As digital transformation evolves and the volume of data grows, so do opportunities for cybercriminals. Cyberattacks are projected to cost companies $10.5 trillion by 2025—up from $3 trillion a decade prior.
Today’s remote workforce adds another layer of cybersecurity concerns for companies. Increased reliance on the public cloud, the use of unsecured networks and hardware, and a lack of IT oversight are several factors that make remote workers more vulnerable.
The evolution in IT systems to fit the converged workforce will attract threat actors in 2023, who will target elements of zero trust solutions and APIs, then hide deep within systems to achieve actions on their objective. Organizations must be prepared with robust security solutions and services that keep them steps ahead of these threats.
1. Rapid Increase in Attacks Against APIs
Gartner predicted in 2021 that application programming interface (API) attacks would take the top spot as an attack vector. This prediction is rapidly materializing. As publicly discoverable and self-documenting APIs have rapidly proliferated, API attacks are growing nearly 300% per quarter.
API attacks are particularly concerning because APIs are a relatively new and now ubiquitous attack surface, and so are more likely to harbour undiscovered vulnerabilities. Attackers frequently target access control, resource exhaustion, misconfigurations, and command injections. To defend against these attacks, you need to inventory your APIs, map vulnerabilities, and deploy web application firewall capabilities. These are often bundled into application solutions called Web Application and API Protection (WAAP) and are typically found in DDoS solutions.
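Two of the weakness classes named above, access control and resource exhaustion, are easiest to see side by side in code. The following is an added example, not code from the original post or from Lumen: a toy order-lookup API in Python with a vulnerable handler next to its hardened form. The users, orders, the request object and the MAX_PAGE_SIZE cap are all constructed for illustration.

```python
"""Added example, not code from the original post: a toy order-lookup API
showing two of the weaknesses the text names (broken access control and
resource exhaustion) next to a hardened version. All users, orders and
limits here are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: each order belongs to exactly one user.
ORDERS = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 99.5},
    103: {"owner": "alice", "total": 7.25},
}

MAX_PAGE_SIZE = 100   # assumed server-side cap on rows per response


@dataclass
class Request:
    user: str                      # principal already authenticated upstream
    order_id: Optional[int] = None
    page_size: int = 20


def get_order_vulnerable(req: Request) -> dict:
    """Broken object-level authorization: the id is looked up without
    checking who asked, so any authenticated user can read any order."""
    return ORDERS[req.order_id]


def get_order_hardened(req: Request) -> dict:
    """Authorizes the object against the caller. A missing order and a
    foreign order produce the same error so ids cannot be enumerated by
    telling 'not found' apart from 'forbidden'."""
    order = ORDERS.get(req.order_id)
    if order is None or order["owner"] != req.user:
        raise PermissionError("order not found")
    return order


def query_limit_vulnerable(req: Request) -> int:
    """Passes the client-supplied page size straight through to the data
    layer; a single request asking for 10**9 rows becomes an unbounded
    query, which is the resource-exhaustion pattern."""
    return req.page_size


def query_limit_hardened(req: Request) -> int:
    """Rejects nonsense values and clamps the rest to the server cap."""
    if req.page_size < 1:
        raise ValueError("page_size must be >= 1")
    return min(req.page_size, MAX_PAGE_SIZE)


def list_orders(req: Request) -> list:
    """Lists only the caller's own orders, using the hardened limit."""
    limit = query_limit_hardened(req)
    return [o for o in ORDERS.values() if o["owner"] == req.user][:limit]


if __name__ == "__main__":
    # bob can read alice's order through the vulnerable handler...
    print(get_order_vulnerable(Request(user="bob", order_id=101)))
    # ...but not through the hardened one.
    try:
        get_order_hardened(Request(user="bob", order_id=101))
    except PermissionError as exc:
        print("hardened:", exc)
    print(query_limit_hardened(Request(user="bob", page_size=10**9)))
```

The hardened lookup deliberately returns the same error for a missing order and for someone else's order; a WAAP in front of the API can rate-limit id guessing, but only the service itself knows who owns which object, which is why inventory and per-endpoint authorization review sit alongside the firewall.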
2. Perimeter Device Exploitation
Key to supporting the growing hybrid workforce, Secure Access Services Edge (SASE) enables employees’ efficient access to data resources both on and off premises. In 2022, advanced threat actors targeted perimeter devices, and as the hybrid workforce grows, these devices will continue to attract the attention of attackers.
Within SASE, attackers also target improperly exposed management frameworks due to the low detection—yet privileged—point of access on a network. To combat this threat in 2023, cybersecurity budgets must be prioritized for SASE solutions with defense-in-depth and professionally managed security services, taking into account the IT team’s structure and the product(s) needed to address networking and security within this structure.
3. Rapid Weaponization of Severe Zero-Day Exploits
The security industry has recently witnessed the disclosure of security weaknesses in key infrastructure solutions. In 2023, both APT and ransomware threat actors will continue to produce exploits based on zero-day vulnerability disclosures, intending to beat network defenders’ ability to fully patch systems.
A few recent examples include:
- Conti ransomware obtained a Log4j-based exploit within a week of its disclosure and leveraged it in attacks.
- A full proof-of-concept exploit for remote code execution CVEs in one cloud server model was published within 48 hours of the CVE announcement in April 2022.
To mitigate these risks in 2023, comprehensive logging and correlation at the perimeter and throughout the organization’s holdings will limit the actor’s impact, should they leverage a one-day exploit against a network before it is fully patched.
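What "logging and correlation at the perimeter and throughout the organization's holdings" looks like in practice is a join between perimeter events and host telemetry. The block below is an added example, not code from the original post or from Lumen: it reads constructed WAF/proxy lines and constructed host lines, and reports a signature hit only when the targeted host shows follow-on behaviour inside a short window. The log formats, hostnames, IPs, the rule and payload placeholders, the five-minute window and the process lists are all assumptions.

```python
"""Added example, not code from the original post: correlating perimeter
(WAF/proxy) events with host telemetry so that a one-day exploit that
slipped through before patching is surfaced by its follow-on behaviour.
Log formats, hosts, IPs, rule names and thresholds are all constructed."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # assumed correlation window
SHELLS = {"/bin/sh", "/bin/bash"}      # children a web service should not spawn
SERVICE_PARENTS = {"java", "nginx"}    # constructed list of exposed services

# Constructed perimeter log: time src_ip dest_host path waf_rule ('-' = none)
PERIMETER_LOG = """\
2023-01-10T09:00:01 203.0.113.7 web01 /login -
2023-01-10T09:02:15 198.51.100.23 web01 /api/search?q=PAYLOAD_PLACEHOLDER RCE-SIG-PLACEHOLDER
2023-01-10T09:03:02 198.51.100.23 web02 /api/search?q=PAYLOAD_PLACEHOLDER RCE-SIG-PLACEHOLDER
2023-01-10T09:05:40 203.0.113.7 web01 /account -
"""

# Constructed host log: time host event key=value ...
HOST_LOG = """\
2023-01-10T09:02:18 web01 process_start parent=java child=/bin/sh
2023-01-10T09:02:20 web01 outbound_connect dst=198.51.100.23:4444
2023-01-10T09:30:00 web01 process_start parent=cron child=/usr/sbin/logrotate
2023-01-10T09:03:05 web02 process_start parent=java child=/usr/bin/java
"""


def parse_perimeter(text):
    events = []
    for line in text.splitlines():
        ts, src, host, path, rule = line.split(" ")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "host": host, "path": path, "rule": rule})
    return events


def parse_host(text):
    events = []
    for line in text.splitlines():
        ts, host, kind, *kvs = line.split(" ")
        attrs = dict(kv.split("=", 1) for kv in kvs)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, **attrs})
    return events


def is_post_exploit(ev, requester_ip):
    """Behaviour a freshly exploited service tends to show: a service
    process spawning a shell, or the host connecting back to the requester."""
    if ev["kind"] == "process_start":
        return ev.get("parent") in SERVICE_PARENTS and ev.get("child") in SHELLS
    if ev["kind"] == "outbound_connect":
        return ev.get("dst", "").split(":")[0] == requester_ip
    return False


def correlate(perimeter, host_events):
    """Joins each WAF signature hit to suspicious host events on the same
    target inside WINDOW. A hit with no follow-on (web02 here) is left to
    the lower-priority signature-only queue rather than reported."""
    alerts = []
    for p in perimeter:
        if p["rule"] == "-":
            continue
        evidence = [h for h in host_events
                    if h["host"] == p["host"]
                    and p["ts"] <= h["ts"] <= p["ts"] + WINDOW
                    and is_post_exploit(h, p["src"])]
        if evidence:
            alerts.append({"host": p["host"], "src": p["src"],
                           "rule": p["rule"], "evidence": evidence})
    return alerts


def run_demo():
    return correlate(parse_perimeter(PERIMETER_LOG), parse_host(HOST_LOG))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['host']}: {a['rule']} from {a['src']} followed by "
              f"{[e['kind'] for e in a['evidence']]}")
```

The point of the join is the caveat in the paragraph: a perimeter signature alone does not tell you whether the exploit worked, while host telemetry alone has no requester to tie the shell spawn to. Holding both, with timestamps from a common clock, is what lets a responder scope impact before the patch is fully rolled out.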
4. Astonishingly Sophisticated Social Engineering
The growing sophistication of phishing attacks has enabled actors to deepen their access and compromise supply chain connections. This was seen in the work of the Lapsus$ gang, who successfully compromised identity systems within Okta and Microsoft. These attacks effectively bypass multi-factor authentication security measures to breach the perimeter of an organization.
Throughout 2022, Lumen’s Black Lotus Labs observed that these attacks resulted in divergent outcomes: either the adversary was limited to a single user’s access, code base, or data—or the organization suffered complete compromise. In 2023, we expect these attacks to persist.
Organizations that have invested in their zero trust journey and ecosystem partners to segment network and data access, lock down administrative accounts, centralize and correlate log collections, and tightly monitor anomalous activity will keep themselves out of the news.
5. Deep Obfuscation of Attack Telemetry via Compromised Cloud and Consumer Devices
Advanced actors are sourcing their attacks behind multiple traffic hops and legitimate sources that are impossible to block. As highlighted in Lumen’s Q2 DDoS report, actors are sourcing attacks from cloud providers, and advanced threat actors continue to obscure command and control infrastructure to evade atomic-indicator-based detection. And as Lumen’s Black Lotus Labs observed, advanced actors are leveraging SOHO (small office/home office) router devices to conduct stealth operations. This makes it nearly impossible to distinguish between a remote worker and an actor who has leveraged an unsuspecting user’s device.
Access to compromised SOHO devices is convenient for adversaries because of the widespread use of default credentials and the magnitude of vulnerable internet-exposed devices. In 2023, defenders are advised to revisit assumptions to help uncover threats that may lurk from familiar sources. Defenders should also opt to increase investment in security threat detection and response solutions.
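One concrete way to "revisit assumptions" about familiar sources is to stop treating a known remote worker's home IP as trusted by default and instead watch how many identities it presents. The following is an added example, not code from the original post or from Lumen: it reads constructed authentication log lines and flags any source, trusted list or not, that authenticates as more distinct users within an hour than a home connection plausibly should. The IPs, users, timestamps, the KNOWN_REMOTE_SOURCES map, the one-hour window and the threshold are all assumptions.

```python
"""Added example, not code from the original post: flagging a "familiar"
source (a known remote worker's home IP) that starts behaving like a shared
proxy, which is what a compromised SOHO router looks like from the inside.
IPs, users, timestamps, the trusted-source list and the threshold are
constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed look-back window
MAX_USERS_PER_SOURCE = 2      # assumed: a home IP normally serves one or two identities

# Constructed: IPs the organization has previously accepted as remote-worker egress.
KNOWN_REMOTE_SOURCES = {"198.51.100.77": "alice-home"}

# Constructed auth log: time src_ip user result
AUTH_LOG = """\
2023-01-10T08:00:00 198.51.100.77 alice success
2023-01-10T08:10:00 203.0.113.5 eve success
2023-01-10T08:12:00 198.51.100.77 bob success
2023-01-10T08:15:00 203.0.113.5 eve success
2023-01-10T08:20:00 198.51.100.77 carol failure
2023-01-10T08:25:00 198.51.100.77 dave success
2023-01-10T12:00:00 198.51.100.77 alice success
"""


def parse_auth(text):
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split(" ")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def fanout_by_source(events):
    """For each source IP, the largest number of distinct identities seen
    within any WINDOW-long span. Failures count too: guessing at other
    people's accounts from a home IP is still fan-out."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    peak = {}
    for src, evs in per_src.items():
        best = 0
        for i, anchor in enumerate(evs):      # evs is time-ordered
            users = {x["user"] for x in evs[i:]
                     if x["ts"] - anchor["ts"] <= WINDOW}
            best = max(best, len(users))
        peak[src] = best
    return peak


def review_sources(events):
    """Returns sources over the fan-out threshold. A source is reported even
    when it is on the trusted list; that prior trust is the assumption being
    revisited, so it is carried along as context rather than used to exempt."""
    flagged = []
    for src, n in fanout_by_source(events).items():
        if n > MAX_USERS_PER_SOURCE:
            flagged.append({"src": src, "distinct_users": n,
                            "previously_trusted_as": KNOWN_REMOTE_SOURCES.get(src)})
    return flagged


def run_demo():
    return review_sources(parse_auth(AUTH_LOG))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['src']} presented {f['distinct_users']} identities in one hour "
              f"(previously trusted as {f['previously_trusted_as']})")
```

In this constructed data the home IP the organization had accepted as one worker's egress presents four identities in twenty-five minutes, which is the signature of a router being used as a hop rather than of one person working from home; the other source, with a single user, is left alone. The same fan-out measure can be applied to VPN concentrators and cloud egress ranges, which the text also names as sources adversaries hide behind.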
Security threats have become increasingly sophisticated and covert; thankfully, cybersecurity solutions have advanced in stride. Still, in a connected and data-driven society, attacks are inherently expensive. Knowing where vulnerabilities exist, and the security solutions and services that can combat them, will help companies stay ahead of these threats.
Martin Nystrom is vice president of security development at Lumen Technologies, as well as leader of the Black Lotus Labs threat intelligence team and its underlying programs. Prior to joining Lumen, Martin spent more than 22 years at Cisco, where he was the head of product management for SecureX, Cisco’s security platform.