Lessons learned from the Cyber Security battlefield
In our experience handling cyber incidents, the process always concludes with a meeting to analyze the lessons learned. Undoubtedly, 2024 saw a notable increase in both the volume and complexity of these incidents. For this reason, this article aims to compile the key lessons organizations should consider to face the challenges of 2025.
Ransomware takes center stage
The predominant attack type in 2024 was ransomware, particularly in its double and triple extortion forms. The main lessons learned in this context revolve around four key aspects: the attack vector, persistence methods, lateral movement, and command and control.
1. How the attack begins
Analysis shows that phishing remains the primary attack vector. This technique enables attackers to deceive employees or third parties with network access into executing malicious actions, such as installing malware or establishing remote connections.
However, 2024 also saw an increase in the exploitation of common business tools like VPNs and remote access services. Attackers leverage exposed credentials, the lack of regular password changes, the absence of multifactor authentication, or known vulnerabilities on these platforms. Once inside, attackers are difficult to detect as they use legitimate credentials and exhibit seemingly normal behavior.
2. How they stay in the network
Attackers use persistence techniques to ensure continuous access to compromised systems, even after reboots or defensive measures. Common methods include scheduling automated tasks, enabling malicious services, and creating administrative users.
A key lesson from 2024 is the importance of managing identities within the network. Quickly detecting the creation of suspicious users or unusual activities associated with privileged accounts can make a critical difference in preventing attackers from maintaining a foothold.
3. How they move undetected
Lateral movement and privilege escalation are two essential techniques for attackers. In lateral movement, they compromise valid user accounts to access multiple systems, mimicking normal behavior. In privilege escalation, they exploit misconfigurations or excessive permissions to gain administrative rights.
It is crucial to review configurations to ensure that standard user accounts do not have unnecessary privileges and to monitor the use of tools like remote desktops and IT services.
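The two lessons above (watch for new users and privileged activity; watch how remote desktops are used) can be turned into concrete detection rules. The following is an added example, not code from the original article: it runs a handful of rules over a constructed, normalised view of Windows Security and System events. The event IDs are the real ones (4720 user created, 4732 member added to a local group, 4698 scheduled task created, 7045 service installed, 4624 logon with logon type 10 meaning RDP); the field names and the business-hours window are assumptions.

```python
"""Persistence and identity detection rules over normalised Windows events.

Added example. SAMPLE_EVENTS is constructed, not real telemetry, and the
flat schema (time, event_id, user, target, logon_type, group) is an assumed
normalisation layer, not the raw EVTX layout.
"""
from datetime import datetime, time

# Constructed sample: an account used outside business hours over RDP creates
# a new user, makes it a local administrator, and the new user schedules a task.
SAMPLE_EVENTS = [
    {"time": "2024-11-04T09:12:00", "event_id": 4624, "user": "j.doe",
     "target": "WS-017", "logon_type": 2},
    {"time": "2024-11-04T23:41:00", "event_id": 4624, "user": "svc_backup",
     "target": "FS-01", "logon_type": 10},
    {"time": "2024-11-04T23:43:00", "event_id": 4720, "user": "svc_backup",
     "target": "helpdesk2"},
    {"time": "2024-11-04T23:44:00", "event_id": 4732, "user": "svc_backup",
     "target": "helpdesk2", "group": "Administrators"},
    {"time": "2024-11-04T23:50:00", "event_id": 4698, "user": "helpdesk2",
     "target": "\\Microsoft\\Windows\\Update\\Sync"},
    {"time": "2024-11-05T10:05:00", "event_id": 4624, "user": "j.doe",
     "target": "WS-017", "logon_type": 10},
]

# Assumed business window; tune per organisation and per service account.
BUSINESS_HOURS = (time(7, 0), time(20, 0))


def is_off_hours(timestamp: str) -> bool:
    """True when the event's clock time falls outside BUSINESS_HOURS."""
    clock = datetime.fromisoformat(timestamp).time()
    start, end = BUSINESS_HOURS
    return not (start <= clock < end)


def detect(events: list[dict]) -> list[dict]:
    """Apply the rules in chronological order and return one alert per hit.

    Every user creation is alerted (the article treats it as always critical);
    privileged-group changes, new tasks/services and off-hours RDP logons are
    alerted; and any activity by an account created inside the log window is
    alerted separately so the analyst sees the chain, not isolated events.
    """
    alerts = []
    created_accounts = set()  # accounts whose 4720 appeared in this window
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["event_id"]
        hits = []
        if eid == 4720:
            hits.append("user_created")
            created_accounts.add(ev["target"])
        elif eid == 4732 and ev.get("group") == "Administrators":
            hits.append("admin_group_member_added")
        elif eid == 4698:
            hits.append("scheduled_task_created")
        elif eid == 7045:
            hits.append("service_installed")
        elif eid == 4624 and ev.get("logon_type") == 10 and is_off_hours(ev["time"]):
            hits.append("rdp_logon_off_hours")
        if ev["user"] in created_accounts:
            hits.append("activity_by_newly_created_account")
        for rule in hits:
            alerts.append({"rule": rule, "time": ev["time"],
                           "user": ev["user"], "target": ev["target"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["time"]}  {alert["rule"]:34}  {alert["user"]} -> {alert["target"]}')
```

The point of the last rule is correlation: a single 4698 looks like routine administration, but a scheduled task created by an account that did not exist an hour ago is exactly the foothold the article describes. In production the same logic sits in a SIEM query; the window over which created accounts are remembered would be days rather than one log batch.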
4. External control: command and control
Command and control refers to the mechanism through which attackers manage compromised machines from outside the network. For example, they can issue commands to encrypt data on all infected devices through the connections those devices make to external servers, often camouflaged within web traffic or even within messages from applications like WhatsApp or Telegram.
Detecting traffic to suspicious external IP addresses, particularly low-volume but frequent communications, should be a priority in monitoring strategies.
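"Low-volume but frequent" communication to one external address is the classic beaconing pattern, and it can be scored from flow records alone. The following added example (not from the original article) groups constructed flow records by source/destination pair and flags pairs whose connections are numerous, small, and evenly spaced; regularity is measured as the coefficient of variation of the inter-arrival times, so a beacon with a little jitter is still caught. The thresholds and the IP addresses (documentation ranges) are assumptions.

```python
"""Beacon detection over flow records: many small, regularly spaced connections.

Added example. The flows are constructed (documentation IP ranges), and the
thresholds are starting points to be tuned against an organisation's baseline.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows() -> list[tuple[int, str, str, int]]:
    """Constructed flows as (epoch_seconds, src_ip, dst_ip, bytes_out)."""
    base = 1_700_000_000
    flows = []
    # A beacon: roughly every 60 s with a few seconds of jitter, ~400 bytes each.
    jitter = [0, 3, -2, 4, -1, 2, -3, 1, 0, -4, 2, 1]
    for i, j in enumerate(jitter):
        flows.append((base + 60 * i + j, "10.0.5.23", "203.0.113.45", 412))
    # Ordinary browsing: bursty timing, widely varying sizes, few connections.
    for offset, size in [(5, 18000), (9, 2500), (12, 60000),
                         (300, 900), (302, 32000), (900, 12000)]:
        flows.append((base + offset, "10.0.5.23", "198.51.100.7", size))
    return flows


def find_beacons(flows, min_connections: int = 8,
                 max_cv: float = 0.2, max_avg_bytes: int = 2048) -> list[dict]:
    """Return one record per (src, dst) pair that looks like a beacon.

    A pair qualifies when it has at least min_connections flows, the
    coefficient of variation (stdev / mean) of the gaps between consecutive
    flows is at most max_cv, and the average payload is at most max_avg_bytes.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    results = []
    for (src, dst), records in by_pair.items():
        if len(records) < min_connections:
            continue
        records.sort()
        gaps = [b[0] - a[0] for a, b in zip(records, records[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # duplicate timestamps; not a timing pattern we can score
        cv = pstdev(gaps) / period
        avg_bytes = mean(n for _, n in records)
        if cv <= max_cv and avg_bytes <= max_avg_bytes:
            results.append({"src": src, "dst": dst, "connections": len(records),
                            "period_s": round(period, 1), "cv": round(cv, 3),
                            "avg_bytes": round(avg_bytes)})
    return results


if __name__ == "__main__":
    for hit in find_beacons(build_sample_flows()):
        print(hit)
```

On the sample the browsing pair is discarded for having too few connections; the beacon pair is reported with a period of about 60 s and a coefficient of variation near 0.07. Lowering max_cv makes the rule stricter against jittered implants, and the same grouping extends naturally to DNS query logs, where the "destination" is the queried domain rather than an IP.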
Lessons for 2025
Based on the learnings from 2024, here are the key actions organizations should implement:
- Minimize privileges: No device should routinely be used with high-privilege accounts. This hinders malicious activities and reduces breach impact.
- Monitor user creation: Even when following an approved procedure, the creation of new users should always be treated as a critical activity to monitor.
- Understand internal network services: Knowing the normal behavior of services allows the detection of anomalies, such as off-hours connections or unusual uses of remote desktops.
- Detect anomalous traffic to external IPs: Set up alerts to identify suspicious patterns in network communications.
- Manage and monitor privileged users: Identifying the regular activities of high-privilege accounts and monitoring unusual changes is essential for effective prevention and response.
Finally, it is imperative to emphasize that no monitoring system is infallible. Therefore, organizations must be prepared to respond to incidents by defining clear roles and responsibilities within the response team. As Sun Tzu said in The Art of War, "Know yourself and know your enemy, and you will win a thousand battles."