
Predicting the future is hard, but you can anticipate what is likely to happen by looking at prevalent and emerging trends from the past year. As part of our 2023 threat forecast, Barracuda turned to the professionals on the security frontline and asked them about the things they witnessed in 2022 and expect to see in 2023. What most surprised them, and what are the risks that organizations either under- or overestimate that could be leaving them exposed over the coming year? 

Q: What surprised you most during 2022 that will echo into 2023 and beyond?

Vulnerable software supply chains, weaponized social media, MFA abuse, the reach of geopolitically motivated cyberattacks, and everything-as-a-service

Riaz Lakhani, Chief Information Security Officer (CISO) at Barracuda: What surprised me most was the number of popular third-party software libraries that had critical vulnerabilities reported and the number of large enterprises that were impacted because they use those libraries, for example in their own applications.

Adam Kahn, VP Security Operations at Barracuda XDR: This year for the first time we saw targeted ransomware attacks against individuals based on their personal social media profiles.

Shani Mahler, Product Management Director, Engineering, Barracuda XDR: How ‘influence-based’ cyberattack operations are escalating. There seems to be little incentive for the leading social media platforms to solve this problem, so they don’t, and security teams can’t monitor influence operations. The Security Operations Center’s (SOC) job is to monitor machines and networks to find risks, not how people are being influenced to cause chaos. Social media influence is an unmonitored and very effective cyberthreat that will continue to run rampant in 2023.

Merium Khalid, Senior SOC Manager, Offensive Security: The increased abuse of multifactor authentication (MFA). I think 2022 was the year we saw that MFA is not the answer to all security concerns. Ever more compromises were reported, either due to MFA abuse or social engineering to get someone to give up their MFA codes.

Stefan van der Wal, Consulting Systems Engineer, Application Security: That ransomware is still an issue. For an attack that has such devastating consequences, there remain organizations that, in 2022, despite all the news surrounding this topic, still haven’t taken appropriate measures in terms of prevention, detection, response, and recovery. This, despite the efforts of the entire security industry to make it easier to address the threat.

John Flatley, Consulting Systems Engineer, Email Security: How easily accessible and available attack tools have become. There are subscription services that offer attackers all these services.

Stefan Schachinger, Product Manager, Network Security: In 2022, geopolitical conflict reminded us that cyberthreats have no borders and just how vulnerable the world is to cyberattacks. Many cyberthreats, including ransomware, were originally designed to make money, not to destroy the target. This shifted in 2022, when countries and organizations that were not directly involved in conflicts suddenly became victims of nation-state driven (or tolerated) attacks executed with a level of sophistication that was unlikely before, and for the purpose of disruption and interference. Our global level of cyber-vulnerability was a tough lesson to learn, but an important one as the threat level is unlikely to decline in 2023.

Against this backdrop, what are the top cyberthreat trends that organizations need to be ready for in 2023?

Exploited authentication methods, expanding attack surfaces, ever more zero-days, supply chain attacks, web and application attacks, and vulnerable IoT

RL: Account takeover continues to be a low-hanging fruit for attackers and a top-of-mind risk for organizations. With the growing ease of two-factor and multifactor authentication fatigue attacks and with TOTP (time-based one-time passwords) susceptible to social engineering, security practitioners will be taking a new look at authentication measures.

AK: In 2023, the number of potential attack surfaces in organizations will continue to increase as more of them adopt cloud-based and Software-as-a-Service offerings. Fortunately, this will be matched by a growing understanding that cyberthreats are active and evolving and need intelligent, automated, and real-time monitoring and response.

SM: In 2023, organizations need to be ready to be targeted by every kind of cyberthreat, regardless of their size or industry sector.

MK: More zero-day vulnerabilities. In 2022, there were 21,000 CVEs (new vulnerabilities) registered. Many of them were classed as ‘critical’, and many were actively exploited by attackers. Zero-days hit organizations without warning, and organizations need to have a team in place ready to patch software and remediate as soon as possible.

SVDW: Supply chain attacks. 2022 was the year of the supply chain attack, and it has led more attackers to look for the weakest link in attacking companies. Every company does business with others, and no one wants to be the attack pivot into another organization.

JF: The terrible threesome of email account takeover, ransomware, and web application attacks.

SS: The attack surface is expanding as more connected things are added to the infrastructure, more cloud services are used in conjunction with edge computing, and remote work continues. This is forcing organizations to rethink security. For years, the primary security objective was to defend ourselves against initial compromise, keeping malware and attackers out of our networks. Now we also need to prepare for something or someone breaking through and how we are going to react when it does.

How prepared are we? What cyber risks were organizations most likely to underestimate in 2022?

Vulnerable software development pipelines, employee security awareness, application security, and the likelihood of attack

RL: How easy account takeover is; what their most precious assets are and where they reside on the network; and what their attack surface looks like. Many organizations also underestimate the need to harden the CI/CD (continuous integration and delivery) pipeline for automated software production, from development through patching, deployment, and more. The CI/CD pipeline includes critical components such as source code, application code repositories, containers, and build servers, making it a top target for attackers.

SVDW: Application security risks. So many attacks now originate in applications, yet some organizations are unaware of the need to be proactive about security. Companies need to ask suppliers about the protective measures taken and investigate the security posture of an application before a cyber attacker does it for them.

SM: How well employees understand security. Employees are constantly targeted with phishing, smishing, and other social engineering tactics. However, most companies provide security awareness training (SAT) to their employees just once a year.

MK: The importance of security awareness training. Many of the compromises and breaches that happen are due to compromised credentials, and better education can do a lot to reduce this.

JF: The scale and accessibility of the above attack types and how easy it now is to utilize attack tools.

SS: Organizations and governments underestimate their chances of falling victim to a targeted attack and underestimate how extensive the impact of that attack will be. 2022 showed us how important single organizations can be to the economy and society. In a connected world, dependencies can be huge, and small causes can have big effects. For example, a single compromised documentation or billing system could force organizations to shut down worldwide operations, while a disabled power grid can cause a nationwide blackout. We must create more efficient ways to defend organizations and infrastructure, implement more resilience to avoid large-scale downtime for “tiny” reasons, and become capable of stopping ongoing attacks.

And what cyber risks were organizations most likely to overestimate?

Brute force attacks, data compliance breaches, and how protected they are

MK: The risk of a successful brute force attack. Scanning networks for vulnerabilities is one of the most common adversarial reconnaissance activities I see in the SOC. If an organization has external-facing assets due to its business needs, it is very likely it will get brute forced and scanned for vulnerabilities. However, if a company has controls in place such as geo-blocking, VPN, and MFA, the likelihood of brute force activity turning into a compromise is low.
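The answer above separates two things a SOC sees: the constant background of failed logins from the internet, and the rare case where such activity turns into a compromise. The following triage routine is an added example (not Barracuda's code) over constructed sshd-style log lines; the IP addresses, the allowlisted VPN/office network, the failure threshold and the window are all assumptions. It flags sources that cross the failure threshold, notes which of those a network control would have stopped from reaching the service at all, and raises a separate, higher-priority finding only when a success follows a burst of failures from the same source.

```python
"""Brute-force triage over authentication log lines (added example, not Barracuda's code).

Log lines are constructed in an sshd-like format. ALLOWED_NETWORKS models a
VPN/office allowlist (an assumption), FAIL_THRESHOLD and WINDOW are assumed
tuning values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one source hammering root, one legitimate office login,
# and one source that guesses bob's password after a short burst of failures.
SAMPLE_LOG = """\
2023-01-10T08:00:01 sshd[1001]: Failed password for root from 203.0.113.7 port 50211
2023-01-10T08:00:02 sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50212
2023-01-10T08:00:03 sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 50213
2023-01-10T08:00:04 sshd[1004]: Failed password for root from 203.0.113.7 port 50214
2023-01-10T08:00:05 sshd[1005]: Failed password for root from 203.0.113.7 port 50215
2023-01-10T08:00:06 sshd[1006]: Failed password for root from 203.0.113.7 port 50216
2023-01-10T08:00:10 sshd[1007]: Accepted password for alice from 10.20.0.15 port 40001
2023-01-10T08:01:00 sshd[1008]: Failed password for bob from 198.51.100.23 port 41000
2023-01-10T08:01:01 sshd[1009]: Failed password for bob from 198.51.100.23 port 41001
2023-01-10T08:01:02 sshd[1010]: Failed password for bob from 198.51.100.23 port 41002
2023-01-10T08:01:03 sshd[1011]: Failed password for bob from 198.51.100.23 port 41003
2023-01-10T08:01:04 sshd[1012]: Failed password for bob from 198.51.100.23 port 41004
2023-01-10T08:01:09 sshd[1013]: Accepted password for bob from 198.51.100.23 port 41005
"""

# Assumed control: only the VPN pool / office range may reach the SSH service.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
FAIL_THRESHOLD = 5            # failures from one source within WINDOW
WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Turn raw lines into events; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "ok": m["result"] == "Accepted",
                           "user": m["user"], "ip": m["ip"]})
    return events


def reachable(ip):
    """Would the network control have let this source reach the login at all?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def triage(events):
    """Sliding-window failure count per source, plus the one finding that matters:
    a success from a source that was brute-forcing moments earlier."""
    fails = defaultdict(list)  # ip -> failure timestamps still inside WINDOW
    findings = {"brute_force_sources": set(),
                "blocked_by_control": set(),
                "success_after_brute_force": []}
    for e in sorted(events, key=lambda x: x["ts"]):
        window = [t for t in fails[e["ip"]] if e["ts"] - t <= WINDOW]
        if not e["ok"]:
            window.append(e["ts"])
            if len(window) >= FAIL_THRESHOLD:
                findings["brute_force_sources"].add(e["ip"])
                if not reachable(e["ip"]):
                    findings["blocked_by_control"].add(e["ip"])
        elif len(window) >= FAIL_THRESHOLD:
            # Low-volume but high-severity: the burst of failures paid off.
            findings["success_after_brute_force"].append((e["user"], e["ip"]))
        fails[e["ip"]] = window
    return findings


if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG)))
```

Both noisy sources end up in `brute_force_sources`, and both sit outside the allowlisted range, so with the assumed control in place neither would have reached the service; the one finding worth an analyst's time is the `success_after_brute_force` entry for bob.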

SVDW: GDPR compliance risks. Some organizations have built very restrictive policies around data privacy. This is a good thing, unless they start inhibiting business agility around data where no PII (personally identifiable information) is involved. This can mean, for example, that organizations skip security measures that the compliance department thinks of as a data risk, whereas the real risk lies in not addressing the information security risk by implementing the systems that address it.

SS: Organizations overestimate their level of protection, their capability to defend themselves against attackers who probably already have a foothold, and they overestimate the positive impact of isolated security measures and tools that are only loosely integrated or not integrated at all.

How should security adapt in 2023?

AI, application security, new methods of authentication, automation, 24/7 real-time human-led monitoring, and Security Operations Centers (SOC)-as-a-Service will power cybersecurity in 2023

RL: As existing authentication methods are challenged by attackers, security practitioners need to look at alternatives, and we expect to see password-less and FIDO U2F (Universal 2nd Factor) single security key technology receiving a lot of consideration.

MK: As we move into 2023 and beyond, I can see the technology industry shifting toward biometrics and password-less methods for authentication.
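Two of the answers above belong together: the earlier point that TOTP codes fall to social engineering, and the expectation here that FIDO U2F and passwordless methods will replace them. The following added example (not Barracuda's code, and not a real FIDO library) shows the server-side reason. The TOTP verifier follows RFC 6238 (HMAC-SHA1, six digits, 30-second steps); its only inputs are the shared secret, the code and the time, so it cannot tell which site the user typed the code into. The FIDO-style verifier is a deliberately simplified model: a real authenticator signs with a per-site private key and the relying party checks with the stored public key, and here an HMAC over the same data stands in for that signature so the block runs on the standard library alone. The origins, the base32 secret and the credential handling are constructed placeholders.

```python
"""Why a code relayed from another site verifies with TOTP but not with an
origin-bound assertion (added example, not Barracuda's code).

TOTP: RFC 6238 as deployed by most authenticator apps.
FIDO-style: simplified model; HMAC stands in for the authenticator's
asymmetric signature (an assumption made to keep the block self-contained).
"""
import base64
import hashlib
import hmac
import os
import struct
import time

TOTP_STEP = 30
TOTP_DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP (RFC 4226) over the current 30-second time step."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check with the usual +/- one step of clock tolerance.
    Note what is NOT an input: the site on which the code was collected."""
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + delta * TOTP_STEP), code):
            return True
    return False


def register_credential() -> bytes:
    """Simplified: a fresh per-site credential secret (a real authenticator keeps a
    private key and the relying party stores only the matching public key)."""
    return os.urandom(32)


def authenticator_sign(credential: bytes, challenge: bytes, browser_origin: str) -> dict:
    """The authenticator signs over the challenge AND the origin the browser reports."""
    client_data = browser_origin.encode() + b"|" + challenge
    return {"origin": browser_origin, "challenge": challenge,
            "signature": hmac.new(credential, client_data, hashlib.sha256).digest()}


def relying_party_verify(credential: bytes, expected_origin: str,
                         issued_challenge: bytes, assertion: dict) -> bool:
    """The relying party checks origin, challenge and signature; any mismatch fails."""
    if assertion["origin"] != expected_origin:
        return False
    if not hmac.compare_digest(assertion["challenge"], issued_challenge):
        return False
    client_data = assertion["origin"].encode() + b"|" + assertion["challenge"]
    expected = hmac.new(credential, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    """Same user, same secret, code/assertion collected on a lookalike origin."""
    real_origin = "https://login.example.com"          # constructed
    lookalike_origin = "https://login-example.co"     # constructed placeholder
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")     # constructed shared secret
    now = int(time.time())
    code_typed_on_lookalike = totp(secret, now)
    totp_accepted = verify_totp(secret, code_typed_on_lookalike, now)

    credential = register_credential()
    challenge = os.urandom(32)                        # issued by the real site
    # The browser is on the lookalike origin, so that is what gets signed over.
    assertion = authenticator_sign(credential, challenge, lookalike_origin)
    fido_accepted = relying_party_verify(credential, real_origin, challenge, assertion)
    return {"totp_code_from_lookalike_accepted": totp_accepted,
            "fido_assertion_from_lookalike_accepted": fido_accepted}


if __name__ == "__main__":
    print(demo())
```

The TOTP functions are checked against the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `287082`), and `demo()` returns `True` for the relayed TOTP code and `False` for the relayed assertion; the only difference is that the origin is part of what the second verifier checks.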

AK: The growing use of artificial intelligence (AI) in threat detection — particularly in removing the “false positive” security noise that consumes so much security attention — will make a significant difference to security. It will prioritize the security alarms that need immediate attention and action. Automated SOAR (Security Orchestration, Automation and Response) products will continue to play a bigger role in alarm triage, and we expect to see more companies invest in 24/7 human-led threat hunting and response, making use of an expert SOC-as-a-Service if they don’t have the resources in house.

SS: Modern security solutions that remove the implicit trust from users, devices, services, and workloads, regardless of location, will become the norm. The “context” of who, what, when, where, and how will become key security components in a world of continuous Zero Trust evaluation that will defend against ever more stealthy threats. In 2023, just detecting and blocking malicious events will no longer be sufficient. You need to investigate and remediate everything.



Posted by Tilly Travers

Tilly Travers is Director, PR and Communications, International for Barracuda.

6 Comments

  1. This was an awesome collection of input. Thank you


  2. This is a fantastic compilation of awareness and recommendations! I agree ZTNA and ‘physical keys’ will see significant growth. Additionally, a large shift in compliance will rise quickly.


  3. Great article! Thank you for sharing these insights!


  4. 2023 year of the whack a mole, from one pile to another pile the targets will be switching


  5. Interesting article. Great insight into things we should look forward to in 2023.


  6. Thanks for this. Lots of great insight. I hope some of these predictions come true as I personally can’t wait to get rid of passwords in the future.
