Ransomware
1. Ransomware attacks will continue—especially against the healthcare and education sectors
a. Educational and healthcare institutions frequently operate on limited cybersecurity budgets and with legacy systems in place. Both sectors also handle significant amounts of sensitive personal data. Add to that the fact that, in the case of healthcare, ransomware attacks disrupt essential, life-saving operations, and you have a perfect storm of pressure that helps attackers secure quick ransom payments. That means these sectors will continue to be two of the biggest targets of ransomware attacks. (Chester Wisniewski, director, global field CTO)
AI
1. The honeymoon ends, and reality sets in as AI becomes a target for vulnerabilities, malware, and attacks
a. Every new internet technology has a honeymoon period that ends when reality sets in. That time is coming for the latest LLMs as vulnerabilities and malware emerge. Microsoft has been issuing patches for AI products over the past year, and we’re starting to see how attackers can use LLMs to deploy malware such as trojans. In the following year, a clearer picture will emerge of the risks of AI—and AI users and security professionals will need to figure out the best way to patch these vulnerabilities, safeguard against malware, and protect against the eventual attacks that inevitably follow vulnerabilities and malware. (Christopher Budd, director, Sophos X-Ops)
2. Generative AI is the risk that keeps on giving
a. Thanks to AI, certain cybercriminal activities have been democratized. Low-skilled, opportunistic attackers can now ask some AI platforms for “educational” information on how to build anything terrible, from a believable phishing lure to a sample of code from popular ransomware. While AI-generated attacks have a low success rate and often seem obvious, they contribute to a growing flood of “noise” in offensive operations, obscuring the real threats. (Aaron Bugal, field CTO)
3. Rather than changing the world, we’re going to see incremental changes in LLMs
a. Large language models (LLMs) like ChatGPT signaled a significant breakthrough in the development of AI in the past few years. Much like the prior deep learning breakthrough 12 years ago, future progress will be incremental—at least for a while. The improvement and development of AI is a slow-moving process punctuated by significant changes. We still have so many optimizations and improvements that can be made with the current iteration of LLMs, such as power and cost efficiencies. These smaller improvements will be the expected advancements in the next few years. (Ben Gelman, senior data scientist)
4. There will be a rise in multi-agent systems
a. The next evolution in utilizing LLMs will be chaining them together to create more complex tasks. So, rather than opening up ChatGPT and asking it to write a line of code, researchers and possibly cybercriminals will orchestrate multiple LLMs and other AI models to carry out more complex tasks like automated cybersecurity penetration systems, customer service, and integrated assistants. This is similar to what Sophos created in its “scampaign” — a fully automated constructor for fake, AI-generated e-commerce websites. (Ben Gelman, senior data scientist)
Nation-States
1. Nation-state attacks aren’t just for enterprises anymore
a. Nation-state groups have turned their attention to edge devices to build useful proxy networks for chaos and sabotage. These edge devices are frequently unpatched and vulnerable, especially since many companies still have end-of-life (EOL) devices deployed in the wild. With nation-state groups building proxy networks, the victim pool has broadened—and companies of all sizes may now be targeted. (Chester Wisniewski, director, global field CTO)
Attacker Tactics
1. Cybercriminals will bring the noise to distract targets
a. Throwing a smokescreen or a flash bang and causing disruption, distraction, and confusion takes the focus off the real threat – and cybercriminals know this. To evade detection, cybercriminals are using distraction tactics to pull incident responders’ attention away from their primary objective. Attackers can overwhelm response teams by creating “noise”—such as minor attacks or false incidents—allowing more significant threats to advance undetected. These distraction tactics are becoming a serious challenge, draining resources and stretching even well-equipped security teams thin, weakening defenses and making organizations vulnerable. (Aaron Bugal, field CTO)
2. When the security community zigs, the criminals zag
a. As organizations implement more advanced endpoint security tools and deploy multi-factor authentication (MFA), attackers increasingly target cloud environments. This is partly because companies are less likely to use MFA with their cloud access tokens. This also means that, where passwords used to be an attacker’s prize, they’re now looking for cloud assets and authentication tokens to gain footholds. (Chester Wisniewski, director, global field CTO)
3. Expect attackers to focus on the supply chain
a. Two of 2024’s most prominent cybersecurity events have targeted third-party software suppliers: Blue Yonder and CDK. The latter disrupted thousands of car dealerships across the United States for over a week, and the former hit major retailers during the holiday shopping week. Expect more attacks like these in the coming year. Attacks against the software supply chain have far-reaching consequences beyond the initial company targeted. Software supply chain attacks are highly effective for attackers to increase pressure on victims since affected customers often have limited options while awaiting remediation. (Chester Wisniewski, director, global field CTO)
Lessons Learned:
1. Plan for disruption. With the rise in supply chain attacks, companies must proactively plan for vendor disruptions. This includes thoroughly evaluating vendors’ security measures and testing incident response plans during procurement. Organizations are often blind to these single points of failure, which needs to change in 2025. (Chester Wisniewski, director, global field CTO)
2. Prioritize patching and MFA. Most compromises still begin with unpatched software and systems or through a stolen password. Internet-facing networking equipment without MFA is particularly vulnerable. Companies prioritizing patching and MFA can dramatically improve their security posture. (Chester Wisniewski, director, global field CTO)
3. Strengthen the security of products. Efforts like Secure by Design and Secure by Demand, launched by the US government CISA, are positive developments in the cybersecurity community. Going forward, pushing technology vendors to improve the security and quality of their products from the start will be crucial in safeguarding the world’s supply chains, which are increasingly under threat. (Chester Wisniewski, director, global field CTO)
4. Reporting helps prevention. Educating users on best practices regarding suspicious emails and attachments is still good, but it is unlikely to detect today’s more sophisticated lures. Most importantly, users are trained to report when something is unexpected or suspicious so they can investigate and potentially respond to those threats before they cause more harm. Early warnings from vigilant users can help protect less sophisticated users and kick off a threat hunt before the attackers can fully exploit your systems. (Chester Wisniewski, director, global field CTO)
5. Fatigue and burnout are no longer risks; they’re apparent. Burnout and fatigue are now the norm, not the exception, within the cybersecurity community. People are exhausted from being under-resourced and dealing with technology that has either aged out or is not being used to its full potential. In addition, cybersecurity professionals deal with ill-defined processes, responsibilities, and governance. Organizations should look for ways to identify burnout within employees, harness technology, and leverage managed detection and response (MDR) services from security vendors to help scale stretched employees. (Aaron Bugal, field CTO)