Cybersecurity targets and improvements in 2023
If 2022 proved anything, it’s that cybersecurity is in a necessary growth phase to tackle the increasingly broad range of threats that companies face. In Part 1 of this article, we sat down with Mike McLellan, Director of Intelligence at the SecureWorks Counter Threat Unit, to discuss three of the biggest general commercial cybersecurity threats of 2023 – ransomware, extortion-only attacks, and business email compromise.
In Part 2, Mike took us through the geopolitical landscape of cybersecurity threats as it’s likely to unfold in 2023. Here, we round off our look at the cybersecurity landscape with sectors that will likely come under enhanced threat in 2023, and some actions businesses need to take to improve their overall cybersecurity posture, to make it through the year as safely as possible.
The challenge for SMBs
This is a callback to Part 1, but you mentioned that SMBs in particular were going to be under increased cybersecurity threat in 2023, because of a shift in the ransomware landscape.
We believe that ransomware-as-a-service will become more and more of a problem for SMBs in 2023, yes, because ransomware groups are shifting their focus away from large enterprises – which not only have large cybersecurity budgets, but might also bring the hackers unwelcome exposure and retaliation – to SMBs. SMBs have fewer resources to devote to cybersecurity, and also are unlikely to make headlines.
If, say, the Irish health service gets hit with a ransomware attack, the Irish National Guard jumps on your tail, and you have a lot of hassle. If Jimmy’s Lumber Shack is the victim of a ransomware attack, more often than not, Jimmy’s on his own, at least in terms of high-pressure publicity and results. So SMBs are a great target for ransomware groups who want the payoff without the hassle.
We are seeing more ransomware attacks targeted at smaller organizations like SMBs, and that seems very likely to intensify across 2023.
Bad time to be an SMB, then. That’s worrying, given the economic forecasts that make it sound like 2023 will be economically challenging for SMBs in any case. What about things at the other end of the spectrum? Cryptocurrencies, exchanges, and lenders have, to put it mildly, not had a good second half of 2022. Is that a trend we see continuing across 2023? Are we going to continue to see big hacks, big hauls, and bankruptcies in the cryptomarket?
A crypto-feeding frenzy?
On the one hand, obviously, the value of cryptocurrency crashed a lot in 2022, and there’s been lots of flux in the cryptolandscape since. But in the same vein, clearly, some of these currencies are fairly poorly regulated, and in some cases, fairly poorly designed, so they are a ripe target for groups trying to generate lots of revenue.
North Korea has been targeting crypto-exchanges for years, and there’s been lots of coverage of that. We don’t think that’s going to stop any time soon. Even with some of the flux around the valuation of cryptocurrencies and decentralized finance, we still think we’re going to see North Korean groups targeting these currencies, because they are less regulated, less secure than traditional banks might be. So cryptofinance is still going to be an easy target throughout 2023.
The question becomes one of the attackers’ mindset, doesn’t it? Do they think “If we do too much of this, the whole thing will collapse as a viable prospect,” or do they think “It’s vulnerable now, let’s hit it now!”
Yes. Clearly, if trust goes out of the whole enterprise, which it will with enough hacks and bankruptcies, then cryptocurrencies will fail. If I were an adversary, I’d probably be looking at the situation and thinking that there’s as much chance of that happening because of the people running some of these schemes and exchanges as there is from hacking, so I’d probably capitalize on them while the going is still fairly good.
An oasis of safety?
Of course, there are moves in Europe to set up some regulation there. But the point about cryptocurrency is that it’s worldwide and distributed, so you can only protect it within a certain sphere.
Exactly. I’m sure some regulation would go a long way with some of this risk, but again, that goes against the whole ethos of cryptocurrency. There’ll always be jurisdictions where regulation and compliance are poor, and therefore they’re more vulnerable. So for instance, in traditional banking, North Korea targeted Bangladesh Bank years ago, because it was a much softer target than some Western banks might be, so with cryptocurrency, even when the European regulations come in, we may still see some sort of regional focus from the cyberattackers, based on where they think they can operate more freely.
New tools for the job
Speaking of a behavioral change from the attackers, do we think they’ll be changing to different tools and platforms in 2023?
We do. There are lots of tools that adversaries use, which are made freely available or commercially available to testing teams. So for instance, Cobalt Strike, the big one that lots of people may have heard of, is a licensed product that you can use for running security tests, but cracked versions of it regularly appear in underground forums or elsewhere and are downloaded and used by criminals.
In the last year, we’ve seen huge numbers of cases using Cobalt Strike, but also a shift to other things they can just get from GitHub. They can get cracked versions of newer tools and they’ll use those because why bother developing your own tools if someone’s developed something which works perfectly well, and you can get a free copy of it?
We think we’re also going to see more of a shift to some of the other emerging offensive security tools over the next year, that are advertised as being particularly good at evading security controls. Their whole unique selling point is that they can’t be detected by any of the modern endpoint detection, antivirus, etc. We fully expect that adversaries will take advantage of free tools like that, which are designed to be very hard to detect.
A license to protect
It’s going to be a real challenge, because obviously, red team security testers will want to have these tools to do comprehensive tests of an organization’s security, and make sure that they can provide some useful recommendations. But when you’ve got adversaries using the same tools, it does become really challenging to compete with them.
How do you deter adversaries from picking up some of these capabilities, and then just deploying them against companies? So if I were an adversary, I’d be looking at using those offensive security tools in 2023.
So just to play Devil’s Advocate…how do you stop them using those tools? Or make it less effective for them to do so?
There are a few ways you could do it. One would be not to release the tools at all. But as I say, there are reasons why teams want to have these tools, and there are legitimate uses to them.
Another way would be licensing, which is the way that any good commercial software will try. Make sure the licensing is quite tight, and therefore quite hard for anyone to operate without a legitimate version. And that’s something we may see come into force.
But the whole culture is geared towards access, with researchers putting up tools on GitHub and making them essentially free, and licensed for anyone to use. That’s just easy pickings for cybercriminals who want to try and get involved in activity without having to spend lots of money on developing their own toolset. So “I don’t know” is the short answer. We would certainly like to see either more control of some of these tools, or possibly better advice on how to detect them, so that organizations who have got mature security controls can detect them, whoever might be using them.
Training versus shaming
There’s been some debate around cybersecurity training in businesses this year, identifying a need to shift from the kind of button-pressing certification that’s popular because it’s relatively cheap, and cybersecurity training that…well, that works. Are we going to need to effectively rethink cybersecurity training in the short term?
Some organizations may do. There are still organizations out there that run tests where you get a phishing email, and if you accidentally give your credentials, you get named and shamed on some kind of internal website, and have to do some sort of repentance somewhere!
There are ways of doing this training that work more effectively than others. You have to make it interesting, you have to make it relevant. And ideally, try not to make it feel like people are being punished if they make a mistake. People are going to get tricked sometimes, because criminals are very adept at socially engineering people. So make sure that a user clicking on a link isn’t the only thing that’s going to prevent a compromise.
But also make sure users report things. Because crucially, if you can encourage a culture of reporting issues, you’ve got a much better chance of spotting these attacks. There are lots of things that can be done from a training standpoint, that go far beyond what we used to see a lot of two years ago, like that very simple phishing test.
We know that insider threats are a thing – people paid by cybercriminals or corporate rivals to compromise access to company systems for cash. As the cost of living crisis is scheduled to get worse for a year or two before it gets better, are we expecting a rise in the number of people who can be turned?
That’s a tricky one. We’ve already seen both criminals and hostile states advertising for insiders. We’ve seen reporting of that happening, although it doesn’t happen very often in our experience. However, as the economic situation changes, who knows what people will feel compelled to do, potentially? Organizations obviously can’t do anything about the global macroeconomic situation, but there are good well-established controls for insider threats that organizations can make sure they’re applying.
Separation of privileges, making sure people can only access things they need to be able to access, business controls that require more than one person to be involved in authorizing things like financial transactions, all those kinds of things. The good news is that most organizations are already thinking about doing all of that.
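The two insider-threat controls named in that answer, least-privilege access and more-than-one-person authorization of financial transactions, can be expressed as a small policy check. The following is an added illustration, not code from the interview or from SecureWorks; the role table, entitlement names, user names and the dual-control threshold are all assumptions constructed for the example.

```python
"""Added example: a minimal dual-control gate for financial transactions.

Two controls from the interview are modelled:
  * least privilege  - a user may only perform actions their role grants;
  * dual control     - a transaction at or above a threshold needs two
                       distinct approvers, neither of whom initiated it.
All names, roles and the threshold are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Constructed role table (assumption): user -> set of entitlements.
ROLES = {
    "alice": {"payments:initiate"},
    "bob": {"payments:approve"},
    "carol": {"payments:approve"},
    "dave": {"reports:read"},
}

# Amounts at or above this need two approvers (assumed threshold).
DUAL_CONTROL_THRESHOLD = 10_000


@dataclass
class Transaction:
    initiator: str
    amount: float
    approvals: list = field(default_factory=list)


def can(user: str, entitlement: str) -> bool:
    """Least privilege: only entitlements explicitly granted are allowed."""
    return entitlement in ROLES.get(user, set())


def initiate(user: str, amount: float) -> Transaction:
    """Create a transaction; only initiators may do this."""
    if not can(user, "payments:initiate"):
        raise PermissionError(f"{user} may not initiate payments")
    if amount <= 0:
        raise ValueError("amount must be positive")
    return Transaction(initiator=user, amount=amount)


def approve(tx: Transaction, approver: str) -> Transaction:
    """Record an approval, enforcing separation of duties.

    Rejects approvers without the entitlement, self-approval by the
    initiator, and the same person approving twice (which would otherwise
    let one insider satisfy a two-person rule on their own).
    """
    if not can(approver, "payments:approve"):
        raise PermissionError(f"{approver} may not approve payments")
    if approver == tx.initiator:
        raise PermissionError("initiator cannot approve their own transaction")
    if approver in tx.approvals:
        raise PermissionError(f"{approver} has already approved this transaction")
    tx.approvals.append(approver)
    return tx


def required_approvals(amount: float) -> int:
    """Dual control above the threshold, single approval below it."""
    return 2 if amount >= DUAL_CONTROL_THRESHOLD else 1


def is_releasable(tx: Transaction) -> bool:
    """True once enough distinct, authorized approvers have signed off."""
    return len(set(tx.approvals)) >= required_approvals(tx.amount)


if __name__ == "__main__":
    tx = initiate("alice", 25_000)
    approve(tx, "bob")
    print("releasable after one approval:", is_releasable(tx))   # False
    approve(tx, "carol")
    print("releasable after two approvals:", is_releasable(tx))  # True
```

The point of the example is that the check on `approver == tx.initiator` and the check against repeated approvers are what make "two people" mean two people; without them, a single compromised or coerced account can satisfy the rule alone, which is exactly the scenario the interview raises.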
2023 looks to be a year when both SMBs and cryptofinance companies will be particular targets for cyberattackers. A year when ransomware will continue its dominance in spite of moves to minimize it, but when business email compromise will rise in prominence. And a year in which spiraling costs may find companies with insider threats fed not by genuine disloyalty but by economic hardship.
Here’s to getting through it with minimal damage.
27 September 2023