Three experts from Venafi highlight various areas that will change the cyber threat landscape in 2023 and consider the way organizations may adapt in response.
Kevin Bocek, VP Security Strategy and Threat Intelligence
A tale of two CISOs
2023 will tell the tale of two CISOs as harsher economic conditions put the microscope on what value security delivers – those who fail to adapt will find themselves out in the cold.
Outside influences and harsher economic climates will stretch the security industry – some CISOs will shine, while others will play a more supporting role. With geopolitics on unstable ground, cyber security has never been more important. But the economic downturn will squeeze security budgets across Europe and the US, and CISOs will have to do more with less. This will bring security leaders into sharp focus.
Forward-thinking CISOs who embrace decentralized security decision-making will take a more prominent role, and ultimately lead their organizations to the front of the pack. This will mean optimizing what they already have and collaborating across business functions to maintain a competitive edge. On the other hand, some CISOs will be more cautious, falling back on the fact that they have limited budgets and relying on the tactics they’ve deployed over the last decade. This will cost companies, as breaches will have huge financial implications in a turbulent economic climate.
Cybercriminals will start to move on from ransomware
The ransomware cash cow may stop mooing in 2023, forcing hackers to start looking at other revenue generators – like selling stolen machine identities.
It’s not just governments, citizens and companies that will feel the sting of the economic downturn in 2023 – it’ll affect hackers as well, who’ll be forced to change their tactics. For example, with fewer companies able to afford to pay ransoms, we could see ransomware shrinking as an attack vector.
This will put a premium on other sources of income for threat actors, such as the lucrative sale of stolen machine identities like code-signing certificates. We’ve seen a high price for these in dark web markets before, and groups like Lapsus$ regularly use them to launch devastating attacks. So, their value will only increase in 2023, and we’ll see dark web marketplaces booming with sales of stolen machine identities.
Developer experience will become more important than ever
In 2023, those forward-thinking CISOs that are working across business functions will help to reduce friction for developers. The shift to cloud native solutions is relentlessly marching on, and many organizations - particularly regulated ones - have shifted at least half of their environment to cloud. Developers really understand these environments, as they work in them day in, day out, so their experience is becoming business critical.
So, CISOs will have to work with developers to make the cloud a success, deploying security solutions that reduce friction, and are invisible to developers. This will free up developers’ time, allowing them to innovate and ensure their businesses remain competitive.
Critical infrastructure in the cross hairs
In 2023, the energy crisis will deepen, putting a higher premium on the security of critical infrastructure. Governments and energy companies will be doing everything they can to ensure that the lights stay on, as the impact of blackouts on citizens and the economy would be profound.
Of course, threat actors are aware of this, and the incentive to target critical infrastructure will rise. This will be the domain of nation state hackers, who’ll be looking to cause chaos in rival economies.
We’ve seen examples of these damaging, state-backed attacks in the past, such as Stuxnet, downing critical infrastructure by exploiting machine identities and causing major disruption. So, energy companies must secure their machine identities in preparation for these attacks.
Nation state attacks will become more frenetic as the cyber and physical worlds collide
In 2023, we’re likely to see nation state attacks become more feral. The war in Ukraine hasn’t been as successful as Russia hoped, and we’re increasingly seeing its kinetic war tactics becoming more untamed, targeting energy and water infrastructure with missile strikes. We’re also seeing North Korea flexing its muscles by flying long range weapons over borders.
With these increasingly unpredictable ground war tactics being displayed, we expect the same to apply to cyberwarfare. As the war in Ukraine continues, Russia’s cyber attacks will work in tandem with its kinetic attacks. These will have the potential to spill over into other nations as Russia becomes more daring, trying to win the war by any means, and Russia could look to use the conflict as a distraction as it targets other nations with cyber attacks. This will be replicated by North Korea as it looks to advance its economic and political goals.
Budget-saving results in concentration risk
Budget-saving cloud strategies will lead to companies putting all their eggs in one cloud basket, concentrating their risk and spoiling agility.
In 2023, the smart play to protect budgets during times of economic uncertainty will be to increase agility and spread costs across multiple clouds. However, some CFOs and CIOs will be lured into the low-cost, low-stress single-cloud option and will put all their eggs in one basket. This concentrates risk and presents opportunities for attackers as security teams come up to speed with the cloud-native technologies developers have deployed since the pandemic accelerated cloud use. It also wastes the agility and speed that a multiple cloud - not just one - strategy provides.
The human identity market will consolidate
Securing human identity became more important than ever during the pandemic, but in 2023, we expect to see the market consolidate. Companies need – and generally have – human identity security, but it’s a very competitive market and major private equity firms are taking a lot of companies private.
But there are only so many seats at the human identity table, and it’s becoming a race to the bottom. We’d expect there to be some casualties over the next 12 months.
