes are providing more capability for entry-level threat actors. The increased capability in turn produces much more substantive impacts to their targets.
In the past, a malicious threat actor had to conduct virtually all technical and monetization actions on their own. This technical standard, while not preventing all impacts, did effectively place some restraints on different threat actors. But that technical requirement is being largely replaced by an effective “intrusion gig economy” where tools, access, or malicious services can be purchased.
This is combined with a growing list of highly capable offensive security tools being leveraged for malicious purposes. Finally, 2022 provided significant media coverage for low-level actors producing large impacts to mature organizations. These combined factors are likely to produce more impactful intrusions in 2023 from threat actors with lower technical skill levels than any previous year.
Malicious actors learning cloud intrusions provide detection opportunities.
As organizations continue transitioning more of their operations to the cloud and SaaS applications, malicious actors must follow this migration. Put simply, intrusions will have to occur where victims run their operations and host their architecture. These transitions place significant strain on IT staff and often present stumbling blocks or lack of visibility. That’s the bad news.
The good news is threat actors have to make the same transition and stumble through cloud-native aspects of their work as well. This presents several robust detection opportunities based on potential errors in their tools and methods, lack of understanding cloud/SaaS fundamentals, or challenges moving across a hybrid environment.
New regulations will accentuate the cyber poverty line.
The cyber poverty line is a threshold dividing all organizations into two distinct categories: those that are able to implement essential cybersecurity measures and those that are unable to meet these same measures. This concept was first coined in 2011 by Wendy Nather, head of advisory CISOs at Cisco, and is often used when discussing budgets, security architectures, and institutional capabilities.
As multiple new government regulations and policies roll out globally, the number of requirements on every organization is growing at a rate requiring significant resources and capabilities. As one example, the new US Strengthening American Cybersecurity Act signed in 2022 creates reporting requirements and coordination with government institutions. As another example, Gartner estimates that by the end of 2024 more than 75% of the global population will be covered by some form of digital privacy regulations.
While these regulatory efforts will undoubtedly produce positive results, a large number of organizations will struggle to implement, comply, or even understand these same efforts. This is sure to increase the gap between organizations above and below the cyber poverty line instead of reducing the difference. This same growing distance is likely to also carry over into cyber insurance and related areas.
###
Comments