Last year reaffirmed what we’ve observed at Tidal Cyber since our founding: the pace of adversary TTP evolution is increasing, and with that the need for TTP intelligence. Most defenders know that indicators and infrastructure can shift daily or even hourly. Threat actors can quickly change the server they use to run a phishing campaign.
Now, behaviors and tools are evolving rapidly as well.
On the positive side, this often reflects the increasing strength of organizations’ defenses. As traditional attack vectors close, threat actors are forced to find new ones. Bad actors are also constantly seeking ways to expand their activities, especially in the cybercrime domain. These factors all contribute to our assessment that ransomware and edge device compromise will continue, and adversaries will increasingly use AI for their operations in 2025.
We’ll see the pace of adversary TTP evolution accelerate and impact organizations in the following ways:
Ransomware will remain a top concern as threat actors continue abusing legitimate tools.
The ransomware tool ecosystem has expanded beyond specially crafted malicious software to include legitimate tools. Ransomware actors co-opt these tools to gain access, move laterally, exfiltrate data, and evade detection. Take remote access and admin tools as an example. A threat actor obtains the software from the vendor’s own site, then poses as a member of the victim’s IT support team and talks the victim into installing it. The result is direct access to the victim’s laptop without having to pay for malicious software or write it themselves.
Defenders are increasingly quick to put a new control in place whenever a new adversary tool is identified. But many of these controls are brittle: a rule keyed to one ransomware enablement tool blocks that tool and nothing else, so the next tool (or a renamed copy of the same one) passes through. Plus, we can’t ignore the human factor. Threat actors are adept at impersonating IT support.
Alternatively, defenders can treat the whole class of tools as blocked by default and selectively allow only the approved ones. But with hundreds of legitimate tools being used for malicious purposes, building and maintaining that list is easier said than done.
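To make the brittleness concrete, here is an added example (not from the original post or from Tidal Cyber) that runs a name-based blocklist and a signer-based allowlist over the same constructed process-creation events. All tool names, publisher strings, paths and the approved deployment channel are hypothetical sample data for an imaginary organization; the point is the shape of the two rules, not any real product.

```python
"""Compare a file-name blocklist with a signer-based allowlist for remote
access tools, over constructed process-creation events (Sysmon Event ID 1
style fields). Every tool name, publisher string, path and event here is
constructed sample data for a hypothetical organization; the approved
configuration is an assumption, not advice about any real product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str       # executable file name as logged
    publisher: str   # code-signing certificate subject, "" if unsigned
    parent: str      # parent process image
    path: str        # full path of the executable


# Approach 1: name-based blocklist. Brittle: only tools already seen, by name.
BLOCKED_IMAGES = {"remotedesk.exe", "quicksupport.exe"}

# Approach 2: catalog of signers known to publish remote access tools
# (constructed subset; the real population runs to hundreds of tools), plus
# the one tool this hypothetical organization approves and how it is deployed.
RMM_PUBLISHERS = {
    "RemoteDesk Ltd": "RemoteDesk",
    "ScreenShare Inc": "ScreenShare",
    "QuickSupport GmbH": "QuickSupport",
    "HelpHand Software": "HelpHand",
}
APPROVED_TOOL = "ScreenShare"
APPROVED_PARENT = "sccm-agent.exe"   # managed deployment channel (constructed)
APPROVED_PREFIX = "c:\\program files\\screenshare\\"


def blocklist_flags(events):
    """Flag only executables whose logged file name is on the blocklist."""
    return [e for e in events if e.image.lower() in BLOCKED_IMAGES]


def allowlist_flags(events):
    """Flag any known remote access tool that is not the approved one, and the
    approved one when it arrives outside the managed deployment channel (the
    'IT support asked me to install it' case). Returns (event, reason) pairs."""
    flagged = []
    for e in events:
        tool = RMM_PUBLISHERS.get(e.publisher)
        if tool is None:
            continue  # not a known RMM signer; out of scope for this rule
        if tool != APPROVED_TOOL:
            flagged.append((e, f"unapproved remote access tool {tool}"))
        elif (e.parent.lower() != APPROVED_PARENT
              or not e.path.lower().startswith(APPROVED_PREFIX)):
            flagged.append((e, "approved tool installed outside managed channel"))
    return flagged


# Constructed events: a known-bad name, a renamed copy of the same tool, a tool
# never seen before, an approved managed install, and the approved tool run
# from a user's Downloads folder after a fake "support" call.
SAMPLE_EVENTS = [
    ProcessEvent("remotedesk.exe", "RemoteDesk Ltd", "explorer.exe",
                 r"c:\users\a\downloads\remotedesk.exe"),
    ProcessEvent("update.exe", "RemoteDesk Ltd", "explorer.exe",
                 r"c:\users\a\downloads\update.exe"),
    ProcessEvent("helphand.exe", "HelpHand Software", "msedge.exe",
                 r"c:\users\b\downloads\helphand.exe"),
    ProcessEvent("screenshare.exe", "ScreenShare Inc", "sccm-agent.exe",
                 r"c:\program files\screenshare\screenshare.exe"),
    ProcessEvent("screenshare.exe", "ScreenShare Inc", "explorer.exe",
                 r"c:\users\c\downloads\screenshare.exe"),
]

if __name__ == "__main__":
    print("blocklist:", [e.image for e in blocklist_flags(SAMPLE_EVENTS)])
    for e, why in allowlist_flags(SAMPLE_EVENTS):
        print("allowlist:", e.image, "->", why)
```

The blocklist catches only the first event; the renamed binary, the never-seen tool, and the approved tool dropped into a Downloads folder all slip past it. Keying on the signer and the deployment channel instead catches all four while leaving the managed install alone, which is the trade the post describes: better coverage in exchange for having to curate a large catalog of publishers.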
To help defenders prioritize relevant adversary TTPs, Tidal Cyber maintains a list of ransomware enablement tools across a range of capability types enriched with defensive context including how specific tools have been used within specific campaigns and relevant defensive capabilities. Our Community and Enterprise Editions enable multiple best practice workflows for applying this intelligence.
Threat actors will increase use of AI to lower the barrier to entry into existing TTPs.
The big concern among defenders is that threat actors will use AI to run an attack end to end. So far, we don’t see evidence of this. Instead, we see adversaries using AI to help facilitate initial access to an environment. The classic example is using AI to write a more polished phishing email, but it is also being used to improve social engineering, accelerate vulnerability research, and draft scripts for specific tasks, among other things.
Informed by Rachel James’ “Adversary use of Artificial Intelligence and LLMs” research project, recent additions to Tidal Cyber’s knowledge base show that the 10 named groups linked to AI usage are associated with a whopping 277 total techniques. Their adoption of AI technology could lower barriers and increase the chance of observing these post-compromise behaviors in future campaigns.
Many of the recently identified threat actors are Chinese APT espionage groups, so some defenders may think such groups won’t target them. But many of these groups are in fact known to compromise entities in a very wide range of industries and locations. If they are writing scripts to carry out compromises on a wide scale, there’s a chance that organizations that weren’t impacted previously could be.
Heading into 2025, Tidal’s additional categorization of these techniques is crucial for defenders looking to understand and anticipate adversary behaviors in an increasingly AI-driven environment.
APT espionage groups will continue to exploit network edge devices.
As defenders have improved protection of more traditional access vectors, such as web-facing assets, adversaries are targeting routers and other network “edge” devices. These devices require technical sophistication to compromise, but they provide fertile ground because defender visibility is often limited: such appliances rarely support endpoint agents, and their logs are frequently not collected centrally.
APT espionage groups have the skills and resources to carry out these campaigns, which include using botnets, novel vulnerability exploits, and custom malware to target firewalls and other perimeter devices. Once they gain access, they operate stealthily, establishing persistence, collecting information, and using these devices to pivot to more valuable parts of the network.
Considering the inherent challenges in securing network devices, such as telemetry collection and detection tuning, defenders need to think through additional security strategies. In just one case, Tidal Cyber recently added an extensive set of TTPs (45 Technique Relationships) to our Enterprise platform associated with the “Pacific Rim” edge device campaign, which can be useful for identifying post-exploit opportunities for detection or mitigation. This allows for layering of defenses against sophisticated network device campaigns, which we expect will continue and potentially gain momentum throughout 2025.
The cat and mouse game perpetuates.
As defenses improve, adversaries are forced to seek out novel tools and non-traditional targets that are more difficult to protect. The pace of adversary TTP evolution is increasing, so organizations must stay vigilant and regularly reassess their defenses against the latest TTPs used by relevant threats. This creates a steady flow of new challenges that Tidal Cyber’s Threat-Informed Defense helps our customers stem.