Yana Blachman, Threat Intelligence Specialist
Cyber attacks will be used as a smokescreen
This year, we’ve seen growing evidence of threat actors deploying attacks with a dual purpose, which will increase as a tactic in 2023. There have been examples of ransomware and DDoS attacks being used to cause chaos in security teams, which have actually been a smokescreen, enabling them to achieve nefarious secondary goals like espionage.
It’s this broader goal that we should concentrate on, questioning why these particular companies are being targeted and the motivation for attacks. Organizations must collaborate, both with each other and governments, sharing intel and really drilling down into the true purpose of attacks.
We’ll discover that attacks on the cloud have already happened
We’ve yet to see many major cloud-related breaches, but that’ll change in 2023 - we’re going to see a lot of cloud-related breaches and vulnerabilities float to the surface. The speed and scale of cloud adoption has created a knowledge gap within security teams, who don’t fully understand the risks of cloud.
As security professionals develop their knowledge of cloud security this year, they’ll find that threat actors are ahead of the curve and have already infiltrated their networks – perhaps weeks, months or even years ago. It’s only as we build our knowledge of cloud risk that we’ll start to uncover these breaches.
There will be more failed audits
We’ll see more failed audits in regulated companies as multi-cloud, multi-cluster grows as a strategy in 2023. The shift away from larger clusters to multiple smaller ones is popular with regulated companies, as it allows them to use private cloud alongside public cloud. This spreads risk, increases performance and offers the control and visibility they need for compliance.
However, it also increases complexity because these environments are fragmented and require a huge number of machines – clusters, microservices, servers and applications – which all need an authenticated identity to communicate securely. Due to this increased volume of machine identities in cloud native environments, compliance with regulations on machine identity management is a real challenge. If this process isn’t automated via a control plane, failed audits will become commonplace.
Matt Barker, President of Cloud Native Solutions
The rise of platform engineering
In 2023, we’ll see the rise of platform engineering. The Cloud Native ecosystem has exploded. Some eight years after the open sourcing of Kubernetes, there are now thousands of companies running it in production. However, it’s relatively early days in the enterprise adoption of Cloud Native, and we’re still learning huge amounts about how to organize, run and manage teams to take advantage of it. A common theme that is developing is the need for ‘platform engineering’.
Even in the move to cloud, we didn’t see large-scale restructuring of the teams delivering the infrastructure. This lack of restructure is partly what led to the huge number of ‘lift and shift’ migrations we’ve seen over the years.
However, given that Cloud Native reimagines how companies think about building and operating infrastructure, they require a totally new team to build and support it. This is leading to the rise of the ‘platform engineering’ team, which builds on the learnings of DevOps culture, and encompasses every persona needed to build and run IT infrastructure, including Dev, Security and Operations.
Service mesh will continue to grow, and stop disappointing
Over the next year, we’ll see service mesh grow and mature. Companies continue to adopt service mesh rapidly, however, they tend to deploy it for a few key reasons, often driven first and foremost by the need for mutual TLS. As much as these companies get value from service mesh, it can sometimes come at the expense of latency, performance, and complexity. For that reason, it’s not very easy to say that service mesh has ‘lived up to the hype’.
It does, however, look like this is changing, and we’ve seen a lot of recent innovation in the space. For example, we’ve seen some of the vendor-led Istio services improve rapidly, we’ve seen more simple technologies like Linkerd gain traction with developers, and we’ve seen completely different approaches adopted with technologies like ambient mesh. Jetstack itself has also done a lot of work with Istio-CSR to help companies to connect their service mesh to a corporate-approved CA.
Thanks to this improvement, we see big strides in service mesh in 2023 and we’ll see more features that help it become easier to adopt, easier to use, and more ‘enterprise ready’.
Start-ups and open source will help solve supply chain security issues
As far as trends go in Cloud Native, supply chain security is one of, if not the most pertinent issue, and will continue to be so in 2023. Highly visible open source vulnerabilities like Log4Shell, or in some cases the ‘weaponization’ of software, have posed uncomfortable questions around the dependencies you are running in your business at this very moment.
Sadly this is a question that should always have been asked, but for whatever reason, it wasn’t, and there are many companies now struggling with the question of how vulnerable their code is, and where it has come from. We’re seeing many instances of vulnerable code brought inside their firewall by developers trying to go fast using unverified code from GitHub, or copypasta from Stack Overflow.
Thankfully, we’ve reached a collective sense of focus on this area, and are seeing tremendous developments in how we tackle it. This is only going to increase through 2023 as we see more start-ups popping up and open source tools like cosign and sigstore designed to help it.
Biden’s SBOM initiative has helped bring attention to the requirement, and the OpenSSF is leading in this charge. Their approach is being supported by a number of companies in the space, including Jetstack, who have published a Secure Supply Chain toolkit, and are proactively working with customers to help understand their issues, and solve them with a ‘low effort, high impact’ approach.