2023 Offensive Security Resolutions from the Fox Den

‘Tis the season to think about New Year’s Resolutions and beneficial ways to level up our hacking skills in the coming year. As offensive security professionals, we have a particularly unique task (and great responsibility) of keeping pace with the myriad of ways that attack surfaces quickly morph to support emerging technologies.

We’ve made the rounds in the Fox Den to see what our consultants and Cosmos operators are adding to their hacker tool kits in 2023. Read the blog to see how we will invest our time in the upcoming year to stay ahead of advanced cyber threats.

Cloud Environments

Cloud environments are a resounding top contender to keep security tabs on, with Gartner recently forecasting that worldwide cloud spending will grow 20.7% to $591.8 billion in 2023. This is no surprise as cloud computing has completely transformed the world, allowing enterprises and consumers alike to reap the benefits of “as-a-service” applications that may otherwise be too complex or costly. With the onset of the COVID-19 pandemic significantly accelerating cloud adoption to support remote work forces, offensive security is needed more than ever to combat the detrimental threats facing cloud environments. Therefore, cloud security will continue to be a top priority skill set for our Foxes to focus on and expand upon in 2023.

“Everyone is putting some form of infrastructure in the cloud now, and I don't see that slowing down any time in the future.” - Jake Shafer, Security Consultant III, Consulting Managed Services

Cloud security is a big security topic with many different facets but rest assured that courses are plentiful if this is on your 2023 New Year’s resolution list. Check out this resource that offers free options to start learning. And if you are ready to get serious about cloud security and boost your resume, consider obtaining these certifications.

Artificial Intelligence & Automation

Anyone in the security industry knows that artificial intelligence (AI) and automation are two of the most frequently discussed topics these days. The rising prevalence of AI and automation means that digital attack surfaces are expanding and providing new opportunities to threat actors that didn’t exist before. As more industries begin to automate tasks in exchange for less reliance on human input or perhaps to increase environmental sustainability, the compromise is a larger digital footprint that requires protection and robust security controls.

On one hand, AI, automation, and machine learning (ML) are used heavily in a cybersecurity “good guy” capacity to analyze massive amounts of data moving through networks for anomaly detections indicating possible threat activity. Pen testers use tools powered by AI technology, like Eyeballer, to help assess large-scale, external perimeters. However, threat actors and cybercriminals have adopted AI technologies to their advantage as well. Some ways that AI is being used to evade defenders:

• Identifying weaknesses in security systems for exploitation
• Finding the tiny valuable data needle in a haystack of information and systems
• Developing large numbers of personalized phishing emails
• Business identity compromise attacks via deep-fakes

If you’ve been on LinkedIn anytime recently, you’ve likely noticed a deluge of chatter about ChatGPT by OpenAI. The accuracy of ChatGPT technology is a gold mine for threat actors. It can create phishing emails without typos and write code that is used as malware, for example, enabling even the most unsophisticated hackers to do potential harm. To learn more about ChatGPT capabilities, check out this episode of The Shared Security Show podcast, co-hosted by Tom Eston, AVP of Consulting at Bishop Fox.

The AI world is vast and if you are new to this topic, it may seem overwhelming to find a starting point. Take note of why you want to learn about AI and what you want to do with your knowledge to help choose the right online courses to get started. If you are looking to make your AI investment more official, check out these courses that provide certifications upon completion. Good luck!

Blockchain Technology

If you’ve looked at any security blogs forecasting 2023, you’ve most likely seen blockchain mentioned several times. Here’s why - blockchain is an influential technology that underpins increasingly diverse methods of global communication, transactions, and commerce activities. Most commonly known for its support of the cryptocurrency ecosystem, blockchain technology has expanded to drive emerging business in other sectors such as healthcare, real estate, smart contracts, and more.

Because blockchain ensures a tamper-proof ledger of the distributed transactions throughout the blocks, it is often used for high-risk transactions and exchanges; however, this also makes for high stakes opportunities for adversaries to steal massive amounts of money and sensitive information. Four of the most common cyberattacks against blockchain are:

• Phishing attacks

• Routing attacks
• Sybil attacks
• 51% attacks

If you (and your investments) are part of the blockchain world or joining is part of your 2023 New Year’s resolutions, here are a few words of advice from our expert offensive security practitioner, Dylan Dubief:

• Be a control freak. For developers, audit your entire ecosystem, share audit reports to get an outside perspective, and correct vulnerabilities before launching a project. For users, check the security strategy of projects you are interested in before it is too late, and your money is long gone.

