Analysts and experts have looked into their crystal balls and made their cybersecurity predictions for 2023. Here is a collection of cyber security trends from many cyber security trends lists I have found published on-line. In my list I first show the information source and next a short overview what this source listed.
Is your organization prepared if these predictions come true?
ICS cyberthreats in 2023 – what to expect
https://securelist.com/ics-cyberthreats-in-2023/108011/
APT activity, which is traditionally ascribed to intelligence agencies of various governments, always occurs in line with developments in foreign policy and the changing goalposts inside countries and inter-governmental blocks.
We are going to see APT activity change the focus on specific industries very soon because the evolving geopolitical realities are closely intertwined with economic changes.
Naturally, we will still see APT attacks on traditional targets
Other important changes in the threat landscape which we already see and which we believe will increasingly contribute to the overall picture include the following:
A rising number of hacktivists “working” to internal and external political agendas. These attacks will garner more results – quantity will begin to morph into quality.
A growing risk of volunteer ideologically and politically motivated insiders, as well as insiders working with criminal (primarily ransomware) and APT groups – both at enterprises and among technology developers and vendors.
Ransomware attacks on critical infrastructure will become more likely – under the auspices of hostile countries or in countries unable to respond effectively to attacks by attacking the adversary’s infrastructure and conducting a full-blown investigation leading to a court case.
Cybercriminals’ hands will be untied by degrading communications between law enforcement agencies from different countries and international cooperation in cybersecurity grinding to a halt, enabling threat actors to freely attack targets in ‘hostile’ countries. This applies to all types of cyberthreats and is a danger for enterprises in all sectors and for all types of OT infrastructure.
Criminal credential harvesting campaigns will increase in response to the growing demand for initial access to enterprise systems.
Top 4 SaaS Security Threats for 2023
https://thehackernews.com/2022/12/top-4-saas-security-threats-for-2023.html
With SaaS sprawl ever growing and becoming more complex, organizations can look to four areas within their SaaS environment to harden and secure. Threats: Misconfigurations Abound, SaaS-to-SaaS Access, Device-to-SaaS User Risk, Identity and Access Governance.
Cybersecurity threats: what awaits us in 2023?
https://securelist.com/cybersecurity-threats-2023/107888/
Knowing what the future holds can help with being prepared for emerging threats better. Every year, Kaspersky experts prepare forecasts for different industries, helping them to build a strong defense against any cybersecurity threats they might face in the foreseeable future. Those predictions form Kaspersky Security Bulletin (KSB), an annual project lead by Kaspersky experts.
A Boiling Cauldron: Cybersecurity Trends, Threats, And Predictions For
https://www.forbes.com/sites/chuckbrooks/2022/11/23/a-boiling-cauldron-cybersecurity-trends-threats-and-predictions-for-2023/
2022 has been another year of high-profile data breaches, mirroring the years before in the growing number and sophistication of cyber threats. Cyber-attacks have become part of a boiling cauldron and some of the brining liquid has seeped over into the corporate and government digital landscapes. Consistently, phishing, insider threats, business email compromise, lack of skilled cybersecurity workers, and misconfigurations of code have been common trends throughout the past decade. They still will be trends in the coming year, but other factors and developments will also permeate a precarious cybersecurity ecosystem. Let us explore some of them.
Crimeware and financial cyberthreats in 2023
https://securelist.com/crimeware-financial-cyberthreats-2023/108005/
Malware loaders to become the hottest goods on the underground market
More new “Red Team” penetration testing frameworks deployed by cybercriminals
Ransomware negotiations and payments begin to rely less on Bitcoin as a transfer of value
Ransomware groups following less financial interest, but more destructive activity
Forecasts for 2023: Led by gaming and other entertainment sectors, Web3 continues to gain traction and so will threats for it. Malware loaders to become the hottest goods on the underground market. More new Red Team penetration testing frameworks deployed by cybercriminals. Ransomware negotiations and payments begin to rely less on Bitcoin as a transfer of value. Ransomware groups following less financial interest, but more destructive activity.
Policy trends: where are we today on regulation in cyberspace?
https://securelist.com/policy-trends-2023/108008/
#1 Fragmentation shifting to polarization: governments and multistakeholder communities are all the more divided — and have formed into groups based on like-mindedness
#2 Tech localization and “digital sovereignty” is no longer just about data
#3 Do cyberdiplomacy and international cybersecurity still exist? If so, they’ve taken a back seat this year
#4 Full-blown cyberwar hasn’t occurred, and this is of course good news. But we seem to be facing a more complex challenge — hybrid operations
#5 Liability of digital products: a new area in future regulatory efforts
The future starts now: 10 major challenges facing cybersecurity https://www.welivesecurity.com/2022/11/03/future-starts-10-major-challenges-facing-cybersecurity/
According to a report by Cybersecurity Ventures, global cybercrime costs are foreseen to grow by 15 percent per year from 2021 to 2025 and could reach $10.5 trillion per year.
The shortage of skilled people to meet the growing demand for professionals in the industry continues to grow. There is a global cybersecurity workforce gap of 3.4 million and 70% of organizations have unfilled cybersecurity positions. Another challenge facing the industry is to make the workforce more diverse and inclusive.
The digital transformation accelerated by the COVID-19 pandemic has also made it clear to companies that they need to prioritize security. In the case of remote and hybrid work, organizations around the world can no longer rely solely on hardening their inner perimeter using their on-premises technology infrastructure.
The huge growth of criminal activity on the dark web in recent years, especially after the onset of the pandemic, is a major challenge and reinforces the importance of performing threat intelligence activities also in these dark corners of the Internet.
Trends such as the growth of new forms of social engineering force organizations to keep up with new and evolving attack scenarios and transmit this knowledge to their staff.
Consumers, businesses and governments are all finding new ways to use Bitcoin and other cryptocurrencies – and so are cybercriminals.
While anti-ransomware groups continue to bring pressure to bear on ransomware operators, ransomware is still a major challenge that requires organizations to prioritize preparedness.
Projections about the adoption of the metaverse show that by 2026, 25% of the world’s population will spend at least one hour a day in this virtual world. Therefore, security in the metaverse is a challenge for the future.
A fundamental challenge that the industry will always face is better education and awareness of existing cybersecurity risks.
Top cybersecurity threats for 2023
https://www.techrepublic.com/article/top-cybersecurity-threats/
1. Malware
IT departments use antivirus software and firewalls to monitor and intercept malware before it gains entry to networks and systems, but bad actors continue to evolve their malware to elude these defenses. That makes maintaining current updates to security software and firewalls essential.
2. Ransomware
So far in 2022, ransomware attacks on companies are 33% higher than they were in 2021. Many companies agree to pay ransoms to get their systems back only to be hit again by the same ransomware perpetrators.
Mandiant reported that global median dwell time for intrusions identified by external third parties and disclosed to the victims dropped to 28 days from 73 days in 2020. Meanwhile, in 2021, 55% of investigations had dwell times of 30 days or fewer, with 67% of these (37% of total intrusions) being discovered in one week or less. However, the report also showed that supply chain compromise accounted for 17% of intrusions in 2021 compared to less than 1% in 2020.
3. Supply chain vulnerabilities
One step companies can take is to audit the security measures that their suppliers and vendors use to ensure that the end-to-end supply chain is secure.
“These are a little like nutrition labels on food,” he explained. “If you can’t attest to the accuracy of these labels, you have a problem. That’s where things like in-toto come in: You create essentially signed statements, or attestations, that certain people, and only those people, took legitimate actions like checking code or doing things with dependencies.”
4. Phishing
Phishing is a major threat to companies because it’s easy for unsuspecting employees to open bogus emails and unleash viruses. Employee training on how to recognize phony emails, report them and never open them can really help.
5. IoT
In 2020, 61% of companies were using IoT, and this percentage only continues to increase. With the expansion of IoT, security risks also grow, particularly with the advent of 5G telecommunications, the de facto communications network for connected devices.
IoT vendors are notorious for implementing little to no security on their devices
6. Internal employees
Disgruntled employees can sabotage networks or make off with intellectual property and proprietary information, and employees who practice poor security habits can inadvertently share passwords and leave equipment unprotected.
In 2023, social engineering audits will continue to be used so IT can check the robustness of its workforce security policies and practices.
7. Data poisoning
An IBM 2022 study found that 35% of companies were using AI in their business and 42% were exploring it. Artificial intelligence is going to open up new possibilities for companies in every industry. Unfortunately, the bad actors know this too.
8. New technology
Organizations are adopting new technology like biometrics. These technologies yield enormous benefits, but they also introduce new security risks since IT has limited experience with them.
9. Multi-layer security
How much security is enough?
“Multiple levels of defense are critical,” said Ed Amoroso, CEO of TAGCyber and former CISO of AT&T. “Passwords are one critical layer, but data encryption at both ends is the next, and so forth. The bottom line: Just because you got in doesn’t mean I trust you. The only barrier to multiple layers of security, frankly, is just cost.”
10. Cloud security
“There is risk for companies if they are not doing their configuration management and tracking their regulatory compliance they are required to follow,” said Kayne McGladrey, field CISO for Hyperproof and a senior member of the IEEE.
