James Blake is the Vice President of Cyber Resiliency at Cohesity and has over 30 years of experience as a CISO and in incident response.
In 2023, we saw ransomware revenue exceed $1 billion. In 2024, nation-states started to prepare for a potential kinetic attack. What does 2025 hold for CISOs trying to build resilience?
1. There will be increased use of AI by both adversaries and defenders.
The internet is awash with vendor claims that AI will enable a barrage of unstoppable cyberattacks that only their all-in-one AI-powered products can prevent. Reality will be slightly less hyperbolic. AI will be a force multiplier on both sides, but we shouldn’t be lulled into a false sense of security or despair.
The use of large language models (LLMs) has indeed enabled adversaries to hone the tone and grammar of their phishing lures to the degree that many of the things users are trained to look out for are no longer sufficient to distinguish phishing from legitimate emails. This increases our reliance on technical preventative controls and response and recovery capabilities should a user inadvertently fall prey to a social engineering attempt.
In 2023, however, phishing became only the second-most common initial access vector, with vulnerability exploitation forming the bulk of how ransomware gets into organizations. AI has allowed adversaries to reverse-engineer vendor patches into exploits that can be weaponized on ransomware-as-a-service (RaaS) platforms in only a handful of days. A five-day patch window is impossible to achieve for most organizations. Instead, companies must assume that adversaries will gain access to their systems and build appropriate defense-in-depth and resilience measures to deal with this reality.
We’re dealing with human adversaries that constantly adapt their tools, tactics and procedures. Although anomaly detection is very good at identifying deviations from the norm and machine learning is excellent at classification, AI can’t piece together an understanding of an attack that produces a definitive set of tasks that need to be undertaken to remediate threats. AI helps analysts be more effective and efficient when undertaking their tasks, but it can’t undertake them end-to-end without the involvement of a human. Recovery without remediation and bolstering controls leaves an organization open to reinfection from the same threat actor or future attacks from an affiliate of the same RaaS platform.
CISOs need to embrace AI in defense but be realistic about its current capabilities, or they risk making promises that will come back and bite them when they become victims of an attack and suffer from extended downtime because AI-driven protection fails to eliminate threats.
2. There will be more evasion of traditional detection and prevention tooling.
During 2024, RaaS platforms increasingly baked in evasions of endpoint and network security controls, rendering the tooling most organizations rely on to detect and investigate destructive cyberattacks unreliable as a sole means of detection. These endpoints also become isolated islands once the containment stage of incident response is implemented.
In 2025, organizations need to be able to rapidly rebuild security tooling to a trusted state, along with providing access to all of the other resources needed to respond to an incident, including communication with internal and external stakeholders like insurance companies, the press, regulators and impacted data subjects. In addition, organizations will need to think about how tasks like threat hunting and digital forensics can be achieved when the impacted hosts and networks are isolated or security tooling has been targeted.
3. The global geopolitical situation will result in an increased likelihood of wiper attacks.
Russia and Iran are two of the most prolific users of wiper malware, and both are embroiled in conflicts that could make Western organizations the target of future attacks. In 2024, the China-aligned Volt Typhoon group was also seen pre-positioning inside Western critical national infrastructure. Organizations likely to be targeted by these actors need to build resilience appropriate to investigating and eradicating threats from such highly skilled and motivated groups.
4. There will be increased collaboration between nation-states and ransomware gangs.
One of the most alarming developments in 2024 was the collaboration between nation-state actors and ransomware operators. Iranian state-aligned actor Pioneer Kitten was seen providing the initial access it had gained to several ransomware operators. In 2025, we’ll see this type of collaboration increase, motivated by the desire of those nation-state groups to cause continued disruption to the economies of their adversaries and as “false-flag” cover for their espionage operations.
5. There will continue to be unnecessary impacts on organizations that ignore best practices in cyber incident response.
Some organizations will continue to treat destructive cyberattacks as business continuity and disaster recovery (BC/DR) scenarios, resulting in extended downtime due to reinfection and reattack. Often, responsibility for dealing with ransomware attacks is handed wholesale to the IT department, as they’ve traditionally been responsible for BC/DR. But the response and recovery strategies needed for destructive cyberattacks differ from those needed to handle scenarios like flood, fire, equipment failure, loss of power or misconfiguration. The root causes of these events are easily established, and the recovery strategy is to restore the last snapshot of the impacted systems back into a production environment.
Contrast this with destructive cyberattacks, where the cause of the incident is constantly shifting. Along with this, adversaries know how to evade detection, and they can choose from hundreds of techniques to conduct their multistage attack.
Recovery without sufficient investigation and mitigation of threats can result in an organization leaving vulnerabilities and control gaps in situ and rapidly becoming infected again. In 2025, CISOs and CIOs need to collaborate to ensure a shared responsibility model and integrated platforms to optimize the speed of investigation, mitigation and recovery.
Quick recovery times that don’t introduce more risk by being premature can be achieved by optimizing workflows and platforms to allow the rebuilding of operating systems and applications while investigating incidents and recovering data in parallel. This optimizes resource utilization, allowing your teams to apply the necessary remediations to minimize the risk of reinfection or reattack.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.