SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present new and expanded risk for cybersecurity teams in 2023 and beyond.
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
SecurityWeek Cyber Insights 2023 | Zero Trust and Identity and Access Management (IAM) – Zero trust is not a replacement for identity and access management (IAM), it is an extension in extremis. It is the extension of IAM principles from people to everyone and everything, everywhere and anytime. The difficulties in IAM are retained but are complicated by the complexity of installing it everywhere.
Nevertheless, zero trust is widely seen as an important part of effective cybersecurity. In 2023 we will see more vendors touting a complete zero trust product and/or methodology, and more businesses attempting its implementation.
Here we examine how this might progress through 2023.
Background
Zero trust is a natural evolution from the realization that company networks no longer have a perimeter that can be defended. With no perimeter to defend, every asset needs to be individually protected, and every access needs to be individually verified. Location means nothing – access to anything from anywhere must always be verified before it is granted.
It is a short step from this to realize such verification should apply within the network as well as from outside: east-west (where it is also called ‘microsegmentation’) as well as north-south. Achieve this, and you have fulfilled the journey to zero trust.
Zero trust is the replacement of a defensible data center perimeter with individual defensible asset perimeters – from one to potentially millions.
The DoD Zero Trust Reference Architecture, referred to in an OMB memorandum in January 2022, describes the concept: “Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned). Zero trust requires designing a consolidated and more secure architecture without impeding operations or compromising security. The classic perimeter/defense-in-depth cybersecurity strategy repeatedly shows to have limited value against well-resourced adversaries and is an ineffective approach to address insider threats.”
The OMB memorandum goes on to state, “This memorandum requires agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024.” Two things are immediately apparent: firstly, there will be extensive activity within federal agencies through 2023 to fulfill this requirement (and associated vendor activity to help them achieve this); and secondly, it is no simple task. The trickle-down effect of federal mandates will ensure that adequately resourced private industry will follow.
“Zero trust represents a fundamental shift in the way in which organizations view and approach risk (and in turn security),” explains Chris Denbigh-White, cybersecurity strategist at Next DLP. “Moving through 2023 many organizations are going to realize that zero trust is not so much a destination as a means of conducting the journey of information security. Yes, technology will play a vital role in this journey but should never be confused with the end of the conversation, or indeed the end of the journey.”
It is worth noting that some vendors call their preferred route to zero trust ‘zero trust network access’ (ZTNA). You can get further details on ZTNA here – but within this article we will treat the two terms (zero trust and ZTNA) interchangeably.
Problems and issues for 2023
“The most common mistake organizations make deploying zero trust or microsegmentation is underestimating the complexity of their network,” says John Yun, VP of product strategy at ColorTokens. “An effective zero trust implementation requires the knowledge of all servers, applications that run on the servers, and users authorized to use those applications.”
Matthew Carroll, CEO and co-founder of Immuta, warns that zero trust should not be considered a complete solution on its own. The problem that it seeks to solve is partly due to the massive increase in data sharing that has arisen through the growth of cloud-based SaaS infrastructures. This will result in an increase in data processing agreements (DPA) between companies and SaaS providers. “In 2023, we’ll see DPAs become a standard element of SaaS contracts and data sharing negotiations.”
He still fears that zero trust alone will not provide adequate security. “In 2023 we’ll see a major shift in data security architecture. This will include proper access controls that effectively balance access and security.” But he adds, “Zero trust won’t work using traditional approaches because there are too many endpoints.” Implementing a zero trust approach for access must still be integrated with adequate anomaly detection – zero trust for access should not be at the expense of internal visibility.
The effect of Covid-19 has increased the importance of a zero trust architecture. “The Covid-19 pandemic ushered in a new era of remote and hybrid working,” says Craig Lurey, CTO and co-founder at Keeper Security. “The explosion in the sheer number of endpoints, with an increasing amount of them accessed remotely, requires a higher level of security to tackle growing online threats. Under this new normal, zero trust is now the only realistic and comprehensive framework for securing modern, cloud-based data environments and distributed workforces.”
Joseph Carson, chief security scientist at Delinea, adds, “A zero trust approach will become more essential than ever as the transformation continues. Employees should have access only to what they need to efficiently do their job. This will ensure that an attacker’s ability to move within the larger business network is limited and the attack surface reduced.” But he also notes that this could raise privacy issues if employers impose conditions on personally owned computers.
“It appears remote work is here to stay and will increase into 2023,” says John McClurg, SVP and CISO at BlackBerry. “Enterprises should look to adopt a zero trust architecture and security model to truly secure their remote workforces. This model is defined by trusting no one and absolutely nothing by default – including users inside an actual network. By assuming every user, device or network is hostile, zero trust security forces everyone to prove who they are before access is authorized.”
The urgency of the pandemic and the consequent rush to implement remote working is in many cases causing problems for the integration of an overarching zero trust solution. “The majority of organizations today still struggle with allowing explicit access to applications and enforcing zero trust policies across their business. In fact, over 80% of organizations have found it difficult to implement a zero trust model, and that has a lot to do with the fact that many organizations have hybrid IT architectures,” explains Peter Newton, senior director of products at Fortinet.
The problem is that it is too cumbersome to have one set of policies for on premises and an entirely different set of policies for the cloud. Consequently, he says, “In 2023 we will see more IT teams shift to incorporate ZTNA across the entire network – from cloud to on-premises – for universal coverage under a single solution. And as ZTNA begins to go mainstream in the enterprise, we’ll start to see organizations transition away from a pay-per-user model and start to bake ZTNA directly into their security architecture for a more seamless and consistent user and management experience.”
At its root, zero trust is a major extension of identity and access management (IAM) – but IAM itself is a problem that has never yet been completely solved. “Organizations are still learning the concept of identity sprawl and the scale of their technical debt, which means that companies are just starting to realize the scale of the challenge,” comments Wade Ellery, field CTO at Radiant Logic.
“In 2023, we are going to see more and more businesses slow down to speed up – they’ll recognize they need to put in an identity data foundation before they can justify building new, revenue-oriented projects that demand access to identity.”
For zero trust, he added, “As we move into 2023, senior decision-makers and security teams are discussing how they can achieve a granular approach in real-time, and ultimately, they will come back to the issue of identity data management.”
More and more companies are recognizing the theoretical security benefits of zero trust and are starting their own journeys. In 2023, the difficulties in doing so will become more apparent – but it’s not all doom and gloom. “To a certain extent, factors such as internal politics, talent shortages, and economic conditions play a role in any IT project,” comments Hendra Hendrawan, security technical councilor at the Info-Tech Research Group. “Still, organizations with a good IT or cybersecurity strategy should embark on the zero trust journey with fewer frictions.”
At a high level, he says a successful IT implementation generally consists of well-documented processes, good selections of technology, and great talents. “Couple these with a solid security strategy, and achieving a zero trust architecture should not be a question of how but of when.”
That ‘when’ will be many years in the making. “Zero trust is a security model, not a product. Adopting zero trust across an enterprise requires careful planning and the use of complementary, multi-vendor solutions,” warns Torsten Staab, principal engineering fellow at Raytheon Intelligence and Space. “For many organizations, adopting zero trust security will be a multi-year journey. Establishing a solid zero trust strategy up front and developing a phased, step-by-step implementation plan to avoid boiling the ocean and losing focus will be key to a successful zero trust implementation.” But for 2023, he added, “Look for additional zero trust implementation guidance and recommendations from NIST and CISA.”
IAM issues
Foundational to implementing zero trust will be solving the existing IAM problems – and that will not be easy. The traditional approach has been to implement basic MFA involving a second-factor token delivered via a mobile phone – but such MFA is frequently broken by hackers.
“My prediction for 2023,” says Ben Brigida, director of SOC operations at Expel, “is that we will witness an increase in MFA push notification fatigue attacks. Why? Because they’re working. More and more, organizations are turning to cloud access identity providers for single sign-on capabilities. Attackers know that if they can get their hands on credentials for these platforms, they’ll get access to critical business applications—not just email. So, they’re sending multiple push notification requests to users and hoping the user will just approve one to make the notifications stop.”
Chris Vaughan, VP technical account management, EMEA and South Asia at Tanium, calls this an MFA push exhaustion attack. “This is where an attacker sends a large number of MFA acceptance prompts to users’ phone which may cause them to click accept to stop the barrage of requests. This has been largely successful in gaining access to user data and accessing IT environments.”
“Once considered a ‘silver bullet’ in the fight against credential stuffing,” adds Marcus Fowler, CEO of federal government for Darktrace, “it hasn’t taken attackers long to find and exploit weaknesses in MFA and they will continue to do so in 2023.”
John Stevenson, senior product director at Cyren, expands on the problem: “Phishing will remain an unsolved problem leading to countless account takeover attacks. As businesses enable MFA, phishers will update their tactics to defeat additional verification steps like one-time codes sent to phones or email addresses. So-called strong authentication methods that rely on mobile phones and email accounts (that were never intended to be identities) will be the first to prove insecure for high-risk use cases. Passwordless authentication won’t yet solve these issues due to insufficient lifecycle management solutions and incompatibility with legacy systems.”
John Pescatore, director of emerging security trends at SANS, sees an additional phone-based threat to identity management. “While mobile phones are more secure than desktops,” he comments, “we will also see a greater volume of stalkerware included in downloaded apps that target consumers.”
Pegasus spyware is a prime example of this threat – it can install itself on iOS and Android devices with zero clicks. Hackers are also creating malicious stalkerware apps and hiding them in app stores.
“As people become more accustomed to downloading family tracking software and giving away app permissions, the risk of having their keystrokes, locations, voice, and even photos and videos recorded for financial theft and other nefarious purposes will also increase.”
If second-factor one-time codes and passwordless authentication are not the solution to the IAM issue, an alternative must be found. Many have been suggested, from physical biometrics (including touchless fingerprinting) to behavioral biometrics and more.
“Touchless fingerprinting will emerge as the top authentication method,” claims Chase Hatcher, VP of technology and innovation at Telos. “In 2023, organizations with a pre-existing fingerprint database infrastructure will increasingly turn to touchless fingerprinting to perform remote biometric identity verification,” he says. “With regards to authentication, we’ll see identity platforms backed by multi-modal true biometrics (face and fingerprint) and ‘convenience biometrics’ embedded mobile solutions like faceID and touchID emerge.”
“In 2023, more people will protect their critical accounts with methods other than logins and passwords,” adds Ricardo Amper, founder and CEO at Incode. “When creating accounts, they will provide multiple factors such as biometrics, government-issued identity documents, and information from reliable sources to prove their identities. When authenticating access to these accounts, they will use biometrics, providing more security for their private data.”
Donnie Scott, CEO at Idemia, has a more specific US identity prediction for 2023. “In 2023, every jurisdiction that issues an identity will have deployed, be in the process of deploying, or considering the deployment of a digital form of mobile identity/mobile-driver’s license. Arizona was the first US state to adopt mobile IDs followed by Oklahoma, Delaware, and Mississippi. Up to 30 states, including Colorado, Hawaii, Ohio, and the territory of Puerto Rico, are in the process of making mobile IDs available to their residents. We will only see this increase.”
He is very upbeat about the potential. “The benefits of this model, where biometrics meets identity, are a citizen-controlled assertion of identity, backed by the Government’s high standard of proof against who that person is. This combination results in a high assurance, privacy protected model.”
But the problem for this, and virtually every other means of remote identification, is that ultimately it identifies a mobile phone and not necessarily the owner or current user of that phone. A compromised phone can still lead to a compromised identity. Absolute proof of personal identity for perfect zero trust is very difficult.
And we haven’t even mentioned machine identities, which are equally important in a zero trust architecture, and present their own problems.
Summary
“Modern security solutions that remove the implicit trust from users, devices, services, and workloads, regardless of the location will become the norm,” says Stefan Schachinger, product manager network security at Barracuda. “The ‘context’ of who, what, when, where, and how will become key security components in a world of continuous zero trust evaluation that will defend against ever more stealthy threats. In 2023, just detecting and blocking malicious events will no longer be sufficient. You need to investigate and remediate everything.”
Achieving a solid zero trust architecture won’t happen overnight. It’s not a product you can buy and run. It will require the integration of different security solutions – some of which may already be present while others will need to be purchased, implemented, and integrated seamlessly. Many companies will start the journey in 2023, and many others will make progress – but getting close to the destination will probably take years.
Nevertheless, “Zero trust represents a new cybersecurity paradigm that offers numerous benefits to organizations of all sizes and industries. Deploying a zero trust approach to access management can be especially effective, creating a virtual ‘locking of shields’ between governments and the private sector,” says McClurg. “This allows for closer cooperation to better protect critically important infrastructure and services.”
“I like to keep this stuff abstract,” Steve Riley, field CTO at Netskope, told SecurityWeek. “I want to eliminate implicit trust from every layer: from the network, from applications, from virtual machines and from the data objects. Instead, I want the situation where every interaction is mediated by something, and the level of confidence in that interaction is measured by the context and the signal surrounding.”
SecurityWeek Cyber Insights 2023 | Venture Capital – We are in a period of huge turmoil. Cybercrime is increasing and becoming more destructive, driven by better organized criminals and geopolitically active nation states. And many commentators believe there is a strong likelihood of a global recession before the end of 2023.
Here we have one simple question: how will these political/economic conditions affect venture funding for cybersecurity firms during 2023?
Background
The bad news in any economic downturn is that business suffers, profits dip, staff are laid off, and budgets are cut. The better news for cybersecurity vendors is that they are somewhat insulated from these effects. Cybercrime is more likely to increase than decrease during a recession, and business must retain a strong cybersecurity posture if they wish to survive. The demand for strong and proven security controls will continue.
At the same time, the availability of capital for investment in new and growing cybersecurity firms remains constant and high, and is largely unaffected by short term economic downturns. This available capital is known in the venture capital industry as ‘dry powder’ (capital that is available and ready for use).
None of this means that all cybersecurity vendors will survive the downturn, nor that all will remain profitable. At the very least, profits are likely to dip as business is forced to do more with fewer resources. Dry powder isn’t money to burn, and the venture capital industry will adapt its priorities for new and further investment to the current realities.
One area that will stand proud despite economic headwinds is the cloud. “Cloud software is the deflationary force enabling productivity in a high inflation environment. Cloud-native is not an option, it’s a necessity,” wrote Battery Ventures in its State of the OpenCloud 2022 report published in November 2022.
Dry powder
Dry powder is raised from the VC industry’s limited partners (LPs). These might be pension funds, endowments, family offices, sovereign wealth funds, and corporations. “Most funds operate on a ten-year lifecycle, with funds typically being deployed over the first four or five years of a fund’s life,” explains Sidra Ahmed, investment principal at Munich Re Ventures – which explains the continued availability of investment funds despite current economic conditions.
According to Pitchbook data, there was approximately $290 billion of cumulative dry powder committed to venture capital as of the first half of 2022. It is these funds that are called on when venture capitalists invest in companies. It must be said, of course, that VC’s dry powder isn’t committed solely to cybersecurity firms although cybersecurity remains a favored investment area.
Different VC organizations tend to specialize in different areas. For example, “YL Ventures raised its $400 million fifth fund at the beginning of 2022, dedicated exclusively to investing in Israeli cybersecurity startups,” explains Yoav Leitersdorf, managing partner at YL Ventures. “This fund has been used to invest in only a small number of companies to date, all of which are still in stealth, in line with our very disciplined strategy of investing strategically in a select number of exceptional startups.”
VC organizations try to use all the funds they get from their LPs – but not at any cost. They still need to demonstrate value to the LPs. Bad investments will lead to difficulties in raising new funds, while not using the funds raised is like a business unit not using its whole annual budget – it might lead to a lower budget next year.
The difficulty for cybersecurity firms in raising investment funds in 2023 will not be because the funds don’t exist, but because the VC firms will be taking more concern over where the funds are invested.
Effect of an economic downturn
“The pace of investing is certainly going to change,” comments Ahmed. “With more uncertainty around budgets and sales cycles, investors will spend more time assessing deals that are able to withstand a time of austerity – companies with critical productions and solutions will be prioritized. There will be a lot more scrutiny of deals, valuations, and co-investors. Investors will also be focused on supporting their own portfolios.”
Jake Heller, partner at KKR and head of tech growth equity Americas, believes the impact is unlikely to be felt evenly. “We have already seen the pullback in public markets affecting fundraising for some growth and early-stage companies,” he said. “In general, we expect the tightening of funding conditions to continue into 2023; however, we believe that capital will continue to be available to entrepreneurs and management teams who are able to effectively manage costs and allocate capital to growth opportunities with high potential for returns.”
Translated to the market, this all implies that startups don’t necessarily have sales targets that they can miss and can possibly ride out a recession before they need to show sustained profits; mid-growth companies seeking growth funding are likely to suffer with lower-than-expected profits and be less attractive to VCs; while established firms preparing for an IPO will likely need to survive the recession before proceeding.
“Market conditions had a dramatic impact on 2022 funding rounds, and we aren’t out of the woods yet,” says Leitersdorf. “The fallout is trickling from the top down. IPOs dropped this year from thousands to just over 100, the lowest number since 2016. There was a near stall in growth stages and a significant slowdown in Series C and D rounds, a steep decline in Series B rounds and a struggle to raise significant Series A rounds.”
In short, money is still available for attractive startups (seed and possibly A rounds), will require deeper consideration for growth equity (B, C and D rounds), and is much more difficult for pre-IPO companies (E rounds and above). In the last case, venture firms are looking closely at M&As to consolidate and strengthen their existing investments – but in all cases (apart from startups) venture firms will concentrate on further investments in their existing portfolios.
Outlook for startups
Leitersdorf remains upbeat on the prospects for investment in cybersecurity startups in 2023. “In today’s threat landscape, cybersecurity risks have become business risks. Organizations cannot afford to be lenient with threats to their assets, and executives now understand that security has a direct impact on their company’s reputation, business continuity and revenue,” he explains.
“Therefore, security will continue to be top-of-mind, as long as attacks continue to grow and evolve, demanding new and equally sophisticated security solutions. We see that investors are still eager to invest in the most promising startups in our industry with the greatest potential to lead their categories in the future. Capital will continue to flow to this necessary sector, as new and more challenging problem spaces continue to emerge.”
DataTribe, which describes itself as a cyber startup foundry (both an incubator and VC firm), is more circumspect. Funding will be harder, but potentially higher. John Funge, MD, explains, “Looking ahead, 2023 will be a slog for startups raising money. It will take longer for startups to complete next rounds as venture firms are both focusing more attention on their current portfolio as well as being more selective in new investments.”
He believes there will be fewer deals. “There will be a ‘flight to quality’ and the bar for attracting funding will be higher. Top startups that are hitting performance metrics will get funded at valuations not too far off historical. However, startups with a few words that previously would have gotten funded may find it hard to get funded at all — versus getting funded on less attractive terms.”
But he adds, “Historically, some of the most successful technology companies started during downturns. We don’t see it being any different this time around. It will be a tricky period to be a pre-IPO company, but likely an excellent time to be starting a new venture.”
Outlook for growth funding
Growth funding will become more difficult in 2023, and potentially more necessary. “We’ve already seen growth rounds plummeting in 2022, and this trend will most likely continue into 2023,” explains Leitersdorf. “Capital is available, but it will become increasingly expensive, and investors will prefer to use it in order to fuel innovative, early-stage startups that will require less capital at lower valuations.”
A particular problem for growth companies is in part historical. “The valuations of many growth-stage startups were significantly inflated in 2021 and were not based on sustainable growth metrics, revenue, or performance,” he continued. “Many of these growth-stage startups will be forced to raise funding in 2023 after scaling rapidly and burning through their capital in 2022. We, therefore, foresee an increase in growth rounds next year, most probably with unfavorable terms for founders, employees, and existing investors.”
But, adds Ahmed, “There is still a lot of capital available. Investors will be holding companies to their performance so we might see more down rounds into 2023.”
Bob Ackerman, founder of AllegisCyber and member of the board at DataTribe, agrees with this sentiment. “Undifferentiated and sub-critical mass cyber companies without truly compelling solutions are likely to be challenged as they go to the VC community for capital,” he said. “Investors will be materially more discriminating in the deployment of capital.”
Outlook for M&A consolidation
M&A activity has increased rapidly over the last few years. This trend will continue, driven by a number of different factors: desire among security users to consolidate their existing disparate security controls; a rush to the nearest exit point among startups; declining valuations making attractive targets; and a safe haven for further VC investments.
“The cybersecurity market is approaching bloated status,” comments Hank Thomas, CEO at Strategic Cyber Ventures. “There are too many vendors chasing the same dollars with similar technology. People in charge of purchasing decisions, often CISOs, are looking for more integrated security platforms and fewer point-solution tools. PE firms and other later-stage investors are looking to bring in bigger players to serve as anchors for rollups and bolt-on acquisitions.”
Will Lin, venture partner at Forgepoint Capital, agrees. “I believe that we’ll see security M&A significantly pick up in 2023. The main reason being that so many security companies have been created in the past couple of years. When so many of these companies, full of amazing talent, come up to the crossroads of M&A or raising their next round, I believe the market dynamics will re-shuffle in a way where M&A will be considered the best next step.”
Security vendors are seeking to support their users by consolidating point products from different vendors into integrated solutions from single vendors. “The rapid expansion of new security products has led to many organizations purchasing the ‘latest and greatest’ without having a strong integration plan in place,” explains Dave Gerry, CEO at Bugcrowd. “Without a clear deployment and integration plan, even the best security product will go underutilized. For the past few years, the industry has seen an incredible amount of M&A consolidation.”
This process will continue through 2023. “Security organizations are looking internally for ways to leverage existing tool sets or upgrade existing tool sets versus adding to their ever-growing technology stack,” he continued. “This growing need for security vendor consolidation will continue to be driven by both the cost of the security products and the limited internal resources to effectively operate the products.”
Ackerman agrees with this sentiment. “Investors will be materially more discriminating in the deployment of capital with a significant pick up in M&A activity as the market looks to consolidate point products into broader security platforms,” he suggests.
The second driver for M&A activity comes from the transition from early stage to growth requirements. Early stage is still attractive to investors — growth stage is more difficult. As startups burn through their early financing, they will find it more difficult to secure further growth funding — and may find an early exit an attractive option, bumping into the consolidation driver.
This process may be actively promoted by the VC industry. “A new wave of innovation is needed in the security industry. Things have become stale,” explains Thomas. “VC investment will still drive innovation since larger companies often lose the ability to innovate, especially in security. As a result, we will see large entities acquiring VC backed companies earlier as established PE backed platform companies make tuck in and bolt-on acquisitions to remain relevant.”
Leitersdorf expands on this possibility. “Large security vendors such as Microsoft, SentinelOne, Akamai, CrowdStrike, IBM, CyberArk and Okta are strengthening their corporate development divisions and doubling down on in-house investment funds (CVCs), looking for strong talent and tech,” he said. “These venture arms of large security vendors will most likely become increasingly active in both investments and M&A deals in the coming years and make the option of acquisition more attractive for struggling startups.”
One effect of a downturn in the economy is that company valuations are lowered. This is already happening, and is likely to get worse in 2023. On December 14, 2022, the Federal Reserve raised interest rates by half a point — and US stock markets fell. The intention was to put a curb on high inflation rates, but it simultaneously increases the likelihood of a recession in 2023.
If this happens, company valuations will go lower. This in turn will make companies with good products but reduced valuations an attractive target for larger companies with money — and of course VC firms. VC firms will likely be driven to use their dry powder on their own existing portfolios rather than look for different companies in which to invest.
The current market conditions look set to promote increasing M&A activity through 2023. “The current state of the global economy will also encourage hyperscalers to move toward an M&A cyber strategy,” summarizes Simon Chassar, CRO at Claroty. “Furthermore, start-ups will struggle as we see less investment from PE or VCs, therefore creating an opportunity for some of the larger cash-strong security control companies to gain market share at a relatively low price.”
What VCs look for…
2023 will be a year when the VC firms have money to invest, but the economic conditions will force them to be careful where they invest it. Cybersecurity will remain an attractive sector, but the security vendors will need to work harder to get new funding. Two questions come to mind: which security sectors are most attractive to the investors, and how do they choose a specific vendor?
Favored cybersecurity sectors
Heller believes that continuing digital transformation will provide new opportunities. “We believe that digital transformation, which has been accelerated by the global pandemic, will continue to create significant opportunities and challenges across industries and geographies,” he said. “These broader trends span new methods of collaboration, workforce transformation, cloud migration, automation and testing, supply-chain disruption, and digital adoption.”
Sidra says her firm is focusing on data and the threats it faces. “With rapid cloud adoption, companies are struggling to understand where their data sits and how to put sufficient security and controls around it.” Furthermore, she adds, “The penalties regarding sensitive data being breached are increasing at an exponential rate globally, making it even more of a priority for companies to be sufficiently protected.”
And there are new and still evolving threats to data. “As more companies adopt machine learning and analytical models to make data-driven decisions,” she continued, “there is now a need to protect data (and the models we build on the data) from being compromised. There are also questions around the validity of data and how to discern true data and information from coordinated disinformation campaigns and narratives.”
Leitersdorf adds identity to data as an area attractive to investors. “Malicious cyber actors have focused their most egregious attacks on two specific vectors in the past two years – data and identity,” he says. Attackers have leveraged the gaps, misconfigurations and problems surrounding credentials, identity, and access provisions to steal data. This will continue.
“Therefore,” he continued, “we have been focusing our attention on innovative security solutions that strive to tackle these problems and ensure that organizational security postures are strengthened accordingly.”
Favored companies
While different VCs may be attracted to different cybersecurity sectors, they must still choose which individual companies to support. “A large part of the decision is based on the management team and our perception of its ability to execute on the vision effectively, and evolve that vision over time,” said Ahmed. “Other criteria include tech differentiation, product vision, competition, size of market and TAM [total addressable market], and path to exit.”
Leitersdorf takes an almost identical stance. “The technology must be remarkable, deep, and innovative – that’s a given. However, even the most groundbreaking idea and cutting-edge tech won’t develop into a top-tier startup without an exceptional team,” he explained.
“We invest in strong teams that combine determination, talent, and an unrelenting passion for solving the most acute problem spaces in cybersecurity. The cybersecurity market is saturated with startups solving niche problems, and we’re looking for founders that stand out, go big and break the mold.”
The same goes for Heller. “Once we have found a sector we like, we generally look for companies that are market leaders or have a real competitive advantage. Cultural fit and alignment is also very important to us and in many cases, we have built relationships with the entrepreneurs and management teams we’re investing in over multiple years.”
The basic conclusion is that prospective vendors won’t get consideration without an excellent product in an expanding or vital sector. But where two attractive companies exist, the one with the stronger management team is more likely to succeed.
Summary
Acquiring venture capital in 2023 may be more difficult than it has been in recent years, but it remains viable and available. “In 2023, cyber will be softer but will remain a bright spot for investing,” explains Funge. “Compared to the nearly 24% year-on-year decline in deal activity across all verticals, cyber deal activity across all investment stages is down only 3%.”
What will change most is the decision-making process of the VC firms. They will still wish to invest, and probably at the same overall levels they have been investing. But fears of bad investments in a down economy will make them concentrate on areas that give them the greatest confidence. This may mean more money going to fewer companies. While B, C and D rounds might be left with difficult, declined, or down rounds, seed and startup A rounds might reach new heights. Any money left over will be focused into M&A.
SecurityWeek Cyber Insights 2023 | Ransomware – The key purpose behind cybercriminality is to gain money. Extortion has always been a successful and preferred method to achieve this. Ransomware is merely a means of extortion. Its success is illustrated by the continuous growth of ransomware attacks over many years.
The evolution of ransomware has not been static. Its nature has changed as the criminals have refined the approach to improve the extortion, and the volume (generally upward) has ebbed and flowed in reaction to market conditions. The important point, however, is that criminals are not married to encryption, they are married to extortion.
The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions: the geopolitical influence of the Russia/Ukraine war, the improving professionalism of the criminal gangs, and more forceful attempts by governments and law enforcement agencies to counter the threat.
The cyberwar effect
The Russia/Ukraine war has removed our blinkers. The world has been at covert cyberwar for many years – generally along the accepted geopolitical divide – but it is now more intense and more overt. While the major powers, so far at least, have refrained from open attacks against adversaries’ critical infrastructures, criminal gangs are less concerned.
“The rate of growth in ransomware attacks is currently slowing slightly [late 2022] – but this will prove to be a false dawn,” suggests Mark Warren, product specialist at Osirium. “Currently, the most successful teams of cybercriminals are focused on attacking Ukraine’s critical infrastructure. The second that conflict is over, all the technology, tools and resources will be redeployed back into ransomware attacks – so organizations and nation states alike must not become complacent.”
One of the most likely effects of the European conflict will be an increasingly destructive effect from ransomware. This has already begun and will increase through 2023. “We are seeing an increase in more destructive ransomware attacks at scale and across virtually all sector types, which we expect to continue into 2023,” comments Aamir Lakhani, cybersecurity researcher and practitioner for FortiGuard Labs.
“Ransomware will continue to make headlines, as attacks become more destructive, and threat actors develop new tactics, techniques, and procedures to try and stay one step ahead of vendors,” agrees John McClurg, SVP and CISO at BlackBerry.
“We expect ransomware to continue its assault on businesses in 2023,” says Darren Williams, CEO and founder at BlackFog. “Specifically, we will see a huge shift to data deletion in order to leverage the value of extortion.”
There are two reasons for this move towards data deletion. Firstly, it is a knock-on effect of the kinetic and associated cyber destruction in Ukraine. But secondly it is the nature of ransomware. Remember that ransomware is merely a means of extortion. The criminals are finding that data extortion is more effective than system extortion via encryption. Andrew Hollister, CISO at LogRhythm, explains in more detail:
“In 2023, we’ll see ransomware attacks focusing on corrupting data rather than encrypting it. Data corruption is faster than full encryption and the code is immensely easier to write since you don’t need to deal with complex public-private key handling as well as delivering complex decryption code to reverse the damage once the victim pays up,” he said.
“Since almost all ransomware operators already engage in double extortion, meaning they exfiltrate the data before encrypting it, the option of corrupting the data rather than going to the effort of encryption has many attractions. If the data is corrupted and the organization has no backup, it puts the ransomware operators in a stronger position because then the organization must either pay up or lose the data.”
It should also be noted that the more destruction the criminal gangs deliver after exfiltrating the data, the more completely they will cover their tracks. This becomes more important in an era of increasing law enforcement focus on disrupting the criminal gangs.
But there is an additional danger that might escape from the current geopolitical situation. Vitaly Kamluk, head of the Asia-Pacific research and analysis team at Kaspersky, explains: “Statistically, some of the largest and most impactful cyber epidemics occur every six to seven years. The last such incident was the infamous WannaCry ransomware-worm, leveraging the extremely potent EternalBlue vulnerability to automatically spread to vulnerable machines.”
Kaspersky researchers believe the likelihood of the next WannaCry happening in 2023 is high. “One potential reason for an event like this occurring,” continued Kamluk, “is that the most sophisticated threat actors in the world are likely to possess at least one suitable exploit, and current global tensions greatly increase the chance that a ShadowBrokers-style hack-and-leak could take place.”
Finally, it is worth mentioning an unexpected effect of the geopolitical situation: splintering and rebranding among the ransomware groups. Most of the larger groups are multi-national – so it should be no surprise that different members might have different geopolitical affiliations. Conti is perhaps the biggest example to date.
“In 2022, many large groups collapsed, including the largest, Conti,” comments Vincent D’Agostino, head of digital forensics and incident response at BlueVoyant. “This group collapsed under the weight of its own public relations nightmare, which sparked internal strife after Conti’s leadership pledged allegiance to Russia following the invasion of Ukraine. Conti was forced to shut down and rebrand as a result.” Ukrainian members objected and effectively broke away, leaking internal Conti documents at the same time.
But this doesn’t mean that the ransomware threat will diminish. “After the collapses, new and rebranded groups emerged. This is expected to continue as leadership and senior affiliates strike out on their own, retire, or seek to distance themselves from prior reputations,” continued D’Agostino.
The fracturing of Conti and the multiple rebrandings of Darkside into their current incarnations have demonstrated the effectiveness of regular rebranding in shedding unwanted attention. “Should this approach continue to gain popularity, the apparent number of new groups announcing themselves will increase dramatically when in fact many are fragments or composites of old groups.”
Sophistication
The increasing sophistication, or professionalism, of the criminal gangs is discussed in Cyber Insights 2023: Criminal Gangs. Here we will focus on how this affects ransomware.
RaaS
The most obvious is the emergence of ransomware-as-a-service. The elite gangs are finding increased profits and reduced personal exposure by developing the malware and then leasing its use to third-party affiliates for a fee or percentage of returns. Their success has been so great that more, lesser skilled gangs will follow the same path.
“It initially started as an annoyance,” explains Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct, “but now after years of successful evolution, these gangs operate with more efficiency than many Fortune 500 companies. They’re leaner, meaner, more agile, and we’re going to see even more jump on this bandwagon even if they’re not as advanced as their partners-in-crime.”
The less advanced groups, and all affiliates of RaaS, are likely to suffer at the hands of law enforcement. “It is likely that there will be a constant battle between law enforcement agencies and ransomware affiliates. This will either be veteran/more established ransomware affiliates or new ransomware groups with novel ideas,” comments Beth Allen, senior threat intelligence analyst at Intel 471.
“Much like whack-a-mole, RaaS groups will surface, conduct attacks, be taken down or have their operations impacted by LEAs – and then go quiet only to resurface in the future. The instability within criminal organizations that we have observed will also be a contributing factor to groups fading and others surfacing to fill the void.”
Changing tactics
As defenders get better at defending against ransomware, the attackers will simply change their tactics. John Pescatore, director of emerging security trends at SANS, gives one example: “Many attackers will choose an easier and less obtrusive path to gain the same critical data. We will see more attacks target backups that are less frequently monitored, can provide ongoing access to data, and may be less secure or from forgotten older files.”
Drew Schmitt, lead analyst at GuidePoint, sees increased use of the methodologies that already work, combined with greater attempts to avoid law enforcement. “Ransomware groups will likely continue to evolve their operations leveraging critical vulnerabilities in commonly used applications, such as Microsoft Exchange, firewall appliances, and other widely used applications,” he suggested.
“The use of legitimate remote management tools such as Atera, Splashtop, and Syncro is likely to continue to be a viable source of flying under the radar while providing persistent access to threat actors,” he added.
But, he continued, “ransomware ‘rebranding’ is likely to increase exponentially to obfuscate ransomware operations and make it harder for security researchers and defenders to keep up with a blend of tactics.”
Warren expects to see criminal ransomware attacks focusing on smaller, less well-defended organizations. “State actors will still go after large institutions like the NHS, which implement robust defenses; but there are many small to mid-size companies that invest less in protection, have limited technical skills, and find cyberinsurance expensive – all of which makes them easy targets.”
This will partly be an effect of better defenses in larger organizations, and partly because of the influx of less sophisticated ransomware affiliates. “We can expect smaller scale attacks, for lower amounts of money, but which target a much broader base. The trend will probably hit education providers hard: education is already the sector most likely to be targeted,” he continued.
He gives a specific example from the UK. “Every school in the UK is being asked to join a multi-academy trust, where groups of schools will be responsible for themselves. With that change comes great vulnerability. This ‘network’ of schools would be a prime target for ransomware attacks; they are connected, and they’re unlikely to have the resilience or capabilities to protect against attacks. They may have no choice but to reallocate their limited funds to pay ransom demands.”
But it won’t just be more of the same. More professionalized attackers will lead to new attack techniques. Konstantin Zykov, senior security researcher at Kaspersky, gives an example: the use of drones. “Next year, we may see bold attackers become adept at mixing physical and cyber intrusions, employing drones for proximity hacking.”
He described some of the possible attack scenarios, such as, “Mounting drones with sufficient tooling to allow the collection of WPA handshakes used for offline cracking of Wi-Fi passwords or even dropping malicious USB keys in restricted areas in hope that a passerby would pick them up and plug them into a machine.”
Marcus Fowler, CEO of Darktrace Federal, believes the existing ransomware playbook will lead to increased cloud targeting. “Part of this playbook is following the data to maximize RoI. Therefore, as cloud adoption and reliance continue to surge, we are likely to see an increase in cloud-enabled data exfiltration in ransomware scenarios in lieu of encryption,” he said. “Third-party supply chains offer those with criminal intent more places to hide, and targeting cloud providers instead of a single organization gives attackers more bang for their buck.”
Evasion and persistence are other traits that will expand through 2023. “We continue to see an emergence in techniques that can evade typical security stacks, like HEAT (Highly Evasive Adaptive Threats) attacks,” says Mark Guntrip, senior director of cybersecurity strategy at Menlo. “These tactics are not only tricking traditional corporate security measures but they’re also becoming more successful in luring employees into their traps as they identify ways to appear more legitimate by delivering ransomware via less suspecting ways – like through browsers.”
Persistence, that is, a lengthy dwell time, will also increase in 2023. “Rather than blatantly threatening organizations, threat actors will begin leveraging more discreet techniques to make a profit,” comments JP Perez-Etchegoyen, CTO at Onapsis. “Threat groups like Elephant Beetle have proven that cybercriminals can enter business-critical applications and remain undetected for months, even years, while silently siphoning off tens of millions of dollars.”
David Anteliz, senior technical director at Skybox, makes a specific persistence prediction for 2023: “In 2023, we predict a major threat group will be discovered to have been dwelling in the network of a Fortune 500 company for months, if not years, siphoning emails and accessing critical data without a trace. The organizations will only discover their data has been accessed when threat groups threaten to take sensitive information to the dark web.”
Fighting ransomware in 2023
The effect of ransomware and its derivatives will continue to get worse before it gets better. Apart from the increasing sophistication of existing gangs, there is a new major threat – the worsening economic conditions that will have a global impact in 2023.
Firstly, a high number of cyber-competent people will be laid off as organizations seek to reduce their staffing costs. These people will still need to make a living for themselves and their families – and from this larger pool, a higher than usual number of otherwise law-abiding people may be tempted by the easy route offered by RaaS. This alone could lead to increased levels of ransomware attacks by new wannabe criminals.
Secondly, companies will be tempted to reduce their security budgets on top of the reduced staffing levels. “Once rumblings of economic uncertainty begin, wary CFOs will begin searching for areas of superfluous spending to cut in order to keep their company ahead of the game,” warns Jadee Hanson, CIO and CISO at Code42. “For the uninformed C-suite, cybersecurity spend is sometimes seen as an added expense rather than an essential business function that helps protect the company’s reputation and bottom line.”
She is concerned that this could happen during a period of increasing ransomware attacks. “These organizations may try to cut spending by decreasing their investment in cybersecurity tools or talent – effectively lowering their company’s ability to properly detect or prevent data breaches and opening them up to potentially disastrous outcomes.”
One approach, advocated by Bec McKeown, director of human science at Immersive Labs, is to treat remaining staff as human firewalls. “I believe that 2023 will be the year when enterprises recognize that they are only as secure and resilient as their people – not their technologies,” she says. “Only by supporting initiatives that prioritize well-being, learning and development, and regular crisis exercising can organizations better prepare for the future.”
Done correctly, she believes this can be achieved in a resource- and cost-effective manner. “Adopting a psychological approach to human-driven responses during a crisis – like a cybersecurity breach – will ensure that organizations fare far better in the long run.”
But perhaps the most dramatic response to ransomware will need to come from governments, although law enforcement agencies alone won’t cut it. LEAs may know the perpetrators but will not be able to prosecute criminals ‘protected’ by adversary nations. LEAs may be able to take down criminal infrastructures, but the gangs will simply move to new infrastructures. The effectively bullet-proof hosting provided by the Interplanetary File System (IPFS), for example, will increasingly be abused by cybercriminals.
The only thing that will stop ransomware/extortion will be the prevention of its profitability – if the criminals don’t make a profit, they’ll stop doing it and try something different. But it’s not that easy. At the close of 2022, following major incidents at Optus and Medibank, Australia is considering making ransom payments illegal – but the difficulties are already apparent.
As ransomware becomes more destructive, paying or not paying may become existential. This will encourage companies to deny attacks, which will leave the victims of stolen PII unknowingly at risk. And any sectors exempted from a ban will have a large target on their back.
While many foreign governments are known to be, or have been, considering a ban on ransom payments, this is unlikely to happen in the US. In a very partisan political era, the strength of the Republican party – with its philosophy of minimal government interference in business – will make it impossible.
In the end, it’s down to each of us…
Ultimately, beating ransomware will be down to individual organizations’ own cyber defenses – and this will be harder than ever in 2023. “There’s no letup in sight,” comments Sam Curry, CSO at Cybereason. “Ransomware continues to target all verticals and geographies, and new ransomware cartels are popping up all the time. The biggest frustration is that it is a soluble problem.”
He believes there are ways to stop the delivery of the malware, and there are ways to prevent its execution. “There are ways to prepare in peacetime and not panic in the moment, but most companies aren’t doing this. Saddest of all is the lack of preparation at the bottom of the pyramid in smaller businesses and below the security poverty line. Victims can’t pay to make the problem go away. When they do, they get hit repeatedly for having done so. The attackers know that the risk equation hasn’t changed between one attack and the next, nor have the defenses.”
SecurityWeek Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse – The waiting time for general purpose quantum computers is getting shorter, but they are still probably decades away. The arrival of cryptanalytically-relevant quantum computers (CRQCs) that will herald the cryptopocalypse will be much sooner – possibly less than a decade.
At that point our existing PKI-protected data will become accessible as plaintext to anybody; and the ‘harvest now, decrypt later’ process will be complete. This is known as the cryptopocalypse. It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.
Here we are going to examine the why, what, and how we need to prepare for that cryptopocalypse – but first we need a few definitions to ensure we’re all singing the same song.
CRQC: A quantum computer capable of running Shor’s algorithm and cracking current PKI encryption.
Cryptopocalypse: The point at which CRQCs are able to turn our currently encrypted data into plaintext.
Quantum safe: Cryptography that is believed to be resistant to CRQCs, but cannot be proven to be so.
Quantum secure: Cryptography that is provably secure against CRQCs, and cannot be broken.
Post quantum cryptography (PQC): A term for cryptography designed for the post CRQC era, but one that doesn’t differentiate between ‘safe’ and ‘secure’.
The cryptopocalypse
The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption. Since public key encryption is used to secure almost all data in transit, both between separate IT infrastructures and even within individual infrastructures, that data will become accessible by anyone with a sufficiently powerful quantum computer.
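To make concrete what “running Shor’s algorithm to crack PKI encryption” means, the following Python block is an added example (not from the SecurityWeek article or any of the quoted vendors). It carries out the number-theoretic reduction at the heart of Shor’s algorithm on a constructed toy RSA key: factoring the modulus is reduced to finding the order of a random base, and from the factors the private exponent falls out directly. The one step a CRQC performs in polynomial time, order finding, is brute-forced here, which is why this only works for toy-sized moduli; the key (n=3233, e=17) and all function names are assumptions made for the illustration.

```python
"""
Added example (not from the SecurityWeek article): the number-theoretic
reduction that Shor's algorithm exploits, run classically on a toy RSA key.

Factoring N = p*q is reduced to finding the order r of a random base a
modulo N (the smallest r > 0 with a**r == 1 mod N). A cryptanalytically
relevant quantum computer finds r in polynomial time; here it is brute
forced, which is only feasible for toy moduli. Everything else (turning r
into the factors, then into the RSA private exponent) is identical either
way. The key (n=3233, e=17) is a constructed textbook-sized example.
"""
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Multiplicative order of a modulo n by brute force.

    This exponential-time loop is the single step a CRQC replaces with the
    quantum Fourier transform. a must be coprime to n or it never terminates.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_by_order_finding(n: int, seed: int = 0) -> int:
    """Return a nontrivial factor of the odd composite n.

    Steps follow Shor's reduction: pick a random base a, get its order r,
    and if r is even and a**(r/2) is a nontrivial square root of 1 mod n,
    then gcd(a**(r/2) - 1, n) or gcd(a**(r/2) + 1, n) splits n.
    """
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)  # seeded so the example is reproducible
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g > 1:
            return g  # lucky: a already shares a factor with n
        r = find_order(a, n)
        if r % 2 == 1:
            continue  # odd order: this base gives no square root of 1
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue  # trivial root (-1 mod n): try another base
        f = gcd(y - 1, n)
        return f if 1 < f < n else gcd(y + 1, n)


def recover_private_exponent(n: int, e: int) -> int:
    """Rebuild the RSA private exponent d from the public key (n, e) alone."""
    p = factor_by_order_finding(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


if __name__ == "__main__":
    n, e = 3233, 17                  # constructed toy key: 61 * 53
    ciphertext = pow(65, e, n)       # a "harvested" ciphertext of message 65
    d = recover_private_exponent(n, e)
    print(f"recovered d={d}, plaintext={pow(ciphertext, d, n)}")
```

The point of the exercise is the last function: once order finding is cheap, nothing else about RSA offers resistance, which is why data encrypted under today’s key exchange and harvested now is considered already lost once a CRQC exists.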
“That means that all secrets are at risk,” explains Bryan Ware, CEO at LookingGlass; “nuclear weapons, banks, business IP, intelligence agencies, among other things, are at risk of losing their confidentiality and integrity.”
But this is not a threat for the future – the threat exists today. Adversaries are known to be stealing and storing encrypted data with the knowledge that within a few years they will be able to access the raw data. This is known as the ‘harvest now, decrypt later’ threat. Intellectual property and commercial plans – not to mention military secrets – will still be valuable to adversaries when the cryptopocalypse happens.
“Even if a cryptographically relevant quantum computer is still years away, the time to start preparing is now,” warns Rebecca Krauthamer, co-founder and CPO at QuSecure.
The one thing we can say with certainty is that it definitely won’t happen in 2023 – probably. That probably comes from not knowing for certain what stage in the journey to quantum computing has been achieved by foreign nations or their intelligence agencies – and they’re not likely to tell us. Nevertheless, it is assumed that nobody yet has a quantum computer powerful enough to run Shor’s algorithm and crack PKI encryption in a meaningful timeframe.
Such computers may become available in as little as three to five years. Most predictions suggest ten years. Note that a specialized quantum computer designed specifically for Shor does not need to be as powerful as a general-purpose quantum computer – which is more likely to be 20 to 30 years away.
It is difficult to make precise predictions because the power of a quantum computer comes from the number of qubits that can be used. This is further complicated by the instability of qubits that require a high number of additional qubits used solely for error correction. Consequently, the number of qubits that can be ‘used’ (logical qubits) is much less than the total number needed (physical qubits).
It has been suggested that as many as 1,000 physical qubits may be required for each logical qubit. This will depend on the quality of the error correction in use – and this is an area of intense research. So, at some time in the next few years, as the number of physical qubits increases, and the number of required physical qubits per logical qubit decreases, quantum developers will have a quantum computer able to crack PKI. It has been estimated that this will require between approximately 1,000 and 2,000 logical qubits.
To put some flesh on this skeleton, we can look at an announcement made by IBM on November 9, 2022: a new 433 qubit Osprey processor. This was accompanied by a roadmap that shows a progression toward a 4,000 plus qubit quantum computer, codenamed Kookaburra, due in 2025.
Error correction is being approached by a new version of IBM’s Qiskit Runtime software that allows ‘a user to trade speed for reduced error count with a simple option in the API’. This is supported by a new modular IBM Quantum System Two able to combine multiple processors into a single system with communication links. System Two is expected to go live in 2023, around the same time that IBM expects to have a 1k+ qubit processor codenamed Condor.
System Two will be a building block in what IBM calls quantum-centric supercomputing. Scott Crowder, the VP of IBM quantum adoption and business, explains in more detail: “Quantum-centric supercomputing (which describes a modular architecture and quantum communication designed to increase computational capacity, and which employs hybrid cloud middleware to seamlessly integrate quantum and classical workflows) is the blueprint for how quantum computing will be used in the years to come.”
He added, “This approach to scaling quantum systems alongside the recent, dramatic improvements in techniques to deal with quantum processor errors is how we envision a path to near-term, practical quantum advantage – the point when quantum processors will be capable of performing a useful computation, faster, more accurately, or cheaper than using exclusively classical computing.”
Navigating such projections doesn’t tell us precisely when to expect the cryptopocalypse, but they clearly show it is getting perilously close. “Quantum computing is not, yet, to the point of rendering conventional encryption useless, at least that we know of, but it is heading that way,” comments Mike Parkin, senior technical engineer at Vulcan Cyber.
The additional threat from AI
Skip Sanzeri, co-founder and COO at QuSecure, warns that the threat to current encryption is not limited to quantum decryption. “New approaches are being developed promising the same post-quantum cybersecurity threats as a cryptographically relevant quantum computer, only much sooner,” he said. “It is also believed that quantum advancements don’t have to directly decrypt today’s encryption. If they weaken it by suggesting or probabilistically finding some better seeds for a classical algorithm (like the sieve) and make that more efficient, that can result in a successful attack. And it’s no stretch to predict, speaking of predictions, that people are going to find ways to hack our encryption that we don’t even know about yet.”
Steve Weston, co-founder and CTO at Incrypteon, offers a possible illustration. “Where is the threat in 2023 and beyond?” he asks. “Is it the threat from quantum computers, or is the bigger threat from AI? An analysis of cryptoanalysis and code breaking over the last 40 years shows how AI is used now, and will be more so in the future.”
QKD
Quantum key distribution (QKD) is a method of securely exchanging encryption keys using quantum properties transmitted via fiber. While in this quantum state, the nature of quantum mechanics ensures that any attempt to access the transmission will disturb the content. It does not prevent attacks, but ensures that an attempted attack is immediately visible, and the key can be discarded. Successful QKD paves the way for data to be transmitted using the latest and best symmetrical encryption. Current symmetrical algorithms are considered safe against quantum decryption.
“Symmetric encryption, like AES-256, is theorized to be quantum safe, but one can speculate that key sizes will soon double,” comments Silvio Pappalardo, chief revenue officer at Quintessence Labs.
“Quantum cryptography is a method of encryption that uses the principles of quantum physics in securing and transmitting data,” says Ganesh Subramanya, head of data protection CoE cybersecurity at TCS. “It creates security so strong that data coded in quantum state cannot be compromised without the sender being notified. Traditional cryptography uses technologies like SSL and TLS to secure data over the internet, but they have been vulnerable to a variety of attacks, as an attacker can change the communication between two parties (like user’s browser and the webpage / application) and make them believe they’re still communicating with each other. With quantum cryptography, such an alteration of data is not possible, thereby strengthening the security of online transactions.”
John Prisco, Toshiba partner and president/CEO of Safe Quantum, applies these principles to QKD. “Quantum key distribution contains a key security aspect that cannot be overstated,” he says, “especially if it is being utilized in tandem with the NIST post-quantum encryption standards (PQC). The gold standard in cybersecurity is considered to be defense in-depth, as this leverages two totally different technologies with diverse failure mechanisms, working for protection. With harvest now decrypt later attacks becoming more frequent, there is no delay time that is safe to defend against quantum attacks. QKD authenticated with PQC signature algorithms is the only defense that can be deployed immediately and guarantee a successful defense against harvest now, decrypt later.”
Terry Cronin, the VP at Toshiba who oversees the QKD Division, agrees with this assessment. “The use of QKD as part of a hybrid solution to quantum resistance can offer the security needed, ensuring that a harvest and decrypt attack cannot succeed in accessing the data.”
The practical difficulties in introducing wide-scale fiber-based QKD mean that it cannot be implemented everywhere. Its immediate use will likely be limited to point-to-point communications between high value sites – such as some government agencies and between major bank offices.
Post Quantum Cryptography
NIST
NIST began a competition to select and standardize post quantum encryption algorithms in 2016. “We’re looking to replace three NIST cryptographic standards and guidelines that would be the most vulnerable to quantum computers,” said NIST mathematician Dustin Moody at the time. “They deal with encryption, key establishment and digital signatures, all of which use forms of public key cryptography.”
In July 2022, NIST announced its first four finalists. However, it emerged in August 2022 that a different finalist, the Supersingular Isogeny Key Encapsulation (SIKE) algorithm, had already been broken. SIKE is designed to deliver keys securely from source to destination across an untrusted network. Researchers had demonstrated, however, that the algorithm could be cracked on a single classical PC in little over an hour.
This illustrates a problem that all security professionals need to confront. Any encryption algorithm is secure only until it is cracked. Whitehat researchers will tell you if they can crack an algorithm — foreign governments will not. In effect, this means that the ‘later’ part of ‘harvest now, decrypt later’ is an optimistic view. We believe that encrypted IP being stolen today cannot yet be decrypted — but we cannot be certain.
We do, however, know that current PKI encryption will certainly be broken by quantum computers in the relatively near future. The solution from NIST is to replace current vulnerable PKI algorithms with more complex algorithms — that is to solve more powerful computing by using more powerful algorithms.
Ultimately, we will be in the same position we are in today. We will believe our IP protected by NIST’s post quantum algorithms will be safe — but we cannot be certain. Remember that at least one proposed post-quantum algorithm has been broken on a PC. So, even if we switch to a NIST-approved post quantum encryption standard tomorrow, we cannot be certain that the harvest now decrypt later philosophy has been beaten.
One-time pads
NIST’s PQC algorithms are ‘quantum safe’; they are not ‘quantum secure’. The former is thought to be safe against quantum decryption but cannot be proven to be so (since they are mathematical in nature and susceptible to mathematical decryption). Cryptography that can be proven to be safe is known as ‘quantum secure’ — and the only way to achieve this is to remove mathematics from the equation.
The only quantum secure cryptography known is the one-time pad because it relies on information security rather than mathematical security. Technically, QKD could be described in similarly secure terms since any attempt to obtain the keys for mathematical decryption could result in the immediate destruction of the keys (preventing them from being usefully decrypted). We have already seen that QKD has problems for widespread use — but it remains an open question whether modern technology is able to deliver usable one-time pads.
Historically, OTP has been considered unworkable for the internet age because it requires keys of the same length or longer than the message being encrypted. Nevertheless, several companies have been exploring the possibilities becoming available with new technology.
Qrypt started from the basis that the quantum threat comes from the communication of encryption keys from source to destination. If you can avoid the necessity to communicate the keys, you can eliminate the threat. It consequently developed a process that allows the generation of the same quantum random numbers simultaneously at both source and destination. A quantum random number is a genuinely random number generated with quantum mechanics principles. These numbers can then be used to generate identical keys without them needing to be transmitted across the internet.
Moreover, since the numbers can be generated in advance and stored until use, there remains the potential to chain the process to provide a genuine OTP for the keys without requiring them to be transmitted across the internet. Solutions based on this process are quantum secure.
Incrypteon, a British startup, has taken a different route by applying Shannon’s information theories to the one-time pad. The science is a bit mind-numbing but is based on Shannon’s equivocation from his Communication Theory of Secrecy Systems published in 1949. “The definition of perfect secrecy is based on statistics and probabilities,” says Incrypteon. “A ciphertext maintains perfect secrecy if the attacker’s knowledge of the contents of the message is the same both before and after the adversary inspects the ciphertext, attacking it with unlimited resources.”
Using its own patented software and ‘Perpetual Equivocation’, Incrypteon “ensures that conditional entropy never equals zero, therefore achieving Perfect Secrecy.” The result is something that is automatically quantum secure (not just quantum safe) — and is available today.
Co-founder Helder Figueira had been an electronic warfare signals officer commanding a cryptanalysis unit in the South African Army. The concepts of Shannon’s equivocation are well understood by the military, and he has long been concerned that the commercial market is forced to accept encryption that is, by definition, ‘insecure’ — if something cannot be proven to be secure, it must be insecure.
A third and potentially future approach to the one-time pad could evolve from current advances in tokenization – more specifically cloud-based vaultless tokenization protected by immutable servers.
Rixon, another startup, is involved in this area. Its primary purpose is to protect PII stored by organizations with a web presence – but the principles could easily be extended. Plaintext is immediately tokenized in the cloud, and no plaintext is held onsite. Nor is the plaintext held at the tokenization engine in the cloud – all that is stored is the tokenization route for each tokenized character (for the purpose of comparison, this tokenization route is equivalent to the cryptographic key, but is random for each character).
This provides the primary parallel with the OTP – the ‘key’ is the same length as the message. Currently, Rixon concentrates on tokenizing PII; but the same concept could be extended to secure high value files at rest such as intellectual property and commercial plans.
Transition to post quantum cryptography
The coming cryptopocalypse requires organizations to transition from known quantum-vulnerable encryption (such as current PKI standards) to something that is at least quantum safe if not quantum secure. This will be a long process, and in 2023 businesses will need to start planning their route in greater detail.
Most companies will start from the viewpoint that NIST’s post-quantum algorithms are the only way forward. We have discussed OTP developments in some depth to show that the NIST route is not the only available route – and we expect further OTP developments during 2023.
The full transition to post quantum readiness will take many years, and will not be achieved by throwing a switch from classical to PQC. This has led to the concept of ‘crypto agility’. “It will be essential that quantum ready algorithms (QRAs) are able to coexist with existing cryptographic capabilities, in a hybrid manner, while the complete transition to quantum safe occurs,” explains Silvio Pappalardo, chief revenue officer at Quintessence Labs.
“Crypto agility enables applications to migrate between key types and cryptographic algorithms without the need to update the application software — transitioning from homogeneous towards micro-service architecture,” he said. “With encryption ciphers changing due to the threat of quantum, decreasing longevity, increasing key sizes, and the expanding requirements to protect more data, more effectively, crypto agility becomes a business enabler and defender to keep pace with constant innovations and enable greater flexibility into the future.” Such agility also allows companies to switch from one quantum safe algorithm to another if the one in use gets broken.
For now, government agencies will have little choice but to follow NIST. On November 18, 2022, the White House issued a memorandum to the heads of executive departments and agencies requiring that CRQC readiness begins with taking an inventory of vulnerable assets. “By May 4, 2023, and annually thereafter until 2035”, states the memo, “agencies are directed to submit a prioritized inventory of information systems and assets, excluding national security systems, that contain CRQC-vulnerable cryptographic systems to ONCD and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA).”
(This confirmed earlier details announced in the National Security Memorandum NSM/10 published on May 4, 2022.)
On December 21, 2022, Biden signed the Quantum Computing Cybersecurity Preparedness Act into law. “Quantum computers are under development globally with some adversarial nation states putting tens of billions of dollars into programs to create these very powerful machines that will break the encryption we use today,” comments Sanzeri. “While not here yet, quantum computers will be online in coming years, but it will take more than a few years for our federal agencies and commercial enterprises to upgrade their systems to post quantum cybersecurity.”
This Act, he continued, “requires federal agencies to migrate systems to post quantum cryptography which is resilient against attacks from quantum computers. And the Office of Management and Budget is further required to send an annual report to Congress depicting a strategy on how to assess post-quantum cryptography risks across the federal government.”
The government is clearly wedded to the NIST proposals. This may be because NIST is correct in its assertion that OTP is not realistic. NIST computer security mathematician Dustin Moody told SecurityWeek in October 2022, “The one-time pad must be generated by a source of true randomness, and not a pseudo-random process.” But there are numerous sources for the generation of genuinely random numbers using quantum mechanics.
“The one-time pad must be as long as the message which is to be encrypted,” added Moody. “If you wish to encrypt a long message, the size of the one-time pad will be much larger than key sizes of the algorithms we [NIST] selected.” This is also being challenged as a problem by both Qrypt and Incrypteon, and potentially tokenization firms like Rixon.
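As an added example (not the article’s code, nor that of any vendor it quotes), the two one-time-pad requirements Moody states above and the perfect-secrecy argument from the Incrypteon passage, worked in Python: it measures the attacker’s remaining uncertainty about the message (Shannon’s equivocation) for a full-length pad against the shortcut of a short key stretched over the message. Assumptions: os.urandom stands in for a true-random source, and the census brute-forces every key, so messages are kept to two bytes.

```python
"""One-time pad: why the key must be truly random and as long as the message.

Added example; not code from the article or from Qrypt, Incrypteon or NIST.
Assumption: os.urandom (a CSPRNG) stands in for a true-random/quantum source.
"""
import math
import os
from collections import Counter
from itertools import product


def generate_pad(length: int) -> bytes:
    """Pad material: truly random, at least as long as the message (assumed source)."""
    return os.urandom(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt with a one-time pad (XOR is its own inverse).
    Refuses a pad shorter than the data instead of silently reusing bytes."""
    if len(pad) < len(data):
        raise ValueError("one-time pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def stretched_key_xor(data: bytes, key: bytes) -> bytes:
    """The tempting shortcut: a short key repeated to cover the message.
    Included only as the insecure contrast; this is not a one-time pad."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def reachable_plaintexts(ciphertext: bytes, key_len: int, decrypt) -> Counter:
    """Try every key of key_len bytes and count the plaintexts the ciphertext
    could decrypt to. Brute force, so only feasible for tiny sizes (<= 2 bytes)."""
    counts = Counter()
    for key in product(range(256), repeat=key_len):
        counts[decrypt(ciphertext, bytes(key))] += 1
    return counts


def equivocation_bits(ciphertext: bytes, key_len: int, decrypt) -> float:
    """Shannon's equivocation H(M | C) in bits, all keys equally likely: the
    attacker's remaining uncertainty about the message after seeing C.
    With a full-length pad every plaintext of len(C) bytes is reached exactly
    once, so H(M | C) = 8 * len(C) and seeing C teaches the attacker nothing."""
    counts = reachable_plaintexts(ciphertext, key_len, decrypt)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def demo() -> dict:
    """Compare a full-length pad with a 1-byte key stretched over 2 bytes."""
    message = b"OK"                      # constructed 2-byte message
    pad = generate_pad(len(message))     # full-length pad: 16 bits of key
    c_pad = otp_xor(message, pad)
    short_key = generate_pad(1)          # 8 bits of key covering 16 bits of text
    c_short = stretched_key_xor(message, short_key)
    return {
        "roundtrip_ok": otp_xor(c_pad, pad) == message,
        # 16.0: every one of the 65536 two-byte plaintexts remains possible
        "pad_equivocation_bits": equivocation_bits(c_pad, len(message), otp_xor),
        "pad_plaintexts_reachable": len(reachable_plaintexts(c_pad, 2, otp_xor)),
        # 8.0: only 256 plaintexts remain possible; the ciphertext leaked 8 bits
        "stretched_equivocation_bits": equivocation_bits(c_short, 1, stretched_key_xor),
        "stretched_plaintexts_reachable": len(reachable_plaintexts(c_short, 1, stretched_key_xor)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stretched-key case is exactly what NIST’s key-length objection prevents: every byte of key that is missing costs eight bits of equivocation, and a pad shorter than the message can no longer be proven secure.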
Nevertheless, most companies will follow the incremental process of NIST rather than the more revolutionary process of OTP, if only because of NIST’s reputation and government support. 2023 will see more companies beginning their move to CRQC readiness – but there are more options than are immediately obvious.
SecurityWeek Cyber Insights 2023 | Supply Chain Security – The supply chain threat is directly linked to attack surface management (it potentially represents a hidden part of the attack surface) and zero trust (100% effective zero trust would eliminate the threat). But the supply chain must be known and understood before it can be remediated.
In the meantime – and especially throughout 2023 – it will be a focus for adversaries. Why attack a single target when successful manipulation of the supply chain can get access to dozens or even hundreds of targets simultaneously?
Supply chain attacks are not new. The iconic Target breach of late 2013 was a supply chain breach. The attackers got into Target using credentials stolen from its HVAC provider, Fazio Mechanical Services – that is, via Target’s supply chain.
The 2018 breach of Ticketmaster was another supply chain breach. A Ticketmaster software supplier, Inbenta, was breached and Inbenta software was modified and weaponized. This was automatically downloaded to Ticketmaster.
Island hopping is another form of supply chain attack. In 2017, Operation Cloud Hopper was revealed. This disclosed that an advanced group, probably APT10, was compromising managed service providers to gain access to the MSP’s customers.
Despite these incidents, it has only been in the last couple of years, fueled by more extensive incidents such as SolarWinds, that industry has become cognizant of the full threat from increasingly sophisticated and wide-ranging supply chain concerns. But we should not forget that the 2017 NotPetya incident also started as a supply chain attack. Software from the Ukrainian accounting firm M.E.Doc was weaponized and automatically downloaded by the firm’s customers, before spreading around the globe. Both SolarWinds and NotPetya are believed to be the work of nation state actors.
All forms of supply chain attacks will increase in 2023, and beyond. Chad Skipper, global security technologist at VMware, specifically calls out island hopping. “In 2023, cybercriminals will continue to use island hopping, a technique that aims to hijack an organization’s infrastructure to attack its customers,” he warns. “Remote desktop protocol is regularly used by threat actors during an island-hopping campaign to disguise themselves as system administrators. As we head into the new year, it’s a threat that should be top of mind for all organizations.”
Attacks will increase
That supply chain attacks will increase in 2023 and beyond is the single most extensive prediction for 2023. “Supply chain attacks happen when hackers gain access to a company’s inner workings via a third-party partner, a method that provides them with a much greater amount of privileged information from just one breach,” explains Matt Jackson, senior director security operations at Code42. “This type of attack already rose by more than 300% in 2021, and I anticipate this trend will continue in 2023, with these attacks becoming more complicated and intricate.”
Lucia Milică, global resident CISO at Proofpoint, worries that despite all the wake-up calls so far, “We are still a long way from having adequate tools to protect against those kinds of digital supply chain vulnerabilities. We predict these concerns will mount in 2023, with our trust in third-party partners and suppliers becoming one of the primary attack channels.”
The result, she added, is, “We expect more tension in supply chain relationships overall, as organizations try to escalate their vendors’ due diligence processes for better understanding the risks, while suppliers scramble to manage the overwhelming focus on their processes.”
Jackson added, “Because many third-party partners are now privy to more sensitive data than ever before, companies can no longer rely on their own cybersecurity prowess to keep information safe.”
“Supply chain attacks purposefully target the smaller organizations first because they’re less likely to have a robust cybersecurity setup, and they can use those companies to get to the bigger fish,” he continued. “In the next year, companies will become even more diligent when deciding on an outside organization to work with, creating an increase in compliance verifications to vet the cyber tools used by these prospective partners.”
Anand Raghavan, co-founder and CPO at Armorblox, expands on this theme. “This becomes particularly relevant,” he said, “for the Fortune 500 or Global 2000 companies that have a large ecosystem of suppliers, vendors, and distributors whose security stacks are nowhere as mature as those of large organizations. Large organizations might consider requiring all vendors to follow certain security best practices, including modernizing their email security stack if they want to continue being a vendor in good standing.”
Interestingly, despite all the warnings of an escalating threat, Christopher Budd, senior manager of threat research at Sophos, notes, “Unlike two years ago when the SolarWinds attack put supply chain attacks high on people’s radar, supply chain attacks have faded from prominence.” This may be a misleading premise. The discovery of a vulnerability in a widely used piece of software, such as the log4j vulnerability, will be used by individual cybercriminals and nation state actors alike.
However, targeted attacks such as that against SolarWinds require resources and skill. These attributes are more usually found only in the more advanced gangs and nation state actors. Such adversaries have another attribute: patience. “Today’s and undoubtedly tomorrow’s threat actors have shown they can play the long game,” warns Pieter Arntz, senior intelligence reporter at Malwarebytes.
Budd also warns that despite their immediate lack of prominence (at the time of writing, but anything could happen tomorrow), “Supply chain may be something that continues to not gather news, similar to 2022. But it will remain a real threat and one that organizations should be prioritizing across the board, in part because effectively countering this threat requires a comprehensive, careful, methodical approach.”
The software supply chain
The primary growth area in supply chain attacks will likely be the software supply chain. “Over the past few years,” explains Eilon Elhadad, senior director of supply chain security at Aqua, “increasing pressure to deliver software faster has widened attack surfaces and introduced severe vulnerabilities.”
New tools, languages and frameworks that support rapid development at scale are being targeted by malicious actors, who understand the widespread impact that results from attacks to the software supply chain.
“In 2023,” Elhadad continued, “software supply chain threats will continue to be a significant area of concern. These attacks have a larger potential blast radius to allow hackers to impact entire markets and wreak havoc for organizations.”
Eric Byres, founder and CTO at aDolus, agrees. “Software supply chain attacks will continue to increase exponentially in 2023,” he said; “the ROI on these attacks is just too sweet for professional adversaries to resist.” He notes that supply chain attacks have increased by 742% over the last three years.
Much of the software supply chain threat comes from the growing reliance on open source software libraries as part of the ‘increasing pressure to deliver software faster’. Zack Zornstain, head of supply chain security at Checkmarx, believes the software threat will particularly affect the open source supply.
“We believe that this threat of compromising open source packages will increase as malicious code can endanger the safety of our systems, ranging from ransomware attacks to the exposure of sensitive information, and more. We expect to see this as a general attack vector used both by cyber firms and nation-state actors. SBOM adaptation will help clarify which packages we’re using in applications, but we will need to invest in more controls to ensure the safety of those packages,” he said.
“Organizations should be on high alert for supply chain attacks if they use open-source software,” warns Kevin Kirkwood, deputy CISO at LogRhythm. “Bad actors examine the code and its components to obtain a thorough understanding of its flaws and the most effective ways to exploit them.”
If the source code of an open source software library either has – or can be engineered by bad actors to have – a vulnerability, then every company that downloads and uses that code becomes vulnerable.
“In 2023,” continues Kirkwood, “we’ll see bad actors attack vulnerabilities in low-hanging open-source vendors with the intention of compromising the global supply chain that uses third-party code. Attackers will infect the open-source repositories and chromium stores with malicious code and will wait for developers and other end users to come along and pick up the new sources and plugins.”
Venafi’s Matt Barker, president of cloud native solutions, adds, “We’re seeing many instances of vulnerable code brought inside their firewall by developers trying to go fast using unverified code from GitHub, or copypasta from Stack Overflow.”
He continues, “Thankfully, we’ve reached a collective sense of focus on this area and are seeing tremendous developments in how we tackle it. This is only going to increase through 2023 as we see more start-ups popping up and open source tools like cosign and sigstore designed to help it. Biden’s SBOM initiative has helped bring attention to the requirement, and The OpenSSF is leading in this charge.”
Mark Lambert, VP of products at ArmorCode, expands on this. “As the software supply chain continues to get more complicated, it is vital to know what open source you are indirectly using as part of third-party libraries, services (APIs) or tools. This is where SBOM comes in,” he said. “By requiring a disclosure of all embedded technologies from your vendors, you can perform analysis of those libraries to further assess your risk and react appropriately.”
The SBOM
Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity introduced the concept of a software bill of materials (SBOM), effectively if not actually mandating that software bought (or supplied) by government agencies be accompanied with a bill of materials. It described the SBOM as “a formal record containing the details and supply chain relationships of various components used in building software,” and analogous to a list of ingredients on food packaging.
While the advantages of the SBOM may appear obvious in helping software developers understand precisely what is included in the open source libraries they use, it must be said that not everyone is immediately enthusiastic. In December 2022, it emerged that a lobbying group representing major tech firms such as Amazon, Microsoft, Apple, Intel, AMD, Lenovo, IBM, Cisco, Samsung, TSMC, Qualcomm, Zoom and Palo Alto Networks was urging the OMB to ‘discourage agencies’ from requiring SBOMs. The group argued that the requirement is premature and of limited value — but it didn’t ask for the concept to be abandoned.
It is the complexity and difficulty in both compiling and using an SBOM that is the problem — and it is these concerns that will drive a lot of activity through 2023. The value of the concept outlined in the executive order remains undiminished.
“Incidents such as Log4shell [log4j] and the most recent SpookySSL vulnerabilities [CVE-2022-3602 and CVE-2022-3786] will push the adoption of a software bill of materials as a core component of achieving effective incident response, while efforts will continue in maturing the SBOM ecosystem (adoption across sectors, tooling, standardization around sharing and exchanging of SBOMs and more),” explains Yotam Perkal, director of vulnerability research at Rezilion.
“One of the big challenges I see in the year ahead is that this is more data for the development teams to manage as they deliver software,” notes Lambert. “In 2023, organizations are going to need ways to automate generating, publishing and ingesting SBOMs – they will need ways to bring the remediation of the associated vulnerabilities into their current application security programs without having to adopt whole new workflows.”
As part of this process, Michael Assraf, CEO and co-founder at Vicarius, said, “We predict that a new market will evolve called binary software composition analysis, which will look for software files that are different from what was pre-packaged and shipped. Automated techniques can utilize machine learning that will find this discrepancy, which will be vital in knowing where your risk lies and how large your attack surface can potentially be.”
Thomas Pace, CEO at NetRise, suggests, “SBOM is going to continue to garner mainstream adoption, not just from software/firmware suppliers that are building products they are selling, but also for internal development teams that are building applications and systems for internal use.”
He adds, “The need to be able to rapidly understand the provenance of software components is becoming increasingly critical. Without this visibility, the window for attackers to exploit these vulnerabilities is much too big and puts cyber defenders at a significant disadvantage.” But he also notes, “strong efforts from organizations like Google have moved the ball forward in a positive way. Efforts such as open-source insights provide a lot of visibility for end users and vendors alike to scale out the analysis of these components.”
The problems involved with SBOM generation and use have not yet been solved, but enthusiasm remains. We can expect considerable effort into automating these processes to continue throughout 2023.
Nevertheless, Kurt Baumgartner, principal security researcher at Kaspersky, warns, “Open source projects continue to be polluted with malicious code. Awareness of these issues and challenges increase, but the attacks continue to be effective on a large scale. Despite the best efforts of software bill of materials, complex dependency chains help ensure that malicious code is uncontrolled for a time in some projects.”
The physical supply chain
Despite all companies’ need to be wary of potential software supply chain attacks via the code they develop for their own use, we should not forget that there is a potentially more catastrophic physical supply chain threat. We need only consider the effect the prevention of grain supplies leaving Ukraine (because of the Russia/Ukraine conflict) had on global food supplies to see the potential. Covid-19 also affected many different global supply chains, causing panic buying and popular distress in its early days.
These were not the result of cyberattacks – but many of those physical supply chains could be disrupted by cyberattacks. The Colonial Pipeline incident, although a financially motivated attack, had an immediate effect on the supply of oil to eastern USA. The longer the Ukraine/Russia conflict continues, and the greater that east/west tensions increase, the possibility of physical supply chain cyber disruption will equally increase through 2023, and possibly beyond.
SecurityWeek discussed one such possibility in May 2022: The Vulnerable Maritime Supply Chain – a Threat to the Global Economy.
Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, notes that in the utilities and energy sector, “99% of energy companies say they have been negatively impacted by at least one supply chain breach in the past year, representing the highest rate of overall impact in any other industry. Because it remains one of the most frequently attacked verticals, it is especially crucial that it rises to the challenge of supply chain defense in 2023.”
Taylor Gulley, senior application security consultant at nVisium, comments, “The past few years have shown that both the digital supply chain, as well as the physical world supply chain, are very fragile. This fragility is due to a lack of redundancy and resources due to economic constraints or skill gaps. For 2023, this situation will still stand true. Supply chain security is a weak link that needs to be strengthened.”
Solutions and the way forward
Sam Curry, CSO at Cybereason, believes the SBOM will be an important part of solving the software supply chain problem. “It would be naive in the extreme to think that with thousands of trusted software and service providers to choose from… that the handful of known supply chain compromises were the sum total of them. No. 2023 will show us more, and we will be lucky to learn of them because the attacker can quietly exploit these without tipping their hands.”
He added, “We need to use 2023 to be innovative and vigilant and to find new answers to the supply chain problem, to build on software bills of material, to innovate with the men and women building our software and to find the solutions to deter, to detect and to remove the vulnerabilities and exposures that enable this most insidious and trust eroding of attacks.”
Sharon Chand, Deloitte US’ cyber risk secure supply chain leader, believes that software supply chain security will require continuous realtime monitoring of third-party risks and vulnerabilities in inbound packaged software and firmware components. “For instance,” she said, “this includes implementing leading practice techniques around ingesting SBOMs and correlating the output to emerging vulnerabilities, identifying risk indicators such as geographical origin of the underlying components, and providing visibility to transitive dependencies.”
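The SBOM ingestion Chand describes (walk the transitive dependencies, correlate each component with a vulnerability feed, surface origin risk indicators) as an added Python example; this is not Deloitte's tooling or any SBOM product's code, and the SBOM document, the vulnerability feed, the advisory identifiers and the approved-supplier list are all constructed placeholders.

```python
"""Ingest a CycloneDX-style SBOM, walk its transitive dependencies and
correlate them with a vulnerability feed and a supplier-origin policy.

Added example, not code from Deloitte, SecurityWeek or any SBOM tool. The SBOM
document, the vulnerability feed and the approved-supplier list are constructed
inline, and the advisory identifiers are placeholders, not real CVEs.
"""
import json
from collections import deque

# Constructed SBOM in the shape of a CycloneDX 1.4 JSON document.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:generic/acme-app@2.0.0",
                               "name": "acme-app", "version": "2.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webframework@3.1.0", "name": "webframework",
         "version": "3.1.0", "supplier": {"name": "Example Web Foundation"}},
        {"bom-ref": "pkg:pypi/templating@1.4.2", "name": "templating",
         "version": "1.4.2", "supplier": {"name": "Unvetted Maintainer"}},
        {"bom-ref": "pkg:pypi/yaml-parser@5.3.1", "name": "yaml-parser",
         "version": "5.3.1", "supplier": {"name": "Example Web Foundation"}},
        # Listed in the SBOM but never linked from the root component.
        {"bom-ref": "pkg:pypi/dev-linter@0.9.0", "name": "dev-linter",
         "version": "0.9.0", "supplier": {"name": "Example Web Foundation"}},
    ],
    "dependencies": [
        {"ref": "pkg:generic/acme-app@2.0.0", "dependsOn": ["pkg:pypi/webframework@3.1.0"]},
        {"ref": "pkg:pypi/webframework@3.1.0", "dependsOn": ["pkg:pypi/templating@1.4.2"]},
        {"ref": "pkg:pypi/templating@1.4.2", "dependsOn": ["pkg:pypi/yaml-parser@5.3.1"]},
    ],
})

# Constructed vulnerability feed: package purl (without version) and fixed-in version.
VULN_FEED = [
    {"id": "CVE-0000-PLACEHOLDER-1", "package": "pkg:pypi/yaml-parser", "fixed_in": "5.4.0"},
    {"id": "CVE-0000-PLACEHOLDER-2", "package": "pkg:pypi/webframework", "fixed_in": "3.0.0"},
]

# Constructed supplier policy used as an origin risk indicator.
APPROVED_SUPPLIERS = {"Example Web Foundation"}


def parse_version(text):
    """Turn '5.3.1' into (5, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def transitive_dependencies(sbom):
    """Breadth-first walk from the root component; returns {bom-ref: depth}.
    Depth 1 is a direct dependency, deeper levels are transitive. The visited
    check keeps the walk finite even if the dependency graph has a cycle."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        ref, level = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depth:
                depth[child] = level + 1
                queue.append((child, level + 1))
    return depth


def match_vulnerabilities(sbom, feed):
    """Correlate every component with the feed; report advisory id, ref and depth."""
    depth = transitive_dependencies(sbom)
    findings = []
    for comp in sbom["components"]:
        purl = comp["bom-ref"].split("@")[0]
        for vuln in feed:
            if vuln["package"] == purl and \
                    parse_version(comp["version"]) < parse_version(vuln["fixed_in"]):
                findings.append({"id": vuln["id"], "ref": comp["bom-ref"],
                                 "depth": depth.get(comp["bom-ref"])})
    return findings


def origin_indicators(sbom, approved):
    """Flag components whose declared supplier is outside the approved set."""
    return [c["bom-ref"] for c in sbom["components"]
            if c.get("supplier", {}).get("name") not in approved]


def assess(sbom_text, feed, approved):
    """Full report: vulnerable components (with depth), origin flags, and
    components listed but unreachable from the root, which is an SBOM
    consistency gap worth raising with the supplier."""
    sbom = json.loads(sbom_text)
    depth = transitive_dependencies(sbom)
    return {
        "vulnerabilities": match_vulnerabilities(sbom, feed),
        "origin_flags": origin_indicators(sbom, approved),
        "unlinked": [c["bom-ref"] for c in sbom["components"] if c["bom-ref"] not in depth],
    }


if __name__ == "__main__":
    print(json.dumps(assess(SBOM_JSON, VULN_FEED, APPROVED_SUPPLIERS), indent=2))
```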
Christian Borst, EMEA CTO at Vectra AI, suggests collaboration and cooperation across the software industry will be required. “A holistic approach may help turn the tables on the matter: supply chain means partnership – partnership means collaboration and supporting each other. Only as a ‘mesh’ interconnected structure with consistent resiliency can companies thrive in the digital economy. This includes ensuring that they review the security policies of all those in the chain.”
Sounil Yu, CISO at JupiterOne, makes a fitting summary, referencing a paper written by Richard Danzig in July 2014 (Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies). “To borrow Richard Danzig’s analogy,” says Yu, “we are on a diet of poisoned fruit with respect to our software supply chain. This poison is not going to go away, so we will need to learn how to survive and thrive under these conditions. Being aware of the risks, through efforts such as SBOM, and managing the risks through compensating controls such as egress filtering, will be a priority in 2023 and the foreseeable future.”
SecurityWeek Cyber Insights 2023 | Regulations – In this world, nothing is certain but death, taxes, and cyber regulations. The first is static, the second goes up and down, but the third seems only to increase. The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often in conflict with the second and third.
Transatlantic data flows
Privacy is the headline battleground going forward, and amply illustrates the conflict between voter demands and national economies. This can be seen in the unsettled but multi-year attempt to find a legal solution to the transfer of personal user data from Europe to the US. Economics demands it, but European law (GDPR) and swathes of European public opinion deny it.
At the time of writing, it is almost certainly illegal to transfer PII from Europe to the US. The Privacy Shield – the second attempt at finding a workaround to GDPR – was declared illegal in what is known as the Schrems II court ruling. The wording of that ruling almost certainly eliminates an alternative approach known as ‘standard contractual clauses’.
During 2022, the European Commission (EC) and the US Biden administration have worked on developing a replacement for Privacy Shield. The ball was obviously in the US court, and on October 7, 2022, Biden issued an Executive Order to implement the EU-US Data Privacy Framework agreement – sometimes known as Privacy Shield 2.0.
This was enthusiastically greeted by US business. IBM, for example, issued a statement, “These steps will restore certainty to the thousands of companies already self-certified under Privacy Shield. Providing predictable, free flows of data between the US and the EU will secure the mutual benefits of continued business cooperation and will create a foundation for future economic growth.”
Our first prediction for 2023 is that the EC will approve Biden’s Executive Order and allow ‘free flows of data between the US and the EU’. This approval is in process. The EC issued a draft adequacy determination for the EU-US data privacy framework on December 12, 2022.
“As expected,” comments Caitlin Fennessy, VP and chief knowledge officer at the International Association of Privacy Professionals (IAPP), “the draft outlines the Commission’s reasoning in finding the framework adequate, with a focus on the new necessity and proportionality requirements for US signals intelligence and the Data Protection Review Court outlined in the recent Executive Order and Department of Justice regulations.”
But that will be just the beginning. European activists, such as Max Schrems, are likely to challenge the EC ruling in the European Court.
The basic problem remains the NSA’s requirement to surveil only non-Americans (such as Europeans) for national security purposes. Schrems’ website, noyb, has already indicated its dissatisfaction. “So-called ‘bulk surveillance’ will continue under the new Executive Order (see Section 2 (c)(ii)) and any data sent to US providers will still end up in programs like PRISM or Upstream, despite the CJEU declaring US surveillance laws and practices as not ‘proportionate’ (under the European understanding of the word) twice.”
So, during 2023, transatlantic PII data flows will become legal under the new framework, but that framework will be challenged as unconstitutional in the European Court. The court case will take several years to come to a conclusion, but it will probably declare the data privacy framework (or whatever it becomes known as) to be illegal. The basic problem is that GDPR and NSA surveillance are incompatible, and neither is likely to change.
Federal privacy law
The US government has been seeking a federal privacy law for around a decade but is probably no closer to achieving one. Progress was made during 2022, but the midterms kicked the bill into the long grass while the lawmakers concentrated on more pressing career issues. The question is whether it can be retrieved during 2023.
Mitzi Hill, a partner at the Taylor English Duma law firm, thinks it is unlikely. “I remain doubtful,” she said. “It is a complex topic both technically and legally. It is made more complicated with every new state law, because that is a new set of factors to consider in drafting any federal legislation.”
She also notes the outcome of the 2022 midterms. “Traditionally, we would expect that a Republican House majority [as we will have in 2023] will favor marketplace (as opposed to regulatory) solutions, making it tough to get anything passed in both houses of Congress. My own view is that the states will continue to lead in this area.”
Gopi Ramamoorthy, senior director of security and GRC at Symmetry Systems, points out that “Five states have already enacted privacy acts, and more are expected to follow. The increased focus on privacy has stemmed from the introduction of GDPR and the Schrems II decision from the EU.”
The California Privacy Rights Act (CPRA) comes into effect on January 1, 2023, with enforcement beginning on July 1, 2023. It is an extension of the existing CCPA, which is already possibly the strongest privacy act in the US (and largely modeled on GDPR). While it is somewhat more friendly to small businesses, it gives consumers more rights, places more requirements on organizations, and establishes an enforcement agency.
The consumer demand for privacy is strong, but not absolute – and often depends on what is received in return for giving up personal information. Consider Google, widely acknowledged as one of the primary collectors and users of PII. Despite this, consumers continue to consume Google because of the ‘free’ services the company offers in exchange. The result is that it is difficult for lawmakers to know exactly what their voters really want.
“Privacy laws and regulations will continue to swing widely between completely useless – even harmful – and amazing wins for consumers. This is due to corporation lobbying and consumer [voter] demands,” comments Taylor Gulley, senior application security consultant at nVisium. “Though most consumers desire complete privacy, the growing demand for personalized content and services requires providing ever more information to companies. This increase of valuable, marketable, information gives corporations a reason to continue to lobby for their benefit.”
One area worth watching in 2023 is whether the FTC picks up the mantle of a ‘federal’ privacy regulator. Noticeably, the FTC treats failures in consumer privacy as a potential deceptive practice – and deceptive practices are firmly within the FTC’s bailiwick.
“The FTC may become even bolder about privacy matters in the next couple of years,” suggests Hill. “It recently adopted an enforcement action that is targeted to a particular CEO and any future business he may join.”
She explained that his current company has multiple privacy violations and may have misstated the degree to which it addressed security issues following the first set of violations. His future companies or employers will be required to release detailed security plans. “This is unprecedented as far as I know,” she added.
Trickle-down regulated security
Although Biden does not believe in trickle-down economics, he nevertheless makes use of trickle-down cybersecurity. He cannot pass federal laws for private industry without the support of Congress – but he can (and does) issue executive orders that become mandatory instructions for federal agencies and strong trickle-down recommendations for private industry.
If security vendors must conform to certain requirements before they can sell into the government, the size of the government market makes it a commercial if not legal requirement to conform. Furthermore, if federal agencies are required to apply certain cybersecurity methodologies, much of private industry will also take heed.
Both conditions were introduced in May 2021 with Executive Order 14208, spurring activity in zero trust, and introducing the software bill of materials (SBOM). Both are intended to counter the growing supply chain threat, and both will remain top of mind for companies during 2023.
“SBOM is going to continue to garner mainstream adoption, not just from software/firmware suppliers that are building products they are selling, but also for internal development teams that are building applications and systems for internal use,” comments Tom Pace, CEO at NetRise.
The federal government described the requirements for SBOMs in an OMB memorandum published on September 14, 2022. “This is going to cause a cascading effect in the private sector,” continued Pace, “since obviously the federal government does not manufacture all its own software and firmware – in fact very little is manufactured in house.”
There will be a bedding-in period before SBOMs achieve their end – and attackers are likely to increase their own efforts in the meantime. “Highly visible attacks on the software supply chain start with access to the weakest link. As we head into 2023, it will be important for businesses of all sizes to be engaged as new secure software development practices are defined,” warns John McClurg, SVP and CISO at BlackBerry.
Executive Orders are not the only tools the federal government can use – it also has NIST (a standards body) and CISA (a DHS agency responsible for strengthening security and infrastructure across all levels of government). While they primarily provide recommendations, this may not always be the case.
“The combined efforts of CISA and NIST in recent years,” comments Eric Hart, manager of subscription services at LogRhythm, “have led to a series of new cross-sector cybersecurity performance goals (CPGs) that organizations have already begun to implement.”
CISA’s CPGs are designed to provide an easier route towards conforming to NIST for organizations that may not have the resources to go straight to the complexities of the NIST CSF. “While these standards are designed to strengthen organizations,” continued Hart, “the process of reaching full regulatory compliance can be tricky. The complexity, along with the growing push for federally enforced compliance, suggests we could see a flurry of activity in 2023 as more organizations seek to adopt these new security standards.”
Noticeably, CISA describes the CPGs as ‘voluntary’ and ‘not comprehensive’, adding, “The CPGs are intended to supplement the [NIST] Cybersecurity Framework (CSF) for organizations seeking assistance in prioritizing investment toward a limited number of high-impact security outcomes, whether due to gaps in expertise, resources, or capabilities or to enable focused improvements across suppliers, vendors, business partners, or customers.”
But it is also worth considering a comment from Grant Geyer, CPO at Claroty, who blogged that they may prove a jumping off point for upcoming regulations coming from the White House. “Regulators now have a CISA-approved, pre-built checklist of critical areas to focus on that address key practices such as account security, data and device integrity, supply chain and third-party risk, and response and recovery.” We may yet see CISA’s CPGs become mandated for federal agencies and join the trickle-down process of federal regulations.
Ben Johnson, CTO and co-founder of Obsidian Security, sees a great future for CISA. “CISA came into its own in 2022. This next year, we’ll see CISA drive better, more resilient security, especially in critical infrastructure — increasing the sector’s maturity as a whole.”
The regulations jungle
The trajectory for regulations is to increase, and they are increasing rapidly. These include state-level, federal-level, and overseas national-level regulations that may impact US companies with operations in those countries. An example of the last could be Australia’s current plans for a new, more aggressive attitude toward cybercriminals. Part of this will be to make ransom payments illegal in Australia.
One question to be decided is how that might impact American companies with an Australian operation that gets ransomed. Will the American parent, where ransom payments are not illegal, be able to pay the ransom on behalf of the Australian operation?
Such complexities will require companies to obtain expert input to match their infrastructure and processes against a huge number of regulations, simply to understand where their compliance requirements are effectively mandatory.
Another new law, passed by Congress but targeted at federal agencies, may be introduced early in 2023: the Strengthening Agency Management and Oversight of Software Assets Act. MeriTalk reported on November 17, 2022, “The legislation would order Federal government agencies to undertake an inventory of all software used by the government – with a view toward eventually creating strategies to consolidate government software contracts, create governmentwide software licenses, and move toward adopting open-source software.”
This is not directly a cybersecurity regulation and will not be enforced on private industry. Nevertheless, if its precepts are adopted by industry, it could benefit industry groupings and separately lead to a beneficial reduction of security tool sprawl within companies.
The totality of regulations is beyond the scope of this peek into regulations in 2023. However, there is one we should consider that won’t come into effect until 2024: PCI DSS 4.0. This will impact all organizations that store, transmit or process cardholder data and sensitive authentication data. The new standard allows organizations to customize their approach to proving compliance with each PCI DSS security requirement.
“If organizations take this direction,” warns Terry Olaes, senior technical director at Skybox Security, “there are growing opportunities for threat actors to exploit retailers who may have taken non-standard routes to achieve compliance. Additionally, the long lead time to implement these regulations gives attackers more opportunity to use those requirements as a blueprint to breach retailers before they have time to implement changes to their cybersecurity strategy.”
It is also worth noting that while regulations are becoming more numerous, they are also becoming more difficult to satisfy. “We’ll see more failed audits in regulated companies as multi-cloud, multi-cluster grows as a strategy in 2023,” warns Sitaram Iyer, senior director of cloud native solutions at Venafi. This strategy is increasingly popular among smaller but regulated organizations because it spreads risk, increases performance, and offers the control and visibility they need for compliance.
“However,” adds Iyer, “it also increases complexity because these environments are fragmented and require a huge number of machines which all need an authenticated identity to communicate securely. Due to this increased volume of machine identities in cloud native environments, compliance with regulations on machine identity management is a real challenge.”
And one to watch…
Elon Musk has completed his takeover of Twitter, and his swashbuckling management style has caused ructions even before the end of 2022. These are not relevant to us. What may be relevant, however, is his adherence to the constitutionally protected concept of free speech; and the potential for Musk’s new Twitter to operate at a lower level of moderation than the old Twitter. Noticeably, in late November 2022, Musk reinstated almost all the accounts that had previously been suspended for spreading misinformation.
As a quick aside, on November 17, 2022, a group of Democrat senators asked the FTC to investigate any possible violations by the platform of consumer-protection laws or of its data-security commitments. The FTC had already said it is “tracking recent developments at Twitter with deep concern”.
Of more direct relevance, many governments have already expressed concern over the practice of bad actors spreading misinformation, malinformation and disinformation – and giving extremist viewpoints a loudspeaker – via social media platforms such as Twitter. This is a direct challenge to democratic government, and some governments have suggested countering it by making websites legally responsible for the user-generated content they publish. There is a possibility that such suggestions will increase during 2023.
Mitzi Hill does not think this is likely in the US. Although lower moderation might lead to howls of protest, “I never bet against the First Amendment,” she said. “‘Congress shall make no law… abridging the freedom of speech’ is one of the most important tenets in American legal thinking.”
Europe, however, thinks differently. The EU already has a new Digital Services Act that will kick in from January 2024. It doesn’t make platforms directly responsible for any unknown illegal content, but does require them to remove it once they are informed that it is illegal. It will also impose greater transparency on how algorithms work and are used. It is aimed at platforms that reach more than 10% of the EU population; that is, have at least 45 million EU users – that includes US big tech companies such as Twitter and Facebook. Non-compliance could lead to fines of up to 10% of annual turnover.
Finally
Martin Zinaich, CISO at the City of Tampa, once suggested to SecurityWeek, “If it ain’t required, it ain’t gonna happen.” We may have reached the point, with better organized cybercriminals and more aggressive nation states, where it must happen and therefore must be required.
Ron Kuriscak, MD at NetSPI, certainly believes so. “Regulations need to become much more mature, stringent, and punitive. We must hold organizations more accountable for their inaction in the area of cybersecurity… Organizations will be held accountable for basic cybersecurity hygiene. If they are unable to meet the most basic standards a regulator will require a third party to take over cybersecurity program execution (they will be mandated to cover the associated costs). Similar to the FDA, we will start seeing industry-aligned compliance regulations with real penalties that will force real compliance and organizational change. The key will be enforcement and penalties.”
But don’t expect much from the federal government in 2023. “On federal government cybersecurity issues,” explains Robert DuPree, manager of government affairs at Telos Corporation, “Congress has been more active and effective but further progress in 2023 will be hampered by the fact that some longtime cyber policy advocates and experts from both parties – including Sen. Rob Portman (R-OH), Rep. Jim Langevin (D-RI) and Rep. John Katko (R-NY) – are retiring and won’t be around in 2023. Their absence will leave a tremendous void when it comes to pushing ‘good government’ cybersecurity issues through Congress.”
SecurityWeek Cyber Insights 2023 | ICS and Operational Technology – Recognition of the cyber threat to industrial control systems (ICS) and operational technology (OT) systems has grown over the last decade. Until recently, this has been largely a theoretical threat founded on the danger of what could happen rather than what is happening. This is changing, and the threat to ICS/OT is now real and ongoing. The bigger danger is that this is likely to increase in 2023 and onward.
There are several reasons, including geopolitical fallout and escalation of tensions from the Russia/Ukraine war, and a growing willingness of criminals to target the ICS of critical industries. At the same time, ICS/OT is facing an expanding attack surface caused by continuing business digitization, an explosion of IoT and IIoT devices, the coming together of IT and OT networks, and the use of potentially insecure open source software libraries to bind it all together.
Background to the ICS/OT Threatscape
The IT/OT overlap
One of the biggest threats to OT comes from its convergence with IT. When the networks were separate, OT could be isolated from the internet and kept relatively secure. This is no longer the reality.
“As IT and OT systems continue to converge,” comments Simon Chassar, CRO at Claroty, “nation-state actors and cybercriminal groups such as Berserk Bear, Conti, Lazarus and Mythic Leopard, will shift their focus from IT to OT and cyber-physical systems; from stealing sensitive data to disrupting mission-critical operations.”
For all its benefits, IT/OT convergence without proper security means threat actors can take down operations by exploiting an IT access point or a cloud vector. “This yields maximum financial or political gain for the attacker,” continued Chassar, “because businesses have more incentive to pay a ransom when their means of production are at stake, which can have a long-term impact on revenue and the supply chain.”
Ramsey Hajj, Deloitte’s US and global cyber OT leader, expands on this theme. “Cyber attackers are increasingly weaponizing OT environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments can make cyber incident containment difficult.”
Supply chain attacks cannot be ignored, either on the IT side or directly against OT. “Supply chain attacks continue to evolve for both ICS hardware and software,” comments Pascal Ackerman, senior security consultant for operational technology at GuidePoint Security. “Think implants for controls and automation equipment, attack chains that involve suppliers and service providers to ICS owners as an initial foothold or pivot point, and compromises on controls and automation vendors’ file repositories with the purpose of adding implants in the provided software.”
Geopolitics and the Russia/Ukraine war
“One of the biggest concerns around the potential for large-scale attacks in the wake of the war in Ukraine is around ICS/OT,” says Christopher Budd, senior manager of threat research at Sophos. “While we haven’t yet seen attacks on a scale as feared, there have been documented attacks like this in Ukraine as part of the ongoing hostilities.”
He suspects this will focus both government and industry on strengthening the security of ICS/OT systems, even if it’s done quietly. This may already be evident in the new Cross-Sector Cybersecurity Performance Goals (CPGs) issued by CISA in late October 2022. Claroty describes them as, “a foundational set of IT and OT practices and recommendations that can help smaller, lesser-resourced organizations better prioritize cybersecurity efforts and reduce risk.”
Claroty highlights four OT recommendations in the CPGs. There should be a single leader responsible for OT asset cybersecurity; there should be specialized OT-focused cybersecurity training for OT engineers; there should be compensating controls such as network segmentation and access controls used as mitigations until software patches and firmware updates can be applied; and there should be unique credentials for assets, use of MFA, and the removal of default passwords.
We can expect that government agencies will, and private industry should, work on conforming to CISA’s CPGs during and from 2023.
Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, expects further assistance from CISA in 2023. “2023 will usher in the fruits of new CISA programs further building mechanisms for enhanced trust and verification – CyberSentry and RedEye for example – which will broaden the aperture for understanding OT and ICS incidents.”
One less-obvious effect of global geopolitical tensions will be a deterioration in international law enforcement cooperation. “Besides the growth of hacktivist activity ‘working’ to internal and external political agendas,” suggests Kaspersky, “we might also see more ransomware attacks on critical infrastructure due to the fact that it will become harder to prosecute such attacks.”
Chassar is more direct. “There is going to be an increase in the number of threats from nation-state actors, as well as groups that are associated with nation-states in 2023,” he says. “Their activity targeting the critical infrastructure industry, from manufacturing to water and energy, will continue to grow, fueled by ongoing global geopolitical conflicts such as the Russia/Ukraine war, as well as the current economic climate.”
The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while cybercriminals have had their restraints reduced.
Specifically…
IoT/IIoT
“There are now more known vulnerabilities impacting IoT devices than IT devices,” says Bud Broomhead, CEO at Viakoo, “and IoT devices are often the easiest for cybercriminals to access.” IoT and IIoT are a massive and expanding part of the ICS/OT attack surface, providing an entry point and enabling lateral movement.
“Breached IoT devices are having devastating impacts,” he continued, “such as ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.”
The scale (sometimes up to 20x more than IT devices) and the physical location (widely distributed rather than focused within data centers), together with the growing use of vulnerable open source software libraries, make vulnerability remediation difficult.
Broomhead believes the shift to open source software presents the most immediate threat. “The dangers open source vulnerabilities present are that they require multiple vendors to provide patches, they are often found in OT and IoT devices that are hard to remediate, and they can be exploited many years after they were discovered.”
Wendy Frank, Deloitte’s US cyber IoT leader, believes part of the threat comes from a lack of adequate security governance covering the implementation of IoT, IIoT, OT and ICS devices. As their number grows, so the expanded attack surface creates more security, data, and privacy risks.
“Leading organizations,” she says, “will focus in the year ahead on connected-device cyber practices by establishing or updating related policies and procedures, updating inventories of their IoT-connected devices, monitoring and patching devices, honing both device procurement and disposal practices with security in mind, correlating IoT and IT networks, and monitoring connected devices more closely to further secure those endpoints, manage vulnerabilities, and respond to incidents.”
Ransomware and other malware
“Ransomware remains the most likely threat to cause disruption in industrial infrastructure environments in 2023,” states Thomas Winston, director of intelligence content at Dragos. “Based on our visibility of ransomware events, manufacturing organizations remain the most frequent target with 70% of observed ransomware events, year-to-date [ie, 2022], continuing to target primarily manufacturing.”
Ackerman sees ransomware beginning to target OT specifically. He expects to see: “Ransomware targeting the industrial environment – in contrast to ransomware on the IT side accidentally compromising the OT space – with attacks on virtualization stacks (VMware), data repositories (Historian), controls equipment like PLCs, and controls project repositories (file shares).”
Partly, this will be exacerbated by native code execution on PLCs, with the attacker adding arbitrary code to the PLC’s OS, and paving the way for ransomware and rootkits running on the PLC.
Winston is particularly concerned for those organizations without adequate segmentation between IT and OT, but notes that “Ransomware rarely uses novel methods – making the application of key elements of a defensible ICS/OT architecture particularly effective.”
He recommends the five critical controls outlined by SANS in October 2022: implementation of an ICS-specific incident response plan; development of a defensible architecture [perhaps in conjunction with an attack surface management plan]; ICS network visibility and monitoring; secure remote access; and a risk-based vulnerability management program.
Beyond ransomware, Winston is concerned about the evolution of Pipedream (also known as Incontroller). “Pipedream is an existential threat to the ICS community. This toolset is likely being actively developed and financed,” he said.
“It is already capable of disruption across industries, including CrashOverride-style disruption, pipeline disruption, and servo manipulation. We’ve confirmed that Pipedream, with little development effort, can target devices speaking the ubiquitous CODESYSv3 and OPC UA protocols. It can manipulate servos in the 1S-Series of Omron Servo drives.” While it cannot target Omron Safety Controllers, he believes this is undoubtedly the next step in its development.
Hijacking remote access sessions
Ian Pratt, global head of security for personal systems at HP Inc, sees an increase in session hijacking in 2023. “Increased use of features like Windows Defender Credential Guard are forcing attackers to pivot – either capturing users’ passwords to enable lateral movement, or hijacking the remote session itself to access sensitive data and systems. The latter is particularly powerful.”
By targeting users with elevated rights, the attacks are more potent, harder to detect, and more difficult to remove. “The user is typically unaware that anything has happened. It takes just milliseconds to inject key sequences and issue commands that create a backdoor for persistent access. And it works even if privileged access management (PAM) systems are being used to employ MFA, such as smart cards.”
Session hijacking does not involve exploiting a fixable vulnerability – it is about abusing the legitimate functionality of remote session protocols, such as RDP, ICA and SSH. “If such an attack connects to OT and ICS running factories and industrial plants, there could also be a physical impact on operational availability and safety – potentially cutting off access to energy or water for entire areas.”
APTs targeting CNI through OT
“Attacks targeting critical national infrastructure tend to be the work of APT groups working on behalf of nation states with specific goals,” comments Joseph Carson, chief security scientist and advisory CISO at Delinea. Those goals are governed by the current state of geopolitics, and the global tension caused by the Russia/Ukraine conflict means the stakes are high.
“These high-level adversaries are hard to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will select soft targets,” he continued.
Although OT and IT networks are converging, there remains a fundamental design difference between the two. “OT systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks. Gaining centralized visibility and management of such a complex environment can be extremely challenging,” he added.
This results in gaps between the two networks that APT actors can find, infiltrating the IT network and moving across to the OT network. “These issues elevate the potential threat of a nation state actor infiltrating the system and causing serious disruption,” he continued.
According to Kaspersky’s experts, there will likely be a shift in APT activity against industrial organizations in new industries and locations. “Real economy sectors such as agriculture, logistics and transport, the alternative energy sector, and the energy sector as a whole, high-tech, pharmaceuticals and medical equipment producers are likely to see more attacks next year,” they say. “Moreover, traditional targets such as the military industrial complex and the government sector will also remain a focus.”
Kaspersky also warns that there will likely be an increased level of cooperation between criminals and APTs. “Other risks to watch out for are the heightened criminal activity with a goal to harvest user credentials as well as more volunteer ideological and politically motivated insiders working with criminal groups, usually extortionists and APTs,” it says. “These insiders may be active in production facilities as well as technology developers, product vendors and service providers.”
Human costs
Attacks on the OT of critical industries have real world implications, which may worsen in 2023. “Whether it’s contaminated water supplies or minimal access to fuel, we’ve seen the costs these cyberattacks have firsthand,” comments Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence. “While hackers’ activities will likely still be money-driven, we can expect to see human cost become more of a play in the following year.”
He is concerned that IT and OT security convergence is still not effective. “Attacks that have been close calls in the past (such as the poisoning of the water supply from a Florida plant in 2021) will eventually have human costs.”
Catastrophic attack on the energy grid
Liebig is also concerned about attacks on the energy grid. “As Ukraine stands its ground in its conflict with Russia, we’re likely to not only see more attacks on Ukrainian energy infrastructure, but the US’s infrastructure as well,” he warns. “At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years.”
As a result, he continued, “The combination of aforementioned factors makes the US’s power grid more vulnerable to cyberattacks than it has been in a long time.”
The way forward
Sam Curry, CSO at Cybereason, believes there needs to be a fundamental change of approach from the ICS/OT system providers. “Many of the security basics are simply not present, such as leveraging roots of trust and trusted execution environment, strong cryptographic options, hardening, secure update and shipping with strong identity options and no default access, to name a few,” he says. “Most devices don’t ship with hardening options or advice, have poor documentation and no understanding of ultimate use cases.”
This results in customers setting up devices, but rarely coming back to manage the ongoing device lifecycle, let alone maintaining security aggressively as they should. “There are missed business opportunities for security services and secure management services as a service that are being left behind. Done correctly, there’s not only lower risk for business, but there’s money to be made and real value to provide.”
He adds, “2023 needs to be the year to reset ICS and OT standards for security.”
Ronnie Fabela, CTO and co-founder at SynSaber, also sees scope for improvement in standards. “From the practitioner side of ICS cybersecurity, 2023 will continue to see an overwhelming message of guidance, regulation, media, and FUD about topics such as ransomware, threat actors, and nation-states,” he says.
“My prediction for 2023 is that while this will continue, the industry’s response will be loud and focused: ‘Enough guidance and FUD. Help us execute.’” His position is that industrial operators and asset owners know their systems better than anyone. Now they are on board with cyber, empowering the operating community is the only true way to move the needle.
“A shift from ‘We know better’ to ‘You know better’ will be tough for a cybersecurity industry that is used to being the hero,” he adds. “The faster all of us can change this mindset, the more successful 2023 will be for defending critical infrastructure.” There will consequently be continued movement from guidance to regulation.
But Jablanski offers a word of warning, more to do with party politics than geopolitics: “New direction and bolstered industry involvement will produce greater situational awareness, trust, and resolve across the critical infrastructure security community. As a warning, policymakers should avoid a partisan future for reducing cybersecurity risks to critical infrastructure.”
SecurityWeek Cyber Insights 2023 | The Geopolitical Effect – Geopolitics describes the effect of geography on politics, and usually refers to the political relationship between nations. That relationship is always mirrored in cyber. The Russia/Ukraine war that started in early 2022 has been mirrored by a major disturbance in cyber – and that disturbance will continue through 2023.
The physical conflict has forced much of the world to take sides. The US, NATO, the EU, and their allies are providing major support – short of troops – to Ukraine. China, Iran, and North Korea are all supporting Russia. The cyber conflict is similar, largely conforming to the George W Bush ‘axis of evil’ (Iran, Iraq, and North Korea, with the popular addition of Russia and China) versus the US, EU, and their allies.
Here we’re going to discuss how the current state of global geopolitics might play out in cyber during 2023.
Background
“Russia may well resort to increased cyber offensive actions as it contends with on-the-ground setbacks in Ukraine,” comments Bob Ackerman, MD and founder of AllegisCyber. This has been considered likely throughout 2022, but as Russian military setbacks have increased toward the end of 2022, so the likelihood of increasingly aggressive Russian cyber activity will rise. Such offensive actions will not simply target Ukraine – they will be aimed at all countries seen to be supporting Ukraine.
“While we haven’t seen those feared attacks materialize yet,” says Christopher Budd, senior manager of threat research at Sophos, “it would be premature to say that those risks have passed. In 2023, so long as the uncertainty of war exists, everyone should plan for the real possibility of unexpected, large-scale cyberattacks.”
Indeed, the mirror between the kinetic and cyberworlds suggests it is inevitable in 2023. Kevin Bocek, VP of security strategy and threat intelligence at Venafi, expects to see Russian cyber activity becoming more ‘feral’. “We’re increasingly seeing its kinetic war tactics becoming more untamed, targeting energy and water infrastructure with missile strikes,” he says. “We expect the same to apply to cyberwarfare.”
He is concerned that Russia’s more feral activity will have the potential to spill over into other nations, “as Russia becomes more daring, trying to win the war by any means, and Russia could look to use the conflict as a distraction as it targets other nations with cyberattacks.”
Malwarebytes believes that large-scale attacks will appear first in Ukraine, but be accompanied by attacks against European allies. “In recent weeks [Oct/Nov 2022] Russia has been launching a barrage of missiles to cripple Ukraine’s electricity infrastructure. We could expect that at some point availability of such weapons will run low and that the Kremlin will want to increase the cyber effort. We may see further successful malware attacks from the Sandworm group as we have seen previously with the blackouts caused by the BlackEnergy malware,” comments Jerome Segura, senior director of threat intelligence at Malwarebytes.
“While malware used to destroy or wipe systems is likely to be used against Ukraine,” he adds, “more stealthy malware such as backdoors are likely to hit European allies as attempts to compromise key leaders, gather intelligence and possibly expose or extort via ‘kompromat’.”
In one sense, the Russia/Ukraine conflict has taken the gloves off the lower-level cyberwarfare that has existed for years. You could say that 2023 may well prove to be a new era of bare-knuckle cyberwarfare. “Nation state cyber warfare will become more openly prevalent,” suggests Chris Gray, AVP of security strategy at Deepwatch. “The Russia/Ukraine conflict has taken away much of the ‘cloak and dagger’ aspects of this area and, in doing so, has also broadened the scope of available targets. Financial impact and the ability to increase chaos due to service interruption will increasingly grow over former levels.”
While we concentrate on Russia as the primary current protagonist in offensive cyber, we should not forget that Russian ‘allies’ will take advantage of the situation. “China is likely to expand the full spectrum of its cyber initiatives targeting economic, political, and military objectives,” continues Ackerman. “Bit actors on the global stage may well exploit Great Power conflict and related global distractions to launch targeted regional cyberattacks,” he added. Iran targeting Israel is one example.
Difficulty in attribution will remain
Increased nation-state cyber activity will become more obvious, but not necessarily legally attributable. The major powers will still seek to avoid direct retribution that could escalate into additional kinetic warfare. “The reality with nation-state attacks is you might never know you’ve been hit by one until another country’s intelligence agency actively identifies it,” warns Andrew Barratt, VP at Coalfire. “The attribution of attacks to specific parties is a highly contentious area with a lot of room for error and deniability. What we really need is crossover from friendly military intelligence partners to support a reasonable conclusion.”
SecurityWeek was told years ago by Luis Corrons, now security evangelist at Gen and co-chairman of the board at AMTSO, “The only people who really know what’s going on are the intelligence agencies, who have close knowledge drawn from signals intelligence and covert agents.” Historically, the intelligence agencies have been reluctant to make too many public accusations of attribution for fear that it might expose their sources.
Direct attribution from countries with mature intelligence agencies is likely to increase in 2023 – as will the strident denials coming from the perpetrators – but it will remain difficult. “The rapid expansion of non-state affiliated cyber actors including hobbyists, hacktivists, criminals, privateers, proxies, vigilantes, or cyber response reserve units, is unlike anything ever seen in traditional warfare,” explains Marcus Fowler, CEO of Darktrace Federal. “The surge in ‘vigilante’ approaches to cyber-crime will continue to alter the course of modern warfare in 2023, introducing unprecedented adversaries and allies for nation-states.”
Zero-day stockpiles
What remains largely unknown is the potential capability of unfettered cyberwarfare – all major nations have been stockpiling zero-days for years. “I dare not speak of the unused kinetic powers available to the nation-states,” comments Brian Neuhaus, CTO of Americas at Vectra AI, “but will digress to one which has only, I believe, been partially used. Cyberwarfare is still a real threat from a broader use of known TTPs (tools, tactics, procedures), and an unknown equity of zero-days just waiting for the right strategic moment to deploy against one’s foes.”
Zero-days are not used lightly, especially by nation-states. Once used, they instantly lose their value. The problem is that we have no knowledge of our adversaries’ zero-day stockpiles, nor their ability to unleash widespread destructive capabilities against critical infrastructure. Their use is likely to be one of desperation – a cyber version of nuclear weapons with the potential to escalate into open kinetic conflict.
We must hope this day never comes, for it is worth remembering Putin’s warning on the use of nuclear weapons: “For the planet, it will be a catastrophe. But for me as a citizen of the Russian Federation and the head of the Russian State, I must ask myself the question. What is the point of a world without Russia?”
Wiperware and other destructive attacks
Our hope must therefore be that no nation-state feels so backed into a corner that it unleashes the full power of stockpiled zero-days against the opponent’s critical infrastructure. That doesn’t mean we can relax – the threat from what we could perhaps describe as conventional cyberweapons remains real and likely to increase through 2023. Wiperware is probably top of the list.
“Russia’s invasion of Ukraine this year revealed the modern digital battlefield. Most notably, we have witnessed an increased use of wiperware, a form of destructive malware against Ukrainian organizations and critical infrastructure,” comments Fleming Shi, CTO at Barracuda. “The frequency has dramatically increased as we saw WhisperGate, CaddyWiper, HermeticWiper, and others hitting the news since the war broke out.”
Unlike the financial motivations and decryption potential of ransomware, wiperware is typically deployed by nation-state actors with the sole intent to damage and destroy an adversary’s systems beyond recovery. “In addition,” he added, “in 2023, wiperware emanating from Russia will likely spill over into other countries as geopolitical tensions continue.”
Wiperware can easily be disguised as criminal ransomware with non-functioning decryption, adding deniability to destructive nation-state attacks. There are suspicions that WannaCry was a version of this. “Given the current political climate, Kaspersky experts foresee a record number of disruptive and destructive cyberattacks, affecting both the government sector and key industries,” says Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT.
“It is likely that a portion of them will not be easily traceable to cyberattacks and will look like random accidents. The rest will take the form of pseudo-ransomware attacks or hacktivist operations to provide plausible deniability for their real authors,” he added. “High-profile cyberattacks against civilian infrastructure, such as energy grids or public broadcasting, may also become targets, as well as underwater cables and fiber distribution hubs, which are challenging to defend.”
A particular target area for such attacks will likely be ‘dual use’ technologies; that is, those that serve both military and commercial purposes. “Satellite technologies and other advanced communication platforms come under a higher level of focus. Both intellectual property theft and disruption of data delivery to governments and militaries around the world become a stronger focus,” says Kurt Baumgartner, principal security researcher at Kaspersky.
It is noticeable that the cyberattack against Viasat by Russia just prior to the Russian invasion of Ukraine, designed to disrupt Ukrainian military communications, spilled out of the region to also affect some 9,000 European users. Russia seems to have ‘got away with it’ on this occasion, but it effectively remains a nation-state cyberattack against civilians outside of the war zone. We are not aware of any clandestine response from the West, but must wonder if the response would have been different if the spillover had directly affected US users.
John Pescatore, director of emerging security trends at SANS Institute, endorses Baumgartner’s view. “The war in Ukraine will have broader impacts on the commercial sector as operatives on both sides attack dual-use technologies (that is, services used by both the military and civilians) to take down communication and critical infrastructures systems.” He expects to see more attacks in 2023 that will impact business internet connections, communication, and logistics systems.
“Increasing attacks on key dual-use technologies like cell towers, GPS, and commercial satellites – such as Starlink,” he adds, “will damage connectivity and business operations for private sector companies that depend on these technologies, even if they are not directly targeted themselves.”
Beyond Russia
While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea will all increase their activity through 2023 under cover of the European war. China will likely continue concentrating on espionage rather than destruction – although this may change if the separate geopolitical tensions over Taiwan escalate into kinetic activity.
“China has high priority targets to meet in terms of economic and social development, made more pressing by continuing Covid outbreaks and a zero-tolerance stance on Covid,” warns Mike McLellan, director of intelligence at Secureworks. “Chinese intelligence collection will remain both broad and deep, as the Chinese Communist Party will not accept failure on any of its key focus areas.”
This focus will be on upgrades to its manufacturing base, food stability, housing, energy supply, and natural resources. “Organizations operating in or supplying any of those areas, particularly high-tech industries,” he continues, “are potential targets of Chinese cyberespionage.”
But he adds, “As tensions continue to rise around Taiwan and the South China Sea, and China continues to drive forward with its Belt Road Initiative (BRI), a large proportion of China’s cyber espionage apparatus will be regionally focused targeting governments and critical infrastructure projects, as well as dissidents and other individuals opposed to the Chinese state.”
Iran and North Korea are less concerned with maintaining any semblance of diplomacy with the US and EU. Iran may engage in more destructive cyberattacks, largely in the Middle East but potentially elsewhere. “Iran will exploit the blurring of state-sponsored activity with cybercrime, both against regional adversaries and more broadly,” says McLellan.
The country will make use of offensive cyber operations under the guise of hacktivist and cybercrime personas to harass and intimidate regional adversaries, particularly Israel. This will probably extend beyond the Middle East with Iran merging state and criminal activity. Citing the IRGC-affiliated Cobalt Mirage threat group, McLellan warns, “Iran will exploit this financially motivated activity as a plausible cover for state espionage or disruption operations, which can be dismissed as part of a ‘cybercrime problem’.”
“We’re also seeing North Korea flexing its muscles by flying long range weapons over borders,” adds Venafi’s Bocek. If the mirror between kinetic and cyber activity holds true, we can expect North Korea to become more aggressive in cyber in 2023. Such cyber activity, adds Bocek, “will be replicated by North Korea as it looks to advance its economic and political goals.”
Summary
A particular concern for 2023 and beyond is that the diplomatic seal may now be permanently broken. The Russia/Ukraine war will eventually end – but tensions between the two countries and their allies will continue. Aggressive international cyber activity may never return to pre-war levels. “Nation-states will continue to cause each other digital problems amid the constant fight for power and status on the world stage,” comments Zac Warren, chief security advisor for EMEA at Tanium.
“Nations will come to the table to discuss norms; China, Russia and others will inhibit progress,” warns Mike Hamilton, founder and CISO at Critical Insight. He has two specific predictions for 2023 that might take cyber relations beyond the point of no return. Firstly, he suggests, “Russia will have its infrastructure disrupted as a demonstration of seriousness.” Secondly, he adds, “Operational technologies will be disrupted/wiped, likely in the US water sector.”
If either of these incidents occur and can be reliably attributed to a foreign state, they will not be easily forgiven.
As it is in the kinetic world, so it is in the digital. “For everything in the real world, there is a shadow on the Internet,” says Sam Curry, CSO at Cybereason. “More-and-more, we are going to see the Internet as a primary forum for geopolitical activity. The classic diplomacy, information, military and economic (or ‘DIME’) options are seeing the rise of information options and a resurgence of military options from 2022. Going into 2023, it’s to be hoped that diplomacy and economics rise to the fore, but for that to happen, the world would need to see an amenable-to-all-parties resolution to the Russia-Ukraine War or at least motion in that direction with a meaningful ceasefire; and detente in the South China Sea, which although a secondary area is another potential area of rising concern and clash of superpowers.”
Our intention here is to talk about cybercrime and cybercriminals. Despite some geopolitical overlaps with state attackers, the majority of cyberattacks still come from simple – or perhaps sophisticated – criminals who are more motivated by money than politics.
“With the Russia-Ukraine War, many actors polarized, including players like Conti, Killnet and Anonymous. However, the ecosystem is much larger, and even with setbacks in cryptocurrency brokerage, which advanced the liquidity and economics of criminals online, criminal organizations are thriving, diversifying, and going gangbusters as we enter 2023,” comments Sam Curry, CSO at Cybereason.
“There are no signs of this letting up and all signs indicate that criminal organizations’ real growth is e-crime going forward.”
Know your enemy
An increasing sophistication among the more elite criminals together with a more streamlined organization of the infrastructure from which they operate has been apparent for many years. This process continues and will continue throughout 2023. It is apparent in both how the gangs operate and the tools they use.
“Malware will continue to evolve in 2023 as attackers find new ways to hide it to maintain persistence and get what they came for,” says Mike Parkin, senior technical engineer at Vulcan Cyber – adding, “The attack vectors they use to get a foothold will also evolve, taking advantage of new vulnerabilities, and leveraging variations of old ones.”
But it is the increasing maturity of the criminal business that perhaps poses the greatest threat. “There is a significant maturing of the tools used by cybercriminal groups,” explains Andrew Barratt, VP at Coalfire. “They are becoming platforms (as a service) for other criminal groups with significantly less technical expertise to leverage.”
We’ve had ransomware-as-a-service and infostealers-as-a-service for a few years, but it is becoming more accurate to describe the process as a complete ‘crime-as-a-service’. “While we’ve seen the crime-as-a-service infrastructure become very prevalent, it’s probably likely we’ll see an uptick in volume and/or pricing of these attacks in the year ahead,” adds Barratt.
Crime-as-a-Service
“We’ve looked at numerous online forums and found such a rise and diversification in the many kinds of criminal ‘as a service’ offerings that people really can set up their own cybercrime business with little to no technical knowledge or skills,” explains Christopher Budd, senior manager of threat research at Sophos.
“Now you can find a vendor or supplier to cover your needs around targeting and initial compromise of victims, evasion and operational security, and malware delivery, among others.” These offerings often come with good marketing and customer service and support that meets – or even exceeds – those you get when paying for legitimate software.
Calling it malware-as-a-service (MaaS) rather than crime-as-a-service, Andrew Pendergast, EVP of product at ThreatConnect, adds, “MaaS operators act like a business, because they are a business – just an illegal one. Their goals are to make as much money as possible selling their product and services. This entails making it as accessible, trustable, reliable, and easy to use as possible for their ‘market’.”
He expects the CaaS providers to continue to improve their support and services to accommodate a broader set of customers and affiliates, adding, “The net results will be a broadening user base for various MaaS offerings which in 2023 likely means more ransomware attacks.”
In fact, the service is now so complete that Benjamin Fabre, CEO at DataDome, points out new cybercriminals no longer need the technical skills to develop and execute cyberattacks on their own. “Cybercrime will require as much brains as holding a baseball bat to a shop owner’s window,” he comments.
Chris Vaughan, a VP of technical account management at Tanium, agrees with this assessment. “Malicious cyber tools are becoming more available to be purchased online which is leading to a greater number of attacks that are also less predictable. This includes vulnerabilities and exploits as well as hackers for hire, dramatically lowering the barrier of entry for anyone interested in launching a cyberattack.”
This leads us to another related concern for 2023: the potential expansion of a recession-promoted cybercrime gig economy. “People may turn to ‘cyber hustling’ in the cybercrime gig economy to make quick cash during the economic downturn,” warns Alex Holland, senior malware analyst at HP Inc.
He fears a potential increase in the number of cyber hustlers seeking to make additional – or, indeed, any – income by scamming consumers who will themselves be looking for opportunities to raise some extra cash. “Cybercrime tools and mentoring services are readily available at low costs, enticing cyber hustlers – opportunists with relatively low levels of technical skill – to access what they need to turn a profit.”
The interconnected nature of the cybercrime gig economy means threat actors can easily monetize attacks. “And if they strike gold and compromise a corporate device, they can also sell that access to bigger players, like ransomware gangs. This all feeds into the cybercrime engine, giving organized groups even more reach.”
Crime gang career roles
Fundamental to the emergence of streamlined CaaS has been the evolution of career specializations within the gangs. “In many ways, the cybercrime ecosystem has developed specialized ‘career fields’ in a similar way that cybersecurity has developed specializations,” comments John Bambenek, principal threat hunter at Netenrich.
This means there are many more partnerships and boutique actors helping a variety of groups. “Getting initial access is a specialized skill set, just like money laundering (in cryptocurrency) and ransomware development are skill sets,” he added. “This specialization makes the ecosystem as a whole more resilient and more difficult to bring to justice.”
This process of business refinement will continue through 2023. “Criminal organizations will continue to grow in scope and capabilities, with increased focus on functional areas,” suggests Gray, AVP of security strategy at Deepwatch. “Specialization will allow these groups to maintain the razor margins needed to operate at levels that are capable of bypassing security program components at advanced targets and/or operate at scale against more susceptible targets.”
Three categories of CaaS to watch in 2023
Three categories of crime-as-a-service are likely to be prevalent in 2023: ransomware-as-a-service (RaaS), stealer-as-a-service (SaaS), and victims-as-a-service (VaaS).
RaaS
The ‘pay-per-use’ version of delivering ransomware is, says Camellia Chan, CEO and founder of X-Phy, “a sophisticated, and yet much more accessible form of ransomware, with malicious actors no longer requiring advanced technical skills to carry out attacks.” This is a win for wannabe criminals who cannot code.
But it is also a win for the more elite coding criminals trying to avoid the eye of law enforcement. “The number of different entities involved adds another layer of complexity,” explains Chan. “While RaaS operators develop the infrastructure, access brokers focus on the identity posture and external access portals. To finish, the affiliate buying the RaaS handles the exfiltration of data to ransom, then deploying the actual ransomware payload.”
Mike McLellan, director of intelligence at Secureworks, continues: “New RaaS schemes will continue to emerge, but the landscape will be dominated by a handful of cybercriminal groups operating a small number of very active schemes.”
He expects the dominant schemes to increase their capacity to support more affiliates. “Experienced cybercriminals under sanction by the U.S. authorities will make use of existing RaaS schemes as a way of complicating attribution of their attacks. At the other end of the spectrum, less sophisticated affiliates will conduct simplistic ransomware deployments against small numbers of hosts, rather than full-blown, enterprise-wide encryption events.”
SaaS
A study published by Group-IB on November 23, 2022, reported that 34 Russian-speaking groups were distributing infostealers as part of stealers-as-a-service operations. On average, each of these groups has some 200 active members.
Twenty-three of the groups distributed the Redline infostealer, while eight concentrated on Raccoon. “An infostealer,” explains Group-IB, “is a type of malware that collects credentials stored in browsers (including gaming accounts, email services, and social media), bank card details, and crypto wallet information from infected computers, and then sends all this data to the malware operator.”
Given that credentials remain the starting point for most cyberattacks, the demand is and will remain high. Group-IB suggests “Stealers are one of the top threats to watch in the coming year.” The company notes, “In the first seven months of 2022, the gangs collectively infected over 890,000 user devices and stole over 50 million passwords.”
While the targets are individual computers often used by gamers and remote workers, the potential knock-on effect against corporates should not be underestimated. “The threat actor responsible for the most recent attack on Uber purchased the credentials compromised with the Raccoon stealer,” says Group-IB.
Uber itself explained the process in a statement: “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”
This demonstrates both the effectiveness of stealers and the limits of push-approval MFA as a complete access control: once the password had been bought, a single careless tap was all that stood between the attacker and the account. The Uber instance appears to be a variation on what Tanium’s Vaughan describes as an MFA push exhaustion attack (also called MFA fatigue or push bombing). “This,” he explains, “is where an attacker sends a large number of MFA acceptance prompts to a user’s phone, which may cause them to click accept in order to stop the barrage of requests.”
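The sequence Uber describes leaves a recognisable trace in identity-provider logs: a burst of push prompts for one account, most of them denied or left to expire, followed by a single approval from the same source. The following is an added detection example, not code from the article, from Uber or from Tanium. It replays constructed push-MFA events and flags two signatures: prompt volume crossing a threshold inside a short window (push bombing), and an approval arriving after a run of rejections (fatigue approval). The log field names, the account names, the IP addresses (taken from RFC 5737 test ranges) and the thresholds are all assumptions for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection thresholds. These values are assumptions for illustration;
# tune them against your own identity provider's baseline.
WINDOW = timedelta(minutes=10)
MAX_PROMPTS_IN_WINDOW = 5           # more pushes than this per user -> push bombing
MIN_REJECTIONS_BEFORE_APPROVAL = 3  # approval after this many rejections -> fatigue approval
REJECTIONS = {"denied", "timeout"}

# Constructed NDJSON push-MFA events (field names, users and IPs are made up,
# not real IdP telemetry). Each record is one push prompt and its outcome.
SAMPLE_LOG = [
    '{"ts":"2022-09-15T03:10:00Z","user":"ext-contractor","src_ip":"203.0.113.7","result":"denied"}',
    '{"ts":"2022-09-15T03:11:05Z","user":"ext-contractor","src_ip":"203.0.113.7","result":"denied"}',
    '{"ts":"2022-09-15T03:12:30Z","user":"ext-contractor","src_ip":"203.0.113.7","result":"timeout"}',
    '{"ts":"2022-09-15T03:13:10Z","user":"ext-contractor","src_ip":"203.0.113.7","result":"denied"}',
    '{"ts":"2022-09-15T03:14:40Z","user":"ext-contractor","src_ip":"203.0.113.7","result":"denied"}',
    '{"ts":"2022-09-15T03:15:20Z","user":"ext-contractor","src_ip":"203.0.113.7","result":"timeout"}',
    '{"ts":"2022-09-15T03:16:00Z","user":"ext-contractor","src_ip":"203.0.113.7","result":"approved"}',
    # a normal login: one prompt, approved
    '{"ts":"2022-09-15T08:00:00Z","user":"alice","src_ip":"198.51.100.23","result":"approved"}',
    # a fat-fingered user: two denials then approval, below both thresholds
    '{"ts":"2022-09-15T09:00:00Z","user":"bob","src_ip":"198.51.100.41","result":"denied"}',
    '{"ts":"2022-09-15T09:00:40Z","user":"bob","src_ip":"198.51.100.41","result":"denied"}',
    '{"ts":"2022-09-15T09:01:10Z","user":"bob","src_ip":"198.51.100.41","result":"approved"}',
]


def parse_event(line):
    """Parse one NDJSON event; 'ts' is ISO-8601 UTC with a trailing Z."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_push_fatigue(lines):
    """Replay push-MFA events in time order and return a list of alert dicts.

    For each user a deque holds the prompts seen inside WINDOW. Two signatures:
      push_bombing     - prompt volume in the window crosses MAX_PROMPTS_IN_WINDOW
                         (fires once, at the moment the threshold is crossed)
      fatigue_approval - an approval arrives after at least
                         MIN_REJECTIONS_BEFORE_APPROVAL rejections in the window
    """
    recent = defaultdict(deque)  # user -> deque of (ts, result)
    alerts = []
    for rec in sorted(map(parse_event, lines), key=lambda r: r["ts"]):
        user, ts, result = rec["user"], rec["ts"], rec["result"]
        q = recent[user]
        while q and ts - q[0][0] > WINDOW:  # expire prompts older than the window
            q.popleft()
        q.append((ts, result))
        prompts = len(q)
        rejections = sum(1 for _, r in q if r in REJECTIONS)
        if prompts == MAX_PROMPTS_IN_WINDOW + 1:
            alerts.append({"kind": "push_bombing", "user": user, "ts": ts,
                           "prompts": prompts, "rejections": rejections,
                           "src_ip": rec["src_ip"]})
        if result == "approved" and rejections >= MIN_REJECTIONS_BEFORE_APPROVAL:
            alerts.append({"kind": "fatigue_approval", "user": user, "ts": ts,
                           "prompts": prompts, "rejections": rejections,
                           "src_ip": rec["src_ip"]})
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f"{a['ts']:%H:%M:%S} {a['kind']:<17} {a['user']} "
              f"{a['prompts']} prompts / {a['rejections']} rejections from {a['src_ip']}")
```

Run against the sample, only the contractor account trips either rule; alice's single approval and bob's two denials stay below the thresholds. The detection is reactive by nature: it can only fire once the prompts have been sent, so it belongs alongside preventive controls such as number matching in the push prompt, rate limits on prompts per account, or phishing-resistant factors (FIDO2/WebAuthn) that have no approve button to wear down.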
This whole process of SaaS-delivered stealers acquiring credentials and attackers defeating MFA will persist and increase in 2023.
VaaS
Mark Warren, product specialist at Osirium, believes there is a new service offering on the rise: hacker teams offering victims-as-a-service. “For the last couple of years, threat actors have been team-based,” he explains. “Before cryptocurrency, they were lone wolves – or, occasionally, a loosely connected group who’d met online. Then they started working in teams, and because they were paid money those teams became tightly bonded. Over the next year we’ll see more teams divide out into skills-based groups.”
He uses REvil as an example of a successful RaaS model offering an end-to-end solution for attackers that included encryption software, access tools, helpdesks for victims, payment services and much more. “But,” he says, “there’s still a market for smaller teams that focus on specific attack skills. For example, they may breach defenses to acquire user or admin credentials, or even install malware to provide back door entry for use at a later date.”
Providers of such a service don’t need to take the risk of executing the attack or handling payment; they can make good money just by selling the access on dark web marketplaces. The access could be obtained via relatively risk-free phishing campaigns.
The approach could be modular. “Company intelligence may be another specialist service,” he suggests. “For example, knowing what cyber insurance a potential victim has could reveal the kinds of defenses they’ll have in place and even how much they’re insured for, so ransomware demands can be tailored.” In this sense, VaaS can be seen as an extension and expansion of the existing access broker criminal service.
And going forward…
Aamir Lakhani, cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs, adds further subtleties that will emerge. “Going forward, subscription based CaaS offerings could potentially provide additional revenue streams. In addition, threat actors will also begin to leverage emerging attack vectors such as deepfakes, offering these videos and audio recordings and related algorithms more broadly for purchase.”
The quasi-APT
This continuing professionalization of the criminal fraternity is causing the inevitable emergence of what Omer Carmi, VP of cyber threat intelligence at Cybersixgill, calls the quasi-APT. “In 2023,” he warns, “the quasi-APT’s emergence will escalate due to the democratization of cyberweapons and the democratization of access enabled by powerful technology now accessible to the cybercrime underground.”
The growth of specialized roles and CaaS means that for as little as $10, threat actors can purchase access and gain a steady foothold into their targets’ systems. They can get a beachhead into highly secured organizations without having to bother with the complex, drawn-out process of gaining initial access on their own.
“By outsourcing access, attackers of all levels of sophistication can leapfrog several steps, jumping yet another step closer to the level of an APT – hence the birth of the quasi-APT,” he warns.
The constantly improving sophistication and professionalization of the criminal underground will continue through 2023 and beyond. For example, Mikko Hypponen, chief research officer at WithSecure, sees artificial intelligence adding a new string to the criminal bow in 2023.
“Malware campaigns will move from human speed to machine speed,” he warns. “The most capable cybercrime groups will reach the capability to use simple machine learning techniques to automate the deployment and operation of malware campaigns, including automatic reaction to our defenses. Malware automation will include techniques like rewriting malicious emails, registering and creating malicious websites, and rewriting and compiling malware code to avoid detection.”
2023 may see the beginning of a new crime gang service: AI-as-a-Service.