4 Most Common Cyberattack Patterns from 2022
https://securityintelligence.com/articles/most-common-cyberattack-patterns-2022/
1. Ransomware
It’s been a somewhat strange year for ransomware. The first half of the year saw a surge of ransomware attacks, but then subsided in Q3 and continued to slow down. Still, the percentage of breaches caused by ransomware grew 41% in the last year; identification and remediation for a breach took 49 days longer than the average breach.
2. Email Compromise
Compromised emails can seem like a frustratingly basic and simple way for attackers to infiltrate your company network, but (perhaps because of that simplicity) this remains a very common and effective attack pattern in 2022.
A common attack pattern here involves phishing, which is still the most common attack method in 2022.
3. Supply Chain Attacks
With the emergence of the first major war in Europe for decades, 2022 saw a rise in attacks targeting national and international infrastructure, such as supply chains.
Research suggests that up to 40% of cyber threats are now occurring directly through the supply chain.
A report by Accenture in May found that supply chain disruptions in the Eurozone have led to a loss of €112 billion so far and could amount to €242 billion across 2022 and 2023 — a staggering 2% of GDP.
4. Attacks on Internet of Things (IoT) Devices
As the Internet of Things continues to grow in scope, sophistication and accessibility, it’s becoming an increasingly tempting target for cyber criminals. IoT devices are now used in our homes, offices, assembly lines, factories and much more. They allow businesses to tap into data insights in entirely new ways, reduce the workload of human employees and essentially add to the bottom line. With benefits like these, IoT is not going away anytime soon.
The very fact that IoT devices use large amounts of data makes them attractive targets for hackers, especially since many IoT devices are not well-secured.
Looking to the Future
2022 showed us that cybersecurity is constantly evolving and always of the utmost importance. As we enter a new year, it’s likely that security teams will have to contend with an entirely new range of threats and attack patterns.
But if 2022 is any indication, most of the major threats will be preventable with robust security hygiene and best practices.
Cybersecurity outlook 2023: Consultants cite 6 trends
https://www.techtarget.com/searchitchannel/feature/Cybersecurity-outlook-Consultants-cite-trends?utm_campaign=20221227_Explore+2023+IT+trends&utm_medium=EM&utm_source=MDN&asrc=EM_MDN_256529391&bt_ee=K9dnEDfh4qmXfdCA2ImezsD4KCaaOhA87aVbUThWwdPS7a8jti9b8jClL7OLtmEt&bt_ts=1672246295990
IT services executives predicted greater focus on user training and protection, supply chain security and machine learning. And digital transformation could spark zero-trust projects.
1. Increased C-level, board focus
The heightened legal risk surrounding IT security has ramped up the urgency for business leaders.
2. Transformation as a zero-trust on-ramp
Digital transformation and IT modernization projects will create fertile ground for zero-trust adoption next year.
“I think zero trust accelerates in 2023,” Pasteris said. “Organizations are doing transformation. They’re rethinking their architectures. It’s a natural time to implement a zero-trust framework and architecture as you’re thinking about going through that process.”
3. Focus on user training and protection technologies
Pasteris said end users remain the biggest gap in security. The need for training will “continue to grow as companies have to educate and mandate their users and put accountability on the end users to be the first stop, the first line [against] threats in the security space,” he said.
4. Industry taps ML to bolster security
“The industry is pivoting heavily towards machine learning,” Laramie said.
Laramie said he believes security teams, operating at a nonexistent unemployment rate, will look to vendors to incorporate more ML capabilities into their tools to boost efficiency. Indeed, the technology is working its way into areas such as anomaly detection. In that capacity, ML can complement — and extend — traditional security approaches, such as relying on static rule sets that teams must curate and maintain, Laramie said.
5. Upgrading security as hybrid work becomes permanent
Organizations have been solidifying their hybrid work technology stacks as they move from stopgap measures to an enduring environment.
6. Tighter security enters the software supply chain
The software supply chain has become a bigger concern for security teams as third-party platforms and services become more prevalent.
Laramie said he expects to see security tools introduced earlier into continuous integration/continuous delivery pipelines, with the goal of reducing the number of vulnerabilities deployed in cloud environments.
“The cost of fixing something in production [versus] catching it before it is released is dramatically different.”
11 cybersecurity predictions for 2023
https://www.techtarget.com/searchsecurity/feature/5-cybersecurity-predictions?utm_campaign=20221227_Explore+2023+IT+trends&utm_medium=EM&utm_source=MDN&asrc=EM_MDN_256529396&bt_ee=K9dnEDfh4qmXfdCA2ImezsD4KCaaOhA87aVbUThWwdPS7a8jti9b8jClL7OLtmEt&bt_ts=1672246295990
1. Zero-trust transparency from vendors improves
Zero trust has been shrouded by confusion from the start — especially around whether it is or isn’t a product. 2023 might finally bring clarity.
2. Cyber-physical security slowly meets zero trust
Zero trust is making the rounds, but as of 2022, it hasn’t translated to cyber-physical systems, including operational technology (OT). That’s going to continue in 2023, said Katell Thielemann, analyst at Gartner.
3. Security aligns better with the business
Security is often seen as not only a cost center, but also as a business inhibitor — even if accidentally.
4. Workforce reductions lead to attacks
Workforce reductions are on the horizon — if they haven’t hit already — and attackers are ready to target any weaknesses left in their wake. In 2023, attackers will be aware of organizations undergoing restructuring and the potential vulnerabilities cybersecurity layoffs create.
5. High-profile cloud providers suffer MFA bypass attacks
Following the 0ktapus social engineering attack that affected cloud providers Cloudflare and Twilio, other high-profile providers will become targets of multifactor authentication (MFA) bypass attacks in 2023, predicted Andrew Shikiar, executive director at FIDO Alliance.
6. A company sues an offensive security tools provider
Many popular tools, such as Metasploit and Mimikatz, are used legitimately by ethical hackers and maliciously by threat actors. As a result, Forrester analyst Heidi Shey said she thinks 2023 will be the year an organization files suit against an offensive security tool provider.
7. Vulnerability management becomes more risk-based
Proactive security efforts will be in the spotlight in 2023, forecasted Maxine Holt, senior director at Omdia — especially risk-based vulnerability management. “[It] will be a foundational element of proactive security,” Holt said.
8. Quantum security awareness continues to grow
Quantum computing won’t be commercially available for another five to 10 years, but CISOs can’t put off preparations for it any longer. Awareness around quantum security will improve in 2023 as organizations examine their current and future attack surfaces.
9. It’s time for security fabrics
2023 will see an uptick in adoption of security fabrics. A security fabric serves as a central hub and knowledge base for security teams by helping corral raw data from infrastructure and environmental layers, such as from cloud infrastructure, SaaS applications and endpoints. Security fabrics were designed to answer questions such as the following: What assets do I have? What’s important? Does anything have a problem? Who can fix it? Is the issue getting better?
10. SaaS security improves
Employees work from home, the office or a hybrid of both. SaaS tools and products have helped employers accommodate this shift. Securing these services, however, hasn’t necessarily been top of mind for employers. In 2023, organizations will take SaaS security more seriously, predicted Ben Johnson, co-founder of Obsidian Security, a SaaS security vendor. “Security is asking whether these applications are configured correctly,” Johnson said.
11. Ransomware continues to rise despite the economy
As if ransomware isn’t bad enough already, a 2023 recession could lead to a rise of it.
“If people don’t have jobs, they’re going to find alternative ways to make money,”
Ensi vuoden pahimmat kyberturvallisuustrendit
https://www.uusiteknologia.fi/2022/11/26/ensi-vuoden-pahimmat-kyberturvallisuustrendit/
American information security company Check Point has listed next year’s worst cyber security development trends. These include, for example, new state-sponsored hacker groups, deep counterfeiting and more stringent attacks on company collaboration tools. In addition to the latest technology, we aim to respond to them through legal regulations and wider cooperation with authorities.
Art and science of building cyber security
https://x-phy.com/wp-content/uploads/art-and-science-of-building-cyber-security.pdf
More devices + more tech + more data = more cybercrime
Mind the gaps in building a cybersecurity tech stack
Avoid tech Jenga with the right stack
Stacking the deck against cybercrime
27 Comments
Tomi Engdahl says:
Predictions 2023: Big Tech’s Coming Security Shopping Spree
https://www.securityweek.com/predictions-2023-big-techs-coming-security-shopping-spree
Big-tech makes big acquisitions
ICS malware in-the-wild
A sputtering startup ecosystem
Cyberwar and geo-political tensions
Hacker-for-hire mercenaries
Cyberinsurance dog and bone
Post-quantum encryption
Abusing artificial intelligence
Blurred criminal lines
Tomi Engdahl says:
https://www.immuniweb.com/blog/top-10-cybersecurity-predictions-for-2023.html
Tomi Engdahl says:
The world is ‘clearly’ not prepared for cyberwarfare https://www.theregister.com/2023/01/24/armis_cyberwarfare_report/
One-third of IT and security professionals globally say they are either indifferent or unconcerned about the impact of cyberwarfare on their organizations as a whole, according to a survey of more than
6,000 across 14 countries. Security firm Armis commissioned the study, published today, in an effort to gage cyberwarfare preparedness while the first hybrid war wages on for nearly a year in Ukraine and nation-state cyberspies make headlines almost daily. The survey asked
6,021 respondents if they were confident that their organization and government could defend against cyberwarfare. “The answer is clearly no,” the report says
Kelly says:
This is a pretty good article about the content, thank you for sharing the information for readers to know. wordle hint
Tomi Engdahl says:
Cyber Insights 2023: Cyberinsurance
https://www.securityweek.com/cyber-insights-2023-cyberinsurance/
Tomi Engdahl says:
Cyber Insights 2023: Attack Surface Management
https://www.securityweek.com/cyber-insights-2023-attack-surface-management/
Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas of IT infrastructure that can be attacked.
