Our Experts' Top Cybersecurity Predictions for 2023

Automation as a Force Multiplier

Automation in security operations will see movement from general automated “as code” capabilities to managed SOAR enablement, bringing with it the offloading of incident and alerting workflows. This trend has already started, but in 2023, the capabilities will start to mature. This comes with a caveat of not allowing unfettered automation but applying it judiciously with human subject matter domain expertise. “Do not apply it and solely rely on it.”

Years ago, most IT systems and business applications lived within the corporate network. There was one user identity in the form of an account, and there were access controls that governed what the account could and could not do. Teams used technologies such as Microsoft’s Active Directory or Lightweight Directory Access Protocol (LDAP) software to manage IAM back then. Nowadays, third-party vendors use Software as a Service (SaaS) to host corporate business applications. Most SaaS applications require IT staff to create user accounts and manage user access within them. This model leaves plenty of room for errors. As the staff continuously changes, an organization's user accounts won't be updated. Certain employees may therefore still have privileges that they no longer need, including if and when they leave.

To address these risks, you must first identify the corporate employee system of record, or the source system that maintains a current list of employees and their current roles. Second, you must create and maintain an inventory of business systems and how those systems maintain accounts and roles. Finally, you must configure your IAM system to interface with the business systems and update access rights that support the employee system of record.  

Misconfigurations are perhaps the leading cause of attacks in cloud environments. According to Trend Micro, as many as 70% of security challenges in the cloud start with a misconfiguration. I anticipate we'll start to see the shared responsibility model for cloud environments “shift left” in 2023.

The trend to shift the shared responsibility model left has begun at several large vendors. Some are pursuing increased configuration management, while others are looking for fully automated solutions, especially where there is consistency in workloads across many customers. Through technology that performs attestation and remote attestation, we will see several providers implement automated configuration management to eliminate common misconfiguration problems where there is little impact to the service due to policy and configuration automation to expected values. This will be the starting point for more secure cloud-based offerings that require fewer resources to manage from each purchasing organization. It will help to reduce attacks due to misconfigurations.

Several providers will lead a shift in expectations to security being built in and managed over time. For 2023, we will see niche instances of securely managed hyperscaler services and the beginning of a “shift left” for one or more larger providers with built-in security for policy and configuration management over time. This trend will gradually expand in the following years with testing on safe ranges for the automated configuration adjustments as well as changing customer expectations.

This prediction for 2023 is part of a larger vision where security becomes more fully integrated into products by design and management requirements on individual organizations is reduced. This trend will take place over the next five years. To learn more about this direction, please read Transforming Information Security.

In 2023, we’ll see the release of the Office of National Cyber Director Strategic Plan. Projections range from “yet another restatement of the same message” to something stronger. CIS has provided input and hope that it represents more progressive thinking about incentives and a more distributed, partnership-based model. I do think that release and reaction to the Plan in early 2023 will be a make-or-break indicator of the national progress we can expect in the next two years.

The States and “Reasonable” Security  

Every year, I think (hope) this trend will take a big step forward, but progress has been steady rather than dramatic. We’re seeing a recent uptick in court decisions, state legislation, etc. that use CIS work as the basis for incentive adoption of cyber practices. This same work is proving helpful in defining reasonable practice.  

Threat actors will continue to target vulnerabilities in the software supply chain with a particular focus on open-source software repositories. One reason for this is the level of difficulty in defending against such attacks because of the existing trust model for software vendors. Over the last two years, we saw successful targeting of major commercial vendors and one of the most impactful events in the targeting of an open-source logging dependency, Log4j. We should also expect to see large swaths of attackers, from lesser-skilled script kiddies through organized cyber criminals and even state actors, converge on disclosed vulnerabilities when the potential yield is high. The Multi-State Information Sharing and Analysis Center (MS-ISAC) continues to observe mass scanning and exploit attempts against known vulnerabilities from major incidents over the last two years.

More Threats Coded in Newer Languages

We should expect to see more malware, specifically ransomware, coded in more uncommon languages such as Rust and Golang. Using non-standard languages can make malware more difficult to detect as well as provide some unique advantages for the attackers, including development opportunities, control over their intellectual property, and minimization of re-use by other actors. We should also expect to see more targeted ransomware attacks against specific sectors that have more to lose by not resolving the issue quickly. This includes schools, hospitals, and critical infrastructure.

Increase in (and Use of) Insider Threats

Attackers may be seeking to leverage worldwide economic issues and global recession to their advantage. Organized groups will want to capitalize on organizations that have financial or other resources of interest that may also be laying off staff, including IT and security staff. As a result, we may see an increase in insider threats, which can originate both from internal and external motivations. For example, internal staff may be concerned about their financial future or even attack in retaliation for pay reductions, pay freezes, or layoffs. Alternatively, we expect an increase in external actors leveraging insiders, both witting and unwitting, such as what played out in recent attacks on Okta and Nvidia in the commercial sectors and multiple K-12 schools that suffered data dumps from the cyber actor mud this past year.

Decreasing Affordability of Cyber Insurance

Cyber insurance will become more difficult to obtain and maintain. We expect cyber insurance premiums to increase, alongside deductibles, while we see the actual coverages and payouts for claims shrink. 2023 will also likely bring steep limitations on recipient eligibility including certain security benchmarks being met prior to coverage, which may be unrealistic for smaller, less resourced organizations. We may also see exclusions for entire sectors or organization types as well as for some specific types of attacks. As a result of these changes, we may see more and more ransomware “brokers”—that is, companies that negotiate the cost of the ransom on behalf of the victim—emerge and more organizations turn to them for assistance in times of need.