The year 2022 has been unrelenting on the cybersecurity front and adversaries are only becoming more sophisticated and adopting more advanced techniques and technologies to circumvent organisations’ security measures.
Ransomware remained the most dangerous, costly and prevalent cyberthreat to EMEA organisations last year, and will continue to be the most damaging cybercrime tool of 2023.
According to CrowdStrike’s 2022 Global Threat Report, there was a terrifying annual increase of 82 per cent in ransomware-related data leaks in the year to date, costing the companies concerned EUR1.72m on average.
It’s easy to understand the enduring appeal of ransomware to cybercriminals: it is increasingly easy to use and wildly lucrative. Over the course of the last two years, obtaining and using ransomware tools has become simpler than ever. An ecosystem of criminal suppliers offers Ransomware-as-a-Service, and other elements of the operation, from stolen credentials to payment services and money laundering, are also available as third-party services from a growing range of providers.
In late 2022, getting started as a cybercriminal requires no more than a working credit card. This coordination of criminal service providers to provide specialisation and automation is sadly only likely to grow over the coming year. Ransomware will continue to grow until such a point that the vast majority of organisations have adopted advanced tools that make other criminal tactics more profitable.
Europe also at risk
Unfortunately, it seems likely that European organisations will suffer as badly as anywhere else from cybercrime in 2023. While some countries have developed a mature understanding of the risks and available defences, in Europe, the picture is more fragmented, with low levels of cybersecurity understanding common across some areas of the region. Most notably, a proportion of organisations are still sceptical about cloud technologies — or feel their hands are tied when making the right technology choices due to misunderstanding or confusion over local or regional regulations and privacy requirements.
These attitudes will change over time. In fact, there can be no privacy without security. Data that has been stolen or leaked is no longer private, no matter what laws or regulations might apply. In turn, modern technology is needed to solve a modern threat: only next-generation, cloud-based cybersecurity solutions, drawing on big data from across the globe, are equal to the task of keeping any kind of data secure.
Many countries across the globe expect their economies to approach recession during the coming year. Cost-cutting will be discussed at many companies, and cybersecurity budgets, having risen – on average – for many successive years, will certainly be under scrutiny. Reducing and consolidating the number of licensed products in the area may well make sense, although maintaining the best levels of security is not negotiable at any company.
Notwithstanding, many companies have far more tools than they need. Our own discussions with CISOs suggest it’s not uncommon for companies to have multiple licensed cybersecurity products at their disposal. This isn’t rendering them immune to attack and, in fact, security levels and team performance are suffering at many organisations due to redundant or excessive notifications and checks. Working towards a consolidated single point of truth through a united platform will not only yield cost savings, but also productivity and performance gains for cybersecurity analysts.
The 2023 battlefield
Over the course of 2022, we have seen some evolution in adversaries’ ransomware tactics. The extraction of sensitive data, and extortion attempts based on the threat of the sale or publication of this stolen information, have seen a marked rise. Indeed, we have seen a number of cases over the course of this year in which the traditional encryption of victims’ data has not been part of the attack, with the adversary moving directly to threatening exposure of the data, with all the legal, regulatory and reputational damage such leaks would entail. The extortion tactic is potentially worth millions of euros for every attack, and can be repeated without any additional effort on the part of adversaries, so long as the data retains a value for its rightful owners.
Similar to previous years, we continue to see the successful and most sophisticated adversaries no longer using malware-based attacks but focussing on non-malware-based techniques. As companies continue to focus on malware, these interactive attacks have begun to provide a higher success rate for cyber attackers. They now account for 71 per cent of successful breaches, up 50 per cent on the previous year. Ever the pragmatists, cybercriminals are now focused on identity-based attacks, whereby, rather than hacking their way into a victim’s system, they are able to simply log in, using genuine but stolen credentials available on the underground markets of the dark web or through other techniques.
This continued move to malware-free attacks, growing strongly since 2019, puts identity protection at the heart of cybersecurity in 2023. Alongside established, well-understood policies around strong passwords, organisations need to adopt new technologies developed specifically to make it harder for criminals to succeed with identity-based attacks.
Security departments need to establish zero trust policies and the technologies to support them if they have not already. They need to interrogate every identity on the network and use a variety of techniques to validate whether that identity is legitimate. Their chosen technology partner must offer several ways in which this legitimacy can be established (or not). Data needs to be split according to the needs of different roles in the organisation. A salesperson might legitimately need access to customer records, for example. Someone working in production probably does not.
Alongside identities, APIs have become a part of the cybersecurity battlefield in 2022, and this is a trend we will see continue this year and beyond. Gartner® predicts this will become the most common attack vector before long. Many cloud and SaaS services are accessed and controlled through APIs that allow their functionality to be extended and the flow of data through different applications. This is key to the power and popularity of cloud and SaaS, but like any other fast-growing technology, it has attracted the attention of bad actors. We’ve seen a number of successful attacks in this domain, and security-conscious organisations will have already adopted solutions that can ingest and assimilate signals from many different parts of their IT estate, as well as endpoints.
The right way forward – partners not technology
Technology moves very quickly and that won’t change in 2023. Anyone who has worked in the domain knows this: the tools and processes that were best practice in 2022 may be considered dangerously antique by the end of next year. This has important implications for your choice of vendor. It doesn’t make much sense to focus entirely on a particular product or technology, since these inherently have a short shelf-life. Rather, you should choose a vendor who will become a partner through the uncertain times ahead, one that will adapt and continue to support you as technologies and threats evolve. A partner organisation will have evidence of high, sustained levels of support for its customers. It will be transparent about its current capabilities and its roadmap.
Zeki Turedi is the chief technology officer – EMEA at CrowdStrike