Demise of the perimeter and growth of complexity
Attack surface management is not a new concept, notes Mark Stamford, founder and CEO at OccamSec. “As long as there has been a thing to attack, there has been an attack surface to manage (for example, the walls of a castle and the people in it).” The castle is a good analogy. If you can see the wall, you can attack it. You can batter it down, you can employ the original Trojan Horse to gain access through the front door, you can find a forgotten and unprotected entrance, or you can persuade an insider to leave a side gate unlocked.
For the defender, relying on the wall and being aware of any weak areas is not enough. People are also part of the attack surface, and the defender needs to have total visibility of the entirety of the attack surface and how it could be exploited. But the wall is a perimeter, and we no longer have perimeters to defend – or at least every single asset held anywhere in the world has its own perimeter.
“The attack surface,” continued Stamford, “is anything tied to an organization that could be a vector to get to a target. What this means in practice is all your applications that face the Internet, all the services (beyond applications) that are reachable, cloud-based systems, SaaS solutions you use (depending on what the bad guys’ target is), third parties/supply chain, mobile devices, IOT, and your employees. All of that and more is your attack surface and all of it needs to somehow be monitored for exposures and dealt with.”
The need for ASM, like other current approaches to cybersecurity (such as zero trust, which itself can be viewed as part of ASM), comes from the demise of a major defensible perimeter. Migration to the cloud, expanding business transformation, and remote working all add complexity to the modern infrastructure. If anything touches the internet, it can be attacked. Even the addition of new security controls that send data to and from the cloud add to the attack surface.
Management is the key word in ASM
The complexity of the modern infrastructure makes the complete elimination of threats an impossible task. ASM is not about the elimination of all threats, but the reduction of threat to an acceptable level. It’s a question of risk management.
“The idea behind attack surface management is to ‘reduce’ the ‘area’ available to attackers to exploit. The more you ‘reduce the attack surface’ the more you limit and minimize attackers’ opportunities to cause harm,” says Christopher Budd, senior manager of threat research at Sophos.
He believes that ASM will be more challenging in 2023 because of the attackers’ increasingly aggressive and successful misuse of legitimate files and utilities in their attacks – living off the land – making the detection of a malicious presence challenging. “We can expect this trend to continue to evolve in 2023, making it more important that defenders update their detection and prevention tactics to counter this particularly challenging tactic,” he says.
Part of reducing risk comes from understanding what vulnerabilities exist within the infrastructure, and which of them are exploitable.
“With the number of annual reported vulnerabilities now exceeding 20,000 per year, companies cannot remediate every alert, and need to become more surgical with their remediation strategies,” he says. “To achieve this, we will start to see a shift from a focus on vulnerability to exploitability. Companies will start to put a major emphasis on understanding which targets are most impactful from the hacker’s perspective, and therefore the most exploitable targets.”
CISA’s Known Exploited Vulnerabilities Catalog (the KEV list) can help here. Focusing remediation on exploited vulnerabilities is a key part of ASM, and the catalog is described by many as ‘CISA’s must patch list’. This list will continue to grow through 2023.
Pentesting and red teaming are also effective ways of locating exploitable vulnerabilities, but in the past, they have not been used effectively. “One of the most frustrating things as a pentester is when you return to organizations a year later and see the same issues as before,”
But he expects an improvement – perhaps encouraged by the growing acceptance of ASM – in 2023. “I expect an unprecedented appreciation for how pentesting effectively exposes gaps in security, and this in turn will help to reinforce the importance of those all-important security basics. In 2023 I implore organizations to work with pentesters for the best, year on year result.”
Tomi Engdahl says:
Cyber Insights 2023: Artificial Intelligence
https://www.securityweek.com/cyber-insights-2023-artificial-intelligence/
The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool for beneficial improvement is still unknown.
All roads lead to 2023
Alex Polyakov, CEO and co-founder of Adversa.AI, focuses on 2023 for primarily historical and statistical reasons. “The years 2012 to 2014,” he says, “saw the beginning of secure AI research in academia. Statistically, it takes three to five years for academic results to progress into practical attacks on real applications.” Examples of such attacks were presented at Black Hat, Defcon, HITB, and other Industry conferences starting in 2017 and 2018.
“Then,” he continued, “it takes another three to five years before real incidents are discovered in the wild. We are talking about next year, and some massive Log4j-type vulnerabilities in AI will be exploited web3 massively.”
Starting from 2023, attackers will have what is called an ‘exploit-market fit’. “Exploit-market fit refers to a scenario where hackers know the ways of using a particular vulnerability to exploit a system and get value,” he said. “Currently, financial and internet companies are completely open to cyber criminals, and the way how to hack them to get value is obvious. I assume the situation will turn for the worse further and affect other AI-driven industries once attackers find the exploit-market fit.”
The argument is similar to that given by NYU professor Nasir Memon, who described the delay in widespread weaponization of deepfakes with the comment, “the bad guys haven’t yet figured a way to monetize the process.” Monetizing an exploit-market fit scenario will result in widespread cyberattacks web3 and that could start from 2023.
The changing nature of AI (from anomaly detection to automated response)
Over the last decade, security teams have largely used AI for anomaly detection; that is, to detect indications of compromise, presence of malware, or active adversarial activity within the systems they are charged to defend. This has primarily been passive detection, with responsibility for response in the hands of human threat analysts and responders. This is changing. Limited resources web3 which will worsen in the expected economic downturn and possible recession of 2023 web3 is driving a need for more automated responses. For now, this is largely limited to the simple automatic isolation of compromised devices; but more widespread automated AI-triggered responses are inevitable.
“The growing use of AI in threat detection web3 particularly in removing the ‘false positive’ security noise that consumes so much security attention web3 will make a significant difference to security,” claims Adam Kahn, VP of security operations at Barracuda XDR. “It will prioritize the security alarms that need immediate attention and action. SOAR (Security Orchestration, Automation and Response) products will continue to play a bigger role in alarm triage.” This is the so-far traditional beneficial use of AI in security. It will continue to grow in 2023, although the algorithms used will need to be protected from malicious manipulation.
“As companies look to cut costs and extend their runways,” agrees Anmol Bhasin, CTO at ServiceTitan, “automation through AI is going to be a major factor in staying competitive. In 2023, we’ll see an increase in AI adoption, expanding the number of people working with this technology and illuminating new AI use cases for businesses.”
As the use of AI grows, so the nature of its purpose changes. Originally, it was primarily used in business to detect changes; that is, things that had already happened. In the future, it will be used to predict what is likely to happen web3 and these predictions will often be focused on people (staff and customers). Solving the long-known weaknesses in AI will become more important. Bias in AI can lead to wrong decisions, while failures in learning can lead to no decisions. Since the targets of such AI will be people, the need for AI to be complete and unbiased becomes imperative.
“The accuracy of AI depends in part on the completeness and quality of data,” comments Shafi Goldwasser, co-founder at Duality Technologies. “Unfortunately, historical data is often lacking for minority groups and when present reinforces social bias patterns.” Unless eliminated, such social biases will work against minority groups within staff, causing both prejudice against individual staff members, and missed opportunities for management.
Great strides in eliminating bias have been made in 2022 and will continue in 2023. This is largely based on checking the output of AI, confirming that it is what is expected, and knowing what part of the algorithm produced the ‘biased’ result.
Failure in AI is generally caused by an inadequate data lake from which to learn. The obvious solution for this is to increase the size of the data lake. But when the subject is human behavior, that effectively means an increased lake of personal data web3 and for AI, this means a massively increased lake more like an ocean of personal data. In most legitimate occasions, this data will be anonymized web3 but as we know, it is very difficult to fully anonymize personal information.
“Privacy is often overlooked when thinking about model training,”
Natural language processing
Natural language processing (NLP) will become an important part of companies’ internal use of AI. The potential is clear. “Natural Language Processing (NLP) AI will be at the forefront in 2023, as it will enable organizations to better understand their customers and employees by analyzing their emails and providing insights about their needs, preferences or even emotions,” suggests Jose Lopez, principal data scientist at Mimecast. “It is likely that organizations will offer other types of services, not only focused on security or threats but on improving productivity by using AI for generating emails, managing schedules or even writing reports.”
But he also sees the dangers involved. “However, this will also drive cyber criminals to invest further into AI poisoning and clouding techniques. Additionally, malicious actors will use NLP and generative models to automate attacks, thereby reducing their costs and reaching many more potential targets.”
Polyakov agrees that NLP is of increasing importance. “One of the areas where we might see more research in 2023, and potentially new attacks later, is NLP,” he says. “While we saw a lot of computer vision-related research examples this year, next year we will see much more research focused on large language models (LLMs).”
