For security professionals, a year in review may seem somewhat overwhelming. Between alert fatigue and the constantly expanding attack surface, 2024 brought with it a long list of unexpected threats. However, as with everything else, having a meaningful “lessons learned” discussion can improve the organization’s proactive security risk mitigations by identifying areas of improvement.
As organizations look to defend themselves against the onslaught of attacks that 2025 will surely bring, these insights from 2024 and suggested strategies can help define a path forward.
Insights from 2024
While 2024 may be an object in the rearview mirror, the insights gained are definitely larger than they appear. As organizations move into the new year, they can expect to see a continuation of some activities they may already recognize.
Flourishing hacktivism
2024 had a high level of online hacktivism attacks that echoed geopolitical conflicts in Ukraine, Gaza, and elsewhere. Hacktivist groups were formed online to DDoS countries and companies that were perceived to be opponents of their side of the issue.
Many of these hacktivist groups gamify their botnets. For example, they offer a points or scoring system that rewards participants for adding more nodes to the botnet. Those participants can then spend their points when choosing the target they get to attack.
The use of AI techniques, ChatGPT, and other technological advances has democratized the hacktivist space. Today, almost anyone can generate and send a bulk social engineering message that entices people to click malicious links. Further, these advancements mean that malicious actors no longer require specialized skills to develop tools that infiltrate and exploit vulnerabilities.
With the democratization of these capabilities and increased activism, the number and variety of infected hosts increase, making it easier to launch attacks from more legitimate-looking locations. One consequence is more complex botnets: instead of relying only on small Internet of Things (IoT) devices, hacktivists can use computers inside enterprises and legitimate data centers to carry out the attacks. Because the traffic comes from more legitimate sources, organizations struggle to block it.
Advanced DDoS attacks
Increased attacker capabilities mean that these groups will create or maintain a more sophisticated botnet. They make these available as a set of frontend tools on the dark web so that cybercriminal or hacktivist buyers can use them to attack an organization.
The use of booter/stresser services
Some hackers learned that they could generate revenue by building DDoS bots on compromised web servers or cloud servers and offering them for hire as a booter or stresser service. These services largely focus on single targets, acting as a powerful attack platform that generates a lot of bandwidth and a variety of different traffic types.
Increased carpet bombing attacks
With carpet bombing attacks, malicious actors target many destinations within a particular company. Originally, these started with service providers who had a lot of IP address space that provided attackers with a wide attack surface. However, these attacks increasingly target enterprises. They tend to be more impactful because defending against all the different types of technologies being hosted in those areas can be overwhelming.
The cybercriminal ecosystem makes deploying these attacks easier, too. The tooling inside the bot software means that the cybercriminal mainly just needs to use a checkbox to start the attack. With the ability to automate and add more infected endpoints to the bot, a sophisticated carpet bombing attack becomes a simple point-and-click process.
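Carpet bombing spreads the attack across many destinations so that no single host crosses a per-destination threshold. The added example below (not part of the original post, and not Vercara's code) runs the same constructed flow records through a per-host detector and a per-prefix detector to show why defenders need to aggregate by covering prefix and count distinct targets. The thresholds, prefix length and flow records are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records standing in for one minute of NetFlow/sFlow export:
# (source IP, destination IP, bytes). Not real traffic.
def build_sample_flows():
    flows = []
    # Attack: 40 sources each send 200 KB to each of 50 hosts in 198.51.100.0/24,
    # i.e. 8 MB per destination, deliberately under a 10 MB per-host bar.
    for s in range(40):
        src = f"192.0.2.{s + 1}"
        for d in range(50):
            flows.append((src, f"198.51.100.{d + 1}", 200_000))
    # Benign: a few clients talking to one web server in the same prefix.
    for c in range(3):
        flows.append((f"203.0.113.{c + 10}", "198.51.100.200", 1_000_000))
    return flows

PER_HOST_THRESHOLD = 10_000_000     # assumption: 10 MB per destination per window
PER_PREFIX_THRESHOLD = 100_000_000  # assumption: 100 MB per /24 per window
MIN_TARGETS = 16                    # assumption: distinct destinations before calling it carpet bombing

def bytes_per_destination(flows):
    totals = defaultdict(int)
    for _src, dst, nbytes in flows:
        totals[dst] += nbytes
    return totals

def per_host_alerts(flows, threshold=PER_HOST_THRESHOLD):
    """Classic per-destination detection: which hosts individually cross the bar?"""
    return sorted(dst for dst, total in bytes_per_destination(flows).items()
                  if total >= threshold)

def per_prefix_alerts(flows, prefix_len=24, threshold=PER_PREFIX_THRESHOLD,
                      min_targets=MIN_TARGETS):
    """Aggregate by covering prefix and require many distinct destinations,
    which is the signature that per-host thresholds miss."""
    totals = defaultdict(int)
    targets = defaultdict(set)
    for _src, dst, nbytes in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[net] += nbytes
        targets[net].add(dst)
    alerts = []
    for net, total in totals.items():
        if total >= threshold and len(targets[net]) >= min_targets:
            alerts.append({"prefix": str(net), "bytes": total, "targets": len(targets[net])})
    return sorted(alerts, key=lambda a: a["prefix"])

if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-host alerts:", per_host_alerts(flows))      # nothing fires
    print("per-prefix alerts:", per_prefix_alerts(flows))  # the /24 fires
```

The per-host detector stays silent on this data set while the prefix-level detector reports one /24 receiving over 400 MB across 51 destinations; in production the same aggregation is usually done on the flow collector or the DDoS mitigation platform rather than in a script.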
Read 2024: The Year of the Carpet Bomb Attack in DDoS.
Rise of artificial intelligence (AI) and machine learning (ML)
Beyond the use of AI for botnets, attackers are integrating the technology as part of writing social engineering emails and messages. Additionally, they use them to compromise hosts as part of data exfiltration.
On the defense side, security teams historically used ML for analysis. Now, they are experimenting with ML for threat detection, discerning more subtle behaviors indicative of an incoming or stealthy attack. For example, many organizations that run networks and applications have high volumes of data that can help them understand trends. Now, AI and ML give them a way to sift through the data and gain insights.
Expanding cybercriminal ecosystem
The continued expansion of the cybercriminal ecosystem means that threat actors are both innovating and specializing. The Ransomware-as-a-Service (RaaS) ecosystem follows the same model as legitimate businesses, including things like help desks, ticketing systems, development teams, and infrastructure administrators and architect teams.
As the business model becomes more sophisticated, cybercriminals can focus on their specialties which, in turn, makes the attacks easier to deploy for unsophisticated malicious actors. Since cybercriminals have no compliance constraints, their focus is optimizing their return on investment as quickly as possible.
Continued growth of the IPv6 space
After 30 or more years of discussion about the exhaustion of IPv4 addresses, that exhaustion is now a reality. Increasingly, many regions prefer IPv6, and mobile networks are IPv6 only. This shift improves network efficiency and simplifies many network architectures, especially ones that support IoT devices.
Despite this growth, IPv6 currently remains a small component of the whole, primarily because certain natural barriers to IPv6 adoption exist. For example, its complexity requires a skill set that has yet to be cultivated within the networking world. As organizations seek to expand on the internet, they need to consider tools like DNS that make IPv6 more consumable and reduce its complexity.
Strategies for defending organizations in 2025
Armed with these insights, organizations should consider how to uplevel their security risk management and compliance postures. In some cases, digital infrastructure security may simply mean closing a specific gap. However, in other cases, this may require a more holistic approach.
Manage remote workforce risks
Employees’ devices remain a threat to enterprise and data security. Organizations often lack control over the home and public networks that people use. In 2025, using protective DNS that blocks access to risky websites provides another layer of security. A filtering DNS resolver can block threats like malware and connections to command and control servers. This protects devices even when the organization has no control over the network someone uses.
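The core of a protective DNS resolver is a suffix match of the queried name against a threat feed, with a sinkhole answer returned on a hit. The added example below (not from the original post and not Vercara's product code) implements that decision logic and runs it over a few constructed resolver query-log lines; the blocklist entries, the sinkhole address and the log format are all assumptions made for illustration.

```python
# Constructed blocklist standing in for a threat-intelligence feed. A domain
# entry also covers all of its subdomains; categories are made-up labels.
BLOCKLIST = {
    "malware-drop.example": "malware",
    "c2.badactor.example": "command-and-control",
    "phish-login.example": "phishing",
}

SINKHOLE_IP = "0.0.0.0"  # assumption: blocked names get a sinkhole address instead of NXDOMAIN

def normalize(name):
    """Lower-case and drop the trailing dot so matching is case- and FQDN-insensitive."""
    return name.rstrip(".").lower()

def lookup_block(qname, blocklist=BLOCKLIST):
    """Walk from the full name up to the TLD; the most specific blocked suffix wins.
    Label-based matching means 'notmalware-drop.example' does not match 'malware-drop.example'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None

def resolve(qname, upstream, blocklist=BLOCKLIST):
    """Return (answer, verdict). `upstream` is a callable standing in for the
    real recursive lookup, so the example runs offline."""
    hit = lookup_block(qname, blocklist)
    if hit:
        entry, category = hit
        return SINKHOLE_IP, f"blocked:{category}:{entry}"
    return upstream(qname), "allowed"

# Constructed query-log excerpt (timestamp followed by key=value fields).
QUERY_LOG = """\
2024-11-03T10:15:02Z client=10.0.0.5 qname=www.example.com. qtype=A
2024-11-03T10:15:03Z client=10.0.0.5 qname=update.c2.badactor.example. qtype=A
2024-11-03T10:15:09Z client=10.0.0.7 qname=notmalware-drop.example. qtype=AAAA
2024-11-03T10:15:11Z client=10.0.0.9 qname=login.phish-login.example. qtype=A
"""

def blocked_queries(log_text, blocklist=BLOCKLIST):
    """Replay a query log against the blocklist; returns (client, qname, category)
    for every query that would have been sinkholed, i.e. the hosts worth triaging."""
    events = []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        hit = lookup_block(fields["qname"], blocklist)
        if hit:
            events.append((fields["client"], normalize(fields["qname"]), hit[1]))
    return events

if __name__ == "__main__":
    for event in blocked_queries(QUERY_LOG):
        print("would block:", event)
```

A device on a home or coffee-shop network gets the same verdicts as one in the office because the decision is made at the resolver the device is configured to use, not on the local network; the replay function is the same logic applied retrospectively to logs, which is how a SOC spots a host that queried a command-and-control name before the feed caught up.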
Evolve the security operations center (SOC) automation
To protect against continuously evolving threats, a SOC needs to be regularly trained and improved. Its team should constantly evaluate processes and conduct post-mortems on every security event, looking for any activity that offers an opportunity for improvement. Although most organizations already engage in these best practices, shrinking budgets may require SOCs to shift their processes a bit more.
Going into 2025, organizations should focus on better alignment between people and technologies. Technologies and automation can improve immediate response capabilities when dealing with known and well-understood threats. However, the SOC should continuously fine-tune this automation to ensure that it works as intended.
Embrace a multi-CDN environment
The CDN market’s consolidation during 2024 led to fewer providers while starting to standardize security offerings and protocols, like providing web application firewalls (WAF), DDoS protection, and bot mitigation. Moving to a multi-CDN solution enables organizations to diversify their security to reduce the potential for a single point of failure.
Leverage DNSSEC
DNSSEC configurations provide data integrity by ensuring that the data received is identical to the data on the authoritative name servers. These configurations mitigate risks like domain name spoofing. These security risk mitigations are becoming more important in the regulatory compliance context, too.
Automate DNS-based validation
Historically, digital certificates have offered a sense of trust in an organization’s domain and digital landscape. Digital certificate lifespans have become increasingly short, starting at five years, then reducing to one year, and possibly less than one year in the future. Validating these certificates is increasingly important, especially when looking at a domain or list of domains. Using DNS-based validation and automating the process makes DNS and SSL integrations easier, enabling organizations to take a proactive approach to risk mitigation and compliance.
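DNS-based validation in practice means the ACME DNS-01 challenge: the CA issues a token, the client derives a key authorization from the token and its account key, and publishes a hash of it as a TXT record at _acme-challenge.<domain>. The added example below (not from the original post and not Vercara's code) computes that record per RFC 8555 section 8.4 and the JWK thumbprint per RFC 7638, checks that the record is live before validation is requested, and decides when a certificate is due for renewal from its lifetime. The account key, token and renewal fraction are sample values chosen for illustration.

```python
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over canonical JSON of the required public members only,
    keys in lexicographic order, no whitespace. Optional members (alg, use, kid) are ignored."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
        "OKP": ("crv", "kty", "x"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_record(token: str, account_jwk: dict) -> tuple[str, str]:
    """RFC 8555 section 8.4: key authorization = token '.' thumbprint; the TXT value
    published at _acme-challenge.<domain> is base64url(SHA-256(key authorization))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    txt_value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return key_authorization, txt_value

def challenge_name(domain: str) -> str:
    """Owner name of the TXT record the CA will query."""
    return f"_acme-challenge.{domain.rstrip('.')}."

def txt_record_ready(published_txt: list[str], expected: str) -> bool:
    """Pre-flight check before asking the CA to validate: the exact value must be live
    (in practice, queried from the zone's authoritative servers after propagation)."""
    return expected in published_txt

def renewal_due(not_before: datetime, not_after: datetime, now: datetime,
                fraction: float = 2 / 3) -> bool:
    """Renew once a fixed fraction of the lifetime has elapsed (assumption: two thirds).
    Shorter lifetimes mean more frequent renewals, which is why the DNS step is automated."""
    return now >= not_before + (not_after - not_before) * fraction

# Sample inputs (not a real account key or CA-issued token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
              "alg": "ES256"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    key_auth, txt = dns01_record(SAMPLE_TOKEN, SAMPLE_JWK)
    print(challenge_name("www.example.com"), "TXT", txt)
```

The thumbprint must be computed over the required members only, in sorted order and without whitespace; a client that serialises the whole JWK as stored will publish a TXT value the CA rejects, which is a common cause of DNS-01 failures that look like propagation problems.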
Find bundled services
Identification of assets across the digital landscape is critical to implementing the appropriate security risk mitigations. However, the diversity of assets may require multiple technologies that, when purchased individually, add to security tool sprawl. To optimize the security budget and reduce security gaps arising from disconnected tools, organizations should consider using providers who bundle offerings that enable holistic security across an area of concern. For example, organizations looking for comprehensive visibility into their digital infrastructure security could consider technology bundles that include:
- DDoS mitigation
- CDN
- API protection
- Cloud WAF
Vercara: Cloud-based security across the digital infrastructure
Vercara’s purpose-built platform provides layers of defense that safeguard your online presence, no matter what attackers target or where the attacks come from. Our suite of cloud-based solutions enables you to protect networks and applications against threats and downtime, ensuring that your employees and customers have continued access to critical services.
To see how Vercara can help you secure your online experience, contact us today for a demo.