Ransomware
1. Ransomware Attacks Will Continue—especially Against the Healthcare and Education Sectors
A. Educational and healthcare institutions frequently operate on limited cybersecurity budgets and with legacy systems in place. Both sectors also handle significant amounts of sensitive personal data. Add to the fact that, in the case of healthcare, ransomware attacks disrupt essential, life-saving operations, and you have a perfect storm of pressure that helps attackers secure quick ransom payments. That means these sectors will continue to be two of the biggest targets of ransomware attacks. (Chester Wisniewski, director, global field CTO)
AI
1. The honeymoon ends and reality Sets in as AI becomes a target for vulnerabilities, malware and attacks
A. Every new internet technology has a honeymoon period that ultimately ends when reality sets in. That time is coming for the latest LLMs as vulnerabilities and malware emerge. Microsoft has been issuing patches for AI products over the course of the past year, and we’re starting to see how attackers can use LLMs to deploy malware such as trojans. In the next year, a clearer picture will emerge of the risks of AI—and AI users and security professionals will need to figure out the best way to patch these vulnerabilities, safeguard against malware and protect against the eventual attacks that inevitably follow vulnerabilities and malware. (Christopher Budd, director, Sophos X-Ops)
2. Generative AI is the risk that keeps on giving
A. Thanks to AI, certain cybercriminal activities have been democratised. Low skilled, opportunistic attackers can now ask some AI platforms for “educational” information on how to build anything bad, from a believable phishing lure to a sample of code from popular ransomware. While AI-generated attacks have a low success rate and often seem obvious, they contribute to a growing flood of “noise” in offensive operations, obscuring the real threats. (Aaron Bugal, field CTO)
3. Rather than changing the world, we’re going to see incremental changes in LLMs
A. Large language models (LLMs) like ChatGPT signaled a major breakthrough in the development of AI in the past few years. Much like the prior deep learning breakthrough 12 years ago, future progress will be incremental—at least for a while. The improvement and development of AI is actually a slow-moving process punctuated by big changes. We still have so much optimisation and improvements that can be made with the current iteration of LLMs, such as power and cost efficiencies. These smaller improvements will be the type of advancements we should expect to see in the next few years. (Ben Gelman, senior data scientist)
4. There will be a rise in multi-agent systems
A. The next evolution in the utilisation of LLMs will be chaining them together to create more complex tasks. So, rather than opening up ChatGPT and asking it to write a line of code, researchers and possibly cybercriminals will orchestrate multiple LLMs and other AI models to carry out more complex tasks like automated cybersecurity penetration systems, customer service, and integrated assistants. This is similar to what Sophos created in its “scampaign” — a fully automated constructor for fake, AI-generated e-commerce websites. (Ben Gelman, senior data scientist)
Nation-States
5. Nation-State attacks aren’t just for enteprises anymore
A. Nation-state groups have turned their attention to edge devices to build useful proxy networks for chaos and sabotage. These edge devices are frequently unpatched and vulnerable, especially since many companies still have end-of-life (EOL) devices deployed in the wild. With nation-state groups building proxy networks, the victim pool has broadened—and companies of all sizes may now be targeted. (Chester Wisniewski, director, global field CTO)
Attacker Tactics
1. Cyber criminals will bring the noise to distract targets
A. Throwing a smokescreen or a flash bang and causing disruption, distraction and confusion takes the focus off the real threat – and cybercriminals know this. To evade detection, cybercriminals are using distraction tactics to pull incident responders’ attention away from their primary objective. By creating “noise”—such as minor attacks or false incidents—attackers can overwhelm response teams, allowing larger threats to advance undetected. These distractions tactics are becoming a serious challenge, draining resources and stretching even well-equipped security teams thin, weakening defenses and making organisations vulnerable. (Aaron Bugal, field CTO)
2. When the security community zigs, the criminals zag
A. As organisations implement more advanced endpoint security tools and deploy multi-factor authentication (MFA), attackers are increasingly targeting cloud environments. This is in part because companies are less likely to use MFA with their cloud access tokens. This also means that, where passwords used to be the prize for an attacker, now they’re looking for cloud assets and authentication tokens to gain footholds. (Chester Wisniewski, director, global field CTO)
3. Expect attackers to focus on the supply chain
A. Two of the biggest cybersecurity events of 2024 have targeted third-party software suppliers: Blue Yonder and CDK. The latter disrupted thousands of car dealerships across the United States for over a week, and the former hit major retailers during the holiday shopping week. Expect more attacks like these in the coming year. Attacks against the software supply chain have reverberating consequences far beyond the initial company targeted. Software supply chain attacks are a highly effective way for attackers to increase pressure on victims since affected customers often have limited options while awaiting remediation. (Chester Wisniewski, director, global field CTO)
Lessons Learned:
1. Plan for disruption. With the rise in supply chain attacks, companies need to proactively plan for vendor disruptions. This includes thoroughly evaluating vendors’ security measures and testing incident response plans during the procurement process. Organisations are often blind to these single points of failure, and that needs to change in 2025. (Chester Wisniewski, director, global field CTO)
2. Prioritise patching and MFA. The majority of compromises still begin with unpatched software and systems or through a stolen password. Internet-facing networking equipment without MFA is particularly vulnerable. If companies prioritise patching and MFA, they can dramatically improve their security posture. (Chester Wisniewski, director, global field CTO)
3. Strengthening the security of products. Efforts like Secure by Design and Secure by Demand, launched by the US government CISA, are positive developments in the cybersecurity community. Going forward, pushing technology vendors to improve the security and quality of their products from the start will be crucial in safeguarding the world’s supply chains, which are increasingly under threat. (Chester Wisniewski, director, global field CTO)
4. Reporting Helps Prevention. Educating users on best practices regarding suspicious emails and attachments is still a good practice, but it is unlikely to detect today’s more sophisticated lures. What’s most important is that users are trained to report when something is unexpected or suspicious so you can investigate and potentially respond to those threats before they cause more harm. Early warnings from vigilant users can help protect less sophisticated users as well as kick-off a threat hunt before the attackers are able to fully exploit your systems. (Chester Wisniewski, director, global field CTO)
5. Fatigue and Burnout are No Longer a Risk; They’re Apparent. Burn out and fatigue is now the norm, not the exception within the cybersecurity community. People are exhausted from being under-resourced and dealing with technology that has either aged out or is not being used to its full potential. In addition, cybersecurity professionals are dealing with processes, responsibilities and governance that are ill defined. Organisations should look for ways to identify burnout within employees, look for ways to harness technology and leverage Managed Detection and Response (MDR) services from security vendors to help scale stretched employees. (Aaron Bugal, field CTO)