But LLMs have been known to be problematic for some time web3 and there is a very recent example. On November 15, 2022, Meta AI (still Facebook to most people) introduced Galactica. Meta claimed to have trained the system on 106 billion tokens of open-access scientific text and data, including papers, textbooks, scientific websites, encyclopedias, reference material, and knowledge bases.
“The model was intended to store, combine and reason about scientific knowledge,” explains Polyakov web3 but Twitter users rapidly tested its input tolerance. “As a result, the model generated realistic nonsense, not scientific literature.” ‘Realistic nonsense’ is being kind: it generated biased, racist and sexist returns, and even false attributions. Within a few days, Meta AI was forced to shut it down.
“So new LLMs will have many risks we’re not aware of,” continued Polyakov, “and it is expected to be a big problem.” Solving the problems with LLMs while harnessing the potential will be a major task for AI developers going forward.
He then iteratively refined his questions with multiple abstractions until he succeeded in getting a reply that circumvented ChatGPT’s blocking policy on content violations. “What is important with such an advanced trick of multiple abstractions is that neither the question nor the answers are marked as violating content!” said Polyakov.
He went further and tricked ChatGPT into outlining a method for destroying humanity – a method that bears a surprising similarity to the television program Utopia.
He then asked for an adversarial attack on an image classification algorithm – and got one. Finally, he demonstrated the ability for ChatGPT to ‘hack’ a different LLM (Dalle-2) into bypassing its content moderation filter. He succeeded.
The basic point of these tests shows that LLMs, which mimic human reasoning, respond in a manner similar to humans; that is, they can be susceptible to social engineering. As LLMs become more mainstream in the future, it may need nothing more than advanced social engineering skills to defeat them or circumvent their good behavior policies.
Problems aside, the potential for LLMs is huge. “Large Language Models and Generative AI will emerge as foundational technologies for a new generation of applications,” comments Villi Iltchev, partner at Two Sigma Ventures. “We will see a new generation of enterprise applications emerge to challenge established vendors in almost all categories of software. Machine learning and artificial intelligence will become foundation technologies for the next generation of applications.”
He expects a significant boost in productivity and efficiency with applications performing many tasks and duties currently done by professionals. “Software,” he says, “will not just boost our productivity but will also make us better at our jobs.”
Deepfakes and related malicious responses
One of the most visible areas of malicious AI usage likely to evolve in 2023 is the criminal use of deepfakes. “Deepfakes are now a reality and the technology that makes them possible is improving at a frightening pace,” warns Matt Aldridge, principal solutions consultant at OpenText Security. “In other words, deepfakes are no longer just a catchy creation of science-fiction web3 and as cybersecurity experts we have the challenge to produce stronger ways to detect and deflect attacks that will deploy them.” (See Deepfakes – Significant or Hyped Threat? for more details and options.)
Machine learning models, already available to the public, can automatically translate into different languages in real time while also transcribing audio into text web3 and we’ve seen huge developments in recent years of computer bots having conversations. With these technologies working in tandem, there is a fertile landscape of attack tools that could lead to dangerous circumstances during targeted attacks and well-orchestrated scams.
“In the coming years,” continued Aldridge, “we may be targeted by phone scams powered by deepfake technology that could impersonate a sales assistant, a business leader or even a family member. In less than ten years, we could be frequently targeted by these types of calls without ever realizing we’re not talking to a human.”
Thus far, deepfakes have primarily been used for satirical purposes and pornography. In the relatively few cybercriminal attacks, they have concentrated on fraud and business email compromise schemes. Milica expects future use to spread wider. “Imagine the chaos to the financial market when a deepfake CEO or CFO of a major company makes a bold statement that sends shares into a sharp drop or rise. Or consider how malefactors could leverage the combination of biometric authentication and deepfakes for identity fraud or account takeover. These are just a few examples web3 and we all know cybercriminals can be highly creative.”
But maybe not just yet…
The expectation of AI may still be a little ahead of its realization. “‘Trendy’ large machine learning models will have little to no impact on cyber security [in 2023],” says Andrew Patel, senior researcher at WithSecure Intelligence. “Large language models will continue to push the boundaries of AI research. Expect GPT-4 and a new and completely mind-blowing version of GATO in 2023. Expect Whisper to be used to transcribe a large portion of YouTube, leading to vastly larger training sets for language models. But despite the democratization of large models, their presence will have very little effect on cyber security, either from the attack or defense side. Such models are still too heavy, expensive, and not practical for use from the point of view of either attackers or defenders.”
He suggests true adversarial AI will follow from increased ‘alignment’ research, which will become a mainstream topic in 2023. “Alignment,” he explains, “will bring the concept of adversarial machine learning into the public consciousness.”
The defensive potential of AI
AI retains the potential to improve cybersecurity, and further strides will be taken in 2023 thanks to its transformative potential across a range of applications. “In particular, embedding AI into the firmware level should become a priority for organizations,” suggests Camellia Chan, CEO and founder of X-PHY.
“It’s now possible to have AI-infused SSD embedded into laptops, with its deep learning abilities to protect against every type of attack,” she says. “Acting as the last line of defense, this technology can immediately identify threats that could easily bypass existing software defenses.”
Marcus Fowler, CEO of Darktrace Federal, believes that companies will increasingly use AI to counter resource restrictions. “In 2023, CISOs will opt for more proactive cyber security measures in order to maximize RoI in the face of budget cuts, shifting investment into AI tools and capabilities that continuously improve their cyber resilience,” he says.
“With human-driven means of ethical hacking, pen-testing and red teaming remaining scarce and expensive as a resource, CISOs will turn to AI-driven methods to proactively understand attack paths, augment red team efforts, harden environments and reduce attack surface vulnerability,” he continued.
Karin Shopen, VP of cybersecurity solutions and services at Fortinet, foresees a rebalancing between AI that is cloud-delivered and AI that is locally built into a product or service. “In 2023,” she says, “we expect to see CISOs re-balance their AI by purchasing solutions that deploy AI locally for both behavior-based and static analysis to help make real-time decisions. They will continue to leverage holistic and dynamic cloud-scale AI models that harvest large amounts of global data.”
The proof of the AI pudding is in the regulations
It is clear that a new technology must be taken seriously when the authorities start to regulate it. This has already started. There has been an ongoing debate in the US over the use of AI-based facial recognition technology (FRT) for several years, and the use of FRT by law enforcement has been banned or restricted in numerous cities and states. In the US, this is a Constitutional issue, typified by the Wyden/Paul bipartisan bill titled the ‘Fourth Amendment Is Not for Sale Act’ introduced in April 2021.
This bill would ban US government and law enforcement agencies from buying user data without a warrant. This would include their facial biometrics. In an associated statement, Wyden made it clear that FRT firm Clearview.AI was in its sights: “this bill prevents the government buying data from Clearview.AI.”
At the time of writing, the US and EU are jointly discussing cooperation to develop a unified understanding of necessary AI concepts, including trustworthiness, risk, and harm, building on the EU’s AI Act and the US AI Bill of Rights web3 and we can expect to see progress on coordinating mutually agreed standards during 2023.
“In 2023, I believe we will see the convergence of discussions around AI and privacy and risk, and what it means in practice to do things like operationalizing AI ethics and testing for bias,” says Christina Montgomery, chief privacy officer and AI ethics board chair at IBM. “I’m hoping in 2023 that we can move the conversation away from painting privacy and AI issues with a broad brush, and from assuming that, ‘if data or AI is involved, it must be bad and biased’.”
Going forward
AI is ultimately a divisive subject. “Those in the technology, R&D, and science domain will cheer its ability to solve problems faster than humans imagined. To cure disease, to make the world safer, and ultimately saving and extending a human’s time on earth…” says Donnie Scott, CEO at Idemia. “Naysayers will continue to advocate for significant limitations or prohibitions of the use of AI as the ‘rise of the machines’ could threaten humanity.”
In the end, he adds, “society, through our elected officials, needs a framework that allows for the protection of human rights, privacy, and security to keep pace with the advancements in technology. Progress will be incremental in this framework advancement in 2023 but discussions need to increase in international and national governing bodies, or local governments will step in and create a patchwork of laws that impede both society and the technology.”
For the commercial use of AI within business, Montgomery adds, “We need web3 and IBM is advocating for web3 precision regulation that is smart and targeted, and capable of adapting to new and emerging threats. One way to do that is by looking at the risk at the core of a company’s business model. We can and must protect consumers and increase transparency, and we can do this while still encouraging and enabling innovation so companies can develop the solutions and products of the future. This is one of the many spaces we’ll be closely watching and weighing in on in 2023.”
Tomi Engdahl says:
Cyber Insights 2023: Criminal Gangs
https://www.securityweek.com/cyber-insights-2023-criminal-gangs/
Despite some geopolitical overlaps with state attackers, the majority of cyberattacks still come from simple – or perhaps sophisticated – criminals who are more motivated by money than politics.
Tomi Engdahl says:
Cyber Insights 2023: The Geopolitical Effect
https://www.securityweek.com/cyber-insights-2023-the-geopolitical-effect/
While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea will all increase their activity through 2023 under cover of the European war.
Tomi Engdahl says:
Cyber Insights 2023: ICS and Operational Technology
https://www.securityweek.com/cyber-insights-2023-ics-and-operational-technology/
The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while cybercriminals have had their restraints reduced.
