What Trends to Expect for 2023?
At the end of 2020,
we alluded to the prediction made by Cybersecurity Ventures’ researchers
about the global annual cost of cybercrime by 2021:
6 trillion dollars.
Now,
from the same source,
the forecast offered for 2023 is $8 trillion.
In other words,
this would correspond to $667 billion a month,
$21.9 billion a day
and $913 million an hour.
As these costs grow
due to the increase in the number of threats and targets,
so does the demand for solutions.
According to Fortune Business Insights,
the global cybersecurity market will grow from $155.83 billion in 2022
to around $176.71 billion in 2023.
This value is not far from that reported by Gartner
for spending on information security and risk management products and services
for the same year:
more than $188.3 billion.
In this post,
after having reported some cybersecurity trends in 2022,
we will talk about other trends in threats and prevention measures
that we can expect for 2023.
Threat landscape
Phishing
Phishing,
a well-known social engineering tactic
whereby a person is tricked
into delivering information from
or installing malware on a system,
continues to be
one of the top attack or infection vectors in the world
and is likely to remain so in 2023.
It can often be easier for an attacker
to target and exploit human weaknesses
than to detect and take advantage of vulnerabilities
in an IT system.
What we can expect in the coming year is an increase
in the use of an even more sophisticated phishing technique.
This is known as “geo-targeted phishing.”
Here,
the target is defined more cleverly:
it can be specific groups of people in particular locations.
The threat actor seeks greater effectiveness with,
for example,
more relevant clickbait containing industry-specific
and even brand-specific language.
This makes and will make these tactics more challenging to detect
than traditional phishing.
Ransomware
Phishing is indeed one way
in which criminals can perpetrate a ransomware attack.
Ransomware,
in which the threat actor can deny access to information
(even steal it)
or block the operations of a system to its owners or users
until they pay the ransom,
remains one of the most popular attacks worldwide,
even though the authorities have already busted
and broken up several ransomware gangs.
Among the most active gangs
at the moment is LockBit.
The action of the BlackCat group has gained prominence
in recent months too.
A ransomware attack
on the Joint Command of the Armed Forces of Ecuador
has been attributed to this gang
in the last month.
However,
this entity qualified what was reported in the media
as a groundless rumor.
Damages from ransomware in 2021 were estimated
at $20 billion
and are expected
to be around $30 billion by 2023.
It is also predicted that
by 2031 there will be a ransomware attack every 2 seconds,
up from every 11 seconds in 2021.
It’s shocking!
And heads up,
it’s apparently true that
many victims are not reporting the attacks,
nor will they ever report them.
This further complicates the understanding of the picture.
Supply chain attacks
Today it’s in vogue to target software supply chains
with ransomware attacks.
It’s even now trite to mention
what happened with SolarWinds.
But this has been followed by events like those
suffered by giants like Toyota, Nvidia and Samsung.
In supply chain attacks,
criminals exploit vulnerabilities such as the recent Log4Shell
in third-party software products
(e.g., from suppliers or partners).
This leads to the compromise of those
who rely on and make use of them,
including larger and better-established organizations.
These organizations can invest enough attention and money
to secure their perimeter and on-premises systems,
but sometimes this is not the case
with the third-party software they use.
Therefore,
exploiting vulnerabilities in third-party software
acts as a gateway to these large organizations,
their systems, operations and data.
It has been reported that
software supply chain attacks in 2021 grew by more than 300%
compared to the previous year
and that growth is expected to continue in the coming years.
One of the associated risks
lies in the ever-increasing migration of data and services to the cloud,
especially clouds belonging to a small number of providers.
If a single product or service then fails,
there could be too many victims to count.
By the way,
remember that
the responsibility for security incidents in the cloud
is not what many people think.
Deepfake
Advances in artificial intelligence (AI),
contrary to what was initially intended,
will continue to spell trouble.
Deepfake is the use of AI
for the creation and modification of audio and visual content
with false narratives that appear to come from reliable or authentic sources.
Even though it started with,
for instance,
playful or recreational uses,
it is true that today it’s beginning to enter the dark side
for immoral purposes.
This is an increasingly accessible technology,
even for people with low technical knowledge.
Well-crafted audiovisual content
(with large amounts of data to support algorithm accuracy)
can give rise to captivating narratives
and make social engineering attacks even more effective.
With the inclusion of deepfakes in cyberattacks,
the threat we will be able to notice over time
is the dissemination of information
aimed at manipulating people’s opinions about others
or even obtaining financial resources from them and organizations.
Pretending to be the CEO of a company in a virtual meeting
or sending a cloned voice message
can deceive employees in order to extract sensitive information or funds from them,
for example.
This use of AI is of increasing concern
as it can lead to more sophisticated cybercrime.
As Security Week shared,
“Deepfakes,
left unchecked,
are set to become the cybercriminals’ next big weapon.”
More worryingly,
it seems that deepfake detection mechanisms are lagging behind.
Internet of Things (IoT)
We had already mentioned in 2020
how worrying the growing number of IoT devices was becoming
and,
with it,
“the copious number of entry points
that will become available to cyberattacks.”
These devices
(e.g., sensors, scanners, vehicles, cameras, fitness watches),
beyond standard devices such as computers and smartphones,
will bring more opportunities for cybercriminals in 2023.
This will be because they tend to have fewer security controls
than those other devices
and thus expand the attack surface.
In concrete figures,
some expect that,
in the next five years,
there will be more than 64 billion IoT devices
deployed and connected in the world.
(Other sources
do not give such high numbers;
could it be due to a misunderstanding of what the IoT concept includes?)
Their increased presence means increased risk.
Their high prevalence as targets for cyberattacks
is expected to be a trend in the coming year.
Education and government
For the first half of this year globally,
according to a Check Point report,
the six industries
with the highest average number of attacks per organization every week
were education/research,
government/military,
ISP/MSP,
communications, healthcare and finance/banking.
The first two industries have been proving very attractive to threat actors
and are expected to remain so in 2023.
In the education sector,
the growth of online learning due to the pandemic
has been a partial influence.
Although face-to-face classes have been picking up this year,
the success of attacks against schools may mean that
they remain attractive targets.
In fact,
it has been pointed out
for some time now
how ill-prepared schools are to deal with cybersecurity risks.
System restoration or return of sensitive data
is what cybercriminals often offer in exchange for money from schools
which,
unlike,
for example,
commercial companies,
have been investing poorly in prevention and defense.
We were just writing this post
when we found out from The Record
that North Idaho College was forced to temporarily shut down its networks
due to a cyberattack.
In the government sector,
there will continue to be an influence
largely from the ongoing cyberwar
that has paralleled the nefarious and still active Russian invasion of Ukraine.
We will surely witness more attacks by hacker groups
linked to these governments
seeking to achieve high political as well as economic impact.
Recorded Future speaks of Russian influence networks
that are practicing narrative manipulation operations
with the objectives of weakening and dividing the Western coalition
that favors Ukraine.
These networks seek to modify the positions of the European populations
so that they are instead in favor of Russia,
suggesting,
for example,
that the governments of the coalition are responsible
for the economic difficulties that their populations are going through.
Recorded Future further states that
this is expected to continue until the war’s end
and may even affect future political elections.
Preventive measures
In essence,
the trends in prevention for the coming year are likely to remain
the same as those that have been useful so far
in dealing with the recognized threat landscape.
There will undoubtedly be more predisposition
to implement and mature cybersecurity in organizations.
Already in our recent post on trends
that had a place in 2022,
we discussed the implementation of DevSecOps,
emphasizing the integration of security
from the beginning of product development
(“shift to the left” approach).
We mentioned controls such as multi-factor authentication,
which will continue to be in vogue,
often in addition to creating and using complicated passwords
to be constantly modified and maintained in password managers.
And we also referred to the identification of risk
in third-party software components,
for which it’s prudent to start with the generation
of a “software bill of materials”
or detailed inventory of resources and dependencies used.
(Something that we will,
in fact,
be implementing in Fluid Attacks' SCA scans
in the near future.)
So it will definitely remain crucial for organizations
to achieve optimal recognition of their components,
interconnecting systems
(including IoT devices and remote working equipment,
of course)
and assets.
They must also identify why the latter may be attractive to threat actors.
From there,
they must seek to understand what risks they face
and how they may be vulnerable.
Human and technological vulnerabilities then come into question.
As we already know,
it has become very attractive for attackers to manipulate the human factor
in order to infiltrate organizations’ systems.
And this will continue to be the case.
By 2023,
therefore,
the recommendation and implementation of cybersecurity training
for the staff of organizations
will remain trends.
Yes, training.
It’ll always be necessary to go beyond awareness.
It’s not just about recognizing the existence of a problem.
It’s about learning methods for dealing with threats and crises.
The training must be part of security plans,
which include other prevention strategies,
incident response methods and strengthening of defenses.
According to a survey conducted by UpCity,
only 50% of small businesses in the U.S.
had a cybersecurity plan for this year.
Nonetheless,
incidents continue to make organizations aware
that cybersecurity is an area in which they need to invest.
And as we mentioned at the beginning,
the investment will grow.
As Gartner says,
cloud security is expected to be the strongest growth category
in the next two years.
In addition,
the demand for technology that facilitates secure remote and hybrid work
will continue to grow.
With the prevalence of remote and hybrid practices,
adopting a zero-trust approach,
where restricting access and verifying everything is at the core,
will continue to be a trend.
It is prudent to remember that
security threats can also be inside each organization.
As Gartner says,
in network security,
the transition from virtual private networks (VPNs)
to zero trust network access (ZTNA)
is expected to keep increasing.
In this product or service,
as they share in their glossary,
“The applications are hidden from discovery,
and access is restricted via a trust broker
to a set of named entities.
The broker verifies the identity,
context and policy adherence of the specified participants
before allowing access
and prohibits lateral movement elsewhere in the network.
This removes application assets from public visibility
and significantly reduces the surface area for attack.”
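The broker behavior in the glossary definition above can be sketched as a default-deny decision function that checks named entity, identity and context, and issues a grant scoped to a single application. This is an added example, not code from Gartner or Fluid Attacks; the policy, users, countries and application names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: per application, the named entities and required context.
POLICY = {
    "payroll": {"entities": {"alice@example.com"},
                "managed_device": True, "countries": {"CO", "US"}},
    "wiki": {"entities": {"alice@example.com", "bob@example.com"},
             "managed_device": False, "countries": {"CO", "US", "DE"}},
}

@dataclass(frozen=True)
class Request:
    user: str              # identity asserted by the identity provider
    mfa_passed: bool       # identity verification result
    device_managed: bool   # context: device posture
    country: str           # context: location
    app: str               # application the user asks for

@dataclass(frozen=True)
class Decision:
    allowed: bool
    grant: frozenset       # applications this session may reach
    reason: str            # kept in the broker log only

def broker_decide(req: Request) -> Decision:
    """Default deny; every check must pass before access is brokered."""
    def deny(reason):
        return Decision(False, frozenset(), reason)
    rule = POLICY.get(req.app)
    if rule is None:
        return deny("unknown application")
    if req.user not in rule["entities"]:
        return deny("not a named entity")
    if not req.mfa_passed:
        return deny("identity not verified")
    if rule["managed_device"] and not req.device_managed:
        return deny("device posture")
    if req.country not in rule["countries"]:
        return deny("location outside policy")
    # The grant names one application only: no network-wide access.
    return Decision(True, frozenset({req.app}), "policy satisfied")

def client_view(decision: Decision) -> str:
    """What the requester sees: no reason, so hidden apps stay hidden."""
    return "connected" if decision.allowed else "denied"

def reachable(decision: Decision, app: str) -> bool:
    """Lateral movement check: only apps in the grant are reachable."""
    return decision.allowed and app in decision.grant
```

A requester who is not a named entity gets the same answer for an existing application as for one that does not exist, which is what keeps the applications hidden from discovery.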
On another point regarding technology,
artificial intelligence will continue to be quite useful
in the development of automated security systems.
Among them will be threat and incident detection and reporting systems
that achieve pattern recognition thanks to evolving databases.
This same pattern recognition process will continue to be used
in Fluid Attacks
but for detecting files or components
most likely to contain security issues
and thus optimize the assessments
by our ethical hackers and tools.
Indeed,
vulnerability detection tools will keep proliferating in the market.
It should be clear that
owning such solutions without clearly defined strategies
can lead many organizations to end up cluttered with technology
with duplicated functionality
and lots of scattered data,
including many false positives.
At Fluid Attacks,
we will continue to see human intervention as necessary in security testing.
In the long term,
manual penetration testing
and red teaming
will still be highly valued due to their effectiveness.
Don’t forget the former is a requirement today
in standards such as PCI DSS
and the latter in frameworks such as TIBER-EU.
In 2023,
we will continue recommending a combination of manual and automated methods.
While the latter delivers vulnerability reports at high speed,
it focuses on known vulnerabilities,
often superficial,
and brings with it high false positive and false negative rates.
Manual work is essential for greater accuracy and scope.
As we stated in our previous State of Attacks report
(and perhaps we’ll do so in the next one),
in a whole year of security testing,
the manual intervention of our ethical hackers was indispensable
for identifying all vulnerabilities of critical severity
in our targets of evaluation.
Next year,
we will continue recommending that
you keep your applications or other IT systems
under continuous assessment as a preventive measure.
Use our Continuous Hacking service,
and don’t let threat actors catch you by surprise in 2023
(or even right now).
Do you want to be part of the trend in cybersecurity implementation?
Get started now for free!
Try our 21-day free trial,
in which our tools will detect vulnerabilities in your software
and report them in our Attack Resistance Management platform (ARM).
The main goal is for you
to achieve early remediation of these security issues
so that you can ensure security
for your organization and your users.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/what-trends-to-expect-for-2023/

