Key Takeaways: Emerging Threats
A one-page reference. Reread before an exam or before moving on. Dense by design.
How threats evolve (the model that outlasts the list)
| Force | What it does | Chapter example |
|---|---|---|
| Commoditization | Skilled few package & sell to the many → volume explodes | RaaS; rentable voice-cloning |
| Specialization | Division of labor → efficiency + resilience + harder attribution | Initial access brokers, operators, affiliates, launderers |
| Adaptation to defenses | The perpetual arms race; your success forces the next move | EDR success → living-off-the-land |
Model the market, don't memorize the list. For any new threat ask: what's getting cheaper, what's getting more valuable, and what are my own defensive wins pushing attackers to do next?
Ransomware: it's an industry
| Term | One-line definition |
|---|---|
| Ransomware-as-a-service (RaaS) | Operators build/rent the platform; affiliates run the attacks; proceeds split |
| Initial access broker | Criminal who breaks in and sells the foothold to others |
| Living-off-the-land | Abusing legit built-in tools (PowerShell, WMI) to avoid detectable malware (LOLBins) |
| Single → Double → Triple extortion | Encrypt → exfiltrate-then-threaten-publish → also harass customers / add DoS |
Key fact: detonation is the last event after days/weeks of quiet dwell → catch ransomware before the ransom note.
Ransomware-resilience checklist (assume the encryption succeeds)
- [ ] Backups: immutable + offline/isolated + restoration-tested (untested = a prayer)
- [ ] Quiet-phase detection: anomalous PowerShell/WMI, new admin accounts, internal scanning, backup-server access
- [ ] Egress monitoring: large/unusual outbound from file servers → catches double-extortion theft + scopes the breach
- [ ] Segmentation + least privilege: a foothold in one zone ≠ detonation everywhere
- [ ] Rehearsed ransomware IR plan: decision criteria for data theft, leak site, payment, law enforcement, insurer
Backups defend availability, not confidentiality. Against double extortion, "we have backups" is false confidence — the data is already stolen.
Supply chain, next generation (builds on Ch.29)
| Flavor | Mechanism | Hardest part |
|---|---|---|
| Build/vendor compromise (SolarWinds) | Malicious code inserted before signing → ships legitimately signed | Passes every integrity check at install |
| Open-source dependency | Malicious contribution, package takeover, typosquatting | Buried deep in the dependency tree |
| Dependency confusion | Public package with same name as internal one + higher version | Build tool prefers the attacker's version |
| Hardware/firmware | Chips, network gear, firmware | Can't patch your way out |
Defenses: SBOM (know what you run → answer "are we exposed?" in minutes), provenance/SLSA (prove where it came from), behavioral detection of trusted software (even signed implants must act), least privilege for vendor agents (does it really need domain-admin?).
Deepfakes & synthetic media
- Synthetic media = AI-generated/altered audio/image/video; deepfake = convincing fake of a real, specific person. They degrade seeing/hearing as proof of identity.
- Attacks: executive-impersonation fraud (deepfake BEC); synthetic-identity account fraud (defeats biometric liveness); disinformation/reputation.
- Defense principle: do NOT rely on the fake looking fake. Artifact-detection is a losing arms race.
Deepfake-verification checklist (for any money/sensitive-data request)
- [ ] Out-of-band callback to a known, pre-established channel (directory number, not one in the request)
- [ ] Pre-shared verification phrase / challenge the real party knows (the fake wasn't trained on it)
- [ ] Phishing-resistant step-up auth (hardware key) — not biometrics alone
- [ ] Procedural friction against urgency — no urgent request skips verification, however senior the source
- [ ] Name the threat in training — staff who know deepfakes exist are far harder to rush
The quantum clock & PQC
| Crypto type | Quantum impact | Examples | Action |
|---|---|---|---|
| Asymmetric (public-key) | BROKEN (Shor's algorithm) | RSA, ECC, ECDSA, ECDHE, DH | Migrate to PQC |
| Symmetric | Weakened (Grover's), fixed by 2× key size | AES-256 | Keep (256-bit is fine) |
| Hashes | Weakened (Grover's), still strong | SHA-256/3, Argon2, bcrypt | Keep |
- Harvest-now-decrypt-later: adversary stores encrypted data now, decrypts later once quantum exists → the threat to long-lived secrets is present-day. Deadline = now − data's required secrecy lifetime.
