Mandiant’s insights on the year ahead have previously been referred to as “predictions.” However, the company’s thoughts about the cyber security landscape in the coming year are always based on the trends the world is already seeing. This report is filled with forward-looking forecasting thoughts from several of Mandiant’s brightest minds, including Sandra Joyce, Head of Global Intelligence, and Charles Carmakal, Consulting CTO, as well as Phil Venables, CISO for Google Cloud. Threats evolve, attackers constantly change their tactics, techniques and procedures, and defenders must adapt and stay relentless if they want to keep up. This Forecast aims to help the cyber security industry frame its fight against cyber adversaries in 2023.
- More Attacks by Non-Organized Attackers and Non-Nation State Attackers
In 2023 Mandiant forecasts more intrusions conducted by non-organized attackers and non-nation state attackers. More of the threat actors operating out of North America and Europe will likely be younger, conducting intrusion operations not because they are specifically interested in making money, or because governments have tasked them with doing it, but because they want to brag to their friends or boast online that they have hacked into and embarrassed prominent organizations. While they will be happy to achieve financial gain, that may not necessarily be their lead motivation.
- More Extortion, Less Ransomware
Historically, cyber criminals have used ransomware to monetize access into a victim’s network. Due to several high-profile and visible breaches last year, organizations see mitigating brand damage as a much more compelling reason to pay a ransom than regaining access to encrypted systems. The trend suggests that over the next year criminals will continue to rely on extortion, while actual ransomware deployments may decline. Ransomware-as-a-service (RaaS) providers will modernize their software to focus on data exfiltration and “leak sites” for public shaming.
- Information Operations (IO) Will Rely More on Third Party Organizations for Plausible Deniability
Historically, IO has been politically motivated and state sponsored, as observed in the 2016 U.S. elections. Since then, state actors have increasingly outsourced IO work. This could be a growing trend in 2023 as “hack-for-hire” engagements become more common. In 2019, OSINT researchers observed a pro-Indonesian IO social media campaign conducted by Jakarta-based media company InsightID. This campaign was aimed at distorting the truth about events in the restive Indonesian province of Papua. Supporting this observation, Meta testified in mid-2021 about an increase in the hiring of marketing or public relations firms for IO campaigns—lowering the barrier of entry for some threat actors and obfuscating the identities of more sophisticated ones.
- Enterprises Will Lean into Password-less Authentication
Corporate credential theft continues to be one of the top ways cyber criminals gain access to victims. Furthermore, in 2022 there were several examples of attackers finding ways to circumvent multi-factor authentication technologies. Apple, Google and Microsoft have committed to consumer-focused password-less authentication based on standards from the FIDO Alliance and the World Wide Web Consortium. The initial rollout of these technologies will focus on consumer-grade password-less capabilities, but CISOs will demand that enterprise identity platforms extend password-less concepts to the enterprise market. Over the next year, organizations should look for enterprise-focused password-less solutions.
- Identity First, Identity Lost
Threat actors have shifted from gaining control of an endpoint to gaining access to a user’s credentials and account. A user’s identity within an organization has become more critical than access to the user’s endpoint. Over the next year, threat actors will find new ways to steal identities from users using a combination of social engineering, commodity information stealers and information gathering from internal data sources post-compromise. They will combine stolen credentials with new techniques to bypass multifactor authentication (MFA) and abuse Identity and Access Management (IAM) systems.
- Attackers Will Read More Security Research to Learn Offensive and Defensive Tactics
A trend observed in 2022 is expected to increase: Threat actors will continue to study the blogs and research of analysts in the security community to learn offensive tactics and techniques, defensive strategies and how to exploit vulnerabilities. They may discover clever ways to break into organizations, or perhaps learn techniques that were written about in a security post two or three years ago, but that haven’t really been used in the wild. Mandiant has already observed threat actors reading security blogs from defenders to learn ways they could be detected.
- Cyber Insurance Will Be Harder to Obtain and Coverage May Be Restricted
More enterprises have relied on cyber insurance to cover their cyber risks over the years as management has become more aware of cyber security risks. However, claims have also skyrocketed, forcing insurance firms to reevaluate their risk appetite and scale back coverage accordingly. Many firms attempting to renew their cyber insurance—or fresh in the market for cyber insurance—may find difficulty obtaining the coverage they desire.
- When the Real World Meets the Virtual World
SMS attacks, email attacks and application redirection attacks have already been observed and encountered. Now a new model is emerging—an approach that consists of deceiving victims in the real world. For example, in 2022 there was a campaign in which victims received a receipt for the delivery of packages in their physical mailboxes. The receipt included a QR code directing them to a site that harvested identity and credit card details. In 2023, more schemes like this are expected, where the attacker uses everyday physical media to deceive victims. Fake advertisements, fake USB keys, fake receipts—the possibilities for attackers are endless. Educating employees and the public is the best defense against these types of threats.
Ransomware has been a staple of Mandiant reports for several years. While it is well-established as part of many threat actors’ toolkits, data shows more of a drop in U.S. incidents and a rise in European incidents. While entities in European regions need to stay especially vigilant, organizations around the world need to be ready for increased attempts at extortion. Extortion actors will stop at nothing to achieve their goals, even using physical devices and less common types of social engineering.
2023 is also expected to bring an increase in the number of attackers motivated simply by bragging rights. These actors are often younger and not tied to a nation state or organized group. However, there could still be nation-state activity.
The road to stronger cyber defenses has never been simple, especially for security professionals. Organizations have a lot to keep in mind for 2023 when it comes to cyber security.