Cybersecurity “Predictions” – Let’s Talk about 2023

No matter what industry you’re in, the end of the year brings a few universal gifts to us all: a crush of retail offers for amazing deals on all the things we need (or want); a slew of conversations on what we learned in the previous year and what we resolve to do more/less/better next year; and predictions for what the new year will bring in terms of challenges and opportunities.

In cybersecurity, we see security trends and predictions proliferate through social media, blogs, Reddit, etc.  Many vendor forecasts highlight so many things that are either persistent challenges or the newest and shiniest objects to cross our field of vision. But, how do we determine what truly matters and what is just interesting to consider? That’s the challenge we decided to evaluate when we chose to categorize common predictive trends as “Always On,” “On the Horizon,” or “Overhyped.”

• Always On: These items demand attention because they are as enduring as death and taxes. They’re equally inevitable, ubiquitous, unexciting, and scary, too.
• On the Horizon: This is the most interesting set of considerations because the threats are here but not fully formed. They are likely to grow in ways that require they be taken seriously now and in the year ahead.
• Overhyped: These are topics everyone talks about even though most have no idea why (or if) we should be expending energy on them.

Always On

Ransomware isn’t going anywhere

• Ransomware is primarily delivered by the most effective means: Phishing emails.
• It generates revenue for cybercriminals: A single ransomware group was reportedly responsible for ~$100M in losses in just 16 months.
• It’s evolving: Double-extortion tactics empower criminals to extract money from victims more effectively and with higher returns.

Social Engineering is evergreen

• Social engineering takes advantage of the most complicated and persistent security weakness in any organization: people.
• Social media has grown to an estimated 4.6 billion users worldwide; most of whom do not have an information security mindset.
• Training to prevent social engineering attacks must be ongoing, which challenges corporate budgets and everyone’s attention spans.

Impersonations are continuous and growing

• The Federal Trade Commission (FTC) reported that “social media was far more profitable to scammers in 2021 than any other method of reaching people,” most of it related to some form of impersonation to conduct fraud. This is an upward trend we expect to continue.
• Impersonation can cause immense financial harm, as evidenced by Eli Lilly and Lockheed Martin reportedly losing a combined $15B in valuation due to two fake social media messages that likely cost the authors $16.
• Brand impersonation can damage a company through misdirected blame, such as when victims of fake job or tech support scams blame the impersonated company.

Deep and Dark Web are critical to cybercrime planning and monetization

• The deep web comprises more than 90% of the Internet (roughly 7,500TB of data compared to the surface web’s 550TB); the dark web is only ~.01% of the deep web.
• Just three prominent cybercrime marketplaces contain 5+ million digital identities for sale and 26.6 million sets of login credentials.
• Cybercrime, much of which is planned and monetized within the dark web, causes a reported $6T in damage annually; projected to grow to $10.5T per year by 2025

On the Horizon

Social Media is an expanding battlefield

• The average internet user in 2022 spends 147 minutes per day on social media sites; an upward trend we can expect to see continue. (See Figure 1)
• Influence operations, sentiment manipulation, securities fraud, and a plethora of scams await the unsuspecting social media user.
• With 128 social media platforms to consider in a social media strategy - in a landscape rapidly shifting through events like government bans on TikTok and Twitter in crisis - the social media landscape is both vital to modern commerce and too vast and complicated to monitor manually.

Mis/Dis/Malinformation is a growth industry worth watching more closely

• Mis/Dis/Malinformation has proven to be a significant threat to governments, having influenced popular opinion to impact foreign alliances and even elections.
• Eli Lilly, Lockheed Martin, and Starbucks are just a small sample of corporations impacted by misinformation through social media.
• With as many as 70 nation-states conducting misinformation operations, events in 2023 - including but not limited to the coronation of a new king in the United Kingdom, elections in Thailand, and the 2023 FIFA Women’s World Cup - are likely to be targets of misinformation campaigns.

Overhyped

Nation-State Threats are scary …but not likely your top concern

• While nation-states represent some of the most motivated and sophisticated capabilities among threat actors and groups, the vast majority of their targets are limited to government (including think tanks and NGOs), information technology (IT), and education. (See Figure 2)
• Many state-sponsored actors rely on relatively low-tech means, such as spear-phishing emails, to deliver sophisticated malware instead of developing customized exploits or using targeted social engineering.
• Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang recently said,  “Capabilities that were once reserved for state actors are available on the dark web for purchase” before adding that “there are categories of criminal actors who have capabilities that are sophisticated enough that we [the U.S. government] consider them targets that we might choose to disrupt."

Metaverse and Web 3.0 are gaining interest beyond their current impact

• There are an estimated 400M users in the Metaverse, but the top three platforms are all games geared towards teens – Roblox (230M), Minecraft (165M), and Fortnite (85M) – with limited relevance to corporate cybersecurity.
• 74% of adults were considering joining the Metaverse as of 2021, according to Statista. Additionally, Gartner estimates that 25% of the population will spend one hour per day in the Metaverse by 2026, engaging in distance learning, commerce, and even virtual real estate.
• Web 3.0 only had an estimated 50,000 users as of 2021, and estimates about future growth vary widely.

Crypto and Non-Fungible Tokens (NFT) are distractions

• Cryptomining was a big concern for large enterprises four years ago, but the cryptocurrency market crash reduced the payoff for setting up cryptomining operations in compromised systems. While cryptomining is still a threat – particularly for companies with large cloud computing contracts – monitoring corporate consumption more closely is a simple, cost-effective countermeasure.
• Attacks on cryptocurrency exchanges are a significant threat that doesn’t impact the majority of organizations. Furthermore, while compromises and theft of cryptocurrency can impact anyone, large attacks are reserved for financial institutions and crypto exchanges.
• NFTs are in their infancy, with an estimated user base of just over 400K as of 2021…but the jury is still out on what the future holds. NFTs could become a vital part of the future economy or a complete flop.

What Can You Do?

As organizations prepare for business in 2023, cybersecurity trends, predictions, and forecasting can help with prioritization …with risks to your business paramount to your strategy. It’s easy to get distracted by the shiny objects – the headline topics, the zero-days, the nation-states. But, an effective cybersecurity program isn’t necessarily about the biggest threat making headlines. It’s about fundamentally understanding and assessing your unique risk profile in the following ways

• Know Yourself: Document and monitor your internal environment (including Crown Jewels) and external attack surface (including social media). Additionally, identify and work with stakeholders to codify intelligence requirements to prioritize effort and focus in the always labor-constrained business of security.
• Know Your Adversaries: Invest in intelligence to assess the adversaries most likely to have both the desire and capability to do you harm, including their tactics, techniques, and procedures (TTPs), motives, and previous actions.
• Know the Shared Terrain:  Capitalize on intelligence to proactively understand the planning, facilitation, and execution of attacks within the deep, dark, and open web, and implement security strategies and policies that eliminate exposure to those threats when possible and compensate for threats that can only be managed.