As we wrap up a year marked by a global pandemic, a protracted war in Ukraine, soaring inflation, exorbitant gas prices, and relentless ransomware attacks, we nevertheless look to 2023 in cybersecurity with a bit of hopefulness. Why? Because the drum beat for Collective Defense is gaining momentum across the public and private sectors. What's more, IronNet has launched a proactive threat intelligence feed called IronRadar℠ that detects and blocks malicious command and control (C2) infrastructure well before a cyber attack happens. IronRadar is based on our proprietary process of fingerprinting a server to determine whether it is a C2 as those servers are being stood up — and even well before an attack is initiated. In fact, to ring in the new year, we are offering a free 14-day trial of IronRadar to spread our hope in defending against the adversaries as one.
Still, we have a few 2023 cybersecurity predictions we would like to share ...
Anthony Grenga, IronNet Vice President of Cyber Operations
"2023 will be the year of Identity Access Management (IAM)."
Keeping up with who has access to your network will be crucial to prevent insider threats and data breaches, particularly as the tech industry continues to lay off hundreds of thousands of people. Organizations will have to recognize that some former employees may still have user access to some systems, so scrutinizing what IAM means to an organization will be essential as companies contend with off-boarding layoffs — while at the same time moving to SaaS applications.
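The offboarding gap described above can be checked mechanically. The following is an added example, not IronNet's code or any product feature: it reconciles a constructed HR leaver list against a constructed identity-provider export and reports accounts that are still enabled past the person's last day, ranking those that were actually used after departure first. The record layout, the one-day grace window and all names are assumptions; a real run would pull the roster from the HR system and the user list from the IdP's API.

```python
"""Added example (not IronNet's code): reconcile an HR offboarding list
against an identity-provider export to find accounts that should have been
disabled. All data below is constructed for the demo."""
from datetime import date, timedelta

# Constructed HR record of people who left, keyed by account, with last working day.
HR_TERMINATIONS = {
    "alice@example.com": date(2022, 11, 30),
    "bob@example.com": date(2022, 12, 15),
    "carol@example.com": date(2022, 12, 28),
}

# Constructed identity-provider export: account status plus SaaS app grants.
IDP_USERS = [
    {"email": "alice@example.com", "status": "ACTIVE",
     "apps": ["crm", "github"], "last_login": date(2022, 12, 20)},
    {"email": "bob@example.com", "status": "DEPROVISIONED",
     "apps": [], "last_login": date(2022, 12, 14)},
    {"email": "carol@example.com", "status": "ACTIVE",
     "apps": ["email"], "last_login": date(2022, 12, 27)},
    {"email": "dave@example.com", "status": "ACTIVE",
     "apps": ["crm"], "last_login": date(2022, 12, 30)},
]

GRACE = timedelta(days=1)   # assumed: give the offboarding ticket one day to complete
AS_OF = date(2023, 1, 3)    # constructed "today" for the demo run


def stale_accounts(hr, idp, as_of):
    """Return findings for leavers whose IdP account is still ACTIVE after their
    last day plus the grace window. Each finding names the account, how many days
    it is overdue, the apps it can still reach, and whether it was used after the
    leave date (the highest-priority case: someone, ex-employee or not, is using it)."""
    findings = []
    for user in idp:
        left = hr.get(user["email"])
        if left is None or user["status"] != "ACTIVE":
            continue  # still employed, or already deprovisioned
        if as_of <= left + GRACE:
            continue  # offboarding still inside the grace window
        findings.append({
            "account": user["email"],
            "days_overdue": (as_of - left).days,
            "apps": sorted(user["apps"]),
            "used_after_leaving": user["last_login"] > left,
        })
    # Worst first: accounts used after departure, then the most overdue.
    findings.sort(key=lambda f: (not f["used_after_leaving"], -f["days_overdue"]))
    return findings


def demo():
    """Run the check over the constructed data."""
    return stale_accounts(HR_TERMINATIONS, IDP_USERS, AS_OF)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The same reconciliation is worth running in the other direction as well (accounts in the IdP with no matching HR record), since orphaned service and contractor accounts slip through the same way.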
Morgan Demboski, IronNet Threat Analyst
"We are seeing a rise of non-state, non-financially-motivated attacks (that is, hacktivist attacks)."
I don’t think anyone had predicted the explosion of hacktivist attacks we saw this year in response to the Ukraine-Russia War. We saw a massive rise in cyber attacks by actors who aren't affiliated with a nation-state and aren’t looking for a profit, but are still conducting attacks for a political purpose. We’ll likely continue to see these hacktivist-type attacks in 2023; however, while hacktivist attacks in 2022 were primarily characterized by DDoS attacks against websites, these groups may start to become more sophisticated and conduct cyber espionage operations or even destructive cyber attacks in 2023 as they gain their footing and acquire more resources.
Peter Rydzynski, IronNet Principal Threat Analyst
"Authentication methods will change to support new work environments."
We are going to see a continuation of the fact that the work culture has fundamentally changed from being “in the office” (where Active Directory and pure Windows deployments are the standard) to remote and hybrid environments. This shift is going to allow companies the flexibility to adopt different authentication solutions such as Okta or JumpCloud to perform LDAP outside the space of a Windows environment. Accordingly, now is a good time for companies to dramatically change their security posture by rethinking the concept of a security perimeter. Indeed, the cat is out of the bag that remote work is here to stay, so companies must adjust their security approach.
Raj Sivasankar, IronNet Vice President of Product Management
"The cyber insurance industry will prompt all to rethink the security perimeter from a cyber risk perspective."
Rethinking the security perimeter is going to become even more fundamental from a risk perspective for CIOs and CISOs, especially because cyber insurance is becoming about ten times more expensive in 2023 (and because of the Lloyd's of London announcement that nation-state attacks will not be covered starting in March 2023). There will be great concern and fear of the cyber insurance fine print and an organization’s ability to afford it.
Joey Fitzpatrick, IronNet Threat Analysis Manager
"As-a-service type offerings for threat actors will gain more popularity (PhaaS, MaaS, etc.)."
From Robin Banks (PhaaS) to the latest DuckLogs malware (MaaS), cybercriminals are continuing to become more niche in their development. Gone are the days of having to develop end-to-end solutions, from gaining credentials / access to fully compromising an environment, for low- to mid-tier actors. Just as modern society has progressed through specialization of the labor force, threat actors too will become increasingly more successful via specialization. The division of labor enables higher quality malware, as well as lowering the price to play with regard to entering the world of cybercrime.
Morgan Demboski
"Healthcare will continue to be pummeled by ransomware and may see an increase in triple extortion."
The healthcare sector will continue to be a hot target for ransomware. Since hospitals store a lot of personally identifiable information (PII) and have a low tolerance for systems being offline, they make an attractive target for ransomware operators looking for a quick payout. In 2023, we could actually see an observed increase in triple extortion, in which threat actors not only extort the hospital itself but also contact patients directly for a ransom by threatening to publish their stolen personal information. What’s more, healthcare systems are in an odd gray area where the U.S. government doesn’t have active force coverage in the event of a cyber attack (as we saw with the Colonial Pipeline), despite hospitals being classified as critical infrastructure.
Raj Sivasankar
"While necessary, government mandates for cybersecurity may not be as effective as expected."
The velocity of government mandates on the commercial sector will continue to increase in 2023, but companies and organizations will not pay enough attention to reporting mandates and/or they will not have the technical capability or capacity to implement the mandates.
Additional commentary by Peter Rydzynski and Anthony Grenga
Mandates are necessary but will not move the needle in any massively significant way. They will not be the golden bullet to solving the cybersecurity problem. Breach reporting probably will increase, however, given the Uber CISO scenario of going to jail. The question is: When do data breaches lose sensitivity? We think the fear of prison time for not reporting breaches will push for more reporting.
Morgan Demboski
"The rate of massive ransomware attacks may slow down as adversaries turn attention to small- and medium-sized organizations."
As opposed to 2021, which was largely characterized by targeted attacks on large, high-profile organizations, we’ve seen the focus of ransomware attacks shift in 2022 to more small- and medium-sized businesses. I think this trend is very likely to continue in 2023 as threat actors realize big targets not only attract big backlash (like Colonial Pipeline and Kaseya) but also have stronger security measures and are less likely to pay a ransom. This context motivates threat actors – especially low-level affiliates that buy from a ransomware-as-a-service provider – to focus their attacks on small- to medium-sized businesses that generate less attention, have fewer cybersecurity resources, and are more vulnerable to exploitation.
Peter Rydzynski, IronNet Principal Threat Analyst
"We will see a turn toward preemptive measures with ransomware attacks."
I think “big game hunting” among ransomware groups is going to continue to decline because we're going to see more governments taking active measures against ransomware groups, including preemptive, active measures (e.g., as seen already in Australia) against these groups before they even execute a ransomware infection.
Anthony Grenga and Peter Rydzynski
"Our attack surfaces are incredibly complicated, so broad pen tests will not be as effective in giving a prioritized look."
We're going to start seeing fewer broad pen tests with giant reports and more very surgical red team engagements instead to help organizations look at very specific processes that may be targeted. These engagements would allow organizations to identify where to lock down the attack surface in a targeted way. This decline in open, broad pen testing in isolation will give way to the rise of the purple team, where strong collaboration between defenders and pen testers is key.
Peter Rydzynski
"Expect to see a rise in canaries."
Given that we continue to observe sophisticated attackers, such as China, Iran, and Russia, moving rapidly with little care for the traces left on the network, I think there will be an increase in the use of canaries as an opportunity to get ahead of these really rapid threats. Furthermore, comparatively speaking, canaries provide a very cost-effective solution for small organizations that may not be able to staff a full operations team to monitor the network.
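Why canaries suit a small team is easiest to see in the detection logic: a canary account is one nobody is supposed to use, so every reference to it is a true positive and the alert needs no baseline or threshold. The block below is an added example, not IronNet's code or any product feature. It parses a handful of constructed authentication log lines in an assumed "timestamp host auth user=... src=... result=..." layout and groups canary hits by source address; the account names, hosts and addresses are all made up for the demo.

```python
"""Added example (not IronNet's code): a minimal canary-account detector run
over constructed authentication log lines. Because a canary account has no
legitimate use, any login attempt against it, successful or not, is an alert."""
import re

# Constructed: accounts that exist only as tripwires. They should look like
# plausible service or admin accounts but are never wired into real workflows.
CANARY_ACCOUNTS = {"svc_backup_legacy", "admin_dr"}

# Constructed sample log in the assumed layout (one event per line).
SAMPLE_LOG = """\
2022-12-30T02:14:07Z fs01 auth user=jsmith src=10.1.4.22 result=success
2022-12-30T02:14:09Z fs01 auth user=svc_backup_legacy src=10.1.4.22 result=failure
2022-12-30T02:14:11Z fs01 auth user=admin_dr src=10.1.4.22 result=failure
2022-12-30T02:15:40Z dc01 auth user=svc_backup_legacy src=10.1.4.22 result=success
2022-12-30T03:01:02Z fs01 auth user=mlee src=10.1.9.5 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(text):
    """Yield one dict per well-formed auth line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def canary_alerts(text, canaries=CANARY_ACCOUNTS):
    """Group canary hits by source address.

    Returns {src: {"users": [...], "hosts": [...], "succeeded": bool,
    "first_seen": ts}}. A source that touches several canaries, or that
    reaches a successful login, is the loudest signal and should page someone."""
    alerts = {}
    for ev in parse(text):
        if ev["user"] not in canaries:
            continue  # ordinary traffic: canary logic ignores it entirely
        a = alerts.setdefault(ev["src"], {
            "users": [], "hosts": [], "succeeded": False, "first_seen": ev["ts"],
        })
        if ev["user"] not in a["users"]:
            a["users"].append(ev["user"])
        if ev["host"] not in a["hosts"]:
            a["hosts"].append(ev["host"])
        a["succeeded"] = a["succeeded"] or ev["result"] == "success"
    return alerts


if __name__ == "__main__":
    for src, a in canary_alerts(SAMPLE_LOG).items():
        print(f"CANARY TRIPPED from {src}: users={a['users']} hosts={a['hosts']} "
              f"succeeded={a['succeeded']} first_seen={a['first_seen']}")
```

The same shape works for other tripwires (a honey file path in file-access logs, a decoy DNS name in resolver logs): the only maintenance is keeping the canary list out of any legitimate process, which is what keeps the false-positive rate at zero.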
Raj Sivasankar
"The buzz around zero trust will start to die down."
Zero trust was all the rage in 2022, but I suspect that it will fall off the radar next year because companies are going to realize that, once they start the zero-trust journey, they are going to face significant challenges in implementing a zero-trust architecture; doing so is very difficult for large organizations. Even if a zero-trust architecture is implemented, the probability of a breach doesn’t necessarily go down. In short, organizations will realize in 2023 that zero trust is too complex to implement for complex networks, especially when an organization is running custom-built, purpose-built applications.
Additional commentary by Peter Rydzynski and Anthony Grenga
Peter:
Trust is more of a principle that should be applied every time that you're building something or integrating something. In other words, zero trust should be the default thinking for all security and inherent in how things function generally. Zero trust is security.
Anthony:
Zero trust is a race to a finish that doesn’t exist.
Morgan Demboski
"We are likely to see more abuse of M&As."
In 2022, I saw a lot of cases where threat actors were specifically looking for companies that are going through the M&A process because they know that in all of that craziness, there's a higher likelihood they will be able to gain access and conduct post-exploitation activity undetected. We saw this M&A abuse in the case of a Chinese threat actor infiltrating a software company by targeting a network segment integrated from a prior acquisition. There’s a lot that can be overlooked when integrating one company’s technical infrastructure into another, and I think it's very likely that threat actors will increasingly exploit M&As to compromise organizations for espionage or ransomware in 2023.