NetSPI CISO Norman Kromberg was featured in CSO’s latest article on emerging threats in 2023. Read a preview below or view it online here.


In cybersecurity’s never-ending cat-and-mouse game with hackers and grifters, the threats are always evolving. Here are some of the main attacks experts see as the biggest and baddest on the horizon.

Companies using Microsoft Teams got news earlier in the summer of 2023 that a Russian hacker group was using the platform to launch phishing attacks, putting a new spin on a long-known attack strategy. According to Microsoft Threat Intelligence, the hackers, identified as Midnight Blizzard, used Microsoft 365 tenants owned by small businesses compromised in previous attacks to host and launch new social engineering attacks.

Threats evolve constantly as hackers and grifters gain access to new technologies or come up with new ways to exploit old vulnerabilities. “It’s a cat and mouse game,” says Mark Ruchie, CISO of security firm Entrust.

Phishing remains the most common attack, with the 2023 Comcast Business Cybersecurity Threat Report finding that nine out of 10 attempts to breach its customers’ networks started with a phish.

The volume and velocity of attacks have increased, as have the costs incurred by victims, with the 2022 Official Cybercrimes Report from Cybersecurity Ventures estimating that the cost of cybercrime will jump from $3 trillion in 2015 to a projected $10.5 trillion in 2025.

At the same time, security leaders say they see new takes on standard attack methods — such as the attacks launched by Midnight Blizzard (which has also been identified by the names APT29, Cozy Bear and NOBELIUM) — as well as novel attack strategies. Data poisoning, SEO poisoning and AI-enabled threat actors are among the emerging threats facing CISOs today.

“The moment you agree to be a CISO, you agree to get into a race you never win completely, and there are constantly evolving things that you have to have on your screen,” says Andreas Wuchner, field CISO for security company Panaseer and a member of the company’s advisory board.

Preparing for what’s next

A majority of CISOs are anticipating a changing threat landscape: 58% of security leaders expect a different set of cyber risks in the upcoming five years, according to a poll taken by search firm Heidrick & Struggles for its 2023 Global Chief Information Security Officer (CISO) Survey.

CISOs list AI and machine learning as the top themes in most significant cyber risks, with 46% saying as much. CISOs also list geopolitical, attacks, threats, cloud, quantum, and supply chain as other top cyber risk themes.

Authors of the Heidrick & Struggles survey noted that respondents offered some thoughts on the topic. For example, one wrote that there will be “a continued arms race for automation.” Another wrote, “As attackers increase [the] attack cycle, respondents must move faster.” A third shared that “Cyber threats [will be] at machine speed, whereas defenses will be at human speed.”

The authors added, “Others expressed similar concerns, that skills will not scale from old to new. Still others had more existential fears, citing the ‘dramatic erosion in our ability to discern truth from fiction.’”

Security leaders say the best way to prepare for evolving threats and any new ones that might emerge is to follow established best practices while also layering in new technologies and strategies to strengthen defenses and build proactive elements into enterprise security.

“It’s taking the fundamentals and applying new techniques where you can to advance [your security posture] and create a defense in depth so you can get to that next level, so you can get to a point where you could detect anything novel,” says Norman Kromberg, CISO of security software company NetSPI. “That approach could give you enough capability to identify that unknown thing.”

You can read the full article at