- PQC = post-quantum cryptography: classical-computer algorithms that resist quantum attack. NIST standardized it in 2024.
| FIPS | Algorithm (former name) | Purpose |
|---|---|---|
| FIPS 203 | ML-KEM (CRYSTALS-Kyber) | Key establishment / encapsulation |
| FIPS 204 | ML-DSA (CRYSTALS-Dilithium) | Digital signatures |
| FIPS 205 | SLH-DSA (SPHINCS+) | Hash-based digital signatures |
PQC migration steps
- Crypto-inventory — you can't migrate what you can't find (most orgs can't find theirs).
- Prioritize by quantum exposure = asymmetric algorithm × data confidentiality lifetime. Long-lived data (archives, signing keys) first; short-lived TLS lower (even if heavily attacked).
- Mandate crypto-agility in all new systems (stop digging the hole deeper).
- Migrate HIGH systems to FIPS 203/204/205; prefer hybrid (classical + PQC) where supported.
- Track NIST standards, regulator guidance, and vendor PQC roadmaps.
- Crypto-agility = swap algorithms by configuration, not by rebuilding. The PQC migration is really a forcing function to finally build crypto-agility — which outlasts this migration.
Horizon scanning (the governable habit)
Inputs (CISA, Verizon DBIR, NIST, sector ISAC, vendor TI) → cadence (monthly/quarterly) → triage → emerging-threat watch tied to the risk register.
| Triage decision | Meaning | Chapter example |
|---|---|---|
| Act now | Real, present threat to us | Double-extortion ransomware; deepfake fraud |
| Prepare | Coming, long runway | PQC migration |
| Watch | Plausible, not yet relevant | Hardware/firmware supply chain |
| Dismiss | Hype that doesn't apply (say so explicitly) | (org-specific) |
Filter question (keeps it from alarmism/theater): does this actually reach an asset we care about, given our environment and controls?
Certification crosswalk
| Concept | CompTIA Security+ | (ISC)² CISSP domain |
|---|---|---|
| RaaS, extortion evolution, initial access broker, LOTL | 2.0 Threats, Vulnerabilities & Mitigations | Security Operations; Security & Risk Mgmt |
| Supply chain attacks, SBOM, provenance | 2.0; 3.0 Security Architecture | Security & Risk Mgmt (D1); Software Dev Security (D8) |
| Deepfakes / AI-enabled attacks, BEC | 2.0 Threats | Security & Risk Mgmt; Security Operations |
| Quantum threat, PQC, crypto-agility, harvest-now-decrypt-later | 1.0 General Security Concepts (crypto) | Security Architecture & Engineering (D3) |
| Horizon scanning / threat intelligence | 4.0 Security Operations | Security Operations; Security & Risk Mgmt |
Project additions this chapter
- Meridian program: emerging-threat watch (act/prepare/watch/dismiss + owners) + a crypto-agility statement committing to crypto-inventory, agile-by-default design, and tracking NIST PQC toward phased migration.
bluekittoolkit:cryptutil.pyextended withcrypto_inventory(systems)— classifies each system's quantum exposure (HIGH/MEDIUM/LOW) by algorithm type × data lifetime and sorts highest-risk first.
Common pitfalls
- Saying "ransomware-proof" instead of designing for resilience (assume the encryption succeeds).
- "We have backups" as false confidence — not immutable, not isolated, never restore-tested; and useless against the confidentiality half of double extortion.
- Trying to spot deepfakes by glitches instead of building out-of-band verification.
- Waiting on PQC "until quantum exists" — harvest-now-decrypt-later means long-lived data is at risk today.
- Prioritizing PQC migration by "where is RSA" instead of by quantum exposure (algorithm × data lifetime).
- Treating emerging threats as scary headlines rather than running them through a horizon-scanning triage.