What CISOs Should Know About Hacking in 2023

8 February 2023 at 09:00

The art of cyber crime is in a constant state of flux and evolution. Simply staying on pace with these trends is a significant part of the CISO’s job.

Today’s modern CISO must ensure they are always prepared for the next big trend and remain ahead of adversaries.

As we begin to navigate 2023, the security landscape has transformed from a year ago, let alone a decade ago. The Russian invasion of Ukraine, emerging technologies like Web3 and AI, and new, post-pandemic ways of organizing the workforce have all led to significant shifts in the world of hacking.

In this article, we’ll look at how hacking is different in 2023, some of the key threats CISOs must contend with and some of the best defenses available.

What Does Modern Hacking Look Like?

Before we start, it’s worth noting that even the term “hacker” has undergone some evolution over the years. Once largely associated with hostile actors, many security professionals now refer to themselves as hackers. The term “white hat hacker” also exists; this refers to hackers using the same methods as cyber criminals to carry out ethical tasks like pressure-testing security systems.

So what are the concrete ways hacking has changed today compared to five, ten and even twenty years ago? There are several significant trends to highlight that look set to dominate the cybersecurity conversation in 2023.

A Lower Barrier to Entry

In the past, threat actors needed highly developed skill sets honed over many years. Hacking, especially targeting high-level organizations with valuable assets, wasn’t something just anyone could do — the bar was set high.

Today, with the emergence and growth of DIY hacking kits and services — available in places like the dark web — even fairly low-skilled cyber criminals can inflict damage and successfully commit crimes. This is concerning news because it means the pool of potential attackers is soaring.

Taking Advantage of the Shift to Remote Work

Although the COVID-19 pandemic is now receding, many effects still linger. One of the most notable is the sustained shift to remote working patterns. While more remote work options come with great employee benefits such as work-life balance and productivity, this style of working also carries inherent security risks.

With millions of companies now operating either partially or fully remote, along with escalating levels of cloud adoption, security teams have the challenging task of defending sensitive information and assets. Employees access all this data from a wide range of locations — including unsafe wireless networks and even public places.

Emerging Technologies Will Play a Greater Role

Emerging technologies like blockchain, the internet of things and artificial intelligence are expected to play a more prominent role in our lives in 2023, making them a more attractive target for attackers.

We’ve already seen a number of high-profile attacks on Web3 infrastructures, like the 2022 hacking of the Binance exchange for $570 million. Threat actors can also turn new technologies to their own advantage; for example, by harnessing AI tools to automate their attacks and quickly identify easy targets.

Bigger Targets and Heavyweight Players

The invasion of Ukraine in early 2022 sparked a new era of geopolitics, shifting the cybersecurity landscape. Russia has been targeting critical infrastructure in Ukraine with cyberattacks. As tensions between the West and its adversaries reach the highest point in decades, it’s realistic to expect more such attacks against Western targets.

CISOs at all levels must prepare for attacks by nation-state actors, which could even target assets like regional power grids.

What Will Be the Most Popular Hacking Methods of 2023?

Which techniques will malicious actors use to achieve their goals in 2023? While it’s difficult to predict, we’ll likely see a continuation of recent trends.

  • Phishing. Despite — or perhaps because of — its simplicity, phishing remains an extremely effective method for threat actors of all types. Tricking victims into sharing sensitive data, including company information, is a tried-and-tested attack vector that organizations must prepare for with widespread employee education and more robust password policies.
  • DDoS attacks. Distributed Denial of Service attacks work by overwhelming the target’s servers with traffic, causing them to crash. In many cases, attackers are using cloud infrastructure to bolster their DDoS attacks.
  • Ransomware. This method has been skyrocketing year over year and will probably trend upward in 2023. During an attack, malicious actors seize an organization or individual’s data, encrypt it and demand a ransom for its return. Ransomware can be devastating, leading to enormous financial losses and irreparable reputation damage.
  • Targeting missing patches. Many threat actors are actively searching for systems where organizations have failed to apply available security patches. Then, they exploit those unpatched vulnerabilities.

What Does Defense Against Hacking Look Like in 2023?

As hacking continues to evolve, so do the methods cybersecurity teams are deploying to combat those threats.