SecurityWeek Cyber Insights 2023 | ICS and Operational Technology – Recognition of the cyber threat to industrial control systems (ICS) and operational technology (OT) systems has grown over the last decade. Until recently, this has been largely a theoretical threat founded on the danger of what could happen rather than what is happening. This is changing, and the threat to ICS/OT is now real and ongoing. The bigger danger is that this is likely to increase in 2023 and onward.
There are several reasons, including geopolitical fallout and escalation of tensions from the Russia/Ukraine war, and a growing willingness of criminals to target the ICS of critical industries. At the same time, ICS/OT is facing an expanding attack surface caused by continuing business digitization, an explosion of IoT and IIoT devices, the coming together of IT and OT networks, and the use of potentially insecure open source software libraries to bind it all together.
“As IT and OT systems continue to converge,” comments Simon Chassar, CRO at Claroty, “nation-state actors and cybercriminal groups such as Berserk Bear, Conti, Lazarus and Mythic Leopard, will shift their focus from IT to OT and cyber-physical systems; from stealing sensitive data to disrupting mission-critical operations.”
Tomi Engdahl says:
Cyber Insights 2023: Ransomware
https://www.securityweek.com/cyber-insights-2023-ransomware/
The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.
The cyberwar effect
The Russia/Ukraine war has removed our blinkers. The world has been at covert cyberwar for many years – generally along the accepted geopolitical divide – but it is now more intense and more overt. While the major powers, so far at least, have refrained from open attacks against adversaries’ critical infrastructures, criminal gangs are less concerned.
“The rate of growth in ransomware attacks is currently slowing slightly [late 2022] – but this will prove to be a false dawn,”
“Ransomware will continue to make headlines, as attacks become more destructive, and threat actors develop new tactics, techniques, and procedures to try and stay one step ahead of vendors,” agrees John McClurg, SVP and CISO at BlackBerry.
“We expect ransomware to continue its assault on businesses in 2023,” says Darren Williams, CEO and founder at BlackFog. “Specifically, we will see a huge shift to data deletion in order to leverage the value of extortion.”
There are two reasons for this move towards data deletion. Firstly, it is a knock-on effect of the kinetic and associated cyber destruction in Ukraine. But secondly it is the nature of ransomware. Remember that ransomware is merely a means of extortion. The criminals are finding that data extortion is more effective than system extortion via encryption. Andrew Hollister, CISO LogRhythm, explains in more detail:
“In 2023, we’ll see ransomware attacks focusing on corrupting data rather than encrypting it. Data corruption is faster than full encryption and the code is immensely easier to write since you don’t need to deal with complex public-private key handling as well as delivering complex decryption code to reverse the damage once the victim pays up,” he said.
“Since almost all ransomware operators already engage in double extortion, meaning they exfiltrate the data before encrypting it, the option of corrupting the data rather than going to the effort of encryption has many attractions. If the data is corrupted and the organization has no backup, it puts the ransomware operators in a stronger position because then the organization must either pay up or lose the data.”
It should also be noted that the more destruction the criminal gangs deliver after exfiltrating the data, the more completely they will cover their tracks. This becomes more important in an era of increasing law enforcement focus on disrupting the criminal gangs.
“In 2022, many large groups collapsed, including the largest, Conti,” comments Vincent D’Agostino, head of digital forensics and incident response at BlueVoyant. “This group collapsed under the weight of its own public relations nightmare, which sparked internal strife after Conti’s leadership pledged allegiance to Russia following the invasion of Ukraine. Conti was forced to shut down and rebrand as a result.” Ukrainian members objected and effectively broke away, leaking internal Conti documents at the same time.
But this doesn’t mean that the ransomware threat will diminish. “After the collapses, new and rebranded groups emerged. This is expected to continue as leadership and senior affiliates strike out on their own, retire, or seek to distance themselves from prior reputations,” continued D’Agostino.
RaaS
The most obvious is the emergence of ransomware-as-a-service. The elite gangs are finding increased profits and reduced personal exposure by developing the malware and then leasing its use to third-party affiliates for a fee or percentage of returns. Their success has been so great that more, lesser skilled gangs will follow the same path.
“It initially started as an annoyance,” explains Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct, “but now after years of successful evolution, these gangs operate with more efficiency than many Fortune 500 companies. They’re leaner, meaner, more agile, and we’re going to see even more jump on this bandwagon even if they’re not as advanced as their partners-in-crime.”
The less advanced groups, and all affiliates of RaaS, are likely to suffer at the hands of law enforcement.
Changing tactics
As defenders get better at defending against ransomware, the attackers will simply change their tactics. John Pescatore, director of emerging security trends at SANS, gives one example: “Many attackers will choose an easier and less obtrusive path to gain the same critical data. We will see more attacks target backups that are less frequently monitored, can provide ongoing access to data, and may be less secure or from forgotten older files.”
Drew Schmitt, lead analyst at GuidePoint, sees increased use of the methodologies that already work, combined with greater attempts to avoid law enforcement. “Ransomware groups will likely continue to evolve their operations leveraging critical vulnerabilities in commonly used applications, such as Microsoft Exchange, firewall appliances, and other widely used applications,” he suggested.
“The use of legitimate remote management tools such as Atera, Splashtop, and Syncro is likely to continue to be a viable source of flying under the radar while providing persistent access to threat actors,” he added.
But, he continued, “ransomware ‘rebranding’ is likely to increase exponentially to obfuscate ransomware operations and make it harder for security researchers and defenders to keep up with a blend of tactics.”
Evasion and persistence are other traits that will expand through 2023. “We continue to see an emergence in techniques that can evade typical security stacks, like HEAT (Highly Evasive Adaptive Threats) attacks,” says Mark Guntrip, senior director of cybersecurity strategy at Menlo. “These tactics are not only are tricking traditional corporate security measures but they’re also becoming more successful in luring employees into their traps as they identify ways to appear more legitimate by delivering ransomware via less suspecting ways – like through browsers.”
David Anteliz, senior technical director at Skybox, makes a specific persistence prediction for 2023: “In 2023, we predict a major threat group will be discovered to have been dwelling in the network of a Fortune 500 company for months, if not years, siphoning emails and accessing critical data without a trace. The organizations will only discover their data has been accessed when threat groups threaten to take sensitive information to the dark web.”
Fighting ransomware in 2023
The effect of ransomware and its derivatives will continue to get worse before it gets better. Apart from the increasing sophistication of existing gangs, there is a new major threat – the worsening economic conditions that will have a global impact in 2023.
Firstly, a high number of cyber competent people will be laid off as organizations seek to reduce their staffing costs. These people will still need to make a living for themselves and their families – and from this larger pool, a higher than usual number of otherwise law-abiding people may be tempted by the easy route offered by RaaS. This alone could lead to increased levels of ransomware attacks by new wannabe criminals.
Secondly, companies will be tempted to reduce their security budgets on top of the reduced staffing levels. “Once rumblings of economic uncertainty begin, wary CFOs will begin searching for areas of superfluous spending to cut in order to keep their company ahead of the game,” warns Jadee Hanson, CIO and CISO at Code42. “For the uninformed C-suite, cybersecurity spend is sometimes seen as an added expense rather than an essential business function that helps protect the company’s reputation and bottom line.”
She is concerned that this could happen during a period of increasing ransomware attacks. “These organizations may try to cut spending by decreasing their investment in cybersecurity tools or talent – effectively lowering their company’s ability to properly detect or prevent data breaches and opening them up to potentially disastrous outcomes.”
“Only by supporting initiatives that prioritize well-being, learning and development, and regular crisis exercising can organizations better prepare for the future.”
But perhaps the most dramatic response to ransomware will need to come from governments, although law enforcement agencies alone won’t cut it. LEAs may know the perpetrators but will not be able to prosecute criminals ‘protected’ by adversary nations. LEAs may be able to take down criminal infrastructures, but the gangs will simply move to new infrastructures. The effectively bullet-proof hosting provided by the Interplanetary File System (IPFS), for example, will increasingly be abused by cybercriminals.
The only thing that will stop ransomware/extortion will be the prevention of its profitability – if the criminals don’t make a profit, they’ll stop doing it and try something different. But it’s not that easy. At the close of 2022, following major incidents at Optus and Medibank, Australia is considering making ransom payments illegal – but the difficulties are already apparent.
As ransomware becomes more destructive, paying or not paying may become existential. This will encourage companies to deny attacks, which will leave the victims of stolen PII unknowingly at risk. And any sectors exempted from a ban will have a large target on their back.
In the end, it’s down to each of us…
Ultimately, beating ransomware will be down to individual organizations’ own cyber defenses – and this will be harder than ever in 2023. “There’s no letup in sight,” comments Sam Curry, CSO at Cybereason. “Ransomware continues to target all verticals and geographies, and new ransomware cartels are popping up all the time. The biggest frustration is that it is a soluble problem.”
He believes there are ways to stop the delivery of the malware, and there are ways to prevent its execution. “There are ways to prepare in peacetime and not panic in the moment, but most companies aren’t doing this. Saddest of all is the lack of preparation at the bottom of the pyramid in smaller businesses and below the security poverty line. Victims can’t pay to make the problem go away. When they do, they get hit repeatedly for having done so. The attackers know that the risk equation hasn’t changed between one attack and the next, nor have the defenses.”
