Organisations must prioritise their cybersecurity measures to effectively navigate this evolving landscape.

AI – A Double-Edged Sword

Artificial Intelligence (AI) is a powerful force in cybersecurity, strengthening defences and increasing threats.

It enhances cybersecurity capabilities through real-time threat detection and response. Machine learning algorithms analyse vast data sets to identify patterns and anomalies that may signal cyber-attacks, allowing organisations to respond swiftly and minimise damage.

AI poses both advantages and challenges in digital security. While it enhances defence mechanisms, cybercriminals leverage AI to create sophisticated malware and more effective phishing attacks.

This duality reshapes the security landscape and highlights the need for constant advancements in cybersecurity technologies and strategies to combat evolving threats.

The cybersecurity landscape faces significant challenges due to a 67% rise in AI-driven attacks. These sophisticated attacks use advanced machine learning to adapt and evade traditional security measures.

This highlights the dual nature of artificial intelligence in cybersecurity, as it is both a tool for enhancing security and a weapon for malicious actors.

The rise of autonomous AI agents raises significant concerns for cybersecurity experts. These agents can execute complex cyberattacks independently, prompting critical questions about accountability and the effectiveness of current security protocols.

Cybersecurity professionals face increasing challenges as AI capabilities evolve, highlighting the need for proactive and adaptive strategies to protect digital assets.

Evaluating the ethical and operational implications of integrating AI in cybersecurity is crucial. AI-powered security tools can significantly enhance real-time threat detection, enabling quicker and more accurate responses to cyber threats. However, these advancements also introduce certain risks.

Investing in robust AI governance frameworks is crucial to address risks associated with AI technologies. These frameworks should guide responsible use and measures to prevent misuse, such as manipulation or biased decision-making.

Balancing AI’s advantages with its risks is essential for maintaining the integrity and security of our digital infrastructures, ensuring that AI enhances cybersecurity without compromising ethics or effectiveness.

Ransomware Evolution

Ransomware is once again dominating news headlines as it evolves into a sophisticated service-based model fundamentally altering the threat landscape.

This shift is not merely a passing trend; it signifies a pressing call to action for individuals and organisations to remain vigilant.

Ransomware as a service (RaaS) enables cybercriminals to easily launch attacks using accessible tools, increasing the frequency and severity of ransomware incidents across all business sectors.

As attackers become more advanced and targeted, robust cybersecurity measures and ongoing education on threats are essential.

In response to the growing ransomware threat, everyone in an organisation must take proactive measures to strengthen defences.

This includes regular data backups, advanced security software, and fostering cybersecurity awareness among employees. Staying vigilant against evolving ransomware tactics is crucial to protecting our digital lives.

The cybersecurity landscape is facing significant challenges due to the rise of RaaS. This trend democratises access to sophisticated cyberattack tools, effectively lowering the barriers for individuals and groups seeking to engage in cybercrime.

As a result, there has been a marked increase in cyber threats aimed particularly at small and medium-sized enterprises (SMEs), which often lack robust security measures compared to larger organizations.

Critical infrastructure sectors such as healthcare, energy, and transportation are prime targets for cybercriminals seeking high-profile breaches.

The emergence of RaaS highlights the professionalization of cybercrime, as experienced criminals support less skilled attackers.

This collaboration strengthens the underground market and complicates defenses against evolving threats. Thus, there’s an urgent need for enhanced cybersecurity strategies and a better understanding of risks faced by businesses and critical infrastructure.

In today’s digital landscape, organizations face an increasing array of cyber threats that can jeopardize their sensitive data and operational integrity.

To combat these evolving threats effectively, Organisations must conduct thorough assessments of their security vulnerabilities, identifying potential weaknesses within their systems, networks, and processes.

Enhancing endpoint protection is a foundational step in bolstering cybersecurity. This includes deploying advanced antivirus solutions, implementing firewalls, and utilising threat detection technologies to monitor and respond to suspicious device activities. Organizations should also consider adopting real-time monitoring solutions and automated responses to mitigate potential breaches.