Here are some of the key trends in defense against hacking to be aware of in 2023:

Automation and AI

AI is being harnessed by cyber criminals more and more, but when used correctly, it can also be a powerful tool for defense. AI algorithms are excellent at analyzing huge datasets and making accurate predictions about when and where attacks will take place, giving security teams a valuable advantage.

According to research by IBM, companies that use AI and automation to defend against data breaches save an average of $3.05 million compared to those that don’t — a difference of 65.2%.

Secure Cloud Assets

As cloud assets and infrastructure become increasingly popular targets, companies will focus on defending in this area. Stricter security controls, greater enforcement of access requirements and better education and coordination between teams are all excellent places to start.

Make Cybersecurity a Priority

The past few years have seen a growing trend of organizations taking a much more focused approach to cybersecurity with company-wide education policies and growing cyber spending.

As we enter 2023 and beyond, companies look certain to continue along this path, emphasizing security responsibility for everyone in the organization, not just security teams.

The post What CISOs Should Know About Hacking in 2023 appeared first on Security Intelligence.

Who Will Be the Next National Cyber Director?

25 January 2023 at 09:00

After Congress approved his nomination in 2021, Chris Inglis served as the first-ever National Cyber Director for the White House. Now, he plans to retire. So who’s next?

As of this writing in January of 2023, there remains uncertainty around who will fill the role. However, the frontrunner is Kemba Walden, Acting Director of the National Cyber Director’s office. Walden is a former Microsoft executive who joined the National Cyber Director’s office in May. Before her appointment, Walden was the Deputy National Security Advisor for Cyber and Emerging Technology in the Biden Administration.

If not Walden, who else might take over from Inglis? The best answer is to look at the senior cybersecurity folks in the Biden administration who advise Biden directly.

A Group of Well-Qualified Successors

The national cybersecurity of the United States has been a priority for President Biden. To ensure that the most efficient protocols are being followed, the president has designated several senior members from his team to serve as direct advisors with specific responsibility for cybersecurity issues. These advisors bring extensive expertise in national security operations and risk management from multiple sectors. They played key roles in establishing national defenses, and are expert problem-solvers in the face of evolving threats. This highly specialized group provides the strength and stability needed to maintain national cybersecurity in a rapidly evolving threat landscape.

The key senior cybersecurity officials include the aforementioned Chris Inglis as the first National Cyber Director, Jen Easterly as the Director of the Cybersecurity and Infrastructure Security Agency (CISA), Alejandro Mayorkas as the Secretary of Homeland Security, Kemba Walden as the first Principal Deputy National Cyber Director, Neal Higgins as Deputy National Cyber Director for National Cybersecurity and Rob Knake as Deputy National Cyber Director for Budget and Policy.

A Promising Candidate

While everyone here plays a crucial role, Jen Easterly stands out based on her comprehensive cybersecurity background. Easterly is an internationally renowned cybersecurity expert, formerly serving as the Deputy Director of the United States Cybersecurity and Infrastructure Security Agency (CISA) and the Senior Advisor to the Under Secretary for National Protection and Programs Directorate at the Department of Homeland Security (DHS). Before joining CISA, she held management positions in both private industries and within the government. This included a four-year tenure with IBM Global Services as Senior Consulting Analyst.

Ms. Easterly’s expansive career has seen cybersecurity accomplishments in both the public and private sectors. Many of her notable successes occurred while working at CISA, initiating groundbreaking efforts to enhance information sharing among critical infrastructure sectors, as well as leading work that addressed cyber threats from foreign actors. She also spearheaded cybersecurity workforce development and led a collective effort to modernize Federal government organizations’ response to ever-increasing threats from malicious actors online.

Outside of her government service, Easterly was also instrumental in creating several successful commercial programs focused on protecting corporate IT assets through best practices such as risk assignment and attack surface reduction.

Initial Concerns Vanquished

Though many promising candidates have emerged for National Cyber Director, the role itself was not without contention. After the appointment of Chris Inglis, concerns arose that there were “too many cooks” in the federal cyber leadership kitchen. Additionally, there was uncertainty as to who would be the true “quarterback” taking over command of national cybersecurity going forward. While Inglis’ extended background in national security steered much of the discourse toward a sense of assurance, undertones still remained that he was just one man wielding undue power without a larger organization behind him for support.

Though uncertain at the time, these concerns have since dissolved. Inglis has proven himself more than capable of tackling national cybersecurity amid a coalition of national leaders and organizations.

