
Cybersecurity for 2025 (eBook)

Principles, Practice, and Preemptive Strategy
eBook download: EPUB
2025
202 pages
Azhar Sario Hungary (publisher)
978-3-384-75686-2 (ISBN)

Reading and media samples

Cybersecurity for 2025 - Azhar Ul Haque Sario
5,16 incl. VAT
(CHF 4,95)
eBook sales are handled by Lehmanns Media GmbH (Berlin) at the price in euros incl. VAT.
  • Download available immediately

Cybersecurity for 2025: Principles, Practice, and Preemptive Strategy is your no-nonsense guide to surviving, and thriving, in tomorrow's digital battlefield.


This book packs five tight parts into one actionable read. Part 1 nails the 2025 threat scene: nation-states, ransomware-as-a-service, AI deepfakes, and the new 'preemptive' mindset that beats detect-and-respond. You get NIST CSF 2.0's fresh Govern function, the Parkerian Hexad, Saltzer-Schroeder principles, and STRIDE threat modeling. Part 2 dives into attack vectors: TCP/IP hijacks, buffer overflows, XSS, SSRF, side-channels, and browser data leaks. Part 3 flips to Blue Team ops: SOC workflows, IR playbooks, forensics, SIEM labs with Splunk, and Zero Trust pillars. Part 4 arms the Red Team: MITRE ATT&CK, nmap, Nessus, Metasploit, and ethical LotL (living-off-the-land) tactics. Part 5 tackles the frontier: cloud shared responsibility, IoT botnets, OT convergence, AI malware, model poisoning, plus GRC, policy writing, and a picoCTF capstone. Every chapter ends with a hands-on lab, tabletop, or code exercise you can run today.


What sets this book apart is its ruthless 2025 focus and zero fluff. Other texts rehash 2015 exploits or bury you in theory; this one cites ENISA 2025, CrowdStrike 2025, Gartner preemptive forecasts, and Cloudflare's live PQC rollout. You won't find recycled OWASP Top 10 lists; you'll build IAM policies in AWS JSON, craft iptables rules, debug stack-smashing in GDB, and write Splunk alerts that trigger in real time. Labs use free tools: Kali, Metasploitable, Nessus Essentials, Splunk trial, Wireshark, OpenSSL, Shodan. The capstone sends you to picoCTF to prove you can pivot from crypto to forensics to rev-eng under pressure. No other single volume ties academic rigor (MIT, Stanford, CMU syllabi) to street-ready skills while prepping you for the quantum cliff and AI arms race.


© 2025 Azhar ul Haque Sario. This work is not affiliated with, endorsed by, or sponsored by MIT, Stanford, Carnegie Mellon, NIST, ENISA, CrowdStrike, Gartner, Cloudflare, Splunk, Tenable, or any cited entity. All trademarks are used under nominative fair use for identification and educational purposes only.

Part 1: Foundations of Cybersecurity

The 2025 Cybersecurity Landscape and Threat Modeling

1.1 The 2025 Threat Landscape: Industrialization and Convergence

Knowledge: Defining the Modern Adversary

Welcome to the 2025 threat environment. To defend an organization, you must first understand who is attacking it and what they want. The modern threat landscape is not a monolith; it's a complex ecosystem of distinct actors, each with unique motives, capabilities, and targets.

We primarily categorize these actors into three main groups:

Nation-State Actors: These are the intelligence services and military cyber commands of a country. Their motives are geopolitical. They are not interested in a $5,000 ransom; they are playing a long-term game of espionage, intellectual property theft, and strategic disruption of critical infrastructure. Their capabilities are virtually unlimited, backed by state funding, and they are responsible for the most sophisticated "Advanced Persistent Threats" (APTs).

Organized Cybercrime: This is the most prevalent and financially damaging category. These are financially motivated enterprises, run like a business with R&D, customer support, and affiliate programs. Their primary goal is profit. Their main weapons are ransomware and large-scale fraud. They are the driving force behind the "industrialization" of cybercrime.

Hacktivists: These actors are ideologically motivated. They use cyberattacks, primarily Distributed Denial of Service (DDoS) and website defacements, to make a political statement, protest a policy, or disrupt an organization they disagree with. Their capability varies wildly, from a single, low-skilled individual to highly organized, state-aligned groups.

While we once viewed these groups as separate, the 2025 landscape is defined by their convergence. Motives and methods are blurring. Financially motivated groups now leak data for political leverage, and nation-states adopt ransomware tactics as a tool of statecraft, creating a chaotic and unpredictable environment for defenders.

2025 Application: Industrialization and Evasion

The defining trend of 2025 is the "industrialization" of cybercrime. Attackers are no longer lone artisans crafting individual attacks; they are customers of a massive, underground service-based economy. The most significant development here is Phishing-as-a-Service (PhaaS).

Platforms like EvilProxy, Tycoon 2FA, and Sneaky 2FA have productized sophisticated attacks. For a simple subscription, any low-skilled criminal can now launch campaigns that were once the domain of experts. These platforms provide everything: convincing email templates, pre-built credential-harvesting websites that look identical to a Microsoft 365 or Google login, and—most critically—built-in Adversary-in-the-Middle (AiTM) capabilities. These AiTM proxies sit between the victim and the real website, allowing them to steal not just the password but the multi-factor authentication (MFA) session cookie, completely bypassing one of our most trusted defenses.

This industrialization is paired with a new, highly effective evasion technique: "Living Off Trusted Sites (LOTS)". Why build your own malicious server that security tools can easily block when you can hide in plain sight? Attackers now route their Command and Control (C2) communications—the "heartbeat" that connects their malware to their server—through legitimate, trusted platforms.

For example, an infected computer might not send a suspicious-looking signal to an unknown IP address in Eastern Europe. Instead, it just sends a new message to a private channel in Slack, or updates a file in a Dropbox or Google Drive folder, or posts an innocuous comment on GitHub. To a security monitoring tool, this looks like normal, everyday employee traffic. This technique makes detection incredibly difficult, as blocking Slack or Microsoft Teams is not an option for most businesses.
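
Because the destination is a trusted domain, detecting LOTS C2 comes down to behaviour rather than reputation. The following Python is an added example, not code from the book: it runs over constructed proxy log lines in which one workstation contacts hooks.slack.com on a near-clockwork schedule while another hits the same domain in the irregular bursts a human produces, and flags only the periodic pair.

```python
"""Beacon detection for C2 hidden on trusted SaaS domains (LOTS).

Added example with constructed sample data. Host ws-17 beacons to
hooks.slack.com roughly every 60 s; host ws-03 uses the same domain
with irregular, human-driven timing. Only ws-17 should be flagged.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<timestamp> <src_host> <dest_domain> <bytes>"
SAMPLE_LOG = """\
2025-03-04T09:00:00Z ws-17 hooks.slack.com 312
2025-03-04T09:01:01Z ws-17 hooks.slack.com 310
2025-03-04T09:02:00Z ws-17 hooks.slack.com 315
2025-03-04T09:03:02Z ws-17 hooks.slack.com 309
2025-03-04T09:03:59Z ws-17 hooks.slack.com 313
2025-03-04T09:05:00Z ws-17 hooks.slack.com 311
2025-03-04T09:00:12Z ws-03 hooks.slack.com 1540
2025-03-04T09:00:40Z ws-03 hooks.slack.com 204
2025-03-04T09:07:55Z ws-03 hooks.slack.com 9800
2025-03-04T09:31:03Z ws-03 hooks.slack.com 412
2025-03-04T10:02:19Z ws-03 hooks.slack.com 2201
2025-03-04T10:02:25Z ws-03 hooks.slack.com 388
"""

def parse_log(text):
    """Group request timestamps by (source host, destination domain)."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return pairs

def beacon_score(times):
    """Coefficient of variation of the gaps between requests; near 0 means clockwork timing."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return (src, dst, cv) for host/domain pairs whose timing looks like a C2 beacon."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(cv, 3)))
    return hits
```

Real implants add jitter, so in production the threshold is tuned per environment and combined with request-size regularity and off-hours activity rather than used alone.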

Case Study: The ENISA Threat Landscape 2025

Our primary case study for this module is the ENISA Threat Landscape 2025 (ETL 2025) report. This comprehensive analysis, which reviewed nearly 4,900 verified incidents across the EU from July 2024 to June 2025, provides a data-driven snapshot of our current reality.

The findings are stark:

Target Concentration: Public administration was the most targeted sector, accounting for a staggering 38% of all incidents. This highlights a clear trend of both hacktivists and state-aligned groups targeting government bodies.

Hacktivism Dominance: A massive 80% of all recorded incidents were attributed to hacktivist operations, with DDoS attacks being their weapon of choice (accounting for 77% of all attacks by volume). While often short-lived, the sheer frequency of these attacks creates a constant state of disruption.

Phishing Reigns Supreme: Despite all our training, phishing remains the king of initial access, responsible for 60% of all intrusions. This is the gateway that enables the more severe attacks, like ransomware.

The Convergence: The ETL 2025 report's key finding is the convergence of TTPs (Tactics, Techniques, and Procedures). It's no longer a clear line. The report details how state-aligned actors and hacktivist groups are increasingly adopting the same TTPs, particularly in their coordinated DDoS campaigns against EU public administration and transport sectors.

The report also specifically calls out the evolution of phishing, noting the rise of "AI-supported" and "QR code phishing" (quishing). Attackers send benign-looking emails asking an employee to scan a QR code on their phone to access a document or re-validate their account. This bypasses email-based security filters entirely and moves the attack to a personal, less-secure device, where the user is then presented with a PhaaS-powered credential-stealing page.

Skill & Training: Threat Intelligence Consumption

This knowledge is only useful if it's actionable. Your first practical skill is Threat Intelligence Consumption. You will be given a sanitized, real-world threat intelligence report from a source like CrowdStrike or ENISA.

Your task is not to just read it; it is to perform a structured analysis. You must work in your group to find and extract the following actionable intelligence:

Who is being targeted? (e.g., financial services, healthcare).

What are the specific TTPs? (e.g., "AI-supported phishing," "CVE-2025-XXXX exploitation," "LOTS C2 via Telegram").

What are the Indicators of Compromise (IOCs)? (e.g., specific file hashes, IP addresses, domain names).

What are the recommended mitigations? (e.g., "Patch systems," "Implement FIDO2-based MFA," "Block TLD .xyz").

This exercise simulates the real-world job of a security analyst. You must translate a dense, technical report into a simple, clear set of risks and actions that your leadership can understand and act upon.

1.2 The AI Force Multiplier: GenAI-Driven Threats

Knowledge: Lowering the Barrier to Entry

For years, we've debated the potential of artificial intelligence in cyberattacks. In 2025, it is no longer a potential. It is a reality. Generative AI (GenAI) has not, for the most part, created a new class of "super-threat." Instead, it has acted as a force multiplier, dramatically lowering the barrier to entry for less-skilled actors and supercharging the effectiveness of existing ones.

Historically, crafting a sophisticated attack required significant expertise. An attacker needed to be a good programmer to write malware, a systems expert to understand network evasion, and a fluent, native speaker to write a convincing phishing email.

GenAI eliminates these barriers.

A non-native speaker can now use an LLM to write a perfectly worded, context-aware phishing email in any language, free of the grammar and spelling mistakes that were once a key red flag.

A novice script kiddie can ask an AI to write polymorphic malware code—code that changes itself with each execution to evade signature-based antivirus tools.

An attacker can feed a target's public LinkedIn profile and a company's recent press release into a GenAI and ask it to craft a highly personalized, urgent spear-phishing email to a specific employee, a task that would have previously taken hours of manual research.

GenAI is the ultimate assistant, and it works just as well for the attacker as it does for the defender. It automates reconnaissance, scales social engineering, and refines malicious code, allowing a single attacker to do the work of a team.

2025 Application: Automated, Personalized Attacks at Scale

In 2025, we are moving beyond "experimentation." Adversaries are actively deploying AI-enabled attacks in the wild. The most common application is in social engineering. We are now seeing automated phishing and vishing (voice phishing) campaigns that are personalized at a scale never before possible. The AI can scrape social media to find a target's name, their boss's name, and a project they recently...

Publication date (per publisher) 17.11.2025
Language English
Subject area Computer science > Networks > Security / Firewall
Keywords 2025 cybersecurity • AI driven threats • hands on Splunk labs • NIST CSF 2.0 • post quantum cryptography • preemptive security • Zero Trust Architecture
ISBN-10 3-384-75686-X / 338475686X
ISBN-13 978-3-384-75686-2 / 9783384756862
EPUB (without DRM)

Digital Rights Management: no DRM
This eBook contains no DRM or copy protection. Passing it on to third parties is nevertheless not legally permitted, because at purchase you acquire only the rights to personal use.

File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to presenting fiction and non-fiction. The running text adapts dynamically to the display and font size, so EPUB is also well suited to mobile reading devices.

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need the free software Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is, however, not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a free app.

Buying eBooks from abroad
For tax law reasons we can only sell eBooks within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.