• Don’t trust anyone. A system that aligns security based soled on the possession of a private key is risky and compromise is likely inevitable at some point. Only you can make sure to limit the impact of your losses.
• Only invest what you can lose. Decentralized finance (DeFi) is a budding financial system and with that comes risk. Don’t put all your eggs in this basket if you can’t afford it.
  

Metaverse Attack Surface Management

Metaverse is quite the digital buzzword these days, but how secure is it? This is by far the most nascent technology on our list, but with heavy hitters like Disney and JP Morgan taking the plunge into this digital universe, it only seems logical to keep tabs on what attack surface management means in this new realm. In a recent survey of 1,500 cybersecurity, IT, and DevOps professionals respondents categorized the top cyber threats keeping them up at night in the metaverse:

• Cloning of voice and facial features and hijacking video recordings using avatars
• Invisible avatar eavesdropping or ‘man in the room’ attacks
• Conventional phishing, malware, and ransomware attacks
• Compromised machine identities and application programming interface (API) transactions

The emerging technologies being used to access the metaverse are well within the wheelhouse of most security professionals, but the ability to secure them while in a shared virtual environment is something new. Furthermore, certain metaverses are being built on blockchain technologies, an emerging technology in its own right, so it is imperative that users understand the full scope of this new type of attack surface.

There is no need to wait and see what happens with metaverse security. You can become a Certified Metaverse Security Consultant (CMSC) with coursework aimed at cybersecurity professionals whenever you are ready. Or take a shot at achieving a Certified Metaverse Professional (CMP) certificate that offers a broader vantage point into metaverse. Alternatively, you can start with a free Coursera resource that provides an overview of what the metaverse is and how it will influence our lives. Metaverse may be an emerging technology, but there is no shortage of courses already available to kickstart your learning!

Get Your Code On

Writing code is a classic that never goes out of style in the hacker community. Proper code development that happens in a timely manner never fails to be a useful skill for hackers. There are so many useful security benefits that stem from skilled code writing – tool development, hacking, adversary emulation, DevOps, and DevSecOps just to name a few. Hence why it makes our 2023 New Year's Resolution list. And a 2023 salary guide identifies a steady demand for developers, especially those with knowledge of C#, C++, Angular, Node.js, AWS, Google Cloud Platform and Azure.

It may seem obvious but let’s not underestimate the benefits of decent code writing. It is the underlying fundamental element that can make technology more bulletproof to cyberattacks or more vulnerable allowing adversaries to traipse through the attack surface at will. Adopting good code practices and committing to improving upon them follows a shift left approach that builds secure design from the beginning of a technology lifecycle.

Writing good code is always a top priority for Foxes and supports everything from our consulting engagements to open-source tool development. Check out our Tool Talk series to hear how some of our Foxes use their code writing skills to create offensive security tools.

Mobile Apps

Do you ever stop to look at how many mobile apps you have on your phone? It is becoming difficult to remember the days without smart phones filled to the brim with apps that make life more convenient. By December 2021, mobile health and business apps increased by 187% and 102% respectively, compared to pre-pandemic levels. Mobile applications are direct attack surfaces for such a wide variety of users from the world’s largest businesses with millions of customers relying on mobile application technology to individuals downloading games from app stores.

Mobile app developers are often under pressure to meet speedy delivery deadlines with a desirable user experience at the expense of application security. And with the rapid adoption of mobile technology comes the massive influx of personal and sensitive data hosted on apps that may or may not be secure. Cyber threats to mobile applications certainly aren’t new to offensive security practitioners, but we believe it is critical to continue prioritization of this ubiquitous technology in order to understand emerging threats against it.

If you need a resource to dive into mobile application security, this open-source curriculum offers 20+ virtual courses tailored to mobile threats and hacking if you are looking to improve your skills in this area.

Cheers to 2023

We can’t wait to see new challenges that adversaries bring to attack surfaces in 2023. We’re relentlessly learning and getting smarter because attackers are constantly evolving and getting smarter, too. At Bishop Fox, we’ve always vowed to never stop improving and 2023 will be no different.