Tomi Engdahl says:
Cyber Insights 2023: Regulations
https://www.securityweek.com/cyber-insights-2023-regulations/
The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often in conflict with the second and third.
Transatlantic data flows
Privacy is the headline battleground going forward, and amply illustrates the conflict between voter demands and national economies. This can be seen in the unsettled but multi-year attempt to find a legal solution to the transfer of personal user data from Europe to the US. Economics demands it, but European law (GDPR) and swathes of European public opinion deny it.
At the time of writing, it is almost certainly illegal to transfer PII from Europe to the US. The Privacy Shield – the second attempt at finding a workaround to GDPR – was declared illegal in what is known as the Schrems II court ruling. The wording of that ruling almost certainly eliminates an alternative approach known as ‘standard contractual clauses’.
During 2022, the European Commission (EC) and the US Biden administration have worked on developing a replacement for Privacy Shield. The ball was obviously in the US court, and on October 7, 2022, Biden issued an Executive Order to implement the EU-US Data Privacy Framework agreement – sometimes known as Privacy Shield 2.0.
This was enthusiastically greeted by US business.
So, during 2023, transatlantic PII data flows will become legal under the new framework, but that framework will be challenged as unconstitutional in the European Court.
Federal privacy law
The US government has been seeking a federal privacy law for around a decade but is probably no closer to achieving one. Progress was made during 2022, but the midterms kicked the bill into the long grass while the lawmakers concentrated on more pressing career issues. The question is whether it can be retrieved during 2023.
Mitzi Hill, a partner at the Taylor English Duma law firm, thinks it is unlikely. “I remain doubtful,” she said. “It is a complex topic both technically and legally. It is made more complicated with every new state law, because that is a new set of factors to consider in drafting any federal legislation.”
The California Privacy Rights Act (CPRA) comes into effect on January 1, 2023, with enforcement beginning on July 1, 2023. It is an extension of the existing CCPA, which is already possibly the strongest privacy act in the US (and largely modeled on GDPR). While it is somewhat more friendly to small businesses, it gives consumers more rights, places more requirements on organizations, and establishes an enforcement agency.
The consumer demand for privacy is strong, but not absolute – and often depends on what is received in return for giving up personal information. Consider Google, widely acknowledged as one of the primary collectors and users of PII. Despite this, consumers continue to consume Google because of the ‘free’ services the company offers in exchange. The result is that it is difficult for lawmakers to know exactly what their voters really want.
One area worth watching in 2023 is whether the FTC picks up the mantle of a ‘federal’ privacy regulator. Noticeably, the FTC includes failures in consumer privacy to be a potential deceptive practice – and deceptive practices are firmly within the FTC bailiwick.
“The FTC may become even bolder about privacy matters in the next couple of years,” suggests Hill. “It recently adopted an enforcement action that is targeted to a particular CEO and any future business he may join.”
Trickle-down regulated security
Although Biden does not believe in trickle-down economics, he nevertheless makes use of trickle-down cybersecurity. He cannot pass federal laws for private industry without the support of Congress – but he can (and does) issue executive orders that become mandatory instructions for federal agencies and strong trickle-down recommendations for private industry.
If security vendors must conform to certain requirements before they can sell into the government, the size of the government market makes it a commercial if not legal requirement to conform. Furthermore, if federal agencies are required to apply certain cybersecurity methodologies, much of private industry will also take heed.
Both conditions were introduced in May 2021 with Executive Order 14208, spurring activity in zero trust, and introducing the software bill of materials (SBOM). Both are intended to counter the growing supply chain threat, and both will remain top of mind for companies during 2023.
“SBOM is going to continue to garner mainstream adoption, not just from software/firmware suppliers that are building products they are selling, but also for internal development teams that are building applications and systems for internal use,” comments Tom Pace, CEO at NetRise.
The federal government described the requirements for SBOMs in an OMB memorandum published on September 14, 2022. “This is going to cause a cascading effect in the private sector,” continued Pace, “since obviously the federal government does not manufacture all its own software and firmware – in fact very little is manufactured in house.”
There will be a bedding-in period before SBOMs achieve their end – and attackers are likely to increase their own efforts in the meantime. “Highly visible attacks on the software supply chain start with access to the weakest link. As we head into 2023, it will be important for businesses of all sizes to be engaged as new secure software development practices are defined,” warns John McClurg, SVP and CISO at BlackBerry.
The regulations jungle
The trajectory for regulations is to increase, and they are increasing rapidly. These include state-level, federal level, and overseas national level that may impact US companies with operations in those countries. An example of the last could be Australia’s current plans for a new more aggressive attitude toward cybercriminals. Part of this will be to make ransom payments illegal in Australia.
One question to be decided is how that might impact American companies with an Australian operation that gets ransomed. Will the American parent, where ransom payments are not illegal, be able to pay the ransom on behalf of the Australian operation?
And one to watch…
Elon Musk has completed his takeover of Twitter, and his swashbuckling management style has caused ructions even before the end of 2022. These are not relevant to us. What may be relevant, however, is his adherence to the constitutionally protected concept of free speech; and the potential for Musk’s new Twitter to operate at a lower level of moderation than the old Twitter. Noticeably, in late November 2022, Musk reinstated almost all the accounts that had previously been suspended for spreading misinformation.
As a quick aside, on November 17, 2022, a group of Democrat senators asked the FTC to investigate any possible violations by the platform of consumer-protection laws or of its data-security commitments. The FTC had already said it is “tracking recent developments at Twitter with deep concern”.
Europe, however, thinks differently. The EU already has a new Digital Services Act that will kick in from January 2024. It doesn’t make platforms directly responsible for any unknown illegal content, but does require them to remove it once they are informed that it is illegal. It will also impose greater transparency on how algorithms work and are used. It is aimed at platforms that reach more than 10% of the EU population; that is, have at least 45 million EU users – that includes US big tech companies such as Twitter and Facebook. Non-compliance could lead to fines of up to 10% of annual
Finally
Martin Zinaich, CISO at the City of Tampa, once suggested to SecurityWeek, “If it ain’t required, it ain’t gonna happen.” We may have reached the point, with better organized cybercriminals and more aggressive nation states, where it must happen and therefore must be required.
Ron Kuriscak, MD at NetSPI, certainly believes so. “Regulations need to become much more mature, stringent, and punitive. We must hold organizations more accountable for their inaction in the area of cybersecurity… Organizations will be held accountable for basic cybersecurity hygiene. If they are unable to meet the most basic standards a regulator will require a third party to take over cybersecurity program execution (they will be mandated to cover the associated costs). Similar to the FDA, we will start seeing industry-aligned compliance regulations with real penalties that will force real compliance and organizational change. The key will be enforcement and penalties.”
But don’t expect much from the federal government in 2023. “On federal government cybersecurity issues,” explains Robert DuPree, manager of government affairs at Telos Corporation, “Congress has been more active and effective but further progress in 2023 will be hampered by the fact that some longtime cyber policy advocates and experts from both parties – including Sen. Rob Portman (R-OH), Rep. Jim Langevin (D-RI) and Rep. John Katko (R-NY) – are retiring and won’t be around in 2023. Their absence will leave a tremendous void when it comes to pushing ‘good government’ cybersecurity issues through Congress.”
Tomi Engdahl says:
Cyber Insights 2023 | Supply Chain Security
https://www.securityweek.com/cyber-insights-2023-supply-chain-security/
The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be remediated.
SecurityWeek Cyber Insights 2023 | Supply Chain Security – The supply chain threat is directly linked to attack surface management (it potentially represents a hidden part of the attack surface) and zero trust (100% effective zero trust would eliminate the threat). But the supply chain must be known and understood before it can be remediated.
In the meantime – and especially throughout 2023 – it will be a focus for adversaries. Why attack a single target when successful manipulation of the supply chain can get access to dozens or even hundreds of targets simultaneously.
The danger and effectiveness of such attacks is amply illustrated by the SolarWinds, log4j, Spring4Shell, Kaseya, and OpenSSL incidents.
The missed wake-up calls
Supply chain attacks are not new. The iconic Target breach of late 2013 was a supply chain breach. The attackers got into Target using credentials stolen from its HVAC provider, Fazio Mechanical Services – that is, via Target’s supply chain.
The 2018 breach of Ticketmaster was another supply chain breach. A Ticketmaster software supplier, Inbenta, was breached and Inbenta software was modified and weaponized. This was automatically downloaded to Ticketmaster.
Island hopping is another form of supply chain attack. In 2017, Operation Cloud Hopper was revealed. This disclosed that an advanced group, probably APT10, was compromising managed service providers to gain access to the MSP’s customers.
Despite these incidents, it has only been in the last couple of years, fueled by more extensive incidents such as SolarWinds, that industry has become cognizant of the full threat from increasingly sophisticated and wide-ranging supply chain concerns. But we should not forget that the 2017 NotPetya incident also started as a supply chain attack. Software from the Ukrainian accounting firm M.E.Doc was weaponized and automatically downloaded by the firm’s customers, before spreading around the globe. Both SolarWinds and NotPetya are believed to be the work of nation state actors.
All forms of supply chain attacks will increase in 2023, and beyond. Chad Skipper, global security technologist at VMware, specifically calls out island hopping. “In 2023, cybercriminals will continue to use island hopping, a technique that aims to hijack an organization’s infrastructure to attack its customers,” he warns. “Remote desktop protocol is regularly used by threat actors during an island-hopping campaign to disguise themselves as system administrators. As we head into the new year, it’s a threat that should be top of mind for all organizations.”