Refining backup strategies is crucial alongside endpoint protection. Organizations should implement comprehensive data backup protocols with regular automated backups both on-site and off-site to ensure quick restoration of critical data during ransomware attacks or other data loss incidents. Regular testing of backup systems is also essential to ensure their effectiveness.

Promoting cybersecurity awareness among employees is another key component in a robust defense strategy. Training programs should be implemented to educate staff about recognizing phishing attempts, following safe browsing practices, and understanding their role in maintaining the organization’s security posture. Regularly updating this training helps to keep security awareness fresh and aligned with emerging threats.

Furthermore, developing robust incident response plans is essential for minimizing damage during a cybersecurity incident. These plans should outline specific procedures for detecting, responding to, and recovering from security incidents. Regularly rehearsing these plans through simulations ensures that all team members understand their roles and can act swiftly in a real scenario.

By implementing these comprehensive strategies, enhancing endpoint protection, refining backup strategies, fostering cybersecurity awareness, and developing effective incident response plans—organizations can significantly strengthen their defenses and safeguard against the increasing tide of cyber-attacks.

Zero Trust Architecture

The transition to Zero Trust Network Access (ZTNA) represents a major change in cybersecurity. Unlike traditional models that rely on perimeter defenses, ZTNA operates on a “never trust, always verify” principle.

This means every user, device, and application must be authenticated and authorized before accessing resources, enhancing the protection of sensitive information, especially in remote environments.

Organizations are integrating multi-factor authentication (MFA) into their access control measures alongside ZTNA.

MFA requires users to provide multiple verification forms, like a password combined with a biometric scan or a temporary code sent to their mobile device. This extra security layer protects sensitive data even if user credentials are compromised.

Continuous monitoring is crucial for real-time threat detection. By leveraging advanced analytics and machine learning, organizations can track user behaviour to identify anomalies indicating unauthorized access or internal threats.

Maintaining vigilance and adjusting security measures based on these observations can significantly lower the risk of data breaches.

In response to escalating cybersecurity threats, companies must adopt the “never trust, always verify” principle. This approach demands a comprehensive reevaluation of access controls and identity management.

Every user, device, and connection must be rigorously validated before granting access to sensitive systems, regardless of whether they operate within or outside the network. By firmly implementing this principle, organizations will significantly enhance their security posture and effectively tackle the challenges posed by modern cybersecurity risks.

Organisations are decisively adopting ZTNA frameworks across their networks to significantly enhance security.

In addition, they are integrating multi-factor authentication and implementing continuous monitoring practices to strengthen their defences against potential threats. This proactive strategy creates a safer digital environment and effectively mitigates risks.

Conclusion

Get ready for an exciting journey into Cybersecurity in 2025 and beyond! This future combines advanced technology with strategic thinking. Organisations can adopt innovative solutions to protect their digital assets and foster growth as we identify emerging risks. Cybersecurity will focus not just on defence but also on proactive strategies to thrive in a complex landscape.

*Ademola is the first Nigerian Professor of Cyber Security and Information Technology Management. He is also the first Professor of African descent to achieve Chartered Manager Status and serves as the General Evangelist of CAC Nigeria and Overseas.

The threat landscape has expanded in recent years as our world has become more interconnected. This has resulted in cybercriminals seeking out more opportunities to exploit vulnerabilities for profit.

Cybercriminals are far more organised than ever before and what we would typically call a “gang” is made up of a team of people that look a lot like their own legitimate business with departments for recruitment and finance.

As a result, attacks have moved away from simple virus disruptions to costly incidents that involve ransomware, encryption and Denial-of-Service.

Trend Micro has been tracking and monitoring the evolution of these organised crime groups in an effort to turn the tide against these illicit enterprises and create a safer digital world.

To have a true impact and combat the threat of cybercriminals, we share this threat intelligence with other security vendors, as well as academics and law enforcement agencies.

This “better together” way of thinking has seen us train up hundreds of law enforcers over the past decade or more and has contributed to the dismantling of highly successful criminal organisations.

International collaboration with INTERPOL

One of our longest standing law enforcement partnerships is with INTERPOL. From providing information about malicious actors to the threats and infrastructure used in their many attacks, our information provides valuable intelligence for their use.

