Our Experts' Top Cybersecurity Predictions for 2023
A vulnerability in Log4j software library...an increase in the potential for Russian cyber attacks...a more commercialized cybercrime landscape...these are just some of the developments we saw in 2022. Without question, they've exposed new risks for your organization. But they've also sparked new ideas and conversations around where cybersecurity as an industry is heading...and where it needs to go next.
Here at the Center for Internet Security (CIS), we've taken all these factors into account and compiled a list of cybersecurity predictions for the year ahead. Here's what five CIS experts foresee for 2023.
Sean Atkinson | CISO
Automation as a Force Multiplier
Automation in security operations will see movement from general automated “as code” capabilities to managed SOAR enablement, bringing with it the offloading of incident and alerting workflows. This trend has already started, but in 2023, the capabilities will start to mature. This comes with a caveat of not allowing unfettered automation but applying it judiciously with human subject matter domain expertise. “Do not apply it and solely rely on it.”
A number of U.S. states have already adopted data protection or privacy laws, with more coming in 2023. Pressure is starting to mount on other states to follow suit and on regulators to manage the consequence of mishandling personal data. Given the impetus of states to apply new individual regulations, in 2023, real movement to a federal law may see significant traction. The need for cybersecurity professionals to be aware of these regulations has never bene more important. A resource in this space is the International Association of Privacy Professionals (IAPP) with excellent awareness articles, news, and guidance.
As organizations assess their current infrastructure, both on-premises and cloud-based, in 2023 multi-cloud data infrastructure adoption will become the new norm. To stay competitive, secure, and flexible, organizations will transform cloud computing into an undifferentiated capability to ease overhead and integrations of cloud services and application support. The security need encompasses the differing control mechanisms within each cloud provider to manage data and configuration as a means of controlling unnecessary exposure.
Artificial Intelligence and ChatGPT
The development and deployment of ChatGPT is likely to have a significant impact on the field of cybersecurity. While ChatGPT and other AI technologies hold great promise for improving the ability of organizations and individuals to defend against cyber threats, it is important to carefully consider the potential risks and challenges they may pose and to take appropriate measures to mitigate these risks. This may include implementing strict security protocols and safeguards to prevent unauthorized access to ChatGPT and other AI systems. It may also involve ongoing monitoring and evaluation to ensure that these technologies are being used in a safe and responsible manner. An interesting set of use cases is available for viewing below.
Angelo Marcotullio | CIO
Identity and Access Management (IAM)
Years ago, most IT systems and business applications lived within the corporate network. There was one user identity in the form of an account, and there were access controls that governed what the account could and could not do. Teams used technologies such as Microsoft’s Active Directory or Lightweight Directory Access Protocol (LDAP) software to manage IAM back then. Nowadays, third-party vendors use Software as a Service (SaaS) to host corporate business applications. Most SaaS applications require IT staff to create user accounts and manage user access within them. This model leaves plenty of room for errors. As the staff continuously changes, an organization's user accounts won't be updated. Certain employees may therefore still have privileges that they no longer need, including if and when they leave.
To address these risks, you must first identify the corporate employee system of record, or the source system that maintains a current list of employees and their current roles. Second, you must create and maintain an inventory of business systems and how those systems maintain accounts and roles. Finally, you must configure your IAM system to interface with the business systems and update access rights that support the employee system of record.
Kathleen Moriarty | CTO
Misconfigurations are perhaps the leading cause of attacks in cloud environments. According to Trend Micro, as many as 70% of security challenges in the cloud start with a misconfiguration. I anticipate we'll start to see the shared responsibility model for cloud environments “shift left” in 2023.
The trend to shift the shared responsibility model left has begun at several large vendors. Some are pursuing increased configuration management, while others are looking for fully automated solutions, especially where there is consistency in workloads across many customers. Through technology that performs attestation and remote attestation, we will see several providers implement automated configuration management to eliminate common misconfiguration problems where there is little impact to the service due to policy and configuration automation to expected values. This will be the starting point for more secure cloud-based offerings that require fewer resources to manage from each purchasing organization. It will help to reduce attacks due to misconfigurations.