The Role of National Cyber Director

The National Cyber Director has provided immense benefits to the public and private sectors over the past year and a half. The director essentially acts as a bridge between the two sectors, ensuring that national interests remain on top of government agendas while also fostering collaboration with industry stakeholders.

As National Cyber Director, Inglis developed national-level policies to protect organizations of all sizes from cyber threats and worked with government agencies to identify areas of need throughout the cybersecurity landscape. As a result, businesses could prioritize cybersecurity investments, know their threats better, remain at the cutting edge of technological innovation and adopt best practices — all in an effort to ensure national security.

IBM Security Intelligence reached out to the Office of the National Cyber Director (ONCD) about the role. They responded with the following statement:

“ONCD’s mission is to create a resilient, safe and equitable cyber space. We’re doing so by focusing on long-term strategic planning while executing on near-term tactics to mitigate existing vulnerabilities. Ultimately, we desire to seize the initiative back from the adversary and reimagine cyberspace with an affirmative vision consistent with our values.”

How ONCD Meets Its Goals

ONCD’s statement went on to elaborate on how it has tackled those objectives:

“Most notably, ONCD is leading the interagency drafting process for the Biden-Harris Administration’s National Cybersecurity Strategy, a process through which we’ve solicited input from over 300 stakeholders across industry, foreign governments, academia and the nonprofit sector. This exceptional level of collaboration is a recognition that the terrain in cyber space is principally privately owned, and public-private partnerships are paramount to addressing cybersecurity challenges successfully.

“We also initiated an ongoing series of topical executive fora. By using the unique convening power of the White House, we’re bringing together industry executives with Cabinet Secretaries and Deputies to share threat intelligence and drive collaboration at the highest levels possible. Among these was the National Cyber Workforce and Education Summit in July. At the Summit, ONCD announced the development of a National Cyber Workforce and Education Strategy. A resulting RFI received over 150 responses from a broad section of stakeholders. ONCD is reviewing those and working to publish the full strategy, incorporating many of those inputs, in the coming months.

“Finally, we worked aggressively with our colleagues across the interagency to bring enhanced security to the federal enterprise. This included overseeing the implementation of Executive Order 14028, deployment of Zero Trust Architecture, release of first-of-its-kind ‘Spring Guidance’ on cybersecurity budgeting and initiating a planning process for post-quantum encryption.”

Closing In On the Next National Cyber Director

This still leaves the identity of the next National Cyber Director in question. As the U.S. government bolsters its cyber defenses, replacing Inglis remains a priority. This influential role will develop and coordinate the nation’s cybersecurity strategy.

Asked about any insights as to plans once Chris Inglis retires, the ONCD states:

“With respect to Director Inglis’ retirement — he will retire sometime this year after five decades of public service. At that time, Principal Deputy Kemba Walden will become Acting National Cyber Director and continue to lead the organization with the same passion as she has as Deputy Principal.”

Whether it’s Walden, Easterly or another senior official, the country’s cybersecurity efforts appear to be in good hands.

The post Who Will Be the Next National Cyber Director? appeared first on Security Intelligence.

An IBM Hacker Breaks Down High-Profile Attacks

24 January 2023 at 06:00

On September 19, 2022, an 18-year-old cyberattacker known as “teapotuberhacker” (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website GTAForums.com. Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer’s worst nightmare.

In addition, the malicious actor claimed responsibility for a similar security breach affecting ride-sharing company Uber just a week prior. According to reports, they infiltrated the company’s Slack by tricking an employee into granting them access. Then, they spammed the employees with multi-factor authentication (MFA) push notifications until they gained access to internal systems, where they could browse the source code.

Incidents like the Rockstar and Uber hacks should serve as a warning to all CISOs. Proper security must consider the role info-hungry actors and audiences can play when dealing with sensitive information and intellectual property.

Stephanie Carruthers, Chief People Hacker for the X-Force Red team at IBM Security, broke down how the incident at Uber happened and what helps prevent these types of attacks.

“But We Have MFA”

First, Carruthers believes one potential and even likely scenario is the person targeted at Uber may have been a contractor. The hacker likely purchased stolen credentials belonging to this contractor on the dark web — as an initial step in their social engineering campaign. The attacker likely then used those credentials to log into one of Uber’s systems. However, Uber had multi-factor authentication (MFA) in place, and the attacker was asked to validate their identity multiple times.