This strategic partnership aims to enhance cyber expertise within law enforcement agencies, empowering them to effectively investigate and counter cybercriminal activities.

A key part of Trend’s partnership with INTERPOL is the work we do together under the Africa Cyber Surge Operation.

Started in 2022, the first round of the operation was so successful that a second campaign ran for four months in 2023, which saw law enforcement organisations from 25 countries participate.

During this time, Trend provided investigators with information about over 3,700 malicious command and control servers, 1,500 malicious IP addresses located in South Africa, Egypt, the Seychelles, Algeria and Nigeria, and malicious traffic detections linked to scams, malware, phishing and command and control servers.

From this and other shared insights, police made 14 arrests and identified a massive 20,674 suspicious cybercrime networks linked to losses of over $40 million.

Global police do a fantastic job of hunting down those responsible for cybercrime. But resources and in-house expertise are often stretched.

That’s why public-private partnerships are so important to the ongoing fight against ceaseless malicious online activity.

Operation Cronos locks out LockBit

More recently, we witnessed the takedown of one of the world’s most notorious ransomware gangs, LockBit, thanks to the cooperation between trusted partners and law enforcement agencies.

The Ransomware-as-a-Service (RaaS) group was responsible for between 25% and 33% of all ransomware attacks in 2023, claiming thousands of victims since it was first observed in September 2019.

LockBit’s business model revolved around affiliates that would be responsible for the attacks with the group claiming a 20% cut of the ransomware payment.

In February this year, the UK’s National Crime Agency initiated Operation Cronos which saw the seizure of the group’s source code, its technical infrastructure used to carry out attacks and its leak site. With these in hand, law enforcement announced arrests, sanctions and cryptocurrency confiscations.

The operation was well publicised across LockBit’s network and site, which has helped to cast doubt on the gang’s once powerful reputation as a RaaS group.

Following Operation Cronos, Trend Micro received a sample of what is believed to be a new version of LockBit’s software.

With this sample, we have been able to pass on intelligence to our law enforcement partners and bolster our defences for customers.

These attacks will keep on coming unless we discomfort and disrupt the threat actors themselves. By sharing resources and intelligence, the cybersecurity industry has demonstrated it can cripple cybercriminals and their infrastructure.

We are after all working towards the same goal: a safer online environment for all.

The findings show a 36% increase in attacker dwell time, with a median intruder dwell time of 15 days in 2021 versus 11 days in 2020.

The report also reveals the impact of ProxyShell vulnerabilities in Microsoft Exchange, which Sophos believes some Initial Access Brokers (IABs) leveraged to breach networks and then sell that access to other attackers.

“The world of cybercrime has become incredibly diverse and specialized. IABs have developed a cottage cybercrime industry by breaching a target, doing exploratory reconnaissance or installing a backdoor, and then selling the turn-key access to ransomware gangs for their own attacks,” said John Shier, senior security advisor at Sophos. “In this increasingly dynamic, specialty-based cyberthreat landscape, it can be hard for organizations to keep up with the ever-changing tools and approaches attackers use. It is vital that defenders understand what to look for at every stage of the attack chain, so they can detect and neutralize attacks as fast as possible.”

Sophos’ research also shows that attacker dwell time was longer in smaller organizations’ environments. Attackers lingered for approximately 51 days in organizations with up to 250 employees, while they typically spent 20 days in organizations with 3,000 to 5,000 employees.

“Attackers consider larger organizations to be more valuable, so they are more motivated to get in, get what they want and get out. Smaller organizations have less perceived ‘value,’ so attackers can afford to lurk around the network in the background for a longer period. It’s also possible these attackers were less experienced and needed more time to figure out what to do once they were inside the network. Lastly, smaller organizations typically have less visibility along the attack chain to detect and eject attackers, prolonging their presence,” said Shier. “With opportunities from unpatched ProxyLogon and ProxyShell vulnerabilities and the uprise of IABs, we’re seeing more evidence of multiple attackers in a single target. If it’s crowded within a network, attackers will want to move fast to beat out their competition.”

