At the end of 2020, we alluded to the prediction made by Cybersecurity Ventures' researchers about the global annual cost of cybercrime by 2021: 6 trillion dollars. Now, from the same source, the forecast offered for 2023 is $8 trillion. In other words, this would correspond to $667 billion a month, $21.9 billion a day and $913 million an hour. As these costs grow due to the increase in the number of threats and targets, so does the demand for solutions. According to Fortune Business Insights, the global cybersecurity market will grow from $155.83 billion in 2022 to around $176.71 billion in 2023. This value is not far from that reported by Gartner for spending on information security and risk management products and services for the same year: more than $188.3 billion. In this post, after having reported some cybersecurity trends in 2022, we will talk about other trends in threats and prevention measures that we can expect for 2023.
Phishing, a well-known social engineering tactic whereby a person is tricked into delivering information from or installing malware on a system, continues to be one of the top attack or infection vectors in the world and is likely to remain so in 2023. It can often be easier for an attacker to target and exploit human weaknesses than to detect and take advantage of vulnerabilities in an IT system. What we can expect in the coming year is an increase in the use of an even more sophisticated phishing technique. We speak then of "geo-targeted phishing." In this one, there is a more clever definition of the target. It can be specific groups of people in particular locations. The threat actor seeks greater effectiveness with, for example, more relevant clickbait containing industry-specific and even brand-specific language. This makes and will make these tactics more challenging to detect than traditional phishing.
Phishing is indeed one way in which criminals can perpetrate a ransomware attack. Ransomware, in which the threat actor can deny access to information (even steal it) or block the operations of a system to its owners or users until they pay the ransom, remains one of the most popular attacks worldwide. Even despite the fact that the authorities have already busted and broken up several ransomware gangs. Among the most active gangs at the moment is LockBit. The action of the BlackCat group has gained prominence in recent months too. To this gang, a ransomware attack on the Joint Command of the Armed Forces of Ecuador has been attributed in the last month. However, this entity qualified what was reported in the media as a groundless rumor. Damages from ransomware in 2021 were estimated at $20 billion and are expected to be around $30 billion by 2023. It is also predicted that by 2031 there will be a ransomware attack every 2 seconds, up from every 11 seconds in 2021. It's shocking! And heads up, it's apparently true that many victims are not reporting the attacks, nor will they ever report them. This further complicates the understanding of the picture.
Supply chain attacks
Today it's in vogue to target software supply chains with ransomware attacks. It's even now trite to mention what happened with SolarWinds. But this has been followed by events like those suffered by giants like Toyota, Nvidia and Samsung. In supply chain attacks, criminals exploit vulnerabilities such as the recent Log4Shell in third-party software products (e.g., from suppliers or partners). This leads to the compromise of those who rely on and make use of them, including larger and better-established organizations. Organizations that can invest enough attention and money to secure their perimeter and on-premises systems, but sometimes this is not the case with the third-party software they use.
Therefore, exploiting vulnerabilities in third-party software acts as a gateway to these large organizations, their systems, operations and data. It has been reported that software supply chain attacks in 2021 grew by more than 300% compared to the previous year and that growth is expected to continue in the coming years. One of the associated risks lies in the ever-increasing migration of data and services to the cloud, especially clouds belonging to a small number of providers. Then, a single product or service fails, and there could be too many victims to count. By the way, remember that the responsibility for security incidents in the cloud is not as many people think.
Advances in artificial intelligence (AI), far from being the initial intention, will continue to spell trouble. Deepfake is the use of AI for the creation and modification of audio and visual content with false narratives that appear to come from reliable or authentic sources. Even though it started with, for instance, playful or recreational uses, it is true that today it's beginning to enter the dark side for immoral purposes. This is an increasingly accessible technology, even for people with low technical knowledge. Well-crafted audiovisual content (with large amounts of data to support algorithm accuracy) can give rise to captivating narratives and make social engineering attacks even more effective.
In the inclusion of deepfake to cyberattacks, the threat we will be able to notice over time is the dissemination of information aimed at manipulating people's opinions about others or even obtaining financial resources from them and organizations. Pretending to be the CEO of a company in a virtual meeting or sending a cloned voice message can deceive employees to extract sensitive information or funds from them, for example. This use of AI is of increasing concern as it can lead to more sophisticated cybercrime. As Security Week shared, "Deepfakes, left unchecked, are set to become the cybercriminals' next big weapon." More worryingly, it seems that deepfake detection mechanisms are lagging behind.
Internet of Things (IoT)
We had already mentioned in 2020 how worrying the growing number of IoT devices was becoming and, with it, "the copious number of entry points that will become available to cyberattacks." These devices (e.g., sensors, scanners, vehicles, cameras, fitness watches), beyond standard devices such as computers and smartphones, will bring more opportunities for cybercriminals in 2023. This will be because they tend to have fewer security controls than those other devices and thus expand the attack surface. In concrete figures, some expect that, in the next five years, there will be more than 64 billion IoT devices deployed and connected in the world. (Other sources do not give such high numbers; could it be due to a misunderstanding of what the IoT concept includes?) Their increased presence means increased risk. Their high prevalence as targets for cyberattacks is expected to be a trend in the coming year.
