Elastic Global Threat Report 2023: Top cybersecurity forecasts and recommendations


We are excited to announce the release of the 2023 Elastic Global Threat Report, a comprehensive analysis of over one billion data points. The report provides insights into the methods, techniques, and trends of threat actors from the perspective of defenders, helping customers, partners, and security teams to prioritize and improve their security posture.

The observations in the report are based on anonymized Elastic telemetry and public and third-party data submitted voluntarily. Our goal is to demonstrate how our unique perspective empowers security technology developers and practitioners.

Elastic Security forecasts and recommendations highlights

The Global Threat Report provides valuable insights into the cyber threats that you may face in 2024. It shows how threat actors are becoming more sophisticated and stealthy and how they leverage public tools and resources to conduct their attacks. It also offers guidance and best practices on how to protect yourself and your data from these attacks. Here are some of the key forecasts and recommendations from the report:


Adversaries will become more reliant on open-source communities for implants, tools, and infrastructure.

Cyber attackers are increasingly using commercial and open-source tools to compromise systems across different platforms. Tools such as Metasploit, Cobalt Strike, and Sliver framework are commonly used by threat groups to target Windows, Linux, and macOS devices. There is also a growing trend of malware-as-a-service and ransomware campaigns that use these tools to launch attacks. The attackers may be using open-source tools to reduce their operational costs.

Forecast 1Recommendation
Adversaries will become more reliant on open-source communities for implants, tools, and infrastructure.
  • Threat actors are using code from open sources in their attacks.
  • This includes legitimate libraries like OneDriveAPI, tools like SharpShares, and implants like Sliver.
  • Adversaries will continue to take advantage of publicly exposed projects.
Organizations should scrutinize direct downloads from code-sharing websites and consider limiting access. While this wouldn’t impact code reused by threat actors, it could prevent precompiled binaries or portable scripts from facilitating a compromise. Enterprises should evaluate their visibility of emerging adversarial frameworks.


Cloud credential exposure will be a primary source of data exposure incidents.

Attackers often use Credential Access techniques to gain access to data or systems. Credential Access is a broad term that includes passwords, tokens, and other authentication methods. We observed that about 7% of all endpoint behavior signals were related to this tactic, and 79% of them involved dumping credentials from the operating system using built-in tools or features.

For cloud service providers (CSPs), Credential Access accounted for about 45% of all detection signals. For AWS, these signals mainly involved unusual attempts to access secrets from Secrets Manager, environment variables from local EC2 hosts, and credential files. Credentials can also be leaked through code repositories, such as GitHub, if the code is not properly reviewed or cleaned.

Forecast 2Recommendation
Cloud credential exposure will be a primary source of data exposure incidents.
  • Adversaries are targeting cloud credentials to steal data and stage malware.
  • Cloud storage is often not segmented in large organizations, making it easy for adversaries to access with stolen credentials.
  • Exposed cloud computing credentials could increase the prevalence of coinminers and other malware.
Least privilege accounts and robust authentication mechanisms can be augmented by monitoring user-entity behaviors, solutions that may depend on reasonable segmentation of data.


Defense evasion is going to remain the top investment, and tampering will supersede masquerading.

The high prevalence of Defense Evasion techniques suggests that attackers are well-aware of the monitoring tools and security solutions in place and are developing strategies to work around them. This is a clear sign that adversaries are adapting to hostile environments and that they're investing time and resources to ensure their malicious activities remain under the radar.

Forecast 3Recommendation
Defense evasion is going to remain the top investment, and tampering will supersede masquerading.
  • Security industry dynamics have led to the development of robust endpoint prevention features, but adversaries are aware that bypassing these features is crucial for achieving their goals.
  • This trend is expected to lead to a decline in masquerading attacks.
  • Real-world evidence supports this shift, exemplified by tactics like Bring Your Own Vulnerable Driver.
Enterprises should evaluate the tamper-resistant nature of their endpoint security sensors and consider monitoring projects like living off the land drivers, which tracks the many vulnerable device drivers used to disable security technologies.

Stay ahead of attackers with Elastic Security

These forecasts provide just a brief snapshot of the threats, attackers, and defenses we expect to be in play in the coming year. They also show how we use this knowledge to improve Elastic Security and inform our future plans. For a more detailed overview of the security landscape and where it’s headed, you can access the full 2023 Elastic Global Threat Report.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.