What your SOC will be facing in 2023

As the role of cybersecurity in large businesses increases remarkably year over year, the importance of Security Operations Centers (SOCs) is becoming paramount. This year’s Kaspersky Security Bulletin ends with tailored predictions for SOCs – from external and internal points of view. The first part of this report is devoted to the most current threats any SOC is likely to face in 2023. Based on our extensive Managed Detection and Response (MDR) experience and the dynamics we have seen over the years, we provide insights into the trends set to shape the threat landscape for enterprises this year. The second part is devoted to SOC trends from an internal point of view. Here we analyze challenges that managers will face regarding personnel, budgets and functions. They are closely intertwined with the threats looming over corporations in 2023, as only an effectively organized team can safeguard business against rapidly evolving malware and attack methods.

Part 1. What threats security operations centers will face in 2023

Ransomware will increasingly destroy data instead of encrypting it

Cyberspace reflects the global agenda, and geopolitical turbulence influences the attack surface. That’s why in 2023 we can expect the echoes of cyberwarfare to continue reverberating. The most common attack scenarios here are: attacks on employees (social engineering), attacks on IT infrastructure (DDoS), as well as attacks on critical infrastructure. Another interesting trend that started in 2022 and will continue in 2023 is that ransomware now not only encrypts companies’ data, but destroys it in certain cases. This threat looms large over organizations that are subject to politically motivated attacks, which look destined to be on the rise in the coming year.

Public-facing applications will continue to be exploited for initial access

Largely due to some notorious critical vulnerabilities in Exchange, in 2021 and 2022 we observed significant growth in successful initial compromise through the network perimeter, with the share of this type of initial access doubling in 2022 against 2021. Penetration from the perimeter requires less preparation than phishing, and rather old vulnerabilities are still exposed; we expect this tendency to continue in 2023.

Share of exploits in public applications, dynamics in 2021–2022, worldwide statistics (download)

More supply chain attacks via telecom

From year to year here at Kasperksy SOC we observe the interest of attackers for IT and telecom companies. According to the Kaspersky MDR report, in 2021 the telecom industry for the first time saw a prevalence of high severity incidents over medium and low in terms of expected number: on average 79 incidents per 10k systems monitored versus 42 incidents of medium severity and 28 of low severity (see this report for more details). In 2022 we continued to observe cybercriminal interest in telecom companies, although the share of high severity incidents was lower (roughly 12 per 10k computers versus 60 of medium and 22 of low severity). We encountered scenarios in which intruders attacked telecom companies in order to further target their customers. In 2023 we expect an increase in the number of supply chain attacks via telecom providers, which usually offer additional managed services.

Number of incidents in telecom companies per 10K systems in 2021 and 2022, worldwide statistics (download)

More reoccurring targeted attacks by state-sponsored actors

Kaspersky has provided MDR since 2016. During this time, we have observed targeted attacks (TA) across various industries – from automotive to government. Many of them are threatened by targeted attacks, especially large businesses and non-profits. Note that in cases with no signs of live targeted attacks, we still were able to find artefacts from previous targeted attacks.

It means there is a looming threat of reoccurring attacks in 2023: if a company was compromised once, with the attack successfully remediated, attackers are highly likely to try hacking this organization again. After an unsuccessful attack this organization is most likely to be attacked again, as it is a long-term goal of threat actors. This is especially noticeable in government organizations, which tend to get attacked by state-sponsored actors.

Number of incidents in government organizations per 10K systems in 2021 and 2022, worldwide statistics (download)

International conflicts are traditionally accompanied by information warfare where mass media inevitably play an important role. In recent years we have observed steady growth in attacks on this sector, and statistics for 2022 support this trend, with mass media one of the prime targets for attackers, along with government organizations.

Number of incidents in mass media companies per 10K systems in 2021 and 2022, worldwide statistics (download)

In 2023, these two sectors will most likely remain among the most frequently attacked, with the share of high severity incidents probably increasing.

To effectively guard against targeted attacks, it is necessary to implement active threat hunting in combination with MDR.

Part 2. What challenges will SOCs face internally: processes and efficiency

SOCs will be forced to raise requirements, while experiencing staff shortages

Looking at the internal challenges, we first need to consider human resources issues. The future of SOC development lies in intensive, not extensive, growth, meaning the value every team member (even unskilled ones) brings to SOC is increasing. Developing the skills of the SOC team is a proven way to counter the increasing amount of threats every SOC will be facing in 2023. That means incident response training, and all forms of SOC exercises, such as TTX, purple teaming, and adversary attack simulations, should be a significant part of 2023 SOC strategy. This gives SOC a goal: to enhance the SOC team, architecture, and operations for better performance. In the case of a mature SOC, it is just a question of time; in others, usually lack of experience and vision in terms of SOC development can be an issue. Commonly, the second case can be solved with a SOC review by external experts, who can identify gaps with fresh eyes to avoid the bias that prevents the internal team from seeing the bigger picture from the outside.

Another trend is related to the lack of skilled and experienced personnel that will continue to be present in 2023: the need for well-defined SOC processes. Therefore we predict an increasing role for SOC process development and related services.

Bigger budgets alongside efficiency as the cornerstone of SOC processes

The growing threat landscape is pushing cybersecurity and SOC budgets skywards. This trend will focus attention on budget spending, prompting “Why? What was the effect? What value does it bring?”- type questions for SOC managers.

With a mature approach, this circumstance should lead SOCs to implement “SOC efficiency management.” As part of this practice, companies will evaluate breach costs and map them to SOC performance in reducing such losses. Combined with analysis of prevented incidents, this can allow SOCs to evaluate the value they bring in monetary terms. But prior to implementing this approach, SOCs will need to deploy efficient metrics and their analysis, as well as established SOC governance processes.

Building full-scale threat intelligence and threat hunting

The growth of cyberattacks and threats will transform into high demand to predict attacks and attacker techniques, thus increasing the value of cyberthreat intelligence (CTI). From what we have observed so far in our daily practice, many SOCs’ CTI activities boil down to managing IOC feeds. This approach is ineffective against zero-day and APT attacks. Current trends already have shifted to establish full-scale CTI capabilities within companies, and in most SOCs have a dedicated CTI unit. That trend will grow and mature in 2023.

Cases of successful attacks being left unwatched for a long time are still common – and will be in 2023 due to the continuous growth of targeted attacks. And the Assume Breach Paradigm will stay with us in 2023 as well, which means that threat hunting has a good chance of becoming a trend.

So, we believe that threat hunting will form a vital part of any SOC development strategy. Although current thinking places it at the bottom of the list of must-have SOC technologies, in most cases this can be explained by poor understanding of how to conduct threat hunting or chaotic approach to delivery. But since threat hunting is part of SOC detection capabilities, which will be challenged by evolving threats, more companies will consider conducting threat hunting on a regular basis with clear goals and an understanding of how to reach them continuously.

These are our predictions for SOC specialists for 2023. Watch this space in 12 months’ time to see which of them came true.