2023 Cybersecurity Predictions

Increasing Instances of Critical Infrastructure (CI) Ransomware

Tom: Let’s start the conversation here. The Russia-Ukraine war is going to continue to fuel increased warfare in cyberspace against NATO nations, and one of the side effects will be more instances of critical infrastructure ransomware. Doug, Ron, care to flesh out that prediction?

Doug: I think we all look at the overall trends that are happening in the marketplace and certainly we see new threats coming out on a regular basis. We see increases in the macro level that impacts businesses as well. I think what may get lost in those larger numbers is that some of the key players in the marketplace reduced their attack frequency at the beginning of the year, and it was associated with what you just mentioned, associated with the key aspect that there’s a supply chain between Russia and Ukraine. While we’re all very sympathetic to Ukraine and what’s happening there, the reality is they have always been a high vector of attack, and so when you break that supply chain from a historical perspective of those who produce ransomware and those who use ransomware in the marketplace, you have an interruption. If you look at ransomware specifically, it has dropped off significantly. The claim rates in the insurance space have dropped steadily since December of last year, about when by chance the conflict began. Ultimately, we’re starting to see some of those groups regroup on each side of the border. Now, what that means is possibly an increase in ransomware continuing to happen over the next six to 12 months because now people on each side of that conflict have regrouped to both use, create, and ultimately launch ransomware attacks within their own political views. The only other thing I would add to that is, from a political views perspective, when you think about how the world will evolve from here is what influences will NATO and the U.S. have on Ukraine that could potentially also influence Ukraine’s activities within its own borders as well.

Ron: I’ll add I think the scariest part of this scenario is what we don’t know, and what I mean by that is what’s going on, what resources are in hand, what new exploits have been sort of harvested and either used or are even ready for use. You know, with state-based resources on both sides being spent to develop these tactics and techniques and exploits, it eventually acknowledges that those techniques are going to get released into the wild, into civilian space, and I think it’s going to wreak havoc on unprepared companies. You know, we’ve got rich targets in retail and healthcare. It just becomes something that we’re baking heavily into our threat intelligence gathering to keep us and them apprised, but I think that there’s some fallout that’s yet to even happen.

Budget Cuts and Cybersecurity


Tom: Prediction number two: Recession or no recession, inflation and unstable global economies will result in budget cuts across organizations, most importantly impacting IT and even investments in cybersecurity. Doug, Ron, please flesh that out.

Ron: Here’s an interesting thing, the cybersecurity industry itself has been reported to be recession-proof, and in a lot of ways, it is. There’s always innovation, there’s always a threat, there’s always going to need to be a fix, but that doesn’t mean that individual companies won’t place themselves at risk by reducing their technical staff or actually spending less on cybersecurity. While the industry may be recession-proof, cybersecurity spending is not, particularly among SME (small and midsize enterprise) companies, with smaller market organizations. There was a survey recently released by Infosecurity Magazine, and it said that essentially 44% of the respondents expect that their cybersecurity budgets are going to be cut in 2023. Of those respondents, 75% feel that such cuts are going to put their business at risk. This is an interesting one too: 58% of those that respond say that they’re more concerned about their cybersecurity posture than they were just six months ago. That’s a drastic shift in the comfort that people have right now, so smaller companies say they’re limited in their spend. They could fall victim to cybercrime.

Doug: I would just add, if you look at the industry when there’s any type of contraction, typically people are one part of that contraction, layoffs and various other aspects, investments in people. The security industry is extremely hard to 1) gain (i.e., attract and hire) [talent in], 2) train, because you have to continually train them, and then 3) obviously retain those [employees]. In a contraction, sometimes that is beneficial for larger companies that have larger security staffs, but it is very often a scenario where when you’re looking at 300,000 or 500,000 job deficiencies in the industry, there’s an opportunity for people to make moves into more stable companies as well. So you’ll see some people moving around. You see a lot of smaller companies that maybe were able to attract one person but can’t really afford to train them and do all the other aspects of that and really drive an opportunity for businesses to probably do what they should have done before, which is outsource some of those components, which is a fraction of the cost of trying to build those. You can’t forget about the regulatory impact — everything Ron mentioned plus all the regulatory changes, the billing for the new things that sometimes they have a hard time financially agreeing to do.

The Rise of Hacktivism


Tom: Prediction number three is about hacktivism. The rise in hacktivism will continue full force as political tensions in varied opinions of the meaning of free speech rage on. Ron, please explain.