Education and government
For the first half of this year globally, according to a Checkpoint's report, the six industries with the highest average number of attacks per organization every week were education/research, government/military, ISP/MSP, communications, healthcare and finance/banking. The first two industries have been proving very attractive to threat actors and are expected to remain so in 2023. In the education sector, there has been a partial influence of online learning growth due to the pandemic. Although face-to-face classes have been picking up this year, the success of attacks against schools may mean that they remain attractive targets. In fact, it has been pointed out for some time now how ill-prepared schools are to deal with cybersecurity risks. System restoration or return of sensitive data is what cybercriminals often offer in exchange for money from schools which, unlike, for example, commercial companies, have been investing poorly in prevention and defense. We were just writing this post when we found out from The Record that North Idaho College was forced to temporarily shut down its networks due to a cyberattack.
In the government sector, there will continue to be an influence largely from the ongoing cyberwar that has paralleled the nefarious and still active Russian invasion of Ukraine. We will surely witness more attacks by hacker groups linked to these governments seeking to achieve high political as well as economic impact. From Recorded Future, they speak of Russian influence networks that are practicing narrative manipulation operations with the objectives of weakening and dividing the Western coalition that favors Ukraine. These networks seek to modify the positions of the European populations so that they are instead in favor of Russia, suggesting, for example, that the governments of the coalition are responsible for the economic difficulties that their populations are going through. Recorded Future further states that this is expected to continue until the war's end and may even affect future political elections.
In essence, the trends in prevention for the coming year are likely to remain the same as those that have been useful so far in dealing with the recognized threat landscape. There will undoubtedly be more predisposition to implement and mature cybersecurity in organizations. Already in our recent post on trends that had a place in 2022, we discussed the implementation of DevSecOps, emphasizing the integration of security from the beginning of product development ("shift to the left" approach). We mentioned controls such as multi-factor authentication, which will continue to be in vogue, often in addition to creating and using complicated passwords to be constantly modified and maintained in password managers. And we also referred to the identification of risk in third-party software components, which it's prudent to start with the generation of a "software bill of materials" or detailed inventory of resources and dependencies used. (Something that we will, in fact, be implementing in Fluid Attacks' SCA scans in the near future.)
So it will definitely remain crucial for organizations to achieve optimal recognition of their components, interconnecting systems (including IoT devices and remote working equipment, of course) and assets. They must also identify why the latter may be attractive to threat actors. From there, they must seek to understand what risks they face and how they may be vulnerable. Human and technological vulnerabilities then come into question. As we already know, it has become very attractive for attackers to manipulate the human factor in order to infiltrate organizations' systems. And this will continue to be the case. By 2023, therefore, the recommendation and implementation of cybersecurity training for the staff of organizations will remain trends. Yes, training. It'll always be necessary to go beyond awareness. It's not just about recognizing the existence of a problem. It's about learning methods for dealing with threats and crises.
The training must be part of security plans, which include other prevention strategies, incident response methods and strengthening of defenses. According to a survey conducted by UpCity, only 50% of small businesses in the U.S. had a cybersecurity plan for this year. Nonetheless, incidents continue to make organizations aware that cybersecurity is an area in which they need to invest. And as we mentioned at the beginning, the investment will grow. As Gartner says, cloud security is expected to be the strongest growth category in the next two years. In addition, the demand for technology that facilitates secure remote and hybrid work will continue to grow.
With the prevalence of remote and hybrid practices, adopting a zero-trust approach, where restricting access and verifying everything is at the core, will continue to be a trend. It is prudent to remember that security threats can also be inside each organization. As Gartner says, in network security, the transition from virtual private networks (VPNs) to zero trust network access (ZTNA) is expected to keep increasing. In this product or service, as they share in their glossary,
The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. This removes application assets from public visibility and significantly reduces the surface area for attack.
On another point regarding technology, artificial intelligence will continue to be quite useful in the development of automated security systems. Among them will be threat and incident detection and reporting systems that achieve pattern recognition thanks to evolving databases. This same pattern recognition process will continue to be used in Fluid Attacks but for detecting files or components most likely to contain security issues and thus optimize the assessments by our ethical hackers and tools. Indeed, vulnerability detection tools will keep proliferating in the market. It should be clear that owning such solutions without clearly defined strategies can lead many organizations to end up cluttered with technology with duplicated functionality and lots of scattered data, including many false positives.
At Fluid Attacks, we will continue to see human intervention as necessary in security testing. In the long term, manual penetration testing and red teaming will still be highly valued due to their effectiveness. Don't forget the former is a requirement today in standards such as PCI DSS and the latter in frameworks such as TIBER-EU. In 2023, we will continue recommending a combination of manual and automated methods. While the latter delivers vulnerability reports at high speed, it focuses on known vulnerabilities, often superficial, and brings with it high false positive and false negative rates. Manual work is essential for greater accuracy and scope. As we stated in our previous State of Attacks report (and perhaps we'll do so in the next one), in a whole year of security testing, the manual intervention of our ethical hackers was indispensable for identifying all vulnerabilities of critical severity in our targets of evaluation.
Next year, we will continue recommending that you keep your applications or other IT systems under continuous assessment as a preventive measure. Use our Continuous Hacking service, and don't let threat actors catch you by surprise in 2023 (or even right now). Do you want to be part of the trend in cybersecurity implementation? Get started now for free! Try our 21-day free trial, in which our tools will detect vulnerabilities in your software and report them in our platform. The main goal is for you to achieve early remediation of these security issues so that you can ensure security for your organization and your users.
Recommended blog posts
You might be interested in the following related posts.
An OffSec Exploitation Expert review
Towards an approach that engages more than SCA and SBOM
An interview with members of our hacking team
A brief overview of this recent EU draft regulation
What is invisible to some hackers is visible to others
Increase the board's cyber savvy with these reads
Soon it will be a must in cybersecurity due to NIS2
Toyota's ancient and recently disclosed data leaks