This is the second of a two-part collection of predictions from over 40 cybersecurity vendors.
Ian Pratt, global head of security for personal systems at HP Inc.
— Session hijacking – where an attacker will commandeer a remote access session to access sensitive data and systems – will grow in popularity in 2023. Increased use of features like Windows Defender Credential Guard are forcing attackers to pivot – either capturing users’ passwords to enable lateral movement, or hijacking the remote session itself to access sensitive data and systems. The latter is particularly powerful. Session hijacking does not rely on exploiting a fixable vulnerability; it is about abusing legitimate and necessary functionality of remote session protocols – like Remote Desktop Protocol (RDP), Independent Computing Architecture (ICA), and Secure Shell (SSH). Strong isolation is the only way of avoiding these kinds of attacks and breaking the attack chain. This can be done either through using a physically separate system, like a privileged access workstation (PAW), or virtual separation, via hypervisor-based approaches.
W. Curtis Preston, CTE, Druva
— Multi-factor authentication (MFA) cyber attacks will skyrocket. The big takeaway from the cyber incidents of 2022 is that MFA, while incredibly important, is not infallible. We will continue to see a dramatic increase in the volume of MFA exhaustion attacks. Bad actors will overwhelm the victim with so many MFA requests that they eventually authorize one of them, and the attacker is in. In 2023, companies must look to make their MFA systems more resilient to these types of attacks.
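One concrete way to make an MFA deployment more resilient to the exhaustion pattern described above is to detect it in the push-notification logs: a burst of challenges for one user, followed by an approval, is the attacker's success condition and should page someone. The following is an added example, not code from Druva or the original article; the log format (timestamp, user, result) and thresholds are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from any real system), one event per line:
# "sent" = push challenge issued, "denied"/"timeout" = not approved, "approved" = accepted.
SAMPLE_LOG = """\
2023-01-10T08:01:02Z alice sent
2023-01-10T08:01:20Z alice approved
2023-01-10T22:14:01Z bob sent
2023-01-10T22:14:40Z bob timeout
2023-01-10T22:15:05Z bob sent
2023-01-10T22:15:30Z bob denied
2023-01-10T22:15:50Z bob sent
2023-01-10T22:16:10Z bob denied
2023-01-10T22:16:30Z bob sent
2023-01-10T22:16:55Z bob denied
2023-01-10T22:17:10Z bob sent
2023-01-10T22:17:25Z bob approved
"""

def parse_events(text):
    """Parse the assumed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_push_fatigue(text, max_pushes=3, window=timedelta(minutes=10)):
    """Return {user: (push_count, approved_after_flood)} for every user who received
    more than max_pushes challenges inside a sliding window. approved_after_flood is
    True when an approval lands within the window of the flood; that is the event
    that deserves an immediate response (session revocation, password reset)."""
    sent_times = defaultdict(list)   # user -> timestamps of pushes still in window
    flagged = {}                     # user -> (count, approved_after_flood)
    last_flag_ts = {}                # user -> time the threshold was last crossed
    for ts, user, result in parse_events(text):
        if result == "sent":
            times = sent_times[user]
            times.append(ts)
            while times and ts - times[0] > window:   # expire old challenges
                times.pop(0)
            if len(times) > max_pushes:
                flagged[user] = (len(times), flagged.get(user, (0, False))[1])
                last_flag_ts[user] = ts
        elif result == "approved" and user in flagged and ts - last_flag_ts[user] <= window:
            flagged[user] = (flagged[user][0], True)
    return flagged
```

The same counters can drive an enforcement control: block further pushes for the user once the threshold is crossed and require a number-matching or hardware-key factor instead of a plain approve button.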
Ron Brash, head of technical research and integrations, aDolus Technology
— I would like to have more honest conversations about the condition of our critical infrastructure assets. We generally take good care of revenue-generating systems (e.g., a turbine), but we are dropping the ball on networking infrastructure upgrades, tombstoning and virtualizing hardware, and most cybersecurity basics. Security can be done affordably and intelligently. We just need to apply common sense, avoid run-to-fail situations, and approach technology as an ongoing transition.
Jeremy Fuchs, cybersecurity researcher at Avanan
— In 2023, we’ll see the rise of attacks across all applications – from mobile to email to collaboration, etc. We expect to see more attacks that target every component of an organization’s infrastructure. Clever attackers will leave sample email attacks to phishing kits; the complex attacks will be their focus. These attacks will be multi-stage and multi-vector. It might start in the firewall and migrate to email. It might start via mobile and head over to your code and then to email. It might start in email, move to collaboration and then to the browser. In order to combat these attacks, enterprises, of all sizes, will need to take a more integrated approach to protecting these applications. It will require better threat intelligence and the best telemetry feeding security analytics for unparalleled coverage and vision.
Andrew Pendergast, EVP of product at ThreatConnect
— MaaS (malware-as-a-service) operators act like a business, because they are a business – just an illegal one. Their goals are to make as much money as possible selling their product and services. This entails making it as accessible, trustable, reliable, and easy to use as possible to their “market.” So, beyond just making sure their malware is effective, we can expect MaaS providers to continue to evolve their support and services to accommodate a broader set of customers and affiliates. This may involve innovations to grow the confidence in continued anonymity and reliability of payment transactions between them, even if the provider is compromised by law enforcement; leveraging blockchain-based smart contracts is one means that has been researched. Regardless of the specific innovations, the net results will be a broadening user base for various MaaS offerings, which in 2023 likely means more ransomware attacks.
Ronnie Fabela, CTO and co-founder, SynSaber
— For industrial control system cyber security, 2023 is a year for focus and opportunity. Never before has there been more regulation, government guidance, funding, and awareness, making this year the time for execution. 2022 was relatively quiet for ICS-specific attacks outside of the war in Ukraine, and the predicted cyber war never came to pass. Nonetheless, ransomware attacks against enterprises are on the rise with ICS environments affected as collateral damage. While ICS-specific ransomware is still highly unlikely, disruption of operations due to enterprise ransomware will continue. Thankfully ICS has the “home field advantage” and 2023 will be the year where we all collectively fight for the operator and secure our critical infrastructure.
Omer Gafni, VP surface at Pentera
— How many vulnerabilities do we have? Where are they? How do we remediate them? Companies assess their overall security posture based on the number of critical vulnerabilities in their environment, but the strategy is flawed. To effectively reduce risk you need to understand not only what vulnerabilities exist, but also which are exploitable and serve the hackers’ end goals. With the number of annual reported vulnerabilities now exceeding 20,000 per year, companies cannot remediate every alert, and need to become more surgical with their remediation strategies. To achieve this, we will start to see a shift from a focus on vulnerability to exploitability. Companies will start to put a major emphasis on understanding which targets are most impactful from the hacker’s perspective, and therefore the most exploitable targets. This will enable them to more clearly evaluate their true cyber risk and prioritize remediations to effectively reduce their organizational exposure.
Roya Gordon, OT/IoT security research evangelist at Nozomi Networks
— As threat actors use the “store now, decrypt later” (SNDL) technique in preparation for quantum decryption, governments take steps to prepare against this future threat. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released its post-quantum cryptography initiative to prepare and safeguard critical infrastructure companies during this transition. As CISA rolls out this guidance, more companies will shift their focus to safeguarding their data now to reduce the risks of quantum decryption later. Also, as AI technology becomes more advanced, attackers are using AI-driven techniques such as machine learning to automate their malicious activities, making them more difficult to detect and disrupt. For example, some threat actors have been able to use AI-powered bots to conduct reconnaissance on potential targets by scanning networks for weaknesses and then exploiting those weaknesses without needing any human intervention. Additionally, these attacks can target multiple systems simultaneously, making them harder to defend against.
Jeff Shiner, CEO of 1Password
— End users are becoming increasingly conscious and demanding of their data privacy. In 2023, it’s going to be a requirement for companies versus an active choice. From Apple’s recent announcement on their new encrypted iCloud backup option to Twitter’s plan for encryption of direct messages, we’re already seeing encryption and privacy by default becoming the norm. While some companies think that focusing on customer privacy means leaving money on the table – long term trust with users will outweigh any short-term monetization.
Reza Morakabati, chief information officer at Commvault
— Bad actors have become increasingly deceptive at infiltrating company systems, making it challenging for security and IT departments to keep their most important asset, their data, safe. To combat this continuous rise in threats, we are and will continue to see regulations and government involvement in Information Security, specifically as it relates to ransomware threats. The recent release of the U.S. Department of Defense Zero Trust Strategy and Roadmap is just one example, indicating a move toward increased regulation. As we shift into this responsibility model, where new groups like a company’s board of directors want to be informed of relevant security measures, it will be critical to provide a safe sharing environment for companies to exchange information on active incidents with government agencies or other companies – identifying and addressing threats immediately, if not before an attack takes place. Regulations on disclosure requirements make this a very difficult task to navigate around and measures will need to be taken to address the pain points.
Devin Redmond, CEO and co-founder, Theta Lake
— Fines for unmonitored communications will extend across sectors and geographies. The over US$2 billion in fines imposed on U.S. banks for failing to capture chat communications are the thin end of the wedge for regulatory focus. Firms from all sectors and all geographies should be prepared for regulatory scrutiny of their ability to capture, monitor, retain and retrieve all relevant communications. From the U.K. Information Commissioner’s call for a review into the government’s use of private messaging apps to the reported U.S. federal agency scrutiny of private equity and asset management firms, there’s no slowing down of investigations into record-keeping failures.
James Mignacca, CEO, Cavelo
— Attackers will shift focus to cloud providers and target dark data. Midsized companies are moving to cloud service providers en masse. Most adopt five cloud service providers at a minimum and we expect to see that number continue to climb. When it comes to liability ownership, cloud services are in a tricky spot; the provider holds the data and so many companies assume their data is safe. Next year cloud security and preventative breach controls will be heightened because of the realization of shared duty across cloud service providers and their customers. For IT and security teams, this means implementing additional layers of due diligence and control checks including data inventorying that accounts for orphaned or unclassified dark data.
Jamon Camisso, developer experience engineer, Chainguard
— Sigstore will kill off PGP with the fire of a thousand suns. Ok, probably a little optimistic on my part, but keyless signing, and widespread adoption of digital software signatures across projects like Kubernetes can only grow at this point. Especially since Sigstore is so easy, and PGP is hard.
Almog Apirion, CEO & co-founder of Cyolo
— In 2023, and beyond, we will see more significant breaches on a larger scale. In fact, the expectation is to see well-funded hacker groups go for the ‘whales’ – focusing on brand recognition. Companies such as Microsoft or Amazon that everyone leverages at a personal and corporate level will become those major targets. Future attacks will focus on the ability to exploit stolen credentials as the primary reason for breaches – taking examples from the past few years like SolarWinds, Dropbox, and Uber. In addition, the exploitation of credentials will not only come directly from the companies themselves, but from vendors that do not hold to the same security standards.
Edward Liebig, global director of cyber-ecosystem at Hexagon AB
— We’ll see a catastrophic attack on the energy grid in 2023. The skills gap, recession and tensions abroad are forming a perfect storm for a major attack on the power grid. Energy experts sounded the alarm in June of 2022 that the electric grid in the U.S. wouldn’t be able to withstand the impacts of climate change, and as Ukraine stands its ground in its conflict with Russia, we’re likely to not only see more attacks on Ukrainian energy infrastructure, but the U.S.’s infrastructure as well. At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the U.S. electric power infrastructure for years. The combination of these factors makes the U.S.’s power grid more vulnerable to cyber attacks than it has been in a long time.
George Gerchow, CSO and SVP of IT, Sumo Logic
— Security orchestration, automation and response (SOAR) will continue to exist but will be increasingly absorbed into other security platforms and the term will die out as it becomes baked into overall security. SOAR will converge with security information and event management (SIEM) and acquisitions will continue to contribute to vendor consolidation.
Don Boxley, CEO and co-founder, DH2i
— In 2023 SDP (software defined perimeter) will finally pull ahead of VPNs as the dominant technology for remotely connecting people and devices. One of the most critical drivers here will be awareness and acceptance. More and more IT professionals are already using it successfully to connect to cloud or on-premises applications from wherever they are – the airport to the home office to the local coffee shop, and they are talking about it.
Jenny Buckley, SVP at ISN Software
— Sixty-two per cent of system intrusion incidents stem from an organization’s supply chain. The rise of phishing-resistant authentication technologies in 2023 should lead to a higher percentage of system intrusions due to threat vectors like malware. Since external supplier reliance is increasing, they may see heightened cybersecurity due diligence placed on vendor assessments before and after procurement.
The most critical component of managing cybersecurity supply chain risk is standardizing a third-party risk management program across all supply chain participants. Suppliers should be categorized according to criticality then required to submit evidence to relevant supply chain stakeholders that proves their cybersecurity posture on a tiered, risk-level basis. Even as cyberattacks evolve, the communication channels established in this program will facilitate a two-way conversation between parties that will allow all stakeholders to keep their sensitive data secure.
Wil Klusovsky, chief security architect, Avertium
— Hacking has been loosely linked to some casualties in recent years, but the current environment suggests the weaponization of IoT and OT to drive catastrophic outcomes is on the rise, especially as nation-states increasingly turn to cyberwar instead of actual war to levy attacks on opponents. Expect more exploitation of IoT/OT devices in this context. Further, advancements in edge computing and 5G will begin to challenge some of the traditional security companies have in place, with new tooling needed to protect these devices at a deeper level. This will be prevalent in the manufacturing and automotive industries in particular.
Tamas Kadar, CEO, SEON Technologies
— Fraudsters are defeating multi-factor authentication (MFA) with greater ease than ever before. These security checkpoints, often asking you to install an app that generates one-time passwords to complete your purchase, are required by many online businesses – but if there’s a wall, fraud digs a tunnel. Links in emails, apparently from trusted brands, might be phishing attacks that scrape MFA one-time passwords as you enter them. In 2023 we expect more online accounts to be breached this way, particularly for businesses getting complacent behind their MFA-based security. For businesses with no MFA whatsoever? No tunneling gear means easy prey for all the fraudsters.
Bob Rudis, VP data science, Grey Noise Inc.
— Expect daily, persistent internet-facing exploit attempts. We see Log4j attack payloads every day. It’s part of the new ‘background noise’ of the internet, and the exploit code has been baked into numerous kits used by adversaries of every level. It’s very low risk for attackers to look for newly-exposed or re-exposed hosts, with the weakness unpatched or unmitigated. This means organizations must continue to be deliberate and diligent when placing services on the internet.