Ron: I feel really strongly about this one, and here’s where I would start. Let’s look at 2020 to 2021: we already had a 100% increase in these essentially attack-for-a-cause types of scenarios. So that’s really hacktivism. But if you think about the world we live in now, it’s never been more polarized and politically charged than it is now. And that’s creating a split, it’s creating a divide, it’s creating a “win at all costs, I’m going to cancel you, I’m going to shut you down, I don’t like what you say, I’m going to stop you, and guess what, you have a big space on the internet and cyberspace, I’m going to attack that, and I’m going to shut you down there.” I mean, if you think about even among social media platforms with the recent acquisition that Elon Musk made of Twitter, there are certainly a lot of people on the other side of what he stands for that don’t appreciate that and may try to generate denial-of-service attacks against someone like Twitter. And if you think about this too, this is a warning too that we have to be careful about how we portray it because there could be scenarios where because of the political charge, and we’ve got healthcare entities for instance, let’s just take them, who may take a stance. We do provide abortions, we don’t provide abortions, we do provide trans care, we don’t provide trans care. Now, the message here is not to say, which side are you on? It’s to say, be prepared because no matter what side you’re on there might be an opposition that looks to take you down and compel social change. We’ve got ransomware for hire. What’s to stop a bad actor group from saying, hey, we’ll take them down and help your cause for a fee. Again, the message isn’t just to capitulate or say we’re going to change our social values, it’s just that you need to be prepared, particularly in incident response and how you’re going to deal with this. That way, you’re ahead of the game.
Hacktivism, yeah, I do think that we’re going to see — we’re already seeing 200% plus here in ‘22 — we’re going to see more and more of that.

Stricter Cyber Insurance Requirements


Tom: Doug, cyber insurance providers will increase their scrutiny of the organizations they insure by requiring quarterly security reviews. Please discuss.

Doug: We’ve seen significant changes in cyber insurance over the last 18 months, and if you recall from what we said in the first part of this, ransomware drove claim rates up to a point where insurance companies weren’t obtaining their profit objectives, and in many cases, candidly, claim rates were exceeding 100%, which means they were paying out more than they were receiving as income. Two aspects changed there: Number one, the insurance rates went up, and number two, which is really the focus of this, is the acceptance rates of renewals and the acceptance rates of new applications started dropping off in many particular areas by 50%; in some areas, it’s even higher, like service providers, people that do IT, IT security. Those types of insurances have increased, and what we’re now seeing is them moving to a maturity of asking questions beyond the basic of “do you have multifactor authentication?” Now, they are actually asking: Do you have multifactor authentication and did you actually deploy multifactor authentication? Did you deploy that at an admin level? Did you do that on your VPN (virtual private network)? How does that get segmented within your network? Then, they’re moving on to things like patch management, they’re moving into service account management, they’re moving into a number of different areas that ultimately drive the way that we as a business and all of our colleagues in the business industry actually apply for, receive, and what is included and not included. Insurance is one of those things where, as we all know, the fine notes are the details you need to pay attention to. If you have cyber insurance and it excludes ransomware, I would say the value of that cyber insurance is probably not nearly as high as you need in the particular marketplace. 
Ultimately, the organizational changes that are going on here are forcing organizations to really plan ahead, and if you’re in front of a cyber insurance process to get a new policy and all of these things are a surprise to you, then you’re not going to be able to react for probably two, three, four, six months in some cases to get those controls in place, and the last thing most businesses want to do is go back as an owner or to the board or to investors and say, “I couldn’t attain cyber insurance.” So if you go in, make sure you’re prepared, make sure you understand the trends that are occurring there, not only the ones I just mentioned there, but they are moving to risk assessments, they are moving to providing and requiring particular services like MDR, having an IR (incident response) service on retainer, monitoring not just by EDR (endpoint detection and response) but actually monitor and manage that on a 24/7 basis. So all of those are changes. Unfortunately, there is not consistency across one particular carrier out there or multiple carriers out there; there’s not a standard they all follow, and so it’s a bit of a wild, Wild West just what to expect from each of them.

Accelerated Federal Guideline Introductions


Tom: Dustin, I want to bring you into the conversation for our fifth prediction, which is that the wave of new federal best practices and guidelines that we saw throughout 2022 will continue aggressively into 2023.

Dustin: The goal with regulatory compliance and best practices is to reduce the bad things that are happening. And we’ve seen this over the past decade, how things have evolved. We’ll continue seeing that as other industries and organizations are getting attacked more frequently. What worries me is when we don’t see consistency from framework to framework, so just like organizations get audit fatigue, compliance fatigue is also a real thing. So hopefully, we see some consistency from framework best practices and these new ones from the SEC (Securities and Exchange Commission) or Department of Labor that are coming out, following those existing best practices with an end goal in mind, which again is to drive to better cybersecurity practices. Then, also with the new push for breach reporting, something that’s interesting is having that information available is one thing but doing something about it is something else, so hopefully the frameworks and the best practices that we see will continue to evolve to not only report more frequently but also take actions to reduce those incidents that do happen.

