
Industry predictions for 2025 part 2: What does the threat landscape look like in the coming year?

More predictions of what the cyber threat landscape will look like in the coming year.

David Hollingworth
Fri, 03 Jan 2025

Hackers and other threat actors are constantly evolving their tactics and strategies, taking advantage of new technologies to enhance their attacks.

Here’s what some of the industry’s best think the 2025 threat landscape might look like.


Shirley Salzman
CEO and co-founder of SeeMetrics


In 2025, cyber security organisations will recognise that adding more tools doesn’t necessarily equate to better security. Similarly, relying on compliance checkboxes for static reassurance will no longer suffice – not only in the face of dynamic and evolving threats but also in meeting executives’ growing expectations to demonstrate measurable progress and ROI.

Building on last year’s hype around the security data fabric, organisations will come to understand that true visibility and actionable insights require the ability to blend data from multiple tools. By correlating this data with programs, certifications, and threats, businesses can manage their defences with full context – reflecting the dynamic reality of their environment and the evolving threat landscape. This shift will empower organisations to measure and adapt their defences in real time, enabling them to proactively prioritise what matters most.


Lincoln Goldsmith
Director of channels and alliances, APJ, at Semperis

Hackers will increasingly target Active Directory (AD) in 2025. AD is the most widely used authentication and authorisation solution in enterprise IT networks globally and also a blind spot for many security teams. For most organisations, Active Directory is at the heart of their operational resilience because it manages access to nearly all users, groups, applications, and resources, which also makes it a top target for attackers.

Yet, only one-quarter (27 per cent) of the companies surveyed globally by Semperis said that they maintain dedicated, Active Directory-specific backups, which hackers have recognised and are increasingly taking advantage of. The Australian Signals Directorate and Five Eyes Alliance have recently warned Australian businesses of an uptick in attacks on AD, demonstrating that this will be a key priority area for 2025.

Kevin Kirkwood
CISO at Exabeam

In 2025, we can expect a rise in ‘living off the land’ attacks, where attackers exploit legitimate tools and processes within an organisation’s network to avoid detection. As geopolitical tensions rise, cyber criminals from nations like Russia, China and Iran may increase their use of this technique, spreading across networks, establishing multiple backdoors and ensuring they can re-enter if initial access points are cut off.

As these attacks grow more sophisticated, organisations will need to refine their ability to distinguish between normal operations and subtle deviations, focusing on baseline behaviour and anomaly detection. Law enforcement and cyber security agencies around the world will need to bolster their efforts to counter these evolving threats, ensuring they can anticipate and mitigate such stealthy incursions.
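The baseline-versus-deviation approach Kirkwood describes, as an added example that is not part of the article or of Exabeam's tooling. It builds a per-host and fleet-wide baseline of which parent process launches which dual-use Windows binary from a constructed sample of process-creation events, then grades a later window by how far each event departs from that baseline. The binary list, host names, event tuples and severity labels are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Dual-use Windows binaries that "living off the land" activity typically
# leans on (assumed list; extend from your own telemetry).
LOLBINS = {
    "powershell.exe", "cmd.exe", "wmic.exe", "certutil.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "net.exe",
}

# Constructed sample: process-creation events (host, parent image, child image)
# from a quiet period, standing in for what an EDR or Sysmon feed would provide.
BASELINE_EVENTS = [
    ("srv-01", "services.exe", "powershell.exe"),
    ("srv-01", "services.exe", "powershell.exe"),
    ("srv-01", "explorer.exe", "cmd.exe"),
    ("srv-01", "cmd.exe", "net.exe"),
    ("ws-07", "explorer.exe", "powershell.exe"),
    ("ws-07", "explorer.exe", "cmd.exe"),
]

# Constructed sample: a later window to be checked against the baseline.
NEW_EVENTS = [
    ("srv-01", "services.exe", "powershell.exe"),   # routine, seen before
    ("ws-07", "winword.exe", "powershell.exe"),     # known binary, unfamiliar parent
    ("srv-01", "cmd.exe", "certutil.exe"),          # binary never seen on this host
    ("srv-01", "explorer.exe", "powershell.exe"),   # new here, but normal elsewhere
    ("ws-07", "explorer.exe", "notepad.exe"),       # not a dual-use binary; ignored
    ("db-02", "explorer.exe", "cmd.exe"),           # host with no baseline at all
]


def build_baseline(events):
    """Count (parent, child) pairs per host and fleet-wide, LOLBIN children only."""
    per_host = defaultdict(Counter)
    fleet = Counter()
    for host, parent, child in events:
        pair = (parent.lower(), child.lower())
        if pair[1] in LOLBINS:
            per_host[host][pair] += 1
            fleet[pair] += 1
    return per_host, fleet


def classify(per_host, fleet, host, parent, child):
    """Return (severity, reason) for a deviation, or None if the event is baseline-normal."""
    pair = (parent.lower(), child.lower())
    if pair[1] not in LOLBINS:
        return None
    if host not in per_host:
        return ("high", "no baseline exists for host")
    host_pairs = per_host[host]
    if pair in host_pairs:
        return None
    if pair in fleet:
        # Seen on other hosts: worth a look, but not the classic Office-spawns-shell pattern.
        return ("low", "pair is normal elsewhere in the fleet but new on this host")
    if any(child_seen == pair[1] for _, child_seen in host_pairs):
        return ("high", f"{pair[1]} launched by unfamiliar parent {pair[0]}")
    return ("medium", f"{pair[1]} not in this host's baseline")


def find_deviations(per_host, fleet, events):
    """Run classify() over a window and return the flagged events in input order."""
    hits = []
    for host, parent, child in events:
        verdict = classify(per_host, fleet, host, parent, child)
        if verdict is not None:
            severity, reason = verdict
            hits.append({"host": host, "parent": parent, "child": child,
                         "severity": severity, "reason": reason})
    return hits


if __name__ == "__main__":
    per_host, fleet = build_baseline(BASELINE_EVENTS)
    for hit in find_deviations(per_host, fleet, NEW_EVENTS):
        print(f"[{hit['severity']}] {hit['host']}: {hit['parent']} -> {hit['child']} ({hit['reason']})")
```

The point of keeping both a per-host and a fleet-wide baseline is that a pair which is routine on one machine is weak evidence on another, while a dual-use binary appearing under a parent never seen anywhere is exactly the "subtle deviation" the quote refers to. In practice the baseline window should be long enough to cover scheduled maintenance, and every flagged event still needs a human or a second signal before it becomes an incident.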


Simon Howe
Area vice president, ANZ, at ExtraHop

Geopolitical tensions are escalating globally, and as a result, cyber warfare experts are predicting intensifying ransomware attacks in the near term. Further exacerbated by a business climate in which most organisations are paying the ransom, there is no indication these attacks will slow down. The cyber crime gang Scattered Spider proved to be a sophisticated threat this past year, using modern techniques such as auto-generation of phishing pages to target financial institutions for lucrative ransom payouts.

The group and other ransomware threat actors are considered experts in social engineering, finding success in using techniques like phishing, push bombing, and subscriber identity module (SIM) swap attacks to obtain credentials and gain access to an organisation’s network. These social engineering attacks will only grow more complex as adversaries leverage AI and ML to be more convincing and evade existing controls. It’s up to organisations to improve their security posture and build resilience against these increasingly complex threats.


Darryl Jones
Vice president of CIAM at Ping Identity

Identity fraud is not a novel concept. From stolen credit cards to spam calls, consumers have been dealing with identity theft and its ramifications for years – and it’s an increasing risk as advancing technology like artificial intelligence (AI) becomes more prevalent in everyday lives. 2025 will mark the shift of consumers demanding more transparency from businesses around their security practices and use of AI.

In fact, 89 per cent of consumers already have concerns about AI when it comes to their identity security, and 97 per cent have concerns about their personal data being online. Consumers will begin holding companies accountable, insisting that the businesses they interact with do better when it comes to protecting their personal data amid the AI boom. Organisations deemed untrustworthy will become extinct by default and need to adjust their approach to digital identity in order to keep up with rising concerns – or else risk losing loyalty.


Morey J. Haber
Chief security adviser at BeyondTrust

While markets like healthcare and financial services will continue to be focal points for attacks, in 2025, we can expect critical infrastructure to become a significantly higher priority for nation-state threat actors. This will include the inherent risks (and the potential for nation-state cyber warfare) elevating critical infrastructure attacks to levels of national security.

Threat actors typically target environments with the least resistance and easiest political or financial gains to achieve their nefarious missions. Aging equipment, the lack of cyber security funding, and the lack of maturity around cyber security best practices make critical infrastructure an easy target.

The current vulnerability of critical infrastructure and its potential for political risk is already a matter of awareness, with rising geopolitical turmoil slowly increasing focus. However, it will only take one successful breach to cause the loss of life or service that will raise these types of attacks to the level of national security.

With the current flaws in OT and IT environments, it is probable that we will see a significant incident of this type unfold in 2025. It will take government funding and mandates to ensure public critical infrastructure services don’t become the next historic disaster.


Chester Wisniewski
Director and global field CTO at Sophos

Educational and healthcare institutions frequently operate on limited cyber security budgets and with legacy systems in place. Both sectors also handle significant amounts of sensitive personal data. Add to the fact that, in the case of healthcare, ransomware attacks disrupt essential, life-saving operations, and you have a perfect storm of pressure that helps attackers secure quick ransom payments. That means these sectors will continue to be two of the biggest targets of ransomware attacks.


Aaron Bugal
Field CTO at Sophos

Throwing a smokescreen or a flash bang and causing disruption, distraction, and confusion takes the focus off the real threat – and cyber criminals know this. To evade detection, cyber criminals are using distraction tactics to pull incident responders’ attention away from their primary objective. By creating “noise” – such as minor attacks or false incidents – attackers can overwhelm response teams, allowing larger threats to advance undetected. These distraction tactics are becoming a serious challenge, draining resources, and stretching even well-equipped security teams thin, weakening defences and making organisations vulnerable.


Robert Le Busque
Regional vice president, Asia-Pacific, at Verizon Business Group

Deepfakes will become a major tool for cyber attacks. Highly accessible to anyone with a laptop, the technology is becoming more accessible, partly due to the availability of open-source software, making it easier for bad actors to use in social engineering and phishing scams.

The Asia-Pacific region has experienced a 1,530 per cent surge in deepfake cases from 2022 to 2023. With AI-driven fraud remaining the most prominent challenge across various industries, crypto is the main target sector followed by fintech.

The primary barriers to widespread adoption have been access to generative AI platforms and the cost of processing power (GPU availability), but these obstacles are quickly diminishing.


Ken Dunham
Cyber threat director for Qualys Threat Research Unit

Nation-state attacks and cloud-based compromises with extremely long dwell times will continue to emerge at an increasing rate with large-scale impact as security catches up with post-COVID and digital transformation efforts from the last few years, where adversaries are increasingly able to maintain “stealth for survival”.

Beyond that, complex DevSecOps, API, and integrated cloud solutions will emerge as one of the leading threats as an attack vector for significant impact. We’re also going to see more accidental disclosure and insider threat risks for exfiltration, and challenges with preventing data leakage, due to how companies are still adopting technology without adequate security controls and architecture in place.

Recovery from incidents and breaches will become increasingly difficult and take longer for organisations as adversaries become efficient at destroying backups and other resiliency measures that are in place, in an attempt to improve extortion payouts.


Daniel dos Santos
Head of research at Forescout, Vedere Labs

In 2024, we saw threat actors increasingly target network perimeter devices like routers, firewalls, and VPNs. In the first half of the year alone, 20 per cent of newly exploited vulnerabilities focused on these devices, a trend I expect to persist with growing sophistication.

Notably, advanced persistent threats from state-sponsored actors have developed several custom malware for espionage on perimeter devices recently – such as ZuoRAT, HiatusRAT, and COATHANGER – and deployed those on thousands of devices across the world, supposedly as part of pre-positioning activities.

Sophisticated targeting of perimeter devices through custom malware and other methods can lead to privileged access to networks, making them high-value targets for state-sponsored actors in 2025.


Glenn Chisholm
Chief product officer at Obsidian Security

Historically, attackers gained initial access to networks through the endpoint; the sheer amount and diversity of these devices made them a prime target. But that’s not where the data is anymore. I expect identities to represent an increasingly frequent point of attack as these threat actors evolve their efforts and attention to where the biggest payout is: the data within cloud-based SaaS and PaaS applications.

There have been more SaaS breaches in the last six months than [in] the prior two years combined, and these compromises are generally identity-based attacks. With single sign-on (SSO), once an identity is compromised, attackers can use that one credential and its privileges to move laterally and access additional data through connected services. That is a massive haul, making every identity an attacker can obtain that much more valuable.

The key takeaway is that the next wave of threats will be targeted at SaaS identities since they – combined with SSO – make lateral movement free.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
