Adapting to a Changing Threat Landscape

By Martin Lee, Technical Lead, Security Research – EMEA, Cisco Talos Security Intelligence & Research

The cyber threat landscape is constantly in flux. Bad guys are always looking for new opportunities to conduct attacks and explore how new technology can be subverted to their ends.

Yet this is no cause for panic. The defenders’ toolkit is constantly expanding too. In most cases, defences are more than equal to the attackers’ capabilities. Indeed, the bad guys are aware of this and will look for the easiest, most weakly defended targets and ways into an organisation.

Keeping abreast of how the bad guys are changing their activities allows defenders to keep one step ahead.

Getting Under the Skin of Bad Actors

Humanity is driven by a complex set of altruistic and selfish desires. Faced with new opportunities, we may seek to apply our skills and knowledge to provide services or goods to others, to improve the environment or society in general, or to steal, defraud, and cause harm to the detriment of others. This negative side of humanity is as old as humanity itself. There have always been thieves and fraudsters.

Although technology may continuously change, the motivations of bad guys remain remarkably constant. Nevertheless, the skills and operating models of the bad guys are in constant evolution as criminals seek new opportunities to apply their skills and refine their techniques to make illicit gain.

Consider bank theft. The motivation to steal money held by financial institutions on behalf of their customers may be the same. But the techniques of 21st-century bank robbers are very different from those of the last century.

Films and TV shows of the mid-20th century depict bank theft as involving stolen cars driven fast, and masked and disguised robbers wielding sawn-off shotguns. Yet modern bank theft is committed online with little more equipment than a laptop, an internet connection, and banking trojan malware.

The nature of theft is evolving too. Petty theft is still common in the physical world but also afflicts virtual environments. Criminals seek access to online gaming accounts to steal in-game items to sell for real-world cash. The items may not physically exist, but they can still be stolen virtually, and, because they have value, can be sold on illicitly. If something has value, someone will try to steal it.

Allegiances to nation states or ideology are also a feature of humanity. Bad guys may seek to cause harm to a system as part of service to a foreign nation or deface systems to promote an ideology. Theft of service or data may not be as simple as a criminal looking for profit but may be part of a more complex set of allegiances. In such a case, the threat actor may consider themselves as the ‘good guy’ and the victim of the attack as the ‘bad guy’.

Damage or destruction of computer systems or data may be part of an effort by the threat actor to redress some long-held sense of injustice or right some notion of having been wronged. While this is not an excuse for the threat actor’s activity, understanding their motivations helps the defender to anticipate their actions.

The Increasing Prevalence of Cyber Conflict

War and armed conflict are also features of humanity. For as long as wars have been fought, belligerents have sought to disrupt the capability of their adversaries to wage war. During the 20th century, this included disrupting transport and supply networks to prevent supplies being delivered to armies or the destruction of industrial targets to prevent resupply.

The armies, nation states, and societies of modern states rely on networked computer systems to function. Hence, we can expect computer systems to be targeted during future conflict, not only to disrupt the capability to conduct war, but also to demoralise and destabilise the population in general.

Similar to but distinct from cyber-attacks is the notion of information warfare. Hostile states may use psychological campaigns, spreading disinformation to reduce trust in democratic institutions or to cause division within societies. These campaigns sap the will and ability of a target population to participate in conflicts or resist offensives launched against them.

These attacks may not be perpetrated directly by an enemy state but by proxy actors. Such actors may be under the direction and support of a nation-state but operate with enough freedom and flexibility that their actions may be plausibly denied by a hostile state.

Crowdsourcing well-meaning individuals who wish to participate in cyber-attacks as proxy actors will likely be a feature of modern conflict. These proxy actors may conduct offensive operations under the direction of a state or other proxy actors, or may provide a smoke screen under which the offensive cyber capability of a state can be deployed. Again, this allows cyber-attacks to be conducted at arm’s length with plausible deniability, and augments the cyber capability of a state without additional investment.

Our Collective Roles and Responsibilities

As members of the societies in which we live, it is in our interests to protect and defend the assets and institutions keeping our societies functioning. This is in addition to any moral obligation that we may have to defend our society.

Anyone who owns or controls a networked computer system should take steps to ensure that the system is resistant to cyber-attacks and cannot be used as a staging point for further attacks. These steps may be as simple as installing software patches and having endpoint protection in place, but not having any protection is to invite compromise.

