The 2023 Security Landscape: A Social Engineer’s Take 

High-profile data breaches, attacks on essential infrastructures, and targeted cyber warfare made 2022 a pivotal year in the cybersecurity field. It challenged an already sophisticated threat landscape. All of this has had drastic effects on organizations. It is reported that about half of CISO’s felt at risk of a cyber-attack last year. The many broad and varied attack vectors left those in leadership with a lack of clarity. Additionally, two-thirds of cybersecurity decision makers felt unprepared to defend against common threats in 2022 because of increasing staff turnover and hybrid working environments.  

With global tensions escalating, economies faltering, and threat landscapes ever evolving, the next 12 months of 2023 could be even more challenging. In view of this, how can you build a cyber defense that’s up to the task? Knowledge is power. The experts at Social-Engineer weighed in on the 2023 security landscape and what you can expect from the year ahead. 

Hacking Tools As A Service

The dark web has been increasing in popularity, especially for those who are looking to conduct devastating cyber-attacks. Recent months have seen “ransomware-as-a-service” becoming a valuable commodity on the dark web. This service gives the power to cause corporate devastation with zero technical capability required.  

The success of threat vectors like these can easily be duplicated in many other ways. One of our professional social engineers commented, “These attack vectors that were once only the realm of highly skilled attackers have become commoditized to where almost anyone can buy or rent malicious tools. We also see that each step in the chain is specialized. Some attackers only focus on gaining initial access to a network, only to sell that access to other buyers.” We can expect to see other hacking tools on sale, such as Vishing, Phishing, SMishing and many more. These threats require less technical sophistication making them much more dangerous. The sheer volume that can be unleashed with minimal effort means a much higher rate of success.  

Economic Pressures Increase

Financial pressures, job insecurity, and the ever-increasing cost of living are already taking a huge emotional toll on employees. One of our social engineers has seen, “Any time there is a notable world event, especially in times of crisis, we see threat actors trying to take advantage of people. That is often seen in things like fundraising scams.” Financial gain is often the main motivator for most attacks, these trends will continue to increase especially given the economic outlook. As this situation grows increasingly complex, the burden on cybersecurity professionals and employees alike will be intense. Under this kind of stress, people experience more mental fatigue, and feelings of desperation. As a result, they are more prone to making costly mistakes. These mistakes can often be clicking on malicious URL links or downloads that can open the door to threat actors.  

Knowing this, malicious social engineers will increase their efforts to exploit and capitalize on the weakest points in the cybersecurity chain, our people. 

With Great Ransomware Comes Greater Consequences

It certainly was not the first year that ransomware was a fixture on the threat landscape. However, the 2022 State of the Phish reported that over two-thirds of organizations experienced at least one infection in the past year. In the first quarter of 2022, the ransomware trend involving threats to leaked data accelerated rapidly. 77% of attacks used double extortion techniques to encrypt files and exfiltrate data from organizations. Ransomware adds another layer of stress. Leadership must make crucial decisions about whether to pay the ransom to get the stolen data back or not. As one of our experts noted, “It can be tempting to pay the ransom to get systems unlocked and get data back, but there is no guarantee that will happen. Additionally, paying the ransom is funding the next wave of attacks.” 

In 2023, we can be sure that threat actors will be more aggressive and bolder in their methods. And on the wings of lucrative supply chain attacks that happened in 2022, we can expect them to be a prime target of cyber-criminals who are looking to exploit these third parties. This will mean that CISO’s will need to scrutinize relationships more closely, due diligence on everyone’s part must be required along with transparency.  

 Turning MFA into a Weakness

Multifactor Authentication (MFA) is a tricky game that constantly persists between cyber-criminals and cybersecurity professionals. While threat actors are getting better at compromising credentials, security experts are trying to add additional steps as company standards.  

While MFA is a crucial part of increased security, it is not immune to exploitation by threat actors. Cyber-criminals are leveraging phishing and vishing to steal MFA tokens, bombarding employees with approval requests until they finally fall into MFA fatigue. This has taken off in 2022 with great success and as the threat landscape evolves, we can expect it to increase in 2023. 

How to Defend from Threats on the Horizon

While there are multiple attack vectors that cyber-criminals can choose, one thing is for sure: people will be the main attack surface of choice and their data being the desired prize. With the 2023 landscape rapidly evolving, we can be sure there will be larger attack surfaces, more access points, and increasingly sophisticated cyber-attacks.  

To defend against these attacks, corporations must maintain a robust cybersecurity posture. This posture must consider the corporation’s employees, processes, and technology. Employee managed service programs that test, educate, and protect your human network by conducting simulated attacks will give you actionable metrics to protect your organization. These services should apply scientifically proven methodologies to uncover vulnerabilities, define risk, and provide remediation.  

At Social-Engineer, our ethic is: Leave them feeling better for having met us. Our purpose is to bring education and awareness to all users of technology. By implementing our core values, we treat all your employees with dignity and respect as we test for vulnerabilities. This not only gives you actionable reporting and guidance for remediation, but leaves your employees open to teachable moments.  

Reach out to us today and let’s talk about what we can do to help you make 2023 your most secure year yet!  

Written by: Amanda Marchuck 

At Social Engineer LLC, our purpose is to bring education and awareness to all users of technology. For a detailed list of our services and how we can help you achieve your information/cybersecurity goals please visit: 

https://www.Social-Engineer.com/Managed-Services/