According to reports, “TeaPot” contacted the target victim directly with a phone call, pretended to be IT, and asked them to approve the MFA requests. Once they did, the attacker logged in and could access different systems, including Slack and other sensitive areas.

“The key lesson here is that just because you have measures like MFA in place, it doesn’t mean you’re secure or that attacks can’t happen to you,” Carruthers said. “For a very long time, a lot of organizations were saying, ‘Oh, we have MFA, so we’re not worried.’ That’s not a good mindset, as demonstrated in this specific case.”

As part of her role with X-Force, Carruthers conducts social engineering assessments for organizations and has been using MFA bypass techniques in client engagements for several years. “That mindset of having a false sense of security is one of the things I think organizations still aren’t grasping because they think they have the tools in place so that it can’t happen to them.”

Social Engineering Tests Can Help Prevent These Types of Attacks

According to Carruthers, social engineering tests fall into two buckets: remote and onsite. She and her team look at phishing, voice phishing and smishing for remote tests. The onsite piece involves the X-Force team showing up in person and essentially breaking and entering a client’s network. During the testing, the X-Force teams attempt to coerce employees into giving them information that would allow them to breach systems — and take note of those who try to stop them and those who do not.

The team’s remote test focuses on an increasingly popular method: layering the methods together almost like an attack chain. Instead of only conducting a phishing campaign, this adds another step to the mix.

“What we’ll do, just like you saw in this Uber attack, is follow up on the phish with phone calls,” Carruthers said. “Targets will tell us the phish sounded suspicious but then thank us for calling because we have a friendly voice. And they’ll actually comply with what that phishing email requested. But it’s interesting to see attackers starting to layer on social engineering approaches rather than just hoping one of their phishing emails works.”

She explained that the team’s odds of success go up threefold when following up with a phone call. According to IBM’s 2022 X-Force Threat Intelligence Index, the click rate for the average targeted phishing campaign was 17.8%. Targeted phishing campaigns that added phone calls (vishing, or voice phishing) were three times more effective, netting a click from 53.2% of victims.

What Is OSINT — and How It Helps Attackers Succeed

For bad actors, the more intelligence they have on their target, the better. Attackers typically gather intelligence by scraping data readily available from public sources, called open source intelligence (OSINT). Thanks to social media and publicly-documented online activities, attackers can easily profile an organization or employee.

Carruthers says she’s spending more time today doing OSINT than ever before. “Actively getting info on a company is so important because that gives us all of the bits and pieces to build that campaign that’s going to be realistic to our targets,” she said. “We often look for people who have access to more sensitive information, and I wouldn’t be surprised if that person (in the Uber hack) was picked because of the access they had.”

For Carruthers, it’s critical to understand what information is out there about employees and organizations. “That digital footprint could be leveraged against them,” she said. “I can’t tell you how many times clients come back to us saying they couldn’t believe we found all these things. A little piece of information that seems harmless could be the cherry on top of our campaign that makes it look much more realistic.”

Tangible Hack Prevention Strategies

While multi-factor authentication can be bypassed, it is still a critical security tool. However, Carruthers suggests that organizations consider deploying a physical device like a FIDO2 token. This option shouldn’t be too difficult to manage for small to medium-sized businesses.

“Next, I recommend using password managers with long, complex master passwords so they can’t be guessed or cracked or anything like that,” she said. “Those are some of the best practices for applications like Slack.”

Of course, no hacking prevention strategies that address social engineering would be complete without security awareness. Carruthers advises organizations to be aware of attacks out in the wild and be ready to address them. “Companies need to actually go through and review what’s included in their current training, and whether it’s addressing the realistic attacks happening today against their organization,” she said.

For example, the training may teach employees not to give their passwords to anyone over the phone. But when an attacker calls, they may not ask for your password. Instead, they may ask you to log in to a website that they control. Organizations will want to ensure their training is always fresh and interactive and that employees stay engaged.

The final piece of advice from Carruthers is for companies to refrain from relying too heavily on security tools. “It’s so easy to say that you can purchase a certain security tool and that you’ll never have to worry about being phished again,” she said.