Similarly, as citizens, we should be vigilant in identifying disinformation campaigns where a hostile threat actor seeks to spread propaganda or exploit divisions in our societies to our detriment. While healthy debate is to be welcomed, we should reflect on the origin and nature of any information we may seek to amplify through our social media accounts.

New Technology Investments Will Be Prime Targets

Any new investment in technology can be expected to be targeted by threat actors. Attackers will seek software vulnerabilities to exploit in order to gain access to systems and steal what they can. Data can be encrypted and held to ransom, or threatened with public release as a form of data breach extortion. Network capacity can be stolen to launch denial of service attacks or used as a platform to launch further attacks against additional systems. Equally, CPU cycles can be stolen to mine cryptocurrency.

Stealing access credentials allows bad guys to masquerade as others. This is serious when the attacker can gain access to the account of someone with administrator privileges. Moreover, with the advent of virtual reality environments, an attacker who gains access to an account takes over the whole persona of the hacked individual.

There have been several incidents where individuals’ or brands’ social media accounts were taken over by threat actors, who have caused reputational damage. With individuals and brands looking to participate in virtual reality environments, having your representation and means of engagement with others under the control of a malicious entity is a recipe for disaster.

However, there are other techniques for hijacking reputations. Advances in artificial intelligence allow the creation of increasingly convincing computer-generated impersonations of individuals. These can range from voice impersonations to full video representations.

These representations differ from human impersonators in that they are available to anyone with access to the necessary software. Self-publishing platforms, including social media, rarely verify the origin of content. Hence, convincing fake video footage of someone uttering controversial comments can rapidly spread across the internet before it is identified as fake.

How You Can Bolster Your Defences

Assuring the cybersecurity of systems is not an impossible task. Cybersecurity begins with assessing risks, understanding what an attacker might seek to achieve by attacking a system and how they might go about this.

The motivations of attackers are unlikely to change suddenly. Many case studies and much research demonstrate the high-level goals sought by threat actors. Similarly, there are only so many tactics and techniques that a threat actor can use to compromise or abuse a system – and these are well described too.

Armed with such understanding, we can conduct a threat intelligence-based risk analysis of any new system and identify what an attacker might do and how they might go about it. From this, we can design the defences and mitigation measures that will both frustrate the threat actor in achieving their goals and help uncover their presence.

Nevertheless, don’t overlook the damage that can be caused by a trusted insider acting maliciously or the chaos that can be generated by a well-meaning insider accidentally performing the wrong action. Not all cybersecurity incidents are due to malicious threat actors outside the organisation.

Defences come with two caveats. Firstly, any defence must be proportionate to the asset being defended. Don’t skimp on defences for high-value assets, and don’t blow the budget on defending a low-value asset of little consequence if it is breached. Secondly, no defence is ever 100% effective. Plan for an incident to occur and how defenders will respond.

Vigilance is a key part of any cybersecurity strategy. Attacks leave traces that can be detected, allowing teams to identify successful attacks before the attacker can cause harm. Remediating an attack requires planning and possibly more resources than the defending team can immediately deploy. Understanding how an attack may be uncovered and what will be required to remediate it is a vital part of any cybersecurity strategy.
Innovation and technological progress are bringing new opportunities. However, the negative sides of humanity will seek to exploit these opportunities for their own ends. Predicting how malicious threat actors will seek to achieve their ends allows us to plan and design in features to thwart attacks.

Although not every defensive measure will be completely successful, each barrier an attacker must breach increases the costs to the attacker as well as the chances their efforts will be detected. Once detected, incident response plans can be activated to remediate the attack.
Martin Lee is Technical Lead at Cisco Talos Security Intelligence and Research Group, the largest private threat-detection network in the world. Martin began his career in molecular biology by spotting patterns in human virus genomes at the University of Oxford but made a huge U-turn when he discovered the world of computer programming and the internet in the 90s. As a researcher within Cisco Talos, he seeks to improve the resilience of the Internet and awareness of current threats through researching system vulnerabilities and changes in the threat landscape. With 15 years of experience within the security industry, he is CISSP certified, a Chartered Engineer, and holds degrees from the universities of Bristol, Cambridge, Paris and Oxford.

Cyber Security Review online – September 2022