Doug: We’ve seen a little bit of a lull with CMMC (Cybersecurity Maturity Model Certification) this year because there were some policy changes and political changes that occurred there. I think from anybody that we’ve talked to, both on CMMC as well as the government side, I suspect that that’ll come back extremely strong in 2023, so the pause that we saw in 2022 is likely to come back with a vengeance in 2023.

More Cybersecurity Vendor Solutions Fall Victim to Breaches


Tom: Next, prediction number 6: In 2023, we will see more cybersecurity vendor solutions fall victim to breaches. Dustin, you’re going to explain why.

Dustin: I mean, the attackers are opportunistic, so if you’ve got a security vendor that is present in many organizations, why not target that? It’s the same reason we see so many vulnerabilities with common operating systems because the reach is much further. So that’s where organizations have to think about defense in depth, so do cybersecurity providers, and so the same things that we preached to our customers and clients of understanding appropriate laws and monitoring and having incident response in place are the same things that every cybersecurity vendor is going to have to prioritize to not be in the headlines like the recent ones that we’ve seen.

Zero Day Vulnerabilities and Zero Day Exploits


Tom: Ron, lucky seven is on you. Zero-day vulnerabilities are going to lead to a significant increase in zero-day exploits. What have you seen?

Ron: This isn’t something that no one else could have predicted. Let’s say that it’s like predicting yesterday’s weather. Of course, they’re going to go up, and here’s the state we have. We’ve got resources now on the bad actor groups that are concentrating on trying to find these zero days, these vulnerabilities, and if they do, then that’s gold for them. If the researchers or bounty hunters or cybersecurity companies or vendors find them, then OK, we can put out a solution, but once it becomes weaponized, now it’s an exploit. Zero-day exploits, those are really scary when you think about the things that have happened from at least a zero-day vulnerability standpoint across Microsoft, Apple, Google, the Chrome platform, Fortinet, just to name a few. We’re talking about companies that have a critical mass of users in the world and to be able to undermine one part of that system that gets bad actors to many, and so it becomes more of a plane crash versus the car crash, to use a comparison there. But interestingly, we’re going to see these I think go up exponentially when we talk about, again, all of the resources that are being put there. We’ve seen a doubling in zero days from ‘20 to ‘21. There are a couple of studies out now about the numbers here in ‘22; some say 18. There’s one study that says as many as 72 have been found in the first half of the year alone. One of the common elements of all these new zero days is that 50% of them are derived from previous bugs, and so we’re seeing a counter, but we’re seeing something else that’s exploited within a certain configuration, line of code, or firmware or something else that the bad actors are continuing to exploit. So it’s staying diligent about not just something that’s passed but just a constant look at everything that’s in your environment.
Then, we’ve got these bad actors that are putting a lot of their resources into harvesting these themselves, not just state-based or government entities now that are in there harvesting these. We’re seeing businesses in the dark web or groups that are trying to harvest these so that they can use them for nefarious purposes or sell them on a premium on the dark web. We are going to see an increase in that because of the resources that are being lent to it and because of the explosion of numbers of different platforms that are getting, again, that critical mass in terms of users.

Exponentially More Mobile Device Attacks


Tom: The eighth prediction: Mobile device attacks will increase exponentially. Dustin, this is yours.

Dustin: I think the mobile device focus is the path of least resistance for the attacker. It’s what everybody has on them, organizations are focused on connectivity and access for their end users, and so it’s one of those where phishing is easier when everybody always has their email in their pocket or focusing on an SMS (text) message for somebody to follow a link. It’s not necessarily about just exploiting an organization’s assets, it’s exploiting that end-user device to see what other access can be gained from it from user ID, password, or other connectivity. Also, organizations’ adoption of bring your own device is not slowing down, and so for end users, where the end-user control isn’t as maximized as maybe on an owned device, it is a path where an attacker sees an opportunity.

Cybercriminal Competition Decreases Dwell Time


Tom: Our ninth prediction. Ron, this is for you. Competition among bad actor groups will result in a continued reduction in dwell time.

