The nature of cyberattacks is changing fast. Generative AI, cloud complexity and geopolitical tensions are among the latest weapons and facilitators in attackers’ arsenals. Three-quarters (74%) of security decision-makers say their organizations’ sensitive data was “potentially compromised or breached in the past 12 months” alone. That’s a sobering cybersecurity baseline for any CISO to consider.
With attackers quickly weaponizing generative AI, finding new ways to compromise cloud complexity and exploiting geopolitical tensions to launch more sophisticated attacks, it will get worse before it gets better.
Forrester’s Top Cybersecurity Threats in 2023 report (client access reqd.) provides a stark warning about the top cybersecurity threats this year, along with prescriptive advice to CISOs and their teams on countering them. By weaponizing generative AI and using ChatGPT, attackers are fine-tuning their ransomware and social engineering techniques.
Two fronts of the global threatscape
CISOs are under pressure to deal with long-established threats, and at the same time find themselves unprepared to thwart emerging ones. Ransomware and social engineering through business email compromise (BEC) are the longstanding threats CISOs have concentrated on defending against for years. Yet while security teams have invested millions of dollars in strengthening their tech stacks, endpoints and identity management systems to battle ransomware, breaches continue to grow.
For one thing, as they look for new ways to increase the size and speed of ransomware payouts, attackers are making supply chains, healthcare providers and hospitals prime targets. Any target that delivers time-sensitive services and can’t afford to be down for long is a source for larger ransomware payouts, as these businesses need to get back online immediately.
Forrester’s predictions and survey results also show why a greater percentage of breaches will remain unreported as newer threats advance: CISOs and enterprises won’t want to admit they were unprepared. Twelve percent of security and risk professionals say they experienced between six and more than 25 breaches in the past 12 months. The breaches represented in this report derive from BEC, social engineering attacks and ransomware. New, more damaging attack strategies that seek to defeat AI-based defenses are coming.
Perimeter-based legacy systems not designed with an AI-based upgrade path are the most vulnerable. With a new wave of cyberattacks coming that seek to capitalize on any given business’ weakest links, including complex cloud configurations, the gap between reported and actual breaches will grow.
With the new wave of threats, Forrester anticipates more lethal attacks, as threat actors scale up their expertise in AI to defeat the newest generation of cybersecurity defenses. VentureBeat has learned this is already happening, with the unsecured gaps between endpoints and identity protection being a weak link attackers focus on.
CrowdStrike president Michael Sentonas told VentureBeat in a recent interview that the need to close the gaps between endpoint protection and identity protection is “one of the biggest challenges people want to deal with today. The hacking exposé session that George and I did at RSA was to show some of the challenges with identity and the complexity and why we connected the endpoint with identity [and] with the data the user is accessing. That’s the critical problem. And if you can solve that, it’s tough, but if you can, you solve a big part of an organization’s cyber problem.”
Real threats to AI deployments emerge
Using generative AI, ChatGPT and the large language models supporting them, attackers can scale attacks at levels of speed and complexity not possible before. Forrester predicts use cases will continue to proliferate, limited only by attackers’ creativity.
One early use case is a technique of poisoning data to cause algorithmic drift, which reduces the detection efficacy of email security or the revenue potential of ecommerce recommendation engines. What had once been a niche topic is now one of the most urgent threats to anticipate and counter. Forrester notes that while many organizations don’t face an immediate risk of this threat, it’s essential to understand which security vendors can defend against an attack on AI models and algorithms. Forrester recommends in the report that “if you need to protect your firm’s AI deployments, consider vendors like HiddenLayer, CalypsoAI and Robust Intelligence.”
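The data-poisoning use case above is easier to reason about with a concrete, measurable instance. The following is an added illustration, not code from the Forrester report or from any vendor it names: a toy multinomial naive Bayes mail filter trained on a constructed corpus, then retrained after an attacker slips BEC-style messages into the training set labelled as legitimate (the kind of thing an abused “not spam” feedback loop makes possible). The corpus, the poison messages and the held-out test set are all constructed for this example; the drop in detection rate is what “algorithmic drift” looks like from the defender’s side.

```python
import math
from collections import Counter

# Constructed training corpus for a toy mail filter (not real mail).
CLEAN_TRAIN = [
    ("ham", "team lunch moved to thursday see calendar"),
    ("ham", "attached the quarterly report for review"),
    ("ham", "can you approve my vacation request"),
    ("ham", "meeting notes from the design review"),
    ("ham", "reminder the office closes early friday"),
    ("ham", "thanks for the update on the project timeline"),
    ("spam", "urgent wire transfer needed today confirm bank account"),
    ("spam", "update your payment details immediately to avoid suspension"),
    ("spam", "ceo request please purchase gift cards urgently"),
    ("spam", "invoice overdue pay now via this link bank transfer"),
    ("spam", "your account is locked verify password now"),
    ("spam", "final notice wire payment required today"),
]

# Held-out BEC-style messages the filter should keep catching (constructed).
HELD_OUT_SPAM = [
    "urgent please confirm wire transfer to new bank account today",
    "payment details changed update invoice immediately",
    "verify your account password now to avoid suspension",
    "ceo needs gift cards purchased urgently reply asap",
    "overdue invoice pay via bank transfer link now",
]

# Poison: attacker-crafted messages dense in BEC vocabulary that enter the
# training set labelled "ham" (e.g. through an abused "not spam" feedback loop).
POISON = [("ham", t) for t in [
    "urgent wire transfer confirm bank account today",
    "update payment details invoice immediately",
    "ceo request gift cards urgently",
    "verify account password now",
    "wire payment required today final notice",
    "bank transfer link pay now",
    "urgent invoice payment today bank transfer",
    "confirm new bank account wire transfer",
    "gift cards purchase urgently ceo",
    "account password verify suspension",
    "pay overdue invoice now link",
    "urgent payment details update today",
]]


def train(corpus):
    """Multinomial naive Bayes: per-class token counts, document counts, vocabulary."""
    counts = {"ham": Counter(), "spam": Counter()}
    docs = Counter()
    for label, text in corpus:
        docs[label] += 1
        counts[label].update(text.split())
    vocab = set(counts["ham"]) | set(counts["spam"])
    return counts, docs, vocab


def classify(model, text):
    """Return the class with the higher log posterior under Laplace smoothing."""
    counts, docs, vocab = model
    total = sum(docs.values())
    scores = {}
    for label in ("ham", "spam"):
        logp = math.log(docs[label] / total)              # class prior
        denom = sum(counts[label].values()) + len(vocab)   # add-one smoothing
        for tok in text.split():
            logp += math.log((counts[label][tok] + 1) / denom)
        scores[label] = logp
    return "spam" if scores["spam"] > scores["ham"] else "ham"


def detection_rate(model, spam_samples):
    """Fraction of known-spam samples the model still flags as spam."""
    caught = sum(1 for s in spam_samples if classify(model, s) == "spam")
    return caught / len(spam_samples)


def run_experiment():
    """Return (detection rate before poisoning, detection rate after)."""
    before = detection_rate(train(CLEAN_TRAIN), HELD_OUT_SPAM)
    after = detection_rate(train(CLEAN_TRAIN + POISON), HELD_OUT_SPAM)
    return before, after


if __name__ == "__main__":
    b, a = run_experiment()
    print(f"held-out spam caught: {b:.0%} before poisoning, {a:.0%} after")
```

The attacker never touches the model or its code; it only needs write access to the labelled data the model retrains on. The practical check this suggests is to monitor the label stream, not just the model’s output: a burst of “legitimate” feedback on messages the current model scores as high-confidence spam is the drift signal, and a retraining pipeline that accepts such labels without quarantine or human review is the vulnerable component.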
Cloud computing complexity is increasing
Cloud services are used by 94% of enterprises, and 75% say security is a top concern. A full two-thirds of companies have cloud infrastructures. Gartner estimated last year that the cloud shift will affect more than $1.3 trillion in enterprise IT spending this year and almost $1.8 trillion in 2025: 51% of IT spending in the affected categories will have moved to the public cloud by 2025, up from 41% in 2022, and cloud technologies will account for 65.9% of application software spending in 2025, up from 57.7% in 2022.
These predictions amplify how the increasingly complex nature of cloud computing and storage infrastructure poses significant security risks. Forrester notes that insecure IaaS infrastructure configurations, malwareless attacks and privilege escalation, and configuration drift are a few of the many threat surfaces CISOs and their teams need to be aware of and harden.
The report recommends that enterprises build resilient, robust cloud governance, and use security tools such as the native security capabilities of IaaS platforms, cloud security posture management, and SaaS security posture management to detect and remediate threats and breach attempts.
Forrester writes in the report that “infrastructure as code (IaC) scanning is also gaining momentum to detect misconfiguration (e.g., unencrypted storage bucket or weak-password policies) in terraform, helm and Kubernetes manifest files by integrating IaC security (e.g., Checkmarx’s KICS and Palo Alto Networks’ Bridgecrew) into the continuous improvement/continuous deployment pipeline or even earlier during coding in the integrated developer environment.”
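To make the IaC-scanning idea concrete, here is an added example of the kind of check such a scanner performs; it is not code from KICS, Bridgecrew or the Forrester report. It reads a Terraform configuration in Terraform’s JSON syntax (the `.tf.json` form, which a tool would otherwise obtain from `terraform show -json` or an HCL parser) and flags exactly the two misconfigurations the quote mentions: an `aws_s3_bucket` with no `aws_s3_bucket_server_side_encryption_configuration` pointing at it, and an `aws_iam_account_password_policy` below an assumed 14-character minimum or missing a complexity flag. The sample document and the 14-character baseline are constructed for the example.

```python
import json
import re

# Assumed baseline; substitute whatever your password standard mandates.
MIN_PASSWORD_LENGTH = 14
REQUIRED_POLICY_FLAGS = (
    "require_uppercase_characters",
    "require_lowercase_characters",
    "require_numbers",
    "require_symbols",
)

# Constructed Terraform JSON: two buckets, only one of which has an encryption
# configuration resource, plus a weak account password policy.
SAMPLE_TF_JSON = """
{
  "resource": {
    "aws_s3_bucket": {
      "logs":    {"bucket": "acme-logs"},
      "backups": {"bucket": "acme-backups"}
    },
    "aws_s3_bucket_server_side_encryption_configuration": {
      "logs": {
        "bucket": "${aws_s3_bucket.logs.id}",
        "rule": [{"apply_server_side_encryption_by_default":
                  [{"sse_algorithm": "aws:kms"}]}]
      }
    },
    "aws_iam_account_password_policy": {
      "strict": {"minimum_password_length": 8, "require_symbols": false}
    }
  }
}
"""


def _resources(doc, rtype):
    """All resource blocks of one type, keyed by their Terraform label."""
    return doc.get("resource", {}).get(rtype, {})


def encrypted_bucket_labels(doc):
    """Labels of aws_s3_bucket resources that some encryption configuration references."""
    labels = set()
    for cfg in _resources(doc, "aws_s3_bucket_server_side_encryption_configuration").values():
        ref = str(cfg.get("bucket", ""))
        m = re.search(r"aws_s3_bucket\.([A-Za-z0-9_-]+)", ref)  # "${aws_s3_bucket.logs.id}"
        if m:
            labels.add(m.group(1))
            continue
        # Literal bucket name instead of a reference: map it back to a label.
        for label, bucket in _resources(doc, "aws_s3_bucket").items():
            if bucket.get("bucket") == ref:
                labels.add(label)
    return labels


def scan(doc):
    """Return one finding string per misconfiguration in the parsed document."""
    findings = []
    encrypted = encrypted_bucket_labels(doc)
    for label in _resources(doc, "aws_s3_bucket"):
        if label not in encrypted:
            findings.append(f"aws_s3_bucket.{label}: no server-side encryption configuration")
    for label, pol in _resources(doc, "aws_iam_account_password_policy").items():
        length = pol.get("minimum_password_length", 0)
        if length < MIN_PASSWORD_LENGTH:
            findings.append(f"aws_iam_account_password_policy.{label}: "
                            f"minimum_password_length {length} < {MIN_PASSWORD_LENGTH}")
        for flag in REQUIRED_POLICY_FLAGS:
            if not pol.get(flag, False):
                findings.append(f"aws_iam_account_password_policy.{label}: {flag} not enabled")
    return findings


def scan_text(text):
    """Convenience wrapper: scan a Terraform JSON document given as a string."""
    return scan(json.loads(text))


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_TF_JSON):
        print(finding)
```

Two design points carry over to real scanners. First, the bucket check is a relationship check across resources, not a property of one block, which is why per-file linting is weaker than scanning the whole configuration. Second, the policy flags default to unset: an absent `require_symbols` is treated as a finding, because in IaC the omitted attribute usually means the provider default, and the default is rarely the hardened setting.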
Geopolitical threats loom large
Forrester cites Russia’s invasion of Ukraine and its relentless cyberattacks on Ukrainian infrastructure as examples of geopolitical cyberattacks with immediate global implications. Forrester advises that nation-state actors will continue to use cyberattacks on private companies for geopolitical purposes like espionage, negotiation leverage, resource control and intellectual property theft to gain technological superiority.
Forrester points to the ongoing diplomatic and trade tensions between China and the U.S. as a flashpoint that could increase attacks on enterprises. The report cites how, in late 2022, the U.S. restricted exports of advanced semiconductors to China and imports of Chinese communications equipment, and how China sanctioned U.S. defense contractors in early 2023. Russia faces European trade bans and export controls. These conflicts may spill over onto private companies. North Korea’s theft of $741 million in cryptocurrency from Japan is another example of how geopolitically motivated actors can inflict large financial losses on a target country.
Ransomware continues to batter organizations
According to Forrester, ransomware remains a top cyber-threat, with attackers demanding double extortion to prevent data disclosure. Attackers also demand ransom from breached enterprises’ customers to keep their data private, further damaging an enterprise’s reputation and trust.
Forrester is seeing ransomware attacks that target critical infrastructure and supply chains, where delays can cost millions of dollars. Attackers know that if they can disrupt a supply chain, their demands for higher ransomware payouts will be quickly met by enterprises that can’t afford to be down for long.
Most troubling is Forrester’s finding that between 2016 and 2021, hospital ransomware attacks doubled, endangering lives. Ransomware is a common tactic North Korea uses to fund its espionage and missile development programs.
In response, over 30 nations formed the Counter Ransomware Initiative (CRI) in October 2021 to fight global ransomware. Australia is leading the International Counter Ransomware Task Force (ICRTF) to tackle ransomware as part of the CRI strategy. Forrester recommends that enterprises too “equally prioritize ransomware defense and subscribe to external threat intelligence service providers with targeted ransomware intelligence like CrowdStrike or Mandiant.”
The report also reminds security and risk management teams at critical infrastructure companies that they must be prepared to report cyber-incidents within 72 hours and ransom payments within 24 hours to CISA, per the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Those obligations take effect once CISA’s implementing rule is final, so the reporting workflow, contacts and evidence handling should be in place before then.
BEC social engineering tops ransomware in insurance claims
The FBI’s Internet Crime Complaint Center (IC3) reported $2.4 billion in BEC social engineering losses to businesses in 2021. Fraudulent funds transfer claims from BEC attacks topped all types of claims in 2022, overtaking ransomware attacks. BEC social engineering attacks take advantage of human error: for example, phishing to steal credentials, then misusing the compromised accounts to redirect payments.
Forrester notes that BEC social engineering campaigns are moving into a new phase, seeking to combine multiple communication channels to convince victims to take action. Some campaigns put a CAPTCHA in front of the phishing page to look more legitimate (and to keep automated scanners from reaching it). The report advises that it’s not enough to adopt Domain-based Message Authentication, Reporting and Conformance (DMARC) for email authentication: DMARC only tells receivers what to do with mail that fails SPF or DKIM checks for your own domain, so it does nothing against an attacker-registered lookalike domain or a compromised legitimate account. Enterprises should take a data-driven approach to behavior change to measure progress, and course-correct with additional training and technologies to reduce the risk of socially-engineered attacks succeeding.
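The two concrete checks a practitioner would want behind the DMARC caveat above, as an added example that is not code from the Forrester report: first, parse a DMARC TXT record and grade it, since a record published with `p=none` monitors but does not enforce; second, test an inbound sender domain for being a lookalike of the organization’s own domain, which DMARC cannot catch because the attacker controls that domain and it passes its own checks. The sample records and domains are constructed, the homoglyph table is a small illustrative subset, and the edit-distance threshold of 1 is an assumption to tune per environment.

```python
import re

# Small illustrative subset of confusable substitutions (ASCII digit/letter
# swaps, letter pairs, and Cyrillic look-alikes); real tables are far larger.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c", "\u0440": "p",
}
MAX_EDIT_DISTANCE = 1  # assumed threshold: one added, dropped or swapped character


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return findings that make the record weaker than an enforcing p=reject."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk rather than being rejected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer")
    if 0 < pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains are left unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")
    return findings


def normalize(domain):
    """Fold confusable glyph sequences to their plain-ASCII look-alikes."""
    domain = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        domain = domain.replace(glyph, plain)
    return domain


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain, legit_domain):
    """True if sender_domain impersonates legit_domain by homoglyphs or a 1-char edit."""
    if sender_domain.lower() == legit_domain.lower():
        return False  # the real domain; leave this to SPF/DKIM/DMARC
    s, l = normalize(sender_domain), normalize(legit_domain)
    return s == l or edit_distance(s, l) <= MAX_EDIT_DISTANCE


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@acme.com",
                "v=DMARC1; p=reject; rua=mailto:dmarc@acme.com"):
        print(rec, "->", assess_dmarc(rec) or ["enforcing"])
    for sender in ("acrne.com", "acme.c0m", "acme.co", "example.org"):
        print(sender, "lookalike of acme.com:", is_lookalike(sender, "acme.com"))
```

The lookalike check is deliberately crude; its point is that it runs on the sending domain of mail that has already passed DMARC, which is exactly the mail DMARC was never going to block. Pair it with display-name checks (an executive’s name on a mail from an external domain) and the metrics the report asks for, such as report-and-click rates from simulated phishing, so that progress is measured rather than assumed.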
Security teams need to prepare
Forrester’s latest report on cybersecurity threats is a stark warning to organizations worldwide to prepare for an era of new attack strategies. Attackers continue to refine their tradecraft to include new tactics for weaponizing generative AI, exploiting cloud complexity and leveraging geopolitical tensions to launch more sophisticated attacks.
While enterprises continue to fund cybersecurity budgets to contain BEC social engineering and ransomware attacks, they also need to start planning how to predict, identify and act on threats to their AI models and algorithms and the data they use. To improve threat intelligence, security teams must unify these diverse efforts to stop the next generation of cyberattacks.