This past year was an impactful one across the cyber threat landscape. Ransomware continued to dominate the conversation as organizations of all sizes and industries suffered disruptions, often in a visible and public manner.
The war in Ukraine provided visible examples of a government leveraging both its official and unofficial cyber resources, with Russia using advanced intrusion groups, a larger cybercriminal ecosystem and a varied misinformation apparatus. All of these entities conducted a wide range of malicious cyber activities from destructive attacks, to espionage intrusions, to information operations.
More traditional threats also continued to impact organizations across the globe. Business email compromise remained one of the most financially damaging crimes. Cybercriminals discovered new ways to monetize their efforts while still leveraging tried and true methods. Various government organizations conducted wide-ranging activities to track individuals or steal intellectual property.
On top of all of this activity, some of the most high-profile intrusions were conducted by low-level actors like Lapsus$.
In short, 2022 provided virtually every type of possible malicious cyber event, as well as the highest-ever volume of intrusions.
So, what might we expect for cybersecurity in 2023? Here are five predictions:
2023 cybersecurity: Ransomware will shift its primary focus away from encryption
In 2022, we saw a demonstrable rise in ransomware events that combined data theft with encryption. While this wasn’t new to 2022, attackers’ preference for varied extortion options became much clearer. This trend is likely to accelerate in 2023, along with a growing focus on data destruction, including a renewed focus on targeting data backups. These increases are likely to be matched by a corresponding decrease in encryption events.
Why is this likely to happen? Three reasons are at play.
First, technology and shared best practices are improving ransomware victims’ ability to recover their data without having to pay the attacker for a decryptor. Tied to this, multiple public discussions have revealed that paying for decryptors often results in lost data or follow-on ransom demands, which is why the FBI recommends against paying the ransom.
Secondly, cybercriminals have realized that the “hack and leak” component of a ransomware event provides a second extortion option or subsequent way to monetize their efforts. This becomes more pronounced as regulations and governance requirements become more commonplace.
Thirdly, it takes more technical work to make an effective encryption/decryption tool compared to stealing data and then choosing a range of methods to corrupt victim data. It’s likely a lower technical lift for ransomware actors to steal data, offer to “sell it back,” and if not, threaten to publicly leak the data or sell to other malicious actors. At the same time, data destruction can place an extreme stress on the victim, which acts in the cybercriminal’s favor.
The most impactful intrusion vector will be SSO abuse
As more organizations move to single sign-on (SSO) architectures — particularly as an effective way to manage hybrid environments — malicious actors are realizing that this is the best and most effective route to access victims. This past year saw multiple high-profile intrusions leveraging malicious SSO use combined with multi-factor authentication (MFA) abuse, which in turn is likely to accelerate this shift.
Malicious SSO use can be difficult to detect and respond to without effective safeguards in place. These added challenges for defenders create visibility gaps that malicious actors use to evade detection. While malicious SSO use, particularly combined with MFA abuse, is unlikely to be the highest-volume threat vector, it provides significant access and the potential to remain undetected across an enterprise. Based on these combined factors, the most impactful intrusions of 2023 will combine these techniques.
Low-level actors will produce high-level impacts
The threat landscape continues to become more varied and diverse with each passing year. These changes are providing more capability for entry-level threat actors. The increased capability, in turn, produces much more substantive impacts to their targets.
In the past, malicious threat actors had to conduct virtually all technical and monetization actions on their own. This technical standard, while not preventing all impacts, did effectively place some restraints on different threat actors. But that technical requirement is being largely replaced by an effective “intrusion gig economy” where tools, access, or malicious services can be purchased.
This is combined with a growing list of highly capable offensive security tools being leveraged for malicious purposes. Finally, 2022 provided significant media coverage for low-level actors producing large impacts to mature organizations. These combined factors are likely to produce more impactful intrusions in 2023 from threat actors with lower technical skill levels than in any previous year.
Malicious actors learning cloud intrusions provide cybersecurity detection opportunities
As organizations continue transitioning more of their operations to the cloud and SaaS applications, malicious actors must follow this migration. Put simply, intrusions will have to occur where victims run their operations and host their architecture. These transitions place significant strain on IT staff and often present stumbling blocks or lack of visibility. That’s the bad news.
The good news is threat actors have to make the same transition and stumble through cloud-native aspects of their work, as well. This presents several robust detection opportunities based on potential errors in their tools and methods, lack of understanding of cloud/SaaS fundamentals or challenges moving across a hybrid environment.
New regulations will accentuate the cyber poverty line
The cyber poverty line is a threshold dividing all organizations into two distinct categories: those that are able to implement essential cybersecurity measures and those that are unable to meet those same measures. The term was coined by Wendy Nather, head of advisory CISOs at Cisco, and is often used when discussing budgets, security architectures and institutional capabilities.
As multiple new government regulations and policies roll out globally, the number of requirements on every organization is growing at a rate requiring significant resources and capabilities. As one example, the new US Strengthening American Cybersecurity Act signed in 2022 creates reporting requirements and coordination with government institutions. As another example, Gartner estimates that by the end of 2024, more than 75% of the global population will be covered by some form of digital privacy regulations.
While these regulatory efforts will undoubtedly produce positive results, a large number of organizations will struggle to implement, comply with, or even understand these same cybersecurity efforts. This is sure to increase the gap between organizations above and below the cyber poverty line instead of reducing the difference. This same growing distance is likely to also carry over into cyber insurance and related areas.
As these five predictions show, 2023 is certain to be as action-packed a year in cybersecurity as 2022 was. Fasten your seat belts.
Steven Stone is head of Rubrik Zero Labs at Rubrik.