Summary: We spoke with Mary D’Angelo about how “moving left of the boom” in the cyber kill chain can help your business stay secure.
Why can unskilled cybercriminals now run sophisticated attacks? Will cybercriminals outpace us in an AI arms race? And what is the next big thing in cybersecurity in 2025?
We asked Mary D’Angelo, a threat intelligence and dark web expert, for her insights on emerging cyber threats and how businesses can prepare to protect themselves.
The interview’s highlights
AI and cybersecurity in 2025: 2025 is definitely going to be an AI arms race, with cybercriminals versus us.
Key industries under attack: Financial, healthcare, and manufacturing will still be the hardest-hit sectors.
The kill chain, cybercriminal tactics: Cybercriminals often follow the cyber kill chain, starting with gathering intel and ending with data exfiltration.
Moving “left of boom” with threat intelligence: Threat intelligence lets you disrupt attacks during the reconnaissance phase before they escalate.
The importance of proactive defense: No business is too small to be attacked, so businesses should make it more difficult for cybercriminals.
Cyber threats in 2025
Key insight #1: 2025 is going to be an AI arms race, with cybercriminals vs. us
NordLayer: As we closed 2024, what was the most common cyber threat?
Mary D'Angelo: The most common threat has been ransomware and other financially motivated attacks, a trend that is likely to continue in 2025. These attacks will become even more common because of the lower barrier to entry. Now, even relatively unskilled hackers can access different tools, like AI and malware, to run sophisticated attacks.
An example of this is the Lockbit source code leak that happened early in 2024. Many cybercriminals gained access to it, made minor tweaks to the code, and then deployed it onto their victims’ networks.
NordLayer: Gartner predicts that 25% of breaches will involve AI by 2028. What are the emerging threats in 2025 we should brace for, in your opinion?
Mary D'Angelo: I saw that stat, too, and I thought it was a really, really low number. From the research that I've done and the attacks that I've seen, most already include some level of AI. So by 2028, I think most attacks, not just 25%, will be using AI. 2025 is definitely going to be an AI arms race, with cybercriminals versus us.
Deepfakes will definitely be a huge one. Fake videos will be mostly used for social engineering tactics, and even phishing attempts will be automated by AI. For example, the content of phishing emails will seem much more authentic.
Another thing is AI-powered malware. It’s very sophisticated and can evolve based on the environment it's in, making it harder to detect and neutralize.
There are also AI-poisoning tactics. As the name suggests, these involve manipulating AI models in security systems so that they produce incorrect results in cybersecurity operations. It’s a bit like the cat-and-mouse game, really.
NordLayer: These AI threats mean companies need to be more proactive. With cybercrime expected to cost $13.82 trillion by 2028, which industries will be hit hardest next year?
Mary D'Angelo: I think it's the same as in 2024, so financial, healthcare, and manufacturing. Financial because it's the most lucrative. Healthcare is often low-hanging fruit. Threat actors know it is stretched thin without the budget and resources to adopt better tools. However, healthcare has incredibly valuable data, which will always be a target. Manufacturing is at risk, too, mostly due to shadow IT and legacy systems. The infrastructure is often outdated, making it easier for threat actors to exploit.
However, there are attackers with a moral code. Some won’t target hospitals because of the ethics behind it. But they’ll justify attacking banks and large financial organizations. So, the financial sector will always be a top target.
Key insight #2: Bad actors typically use the cyber kill chain approach to carry out attacks
NordLayer: How do cybercriminals typically plan their attacks?
Mary D'Angelo: When you say cybercriminals plan their attacks, I think that gives them too much credit. They're usually financially motivated, opportunistic, and sporadic. They'll do research on who they want to target, but it's not incredibly thorough because they look for the easiest prey and easy money.
NordLayer: And what tactics do cybercriminals use?
Mary D'Angelo: For their reconnaissance, they'll go into the dark web, where many initial access brokers sell credentials at a decent price. But they follow what is called the cyber kill chain. It's like the steps a threat actor takes to achieve their objective. The kill chain is basically six or seven stages, but it always starts with gathering intel. Then you have weaponization, where you develop the weapon you plan to use. Then, you have your command and control stage. Finally, data exfiltration or the attack.
NordLayer: The cyber kill chain is the hackers’ playbook, right?
Mary D'Angelo: Yes, the MITRE ATT&CK framework does a great job of defining the tactics a threat actor uses when trying to exfiltrate data from a network. Cybercriminals often don't deviate from their playbook because it works. As the saying goes, if it ain't broke, don't fix it. They'll try new approaches only when access is taken away from them, forcing them to start over.
It's unfortunate, but organizations often fall behind because they lack the resources to implement better detection and response tools. Smaller organizations, including hospitals, don't have those resources and hence are more vulnerable.
NordLayer: Given the threats and hacker tactics we’ve just discussed, what are the top 5 challenges businesses face this year?
Mary D'Angelo: Patching, technical debt, and legacy systems will be big challenges. Cloud security is still in its infancy for many organizations, so we'll need to work on it collectively. Exposed and misconfigured vulnerabilities within systems also need attention.
Threat-specific responses
Key insight #3: “Moving left of boom” lets you stop attacks before they start.
NordLayer: How can threat intelligence solutions and security solutions work together to prevent cyber threats?
Mary D'Angelo: When it comes to threat intelligence, there are three buckets: tactical, operational, and strategic. If these three work alongside security operations, they can help you be more defensive rather than constantly reacting at the last minute. This way, you’re not always on the edge of your seat when threats or attacks come in.
Tactical threat intelligence helps security operations by providing background on indicators of compromise and ongoing threats. Strategic threat intelligence is about planning for the year. Executives will identify the ransomware groups more likely to target their organization and their tactics, then build a defense plan for the year to stay strong against them. Operational intelligence is about the day-to-day, ensuring your business has the right intel to respond effectively.
Most security tools don’t alert you until stages two or