Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
The Rising Threat from Chaotic, Asymmetric Cyberattacks
By Casey Ellis, Founder and CTO of Bugcrowd
Cybercriminals are motivated by money, while nation-states are motivated by national interests. So, while neither of these adversaries plays by the rules, both of their actions are somewhat predictable. The most dangerous aspect, in my opinion, is that most security organizations have spent the last five-plus years developing symmetric defensive strategies based on such threat actors with reasonably well-defined goals. However, when a chaotic threat actor is introduced into the mix, the game tilts and becomes asymmetric.
For example, consider the attacks we saw earlier this year by the extortion group Lapsus$, which were focused on opportunistic data thefts and subsequent threats to publicly release the stolen data. My main concern about Lapsus$ and other similar actors is that defenders haven't really been preparing for this type of threat for quite some time. Lapsus$ relies heavily on social engineering to gain an initial foothold, so assessing your organization's readiness for social engineering threats, both on the human training and technical control levels, is a prudent precaution to take here.
While the stated goals of Lapsus$ and Anonymous/Antisec/Lulzsec are very different, I believe they will behave similarly as threat actors in the future. The evolution of Anonymous in the early 2010s saw various sub-groups and actors rise to prominence, then fade away, to be replaced by others who replicated and doubled down on successful techniques. Perhaps Lapsus$ has vanished completely and forever, but as a defender, I wouldn't rely on this as my primary defensive strategy against this type of chaotic threat.
Returning the Focus to Essential Security Controls
The recent case of the Senate whistleblower Peiter Zatko - Twitter's former head of security, better known as Mudge - produced some uncomfortable allegations about security failures and coverups. Yet the cybersecurity challenges that Mudge pointed out are not uncommon outside of Twitter, although the degree to which they exist may vary between organizations.
To me, there are two opportunities for lessons learned here: The first is for security leaders and teams to step back for a moment and consider how they are going about prioritizing, managing, and burning down the basics. There is no shortage of "shiny objects" in cybersecurity, and it can be easy to get caught focusing on esoteric controls and threats when the simpler (and for an attacker, just as effective if not more effective) issues go unaddressed. The second takeaway would be to table-top the scenario from Twitter's point of view. Regardless of the validity of the reason for whistleblowing, it is a useful exercise to consider the cybersecurity impact, as well as the impact on trust and brand, if your own security deficiencies as an organization were suddenly to become an issue of public record.
Election Security Will Be Top of Mind
From this year's mid-term elections through 2024, election security will be top of mind. Several states are testing out the idea of risk-limiting audits and have passed legislation moving them toward hand-marked paper ballots.
At least six states rely on modems to transmit unofficial results, which introduces more hacking risk, Politico recently reported. Michigan says it's phasing them out entirely and the "vast majority" no longer use them, as the Detroit Free Press put it, citing the secretary of state's office.
We should see additional adoption of VDP and crowdsourced testing by states and voting machine manufacturers, as misinformation continues to be the most pressing real risk.
##
ABOUT THE AUTHOR
Casey is the Founder, Chairman, and CTO of Bugcrowd. He is an 18-year veteran of information security, servicing clients ranging from startups to multinational corporations as a pentester, security and risk consultant and solutions architect, then most recently as a career entrepreneur. Casey pioneered the Crowdsourced Security as a Service model launching the first bug bounty programs on the Bugcrowd platform in 2012, and co-founded the disclose.io vulnerability disclosure standardization project in 2016.
A proud ex-pat of Sydney Australia, Casey lives with his wife and two kids in the San Francisco Bay Area. He is happy as long as he’s passionately pursuing potential.