There is always buzz around this time of year from cyber professionals the world over doing their best to foretell what the threat landscape will look like in the coming year. And at Huntress, we’ve got some hard-hitting takes from two of the best in the field.
Entering the ring, two of Huntress’ heavy hitters John Hammond and Dray Agha laced up their gloves to join the good fight and add their predictions for 2023 to the slugfest based on Huntress observations in 2022—and you can bet your patootie they didn’t pull any punches.
Let's be clear about the point of this blog though: whilst we can always step up our technological security game, we’ll hit harder and smarter if we step up and foster our cultural security game. This will have the cascading impact of reducing burnout, training users to be shrewder and ultimately imposing a far greater cost on adversaries.
Below we cover five key trusted knowledge observations (TKOs) regarding the threats and insights John and Dray feel are trending for 2023 that we can all take a part in preventing from becoming reality.
TKO #1: Phishing 🎣
Cyber attackers will continue using the economic crisis and political tie-ins to phish users.
Backdoor documents with catchy titles/content like “Layoffs 2023” or “Department Budgets 2023" will continue to be a popular method for cybercriminals phishing users, as will attachments and links that leverage spicy political topics like Liz Truss stepping down, midterm elections, etc. There are even efforts out there masquerading as legitimate relief asking for donations that never make it to the orgs they claim to support. The tomfoolery knows no bounds.
The best way to combat phishing is security awareness training for all employees. Yes, we’ve said it before and we’ll continue to say it for those trickling in and standing in the back (we see you 👀): train up your workforce to be keen to attack techniques that face the average user on a daily basis.
👉 By ignoring this simple yet crucial task, you are creating your own insider threats.
Social engineering isn’t going to go away, so help your people help themselves (and you!) by knowing what to look for, who to report suspicious activity to, and how to keep your company safe from attackers.
In the wise words of Dray Agha:
"Email is the best delivery mechanism for adversaries. Whether they're delivering malware, socially engineering users to install something SUS, or if they're just straight tryna STEAL your users creds - email is the necessary evil we're all going to have to continue managing. An educated user force is best defence we can foster to create a hostile environment that rejects malicious intent."
TKO #2: Dark Web Marketing 🕸️
Dark web marketing will only get more sophisticated and widespread.
Cybercriminals are getting more and more innovative with how they advertise their products, even giving them to security researchers (like John Hammond) to play around with and utilize in research/educational materials. Cybercriminal groups are going to continue to rework their marketing operations to look more like those of legitimate businesses (FAQs, marketing materials, case studies, etc.).
💡ICYMI💡 The Merriam-Webster online dictionary defines the term dark web with the following definition: The set of web pages on the World Wide Web that cannot be indexed by search engines, are not viewable in a standard Web browser, require specific means (such as specialized software or network configuration) in order to access, and use encryption to provide anonymity and privacy for users.
If you think cybercrime isn’t already a business venture, you’re severely misguided.
Sure, some of these threat actors are script kiddies seeing what all they can get up to and striking gold. However, the more experienced cyber gangs have business models, organizational hierarchies, and even ways in which they handle grievances among themselves in forums on the darknet. They are very much for-profit and they make a lot of money by selling ransomware-as-a-service (RaaS) to other hackers, collecting ransoms from breached companies, and duping the average Joe out of their money with ingenious phishing techniques. Staying aware and up-to-date on the threat landscape will be your best course of action.
TKO #3: Cybercriminal Insider Threats 🧑💻
Cybercriminal groups will continue facing their own insider threats.
The recent incident with LockBit won’t be the last time we see builder code get leaked…and it likely won’t be the last time we see hackers screwing up the plans of groups they’re disgruntled with or competing against. And we’re sorta fine with that.
As mentioned in TKO #2, there exists in a not-so-far-away land a dark and scary place in the bowels of the interwebs called the dark web, and most of the grievances threat actors take with each other occur there in moderated forums. But those who are really fed up with their cohorts take to publishing trade secrets on the regular ol’ internet for all to see, much like any other whistleblower has. Sometimes it’s an attempt to save their own hides and comply with law enforcement, and sometimes it’s just a “screw you guys, I’m goin’ home” type of thing. But whatever the reason, we are happy when they do.
TKO #4: Burnout 🔥
Burnout will continue to be an issue at all stages of cybersecurity practitioners’ careers (and pre-careers).
John Hammond has some empathetic and insightful words on this topic:
Personally I'm a huge fan of the talk-track on "burnout before even getting into the business" -- like there are so many people and students that are so interested in, fascinated by, and passionate about cybersecurity -- but get super bogged down and overwhelmed by everything because our industry is just a freaking information yard sale. So anything we can do to offer some solace and level-headedness that says, "Hey, let's take this as an opportunity to curate what we offer to passionate people and cultivate the best in our community" is something I think we should strive for.
From applicants to junior staffers to team leads to CISOs—cybersecurity burnout is going to continue to fuel the widening of the workforce/skills gap. Applicants are having to spend thousands of dollars on certifications and training to even be considered for positions in cybersecurity and once they get in, they get burned out from alert fatigue…not to mention the toll on family and friends that comes with sacrificing free time to dedicate to cybersecurity training.
As threats increase, so will burnout, and it will become more important than ever for companies to prioritize their employees’ well-being.
Many companies—Huntress included—are offering wellness programs for employees to take advantage of and we sincerely urge you to do so! We are in an era of information overload via the handy-dandy portable computer we keep in our pockets and spend much of our time looking at for various reasons. Studies show how detrimental blue light, excessive screen time and sitting for hours can be. The increase in work-from-home jobs also means less time outside in the sun soaking up that vital vitamin D3.
Without turning this into a self-help article, suffice it to say we care about the well-being of our cyber community and hope everyone invests just as much in themselves and their mental and emotional health as they do in their careers. If you need a break, take it.
TKO #5: Acronym Acropolis 🔤
The alphabet soup of acronyms is only getting more confusing.
More acronyms are going to be added to the “alphabet soup” of cybersecurity and the industry is going to continue to push things like zero-trust, AI and ML that aren’t working the way they were intended to. And Huntress will keep breaking these concepts down to help MSPs and SMBs understand.
We previously talked about the most popular acronyms in the blog linked above, but that doesn’t mean the list is all-encompassing. It is, however, a great place to start.
Whether you are new to the industry or a seasoned pro, it is inevitable that someone will rattle off an acronym you don’t yet know (pretty sure some of ‘em make them up on the spot 😤).
First, don’t be alarmed. Second, don’t just roll with the punches; ask and make sure that you do understand. We tend to do this to shorten our typing time and have fewer words to say in meetings, but it can compound the situation if all parties are not aware of what SOARing over the SIEM in the SOC means.
Don’t assume understanding, and don’t pretend to know what you don’t.
Break! Wrapping This Up
While this particular bout is by no means over, we feel we got in a few strong jabs to contend with other predictions being made for 2023 right now.
Even though we didn’t foretell any haymakers, there’s still time for threat actors to change up the combination and deliver punches we didn’t see coming.
It’s up to everyone in the community to make sure they don’t end up on the ropes or down for the count by employing strong cyber hygiene, issuing security awareness training, seeking continuing education and tending to one’s health when needed.