The changing face of cybersecurity threats in 2023

Over the last eighteen months or so, a motley group of teenagers under the banner of Lapsus$ managed to hack into “unbreachable” fortresses at tech giants such as Okta, T-Mobile, Nvidia, Microsoft, and Globant using unsophisticated but creative and persistent techniques.

While the group’s goals were unclear and differing – fluctuating between amusement, monetary gain, and notoriety – at various times, it again brought to the fore the persistent gaps in security at even the biggest and most informed companies.

“Organizations must act now to protect themselves, and the Board identified tangible ways to do so, with the help of the U.S. government and the companies that are best prepared to provide safe-by-default solutions to uplift the whole ecosystem,” says a report published by the Homeland Security Department’s Cyber Safety Review Board.

The lesson here for companies is that attackers don’t need to discover new threats or sophisticated methods of penetrating your networks. Using the “same old” low-skill tactics, common tools, and a bit of social engineering, hackers can get around complex security policies such as multi-factor authentication (MFA) and identity and access management (IAM) systems.

Let’s revisit the most prevalent security threats and see how they’re evolving in 2023.

Initial access

Initial access consists of various techniques attackers use to gain access to your network. The process starts with identifying compromised hardware, software, and human assets – both internal and external – by way of scanning and reconnaissance methods. The attacker then chooses the target and method of invasion and leverages the compromised assets to gain a foothold in the victim’s servers or network.

The MITRE ATT&CK framework – a knowledgebase of cyberattack techniques – maintains an updated list of initial access techniques. In 2023, these include:

• Drive-by compromise – using compromised websites or taking over the user’s browser
• Exploit public-facing applications – exploiting a weakness in the user’s system such as a bug or misconfiguration
• External remote services – using a VPN or other access mechanism to connect to the network
• Hardware additions – connecting new networking, computing, or storage devices to the host network
• Phishing – sending messages with malicious links or attachments that enable the attacker to gain control of the host
• Replication through removable media – copying malware to removable media, inserting it into the system, and executing it via autorun features
• Supply chain compromise – manipulating software product delivery mechanisms to insert malware into the network
• Trusted relationship – leveraging third-party individuals or organizations that have access to the victim’s systems
• Valid accounts – using existing user and system accounts to gain access to the network, bypass access controls, and staying undetected

Detection:

Patterns and changes to them are key to detecting fraudulent access. Smart admins will constantly monitor the success and failure of logins, multi-factor notifications, input validations in code, file access, creation and deletion, as well as plugging and removal of media. Every out-of-place event needs to be investigated.

Prevention:

As we’ve seen, there are a multitude of paths attackers can take to enter into your network. User awareness training, strong login credentials with multifactor authentication, updated software that patches and reduces the likelihood of vulnerabilities, and regular testing will help companies prevent adversaries from getting that all-important initial access to their systems.

Website spoofing

Spoofing is a practice similar in principle to phishing but deserves special mention due to the scale on which it is carried out and its continued impact on individuals as well as organizations.

In website spoofing, the attacker imitates a legitimate website or domain name, targets its audience to visit it using different methods, and lies in wait until an unsuspecting user lands on it. Once the victim is on the site, the possibilities are endless.

Imitating popular websites – or domain spoofing, to be precise – is more common than similar attacks such as IP spoofing, email spoofing, MAC spoofing, DNS spoofing, and ARP spoofing because the user experiences visual similarity to a recognized entity.

“Website spoofing takes advantage of naïveté, fooling everyday users who think they are interacting with brands they know and trust. Because of this trust, users are less likely to take a second look at the website’s URL,” says Israel Mazin, CEO of Memcyco, a real-time website spoofing protection platform.

The most recent data available indicates that 62% of all identity attacks leveraged display name deception to impersonate a trusted organization, individual, or brand, typically a vendor or partner. Brands and businesses need to monitor and take proactive steps to prevent domain spoofing.

Detection:

One of the first signs of a website spoofing attack is an unusual or too-good-to-be-true request – such as a special Amazon sale offering 25% discount on the latest model of the iPhone. You know very well it’s not going to happen. However, scammers might add a sense of urgency saying the offer expires in 2 hours, for example. On closer look, you’ll always find that it’s a shortened URL or a URL with a spelling slightly different than the company’s primary domain. A quick Google search should settle it.

Website spoofing puts a bigger onus on the user or individual than the organization for detection.

Prevention:

Nearly 75% of Forbes Global 2000 companies haven’t implemented vital domain security measures, indicating continued widespread susceptibility to domain and website spoofing.

It’s a common misconception that only enterprise domains are spoofed. SMBs and startups are equally at risk. You need to use a reputable registrar and hosting provider. Further, regularly monitor your domain and DNS settings, as well as your website logs for signs of abnormal traffic with unusual referrers or URL modifiers. Implement a Web Application Firewall (WAF) on your web server and Domain-based Message Authentication, Reporting & Conformance (DMARC) for emails.

Data exfiltration

Exfiltration is an umbrella term for the methods attackers use to steal data from the victim’s systems. Once they’ve identified and copied the data they want, adversaries use packaging, compression, encryption and hiding techniques to avoid detection at the time of stealing (transferring) it.

One of the most prevalent and damaging types of attacks – ransomware – relies on data exfiltration. The goal of the attacker is to identify file servers on which sensitive information is stored and then lock it or transfer it out of the network using email or by uploading to external servers. Some shocking ransomware stats:

• Ransomware accounts for 10% of all breaches.
• The average cost of a ransomware attack is close to $2 million.
• A significant ransomware attack will occur once every 2 seconds by 2031.

Detection:

Intrusion Detection Systems (IDS) that actively monitor network for suspicious traffic are the first line of defense against data exfiltration techniques. Traffic to and from unseen IP address ranges, file access at unusual times, major spikes in outbound traffic and outbound connections to external servers via a generic or non-secure protocol are typical indications of exfiltration threats.

Prevention:

In the age of Bring Your Own Device (BYOD) and remote work, preventing data exfiltration needs a comprehensive, well-rounded data security and governance strategy. Using a Security Information and Event Management (SIEM) system lets you collect and converge data from disparate IT environments and touchpoints for real-time monitoring and analysis.

Further, a next-generation firewall (NGFW) will provide an additional layer of defense against newer, advanced attacks by allowing you to monitor all network protocols at all times and blocking unauthorized channels. Finally, use Zero Trust Architecture (ZTA) policies to validate any and all data transfer, compression and encryption activities.

Proactive detection and prevention

In 2023, it is impossible for you to know of all the threats and vulnerabilities out there. It is impossible to know your adversaries. It is impossible to know their approaches. “With the increasing availability of sophisticated technological and social engineering tools, attackers have a higher chance of succeeding – and gaining big – with little risk,” Mazin warns.

A proactive threat detection and response program with user behavior analytics (UBA), regular threat hunting and penetration testing, and pre-emptive honeypot traps will soon be generic components of a typical security strategy, if not the norm.