The key takeaways here are:

  • Incorporate physical devices into MFA. This builds a significant roadblock for attackers.
  • Try to minimize your digital footprint. Avoid oversharing in public forums like social media.
  • Use password managers. This way, employees only need to remember one password.
  • Bolster security awareness programs with particular focus on social engineering threats. Far too often, security awareness misses this key element.
  • Don’t rely too heavily on security tools. They can only take your security posture so far.

Finally, it’s important to reiterate what Carruthers and the X-Force team continue to prove with their social engineering tests: a false sense of security is counterproductive to preventing attacks. A more effective strategy combines quality security practices with awareness, adaptability and vigilance.

Learn more about X-Force Red penetration testing services here. To schedule a no-cost consult with X-Force, click here.

The post An IBM Hacker Breaks Down High-Profile Attacks appeared first on Security Intelligence.

How Much is the U.S. Investing in Cyber (And is it Enough)?

20 January 2023 at 09:00

It’s no secret that cyberattacks in the U.S. are increasing in frequency and sophistication. Since cyber crime impacts millions of businesses and individuals, many look to the government to see what it’s doing to anticipate, prevent and deal with these crimes.

To gain perspective on what’s happening in this area, the U.S. government’s budget and spending plans for cyber is a great place to start. This article will explore how much the government is spending, where that money is going and how its budget compares to previous years.

How Much is the U.S. Spending on Cybersecurity, and Where is the Money Going?

In June 2022, the U.S. announced new spending bills for the fiscal year 2023, including an allocation of $15.6 billion for cybersecurity. The majority of the money — $11.2 billion — will be appropriated for the Department of Defense (DoD), and $2.9 billion will go to the Cybersecurity and Infrastructure Security Agency (CISA).

The money going to the DoD will be used in a variety of ways. For example, Paul Nakasone, commander of the U.S. Cyber Command, has discussed plans to grow five Cyber Mission Force teams. Approximately 133 of these already exist and focus on carrying out defensive cyber operations.

How Involved is the Private Sector in the Allocation of Funds?

Clearly, the majority of funds in the new budget will go to government agencies. However, the government also plans to invest in the private sector and has discussed the importance of strengthening relationships with companies and private organizations.

One key area here is information sharing; after all, cybersecurity is a team sport. However, the government has faced criticism in the past for expecting detailed data from companies while failing to provide adequate information on their end. Recently, government agencies have spoken more about working towards more open and two-sided information sharing, but only time will tell how successful that strategy will be.

U.S. lawmakers have asked the defense secretary to work more closely with CISA and the private organizations within it, especially in areas related to Russian and Chinese activity. CISA has also received $417 million more in funding than was initially requested by the White House.

How do Current Federal Investments in Cyber Compare to Previous Years?

Compared to the previous few years, investment in cybersecurity is gradually increasing. 2021 saw $8.64 billion in spending, followed by a slight increase in 2022.

It’s a positive trend that signals the government is taking the issue seriously. But are state and local governments keeping up?

How is Cyber Investment Changing at the Local and State Levels?

The data shows that the government is also investing in cybersecurity in non-financial capacities at the local and state level. In 2021, for instance, state legislative sessions saw more than 285 pieces of cybersecurity-related legislation introduced, and in 2022 that number increased to 300.

In addition, President Biden introduced the Infrastructure Investment and Jobs Act in 2021, which allocated $1 billion in grants to bolster cybersecurity at the local, state, tribal and territorial levels. The government will distribute this amount over four years until 2025.

It adds up to a promising development for local and state governments, who are finally gaining the resources to protect their communities more effectively. Plus, it demonstrates a growing understanding of the importance of cybersecurity at the federal level and, hopefully, a more informed approach in the future.

Promising Signs for the Future

While cybersecurity funding is one truly positive sign, there are more reasons to be hopeful — such as the appointment of the USA’s first-ever National Cyber Director, Chris Inglis.

Looking to the future, the U.S. will need to constantly readjust its cyber defense posture and adapt to this ever-changing landscape, especially as cyber crime becomes not only more common but also more challenging and complex. It costs money to do that effectively, so the government must prioritize cyber funding for the foreseeable future.

Of course, individual organizations will need to take responsibility for their own security, too.

IBM can help — with solutions like the Security QRadar XDR, you get a suite of tools and powerful features to help you defend your organization against attacks and keep your teams focused on what’s important. Find out more here.

The post How Much is the U.S. Investing in Cyber (And is it Enough)? appeared first on Security Intelligence.