Attacks will increase
That supply chain attacks will increase in 2023 and beyond is the single most extensive prediction for 2023. “Supply chain attacks happen when hackers gain access to a company’s inner workings via a third-party partner, a method that provides them with a much greater amount of privileged information from just one breach,” explains Matt Jackson, senior director security operations at Code42. “This type of attack already rose by more than 300% in 2021, and I anticipate this trend will continue in 2023, with these attacks becoming more complicated and intricate.”
Lucia Milică, global resident CISO at Proofpoint, worries that despite all the wake-up calls so far, “We are still a long way from having adequate tools to protect against those kinds of digital supply chain vulnerabilities. We predict these concerns will mount in 2023, with our trust in third-party partners and suppliers becoming one of the primary attack channels.”
The result, she added, is, “We expect more tension in supply chain relationships overall, as organizations try to escalate their vendors’ due diligence processes for better understanding the risks, while suppliers scramble to manage the overwhelming focus on their processes.”
Jackson added, “Because many third-party partners are now privy to more sensitive data than ever before, companies can no longer rely on their own cybersecurity prowess to keep information safe,” he said.
“Supply chain attacks purposefully target the smaller organizations first because they’re less likely to have a robust cybersecurity setup, and they can use those companies to get to the bigger fish,” he continued. “In the next year, companies will become even more diligent when deciding on an outside organization to work with, creating an increase in compliance verifications to vet the cyber tools used by these prospective partners.”
Interestingly, despite all the warnings of an escalating threat, Christopher Budd, senior manager of threat research at Sophos, notes, “Unlike two years ago when the SolarWinds attack put supply chain attacks high on people’s radar, supply chain attacks have faded from prominence.” This may be a misleading premise. The discovery of a vulnerability in a widely used piece of software, such as the log4j vulnerability, will be used by individual cybercriminals and nation state actors alike.
However, targeted attacks such as that against SolarWinds requires resources and skill.
The software supply chain
The primary growth area in supply chain attacks will likely be the software supply chain. “Over the past few years,” explains Eilon Elhadad, senior director of supply chain security at Aqua, “increasing pressure to deliver software faster has widened attack surfaces and introduced severe vulnerabilities.”
New tools, languages and frameworks that support rapid development at scale are being targeted by malicious actors, who understand the widespread impact that results from attacks to the software supply chain.
“In 2023,” Elhadad continued, “software supply chain threats will continue to be a significant area of concern. These attacks have a larger potential blast radius to allow hackers to impact entire markets and wreak havoc for organizations.”
Eric Byres, founder and CTO at aDolus, agrees. “Software supply chain attacks will continue to increase exponentially in 2023,” he said; “the ROI on these attacks is just too sweet for professional adversaries to resist.” He notes that supply chain attacks have increased by 742% over the last three years.
Much of the software supply chain threat comes from the growing reliance on open source software libraries as part of the ‘increasing pressure to deliver software faster’. Zack Zornstain, head of supply chain security at Checkmarx, believes the software threat will particularly affect the open source supply.
“We believe that this threat of compromising open source packages will increase as malicious code can endanger the safety of our systems, ranging from ransomware attacks to the exposure of sensitive information, and more. We expect to see this as a general attack vector used both by cyber firms and nation-state actors. SBOM adaptation will help clarify which packages we’re using in applications, but we will need to invest in more controls to ensure the safety of those packages,” he said.
“Organizations should be on high alert for supply chain attacks if they use open-source software,” warns Kevin Kirkwood, deputy CISO at LogRhythm. “Bad actors examine the code and its components to obtain a thorough understanding of its flaws and the most effective ways to exploit them.”
If the source code of an open source software library either has – or can be engineered by bad actors to have – a vulnerability, then every company that downloads and uses that code becomes vulnerable.
“In 2023,” continues Kirkwood, “we’ll see bad actors attack vulnerabilities in low-hanging open-source vendors with the intention of compromising the global supply chain that uses third-party code. Attackers will infect the open-source repositories and chromium stores with malicious code and will wait for developers and other end users to come along and pick up the new sources and plugins.”
Venafi’s Matt Barker, president of cloud native solutions, adds, “We’re seeing many instances of vulnerable code brought inside their firewall by developers trying to go fast using unverified code from GitHub, or copypasta from Stack Overflow.”
He continues, “Thankfully, we’ve reached a collective sense of focus on this area and are seeing tremendous developments in how we tackle it. This is only going to increase through 2023 as we see more start-ups popping up and open source tools like cosign and sigstore designed to help it. Biden’s SBOM initiative has helped bring attention to the requirement, and The OpenSSF is leading in this charge.”
Mark Lambert, VP of products at ArmorCode, expands on this. “As the software supply chain continues to get more complicated, it is vital to know what open source you are indirectly using as part of third-party libraries, services (APIs) or tools. This is where SBOM comes in,” he said. “By requiring a disclosure of all embedded technologies from your vendors, you can perform analysis of those libraries to further assess your risk and react appropriately.”
The SBOM
Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity introduced the concept of a software bill of materials (SBOM), effectively if not actually mandating that software bought (or supplied) by government agencies be accompanied with a bill of materials. It described the SBOM as “a formal record containing the details and supply chain relationships of various components used in building software,” and analogous to a list of ingredients on food packaging.
While the advantages of the SBOM may appear obvious in helping software developers understand precisely what is included in the open source libraries they use, it must be said that not everyone is immediately enthusiastic. In December 2022, it emerged that a lobbying group representing major tech firms such as Amazon, Microsoft, Apple, Intel, AMD, Lenovo, IBM, Cisco, Samsung, TSMC, Qualcomm, Zoom and Palo Alto Networks was urging the OMB to ‘discourage agencies’ from requiring SBOMs. The group argued that the requirement is premature and of limited value — but it didn’t ask for the concept to be abandoned.
It is the complexity and difficulty in both compiling and using an SBOM that is the problem — and it is these concerns that will drive a lot of activity through 2023. The value of the concept outlined in the executive order remains undiminished.
“Incidents such as Log4shell [log4j] and the most recent SpookySSL vulnerabilities [CVE-2022-3602 and CVE-2022-3786] will push the adoption of a software bill of materials as a core component of achieving effective incident response, while efforts will continue in maturing the SBOM ecosystem (adoption across sectors, tooling, standardization around sharing and exchanging of SBOMs and more),” explains Yotam Perkal, director of vulnerability research at Rezilion.
“One of the big challenges I see in the year ahead is that this is more data for the development teams to manage as they deliver software,” notes Lambert. “In 2023, organizations are going to need ways to automate generating, publishing and ingesting SBOMs – they will need ways to bring the remediation of the associated vulnerabilities into their current application security programs without having to adopt whole new workflows.”
As part of this process, Michael Assraf, CEO and co-founder at Vicarius, said, “We predict that a new market will evolve called binary software composition analysis, which will look for software files that are different from what was pre-packaged and shipped. Automated techniques can utilize machine learning that will find this discrepancy, which will be vital in knowing where your risk lies and how large your attack surface can potentially be.”
Tomi Engdahl says:
Cyber Insights 2023 | Supply Chain Security
https://www.securityweek.com/cyber-insights-2023-supply-chain-security/
The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be remediated.
Tomi Engdahl says:
Data Protection
Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse
https://www.securityweek.com/cyber-insights-2023-quantum-computing-and-the-coming-cryptopocalypse/
The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.
SecurityWeek Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse – The waiting time for general purpose quantum computers is getting shorter, but they are still probably decades away. The arrival of cryptanalytically-relevant quantum computers (CRQCs) that will herald the cryptopocalypse will be much sooner – possibly less than a decade.
At that point our existing PKI-protected data will become accessible as plaintext to anybody; and the ‘harvest now, decrypt later’ process will be complete. This is known as the cryptopocalypse. It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.
Tomi Engdahl says:
The Security and Storage Outlook for 2023
Feb. 15, 2023
Before looking ahead to what 2023 has in store, let’s take a breath and think about what aspects from 2022 will impact the discussion.
https://www.electronicdesign.com/technologies/embedded/article/21260134/digistor-the-security-and-storage-outlook-for-2023?utm_source=EG+ED+Connected+Solutions&utm_medium=email&utm_campaign=CPS230216072&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R
The geopolitical climate shifted dramatically in 2022, with the Russian invasion of Ukraine taking place in February. While Russia seemed to expect a quick takeover of Ukraine, their actions turned into an extended war that also galvanized European nations and caused the U.S. to evaluate its foreign policy while supplying material to Ukraine.
Another outcome of the conflict has turned a spotlight to the always complex U.S.-China relationship, especially the China-Taiwan connection. We’re asking more loudly and frequently about the role of China in our supply chains given increased tensions.
Now add in the erratic economic climate of 2022 with its continued supply chain and inflationary pressures taking their toll on many businesses’ once-predictable ability to offer a reliable outlook on their results/revenue/delivery to customers.
2022 is only partially in our rearview mirror since these events will continue to influence the coming year. What can we expect?
Security breaches will continue.