Several providers will lead a shift in expectations to security being built in and managed over time. For 2023, we will see niche instances of securely managed hyperscaler services and the beginning of a “shift left” for one or more larger providers with built-in security for policy and configuration management over time. This trend will gradually expand in the following years with testing on safe ranges for the automated configuration adjustments as well as changing customer expectations.
This prediction for 2023 is part of a larger vision where security becomes more fully integrated into products by design and management requirements on individual organizations is reduced. This trend will take place over the next five years. To learn more about this direction, please read Transforming Information Security.
Tony Sager | SVP & Chief Evangelist
In 2023, we’ll see the release of the Office of National Cyber Director Strategic Plan. Projections range from “yet another restatement of the same message” to something stronger. CIS has provided input and hope that it represents more progressive thinking about incentives and a more distributed, partnership-based model. I do think that release and reaction to the Plan in early 2023 will be a make-or-break indicator of the national progress we can expect in the next two years.
The States and “Reasonable” Security
Every year, I think (hope) this trend will take a big step forward, but progress has been steady rather than dramatic. We’re seeing a recent uptick in court decisions, state legislation, etc. that use CIS work as the basis for incentive adoption of cyber practices. This same work is proving helpful in defining reasonable practice.
Randy Rose | Sr. Director of Security Operations & Intel
Open-Source Supply Chain Security
Threat actors will continue to target vulnerabilities in the software supply chain with a particular focus on open-source software repositories. One reason for this is the level of difficulty in defending against such attacks because of the existing trust model for software vendors. Over the last two years, we saw successful targeting of major commercial vendors and one of the most impactful events in the targeting of an open-source logging dependency, Log4j. We should also expect to see large swaths of attackers, from lesser-skilled script kiddies through organized cyber criminals and even state actors, converge on disclosed vulnerabilities when the potential yield is high. The Multi-State Information Sharing and Analysis Center (MS-ISAC) continues to observe mass scanning and exploit attempts against known vulnerabilities from major incidents over the last two years.
More Threats Coded in Newer Languages
We should expect to see more malware, specifically ransomware, coded in more uncommon languages such as Rust and Golang. Using non-standard languages can make malware more difficult to detect as well as provide some unique advantages for the attackers, including development opportunities, control over their intellectual property, and minimization of re-use by other actors. We should also expect to see more targeted ransomware attacks against specific sectors that have more to lose by not resolving the issue quickly. This includes schools, hospitals, and critical infrastructure.
Increase in (and Use of) Insider Threats
Attackers may be seeking to leverage worldwide economic issues and global recession to their advantage. Organized groups will want to capitalize on organizations that have financial or other resources of interest that may also be laying off staff, including IT and security staff. As a result, we may see an increase in insider threats, which can originate both from internal and external motivations. For example, internal staff may be concerned about their financial future or even attack in retaliation for pay reductions, pay freezes, or layoffs. Alternatively, we expect an increase in external actors leveraging insiders, both witting and unwitting, such as what played out in recent attacks on Okta and Nvidia in the commercial sectors and multiple K-12 schools that suffered data dumps from the cyber actor mud this past year.
Decreasing Affordability of Cyber Insurance
Cyber insurance will become more difficult to obtain and maintain. We expect cyber insurance premiums to increase, alongside deductibles, while we see the actual coverages and payouts for claims shrink. 2023 will also likely bring steep limitations on recipient eligibility including certain security benchmarks being met prior to coverage, which may be unrealistic for smaller, less resourced organizations. We may also see exclusions for entire sectors or organization types as well as for some specific types of attacks. As a result of these changes, we may see more and more ransomware “brokers”—that is, companies that negotiate the cost of the ransom on behalf of the victim—emerge and more organizations turn to them for assistance in times of need.
Abuse of Public Guidance for Targeting Gaps
As more and more policy requirements become public – including but not limited to insurance policies, federal regulations and operational directives, and local governance – we can expect to see attackers specifically target the gaps. For example, if a new regulation dictates that all agencies in a given state must put a specific control in place or mitigate a specific vulnerability by a set date, cyber attackers may increase focus on those agencies to exploit potential vulnerabilities prior to the deadline.