Robin’s Newsletter #237 — 2023 Forecast

1 January 2023. Volume 6, Issue 1
My thoughts on the broad outlook and specific predictions for the world of cyber in 2023.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

Happy New Year!

This year

Broad outlook for 2023

This year I’m trying to map the overarching themes and their risk sources, events and consequences. (The OISRU provides a good place to start for these.) There are three bigger picture, thematic observations and three more day-to-day, technical in nature. 

Balkanisation/deglobalisation (regulator; rules change; increased costs) continue to be prioritised by governments around the world, often at significant cost ($4.98 billion was the cost cited in July 2022 for ripping/replacing Huawei and ZTE gear from US telco networks). Globalisation brought us long supply lines and concentration but economies of scale and low prices. Developing sovereign capabilities and focusing on buying local should, long term, increase global resilience and options, but it is a tricky, time-consuming and expensive road. (Microchips are a good example: 75% of manufacturing occurs in East Asia, including Taiwan, where the majority of cutting-edge chips found in modern smartphones are made; the US accounts for just 12% of global production. In response, the US government has committed $52 billion to bolster this through the CHIPS and Science Act in August 2022. Building new ‘fabs’ to manufacture semiconductors is phenomenally capital intensive: Intel is investing $20 billion to create a new semiconductor fabrication plant to make chips in Ohio.)

Trust and transparency (ineffective; process failure; regulatory fines, increased costs) continue to be important to the individual and business, particularly as part of the environmental, social, and corporate governance (ESG) agenda. Regulatory and reporting requirements are increasing and differ from country to country or state to state. Businesses are asking more of their supply chains to understand their risk and ensure compliance, and having robust controls to know where and how data is processed is more important than ever. The upside? A better understanding of your critical business functions.

Service outage (compromised suppliers; service unavailability; business disruption) may not be uncommon, but the concentration of service providers on a small number of cloud platforms increases the frequency of multiple simultaneous outages. Sensitivity to this risk remains high following the pandemic, with workforces geographically dispersed. The adoption of communication and collaboration tools and platforms may have outpaced your understanding of them as critical business tools.

Infostealers (cyber-criminals; social engineering; inefficiency) are not new, but the growth of specialised criminal marketplaces for credentials, tokens, keys and cookies should give weight to the importance of identity and access control. With the proliferation of cloud-based and Software-as-a-Service apps, having a firm grasp on your identities and an ability to control their access is the front line of defence for modern businesses. That’s not just your users but also your tools, bots and APIs that you have plumbed together to achieve business objectives. There’s plenty of phish in the sea, and playbooks and checklists can help to ensure the response is as effective and efficient as possible.

Hacktivism (hacktivists; system intrusion; damaged reputation) is worth thinking about. Less so in the sense of website defacements, but rather the sense of hacking “for the lols” or the sake of it. Lapsus$ are a good example of this risk: they’re not particularly sophisticated but are mighty persistent, and then they make a lot of noise. Your ability to manage identities and access are key controls.

Ransomware (cyber-criminals; malware; disruption, unplanned costs) has become a mainstream concern. While I make a specific prediction below, it will feature prominently and take up a significant portion of security team bandwidth to ensure systems are hardened and third-party requirements (from suppliers and insurers) are met. Multi-factor authentication is a must for all remotely accessible and cloud systems. Testing backups is not the most cutting-edge, but it can be crucial to recovery ability.

Specific predictions for 2023

Last year I also started making specific, measurable, timely predictions for the year. These realistic and achievable things should be verifiable by press coverage or government announcement.

So here are my smart predictions for 2023:

1. A managed security provider will be compromised, and attackers will leverage their privileged access to compromise their customers.

There are a lot of players in this space now. Some are VC-backed startups, some larger cyber-specific vendors, and many managed IT firms now offer detection and response services. Not all of them practice what they preach. After all, getting the basics right all the time is hard, right? 

We are in a recession, and inflation is topping 10% in the UK and 7% in the US. Businesses where cyber security is a profit centre will face tough choices about maintaining revenues and profitability.

Cyber security salaries are already high, and for these firms they make up a significant portion of their workforce. They will face cost pressures and budget challenges just like any business. Cost-saving initiatives will inevitably be on the table. 

Cost-cutting managed service providers risk undermining the quality of their service. Too many cut corners may increase the cyber risk of their customers.

That doesn’t mean that businesses would be better off doing it themselves — the majority will be very well served by them than the alternatives — and running security operations at scale is an expensive business.

2. The number of ransomware victims will fall year-on-year.

We may have hit peak ransomware.

The ransomware-as-a-service business model has commoditised the market. This has reduced the barrier to entry, but there are now many more figures involved in a successful attack who all need paying in advance or following a ‘successful’ attack. High-profile attacks have proved to bring a significant amount of unwanted law enforcement and political attention, while lower value targets limit the return on criminal’s investment.

The notoriety of these attacks has caused many businesses to review their postures. Cyber insurers have set the bar on basic entry controls necessary to receive cover and tightened their position on paying ransom demands.

The introduction of sanctions and other policy-level initiatives are starting to show some benefits. Offensive operations to disrupt criminal operations and sow seeds of distrust have also proven effective.

Governments, like Australia, are publicly talking about going after ransomware groups. That is a useful diplomatic tool. We’ve seen attacks against countries like Vanuatu and Costa Rica, and countries with more advanced national cyber capabilities looking out others make for good soft power projection. This is especially true, for example, in the Asia-Pacific, where Australia and the US are seeking to maintain influence while China embarks on infrastructure projects to achieve similar aims.

3. A wiper attack will disrupt a critical infrastructure provider and cause real-world consequences

Destructive ‘wiper’ malware that renders computer systems unusable made a comeback in 2022. Russia’s invasion of Ukraine didn’t live up to the ‘cyber war’ hype though there have been multiple attempts by both sides to disrupt systems using wiper malware.

However, it’s not just the preserve of Russia or Ukraine. Other nation-states have also used the cover of ransomware to attack neighbours or disrupt foreign interests for their benefit.

The Middle East, in particular, has a history of this type of attack. Saudi Aramco was crippled by the Shamoon malware a decade ago. Over 30,000 computers were affected in the August 2012 attack that resulted in queues of fuel trucks unable to be filled. The price of hard drives increased as the oil giant snapped up replacements. Shamoon made return appearances against Saudi businesses in 2016, 2017 and 2018.

Looking back at 2022

This time last year, I also made three ‘smart’ predictions. So how did I do?

  1. A vulnerability at an identity provider will allow attackers to bypass authentication

Lapsus$ ran pretty rough-shod over Okta (vol. 5, iss. 17) and 0ktapus gained access to over 130 organisations via Twilio (vol. 5, iss. 35).

  1. An attacker will execute a successful software dependency confusion attack to successfully deploy crypto-mining malware at scale

In July, an attacker created 1,300 malicious packages on the npm repository that contained crypto-mining malware (vol. 5, iss. 28). A similar event occurred in August when 241 were found on PyPI (bleepingcomputer.com). It’s unclear how successful these attacks were.

  1. Core members from one of the top 10 ransomware gangs (by revenue) will be arrested by law enforcement

Russian authorities arrested members of the REvil ransomware gang in January (vol. 5, iss. 3). Canadian authorities picked up a member of LockBit in Ontario in October (vol. 5, iss. 46).

I’d give myself 2.5/3.0 :-)

Interesting stats

£49 million ($59M) fine for UK bank TSB for technical failures following a migration of 1.3 billion customer records that affected “a significant proportion” of their 5.2 million customers, left many without access to online accounts for weeks and took  8 months to fully resolve all issues. bbc.co.uk 

And finally

GP Surgery sends cancer, instead of Christmas, message

A GP surgery in Yorkshire sent a text message to almost 8,000 patients on the 23rd of December advising them that they have “aggressive lung cancer” rather than the intended “Merry Christmas”.

I’m not sure how that user interface for that system, let alone the broader procedural controls, allowed that. 

bbc.co.uk

Robin

  Robin's Newsletter - Volume 6

  Balkanisation Deglobalisation Soverignty Trust Transparency Infostealer Ransomware Hacktivism