It’s not a stretch to say that there will be a headline-making security breach in 2023. (Several occurred in 2022, including successful breaches at household names Microsoft, Red Cross, as well as Costa Rica’s national health service, to name a few.) There also will be many attacks that we never hear about because they will be thwarted.
An increased attack surface is here to stay.
Spurred by the onset of the COVID-19 pandemic, the number of people working from home tripled from 2019 to 2021 to 27.6 million, or nearly 18% of the U.S. workforce, according to the U.S. Census Bureau. While some workers are returning to their offices, the work from home phenomenon looks to be here to stay.
Security Measures
Data security was often overlooked in the rush to keep workers productive—even for companies and government agencies with sensitive data. Organizations will start to catch up in 2023.
IT departments are now better prepared to make sure company computers have self-encrypting storage devices with secure authentication methods, including multi-factor authentication. When it’s time to provision new workers with computers or go through a refresh cycle, encrypting data and securing access will be commonplace.
Zero trust will continue to gain traction.
Today, authenticated identity matters more than physical location or secure perimeter defenses. The implications for an enterprise implementation are many—and the task of rearchitecting away from VPNs isn’t easy.
However, the simpler it is to include security features for laptops and other user devices, such as pre-boot authentication (PBA) for securing data at rest, in a zero-trust environment, the wider the protection of access to devices, networks, and data becomes.
Government mandates will gain further traction in 2023.
The 2021 executive order to improve the nation’s cybersecurity contained language to protect data at rest and in transit. And in 2022, the U.S. Office of Management and Budget put a zero-trust architecture (ZTA) strategy into motion. It takes time for agencies and enterprises—let alone individuals—to understand the implications, seek security gaps, develop the architecture, and then implement data-security solutions.
Machine learning and artificial intelligence.
ML and AI will be more widely used to address cybersecurity—as well as to craft new attacks. While not necessarily visible to all of us in everyday life, ML and AI tools are increasingly available and more sophisticated.
Security is a budget priority.
Despite an uncertain economy that may have an impact on technology acquisitions and deployment, cybersecurity spend, while not entirely recession-proof, is certainly recession-resistant. That’s because the very existence of an organization can come into question without adequate defenses.
Kathryn says:
I hope that you will keep putting out more useful content in the future.
Tomi Engdahl says:
THE FUTURE OF CYBER IS AUTOMATED MOVING TARGET DEFENSE https://blog.morphisec.com/automated-moving-target-defense-gartner
Moving Target Defense (MTD) technology is the next evolution in cybersecurity, and unlike the technologies that came before it, rather than focusing on detection and reaction, it is preventive. MTD is based on a basic premise taken from military strategy, that a moving target is harder to attack than a stationary one. MTD uses strategies that orchestrate movement or changes in IT environments across the attack surface to increase uncertainty and complexity for attackers.
Tomi Engdahl says:
China Accuses U.S. of Hacking Huawei Servers as Far Back as 2009 https://time.com/6315912/huawei-us-china-hacking/
China accused the U.S. of infiltrating Huawei Technologies Co. servers beginning in 2009, part of a broad-based effort to steal data that culminated in tens of thousands of cyber-attacks against Chinese targets last year.
The Tailored Access Operations unit of the National Security Agency carried out the attacks in 2009, which then continuously monitored the servers, China’s Ministry of State Security said in a post on its official WeChat account on Wednesday. It didn’t provide details of attacks since 2009.
Tomi Engdahl says:
Marvell disputes claim Cavium backdoored chips for Uncle Sam https://www.theregister.com/2023/09/19/marvell_disputes_claim_that_cavium/
Cavium, a maker of semiconductors acquired in 2018 by Marvell, was allegedly identified in documents leaked in 2013 by Edward Snowden as a vendor of semiconductors backdoored for US intelligence. Marvell denies it or Cavium placed backdoors in products at the behest of the US government.
The allegations surfaced in the PhD thesis of Dr Jacob Appelbaum, “Communication in a world of pervasive surveillance: Sources and methods:
Counter-strategies against pervasive surveillance architecture.” Appelbaum’s thesis was published in March 2022 and received little public attention until mentioned in security blog Electrospaces.net last week.
Tomi Engdahl says:
Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape
Proofpoint has observed an increase in activity from specific malware families targeting Chinese-language speakers. Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity.
Newly observed ValleyRAT is emerging as a new malware among Chinese-themed cybercrime activity, while Sainbox RAT and related variants are recently active as well. The increase in Chinese language malware activity indicates an expansion of the Chinese malware ecosystem, either through increased availability or ease of access to payloads and target lists, as well as potentially increased activity by Chinese speaking cybercrime operators.
Tomi Engdahl says:
Attacks on 5G Infrastructure From Users’ Devices https://www.trendmicro.com/en_us/research/23/i/attacks-on-5g-infrastructure-from-users-devices.html
With the growing spectrum for commercial use, usage and popularization of private 5G networks are on the rise. The manufacturing, defense, ports, energy, logistics, and mining industries are just some of the earliest adopters of these private networks, especially for companies rapidly leaning on the internet of things (IoT) for digitizing production systems and supply chains. Unlike public grids, the cellular infrastructure equipment in private 5G might be owned and operated by the user-enterprise themselves, system integrators, or by carriers. However, given the growing study and exploration of the use of 5G for the development of various technologies, cybercriminals are also looking into exploiting the threats and risks that can be used to intrude into the systems and networks of both users and organizations via this new communication standard. This entry explores how normal user devices can be abused in relation to 5G’s network infrastructure and use cases.
Tomi Engdahl says:
Intel Launches New Attestation Service as Part of Trust Authority Portfolio
https://www.securityweek.com/intel-launches-new-attestation-service-as-part-of-trust-authority-portfolio/
Intel announces general availability of attestation service that is part of Trust Authority, a new portfolio of security software and services.
Chip giant Intel announced on the second day of its Intel Innovation 2023 event the general availability of an attestation service that is part of Trust Authority, a new portfolio of security software and services.
The new attestation software-as-a-service, codenamed Project Amber, is the first service in the Intel Trust Authority portfolio. It offers a unified and independent assessment of trusted execution environment (TEE) integrity and policy enforcement, as well as audit records.
It enables organizations to independently verify the authenticity and integrity of an environment, and ensure that the data and workloads inside that environment have not been compromised. It also helps ensure compliance with privacy and data sovereignty regulations.
The attestation service can be used with Intel confidential computing, including on premises, in multi-cloud or hybrid environments, and at the edge.
https://www.intel.com/content/www/us/en/security/project-amber.html
Tomi Engdahl says:
Staying on Topic in an Off Topic World
https://www.securityweek.com/staying-on-topic-in-an-off-topic-world/
Learning how to keep discussions on-topic is an important skill for security professionals to learn, and it can allow them to continue to improve their security programs.
Have you ever been in a meeting where someone keeps taking the discussion off topic? Have you ever tried to get answers to straightforward questions when speaking with someone, only to have them constantly going off on what seem to be tangents? Have you ever been part of an email thread or chat group where the discussion just seems to go around in circles?
We might not want to believe it, but this is often a tactic employed by certain personality types. In other words, it is seldom the case that a person cannot focus or is scatter-brained. Rather, it is far more likely that they are deliberately trying to derail what should be a relatively straightforward discussion.
You might ask why a person would do this. Different people have different motivations, but typically people do this for one of the following reasons:
They are looking for control/power (knowledge is power after all)
They are looking to hide information (perhaps because they are embarrassed by something or perhaps because it undermines an ulterior motive they have)
They do not know the answer but do not want to admit to that
They do not want to accept responsibility for a poor decision or a mistake they may have made
They are looking to avoid being exposed for having lied and/or hidden information in the past
This is not an exhaustive list – there may be other motivations as well, of course. My point here is that if we as security professionals find that we are having a difficult time getting straight answers, there is usually a reason. Unfortunately, we cannot expect these types of people to change. Instead, we must learn how to compensate for this type of personality in order to continue advancing the state of our security programs.
Tomi Engdahl says:
UK Minister Warns Meta Over End-to-End Encryption
Britain’s interior minister warned Meta that out end-to-end encryption on its platforms must “not to come at a cost to our children’s safety”.
https://www.securityweek.com/uk-minister-warns-meta-over-end-to-end-encryption/
Tomi Engdahl says:
https://www.securityweek.com/hacker-conversations-casey-ellis-hacker-and-ringmaster-at-bugcrowd/
Tomi Engdahl says:
You Can Use An Old Tape Deck As A Distortion Pedal
https://hackaday.com/2023/09/21/you-can-use-an-old-tape-deck-as-a-distortion-pedal/
Distorted guitars were a big part of the rock revolution last century; we try to forget about the roll. As a youth, [David Hilowitz] couldn’t afford a loud aggressive amp, a distortion pedal, or even a proper electric guitar. This experience ended up teaching him that you can use random old audio hardware as a distortion effect.
[David’s] guitar journey started when he found a classical guitar on a dumpster. He learned to play, but longed for the sound of a proper electric guitar. Family friends gifted him a solitary pickup, intending he build a guitar, but he simply duct-taped it to his steel-strung classical instead. The only thing he lacked was an amp. He made do with an old stereo system and a record pre-amp. With his his faux-electric guitar plugged into the microphone input, he was blessed with a rudimentary but pleasant distortion that filled his heart with joy.
https://www.youtube.com/watch?v=FjJ9PeTciqc