Ron: I think there’s a couple of things in place. Certainly the bad actors that are competing — and I’ll get to that — but there’s some good news here, some optimism is that the amount of dwell time may not be as high because the detection has become stronger or able to find, OK, they’ve been in, we can kick them out, we can contain whatever it is and keep them from getting back in. Certainly there’s some good news in there, but we look at the number of days that actors will persist or dwell in an environment. Again, comparing ‘20 to ‘21, just for statistical purposes, 24 days to 21 days that they are dwelling in a client environment before they actually exploit or do something to that effect. Now, we expect that to drop here into the teens, and a big reason is a race to the exploit or to the score. We’ve got a lot of money at stake here in terms of ransomware. Now, we’ve got just tens of thousands of different variants of ransomware here now that are at play. So yeah, there’s a lot of competition among bad actor groups to get in and score before somebody else does. They don’t have as much time to look around anymore because if it’s vulnerable and you found it, unless you’ve got a zero day, then chances are there’s another bad actor group that can find it and exploit it as well. So I think we’re going to see that dwell time continue to go down. The answer of course is greater diligence using MDR (managed detection and response) and then just being diligent in your threat intelligence and putting it all together.

Zero-trust Security Gains Momentum, But Execution Will Lag


Tom: Our 10th prediction is about zero trust. The zero trust security model will continue to gain momentum, but actual implementation and execution, particularly in healthcare, is going to lag. Dustin, you’re going to explain.

Dustin: The idea of zero trust has been around for over a decade. Absolutely love it in theory, but it’s like anything from implementing security controls; it takes time and money, re-architecting networks, and then user adoption. Multifactor authentication, same type of thing where it’s a great security solution, but how many organizations don’t actually have it implemented, who don’t actually have it implemented on email for example? So you look at zero trust, and spreading that out through an organization’s network is not going to be easy to actually implement. Healthcare — especially if you slow down patient care based on the iterative authentication steps and then reduced access based on segmentation — that’s something that’s not going to be widely adopted right off the bat. And while it’s a great idea and it’ll really help from a security and incident spread reduction standpoint, the actual ability for an organization to put it in place and still continue to run their business as they want is going to be very, very difficult.

True MDR Service Providers Will Prevail


Tom: We’ve talked about MDR quite a bit throughout this conversation as part of our 11th and last prediction. Prediction is: There will be a reckoning in the managed detection and response market separating true MDR service providers from those drafting off marketing hype and offering only elements of threat detection and response. Ron, this is for you, but Doug I want to give you a chance to weigh in as well before we wrap up here.

Ron: We’ve got this solution as MDR as Gartner has labeled it, and you know there are a lot of times where, hey, there’s a market and somebody put the sign in my yard saying I sell this. I think that people have jumped on this to be relevant in the marketplace, various MSPs (managed service providers) and MSSPs (managed security service providers). The true essence of managed detection and response really embodies several different looks, multiple feeds into a correlated platform that can be not only monitored but also an added element of prevention and then dynamic detection, which implies a level of hunting, and of course the “R” part of it, the response. What happens if there is something? You can’t just bat it over the fence anymore. We have to make sure that we’re working with the customer from the incident’s start to the recovery.

Doug: Yeah, I think to Ron’s point, we all aspire for security to be fully automated, doesn’t need people, you don’t need to think about it, it doesn’t create friction in the system. That’s not the reality that we live in, and realistically, as I tell my kids who hopefully are going into cybersecurity, they probably don’t have to worry about their career for the rest of their lives either. That’s an unfortunate situation and awareness, but the reality is we’ve all seen new technologies come into the marketplace. They provide better levels of protection. There’s no doubt about it, EDR has evolved to be better than AV in some cases, not all cases, but at the end of the day, you’ve got to have a good visibility across EDR, across network, across logs, across APIs (application programming interface), and that’s going to provide protection across premise, SaaS (software as a service), cloud, mobile, everything that we’ve talked about here. And to Ron’s point, most people believe that inherently, as you buy these new technologies, they just work and they just provide extra protection and extra blocking, and that’s not the reality that we even see in the more advanced EDR space, which is why MDR providers are out there now, is to take all of that noise that still needs to be analyzed at a human level, turn that into actionable events or take action on behalf of the client, be able to respond to data, make sure that ultimately the responses are appropriate. But we see over and over again where the industry launches a new product — back in my day it was like IPS, then it became EDR, then it became lots of things that were just gonna magically block everything bad — and what we see today is a higher volume of things that you still need to deal with more than ever before, and that’s not because these technologies didn’t get better.
It’s simply because they still need to be managed, they need to be adjusted to the customer environment, new threats come out every moment, and that just doesn’t magically happen yet in the world. AI and machine learning and all those things are absolutely improving but far from magic yet today.