Additional key findings in the playbook include:

• The median attacker dwell time before detection was longer for “stealth” intrusions that had not unfolded into a major attack such as ransomware, and for smaller organizations and industry sectors with fewer IT security resources. The median dwell time for organizations hit by ransomware was 11 days. For those that had been breached, but not yet affected by a major attack, such as ransomware (23% of all the incidents investigated), the median dwell time was 34 days. Organizations in the education sector or with fewer than 500 employees also had longer dwell times

• Longer dwell times and open entry points leave organizations vulnerable to multiple attackers. Forensic evidence uncovered instances where multiple adversaries, including IABs, ransomware gangs, cryptominers, and occasionally even multiple ransomware operators, were targeting the same organization simultaneously

• Despite a drop in using Remote Desktop Protocol (RDP) for external access, attackers increased their use of the tool for internal lateral movement. In 2020, attackers used RDP for external activity in 32% of the cases analyzed, but this decreased to 13% in 2021. While this shift is a welcome change and suggests organizations have improved their management of external attack surfaces, attackers are still abusing RDP for internal lateral movement. Sophos found that attackers used RDP for internal lateral movement in 82% of cases in 2021, up from 69% in 2020

• Common tool combinations used in attacks provide a powerful warning signal of intruder activity. For example, the incident investigations found that in 2021 PowerShell and malicious non-PowerShell scripts were seen together in 64% of cases; PowerShell and Cobalt Strike combined in 56% of cases; and PowerShell and PsExec were found in 51% of cases. The detection of such correlations can serve as an early warning of an impending attack or confirm the presence of an active attack

• Fifty percent of ransomware incidents involved confirmed data exfiltration – and with the available data, the mean gap between data theft and the deployment of ransomware was 4.28 days. Seventy-three percent of incidents Sophos responded to in 2021 involved ransomware. Of these ransomware incidents, 50% also involved data exfiltration. Data exfiltration is often the last stage of the attack before the release of the ransomware, and the incident investigations revealed the mean gap between them was 4.28 days and the median was 1.84 days

• Conti was the most prolific ransomware group seen in 2021, accounting for 18% of incidents overall. REvil ransomware accounted for one in 10 incidents, while other prevalent ransomware families included DarkSide, the RaaS behind the notorious attack on Colonial Pipeline in the U.S. and Black KingDom, one of the “new” ransomware families to appear in March 2021 in the wake of the ProxyLogon vulnerability. There were 41 different ransomware adversaries identified across the 144 incidents included in the analysis. Of these, around 28 were new groups first reported during 2021. Eighteen ransomware groups seen in incidents in 2020 had disappeared from the list in 2021

“The red flags that defenders should look out for include the detection of a legitimate tool, combination of tools, or activity in an unexpected place or at an uncommon time,” said Shier. “It is worth noting that there may also be times of little or no activity, but that doesn’t mean an organization hasn’t been breached. There are, for instance, likely to be many more ProxyLogon or ProxyShell breaches that are currently unknown, where web shells and backdoors have been implanted in targets for persistent access and are now sitting silently until that access is used or sold.

“Defenders need to be on the alert for any suspicious signals and investigate immediately. They need to patch critical bugs, especially those in widely used software, and, as a priority, harden the security of remote access services. Until exposed entry points are closed and everything that the attackers have done to establish and retain access is completely eradicated, just about anyone can walk in after them, and probably will.”

The Sophos Active Adversary Playbook 2022 is based on 144 incidents in 2021, targeting organizations of all sizes, in a wide range of industry sectors, and located in the U.S., Canada, the U.K., Germany, Italy, Spain, France, Switzerland, Belgium, Netherlands, Austria, the United Arab Emirates, Saudi Arabia, the Philippines, the Bahamas, Angola, and Japan.

The most represented sectors are manufacturing (17%), followed by retail (14%), healthcare (13%), IT (9%), construction (8%), and education (6%).  

The aim of Sophos’ report is help security teams understand what adversaries do during attacks and how to spot and defend against malicious activity on the network. To learn more about attacker behaviors, tools and techniques, read the Sophos Active Adversary Playbook 2022 on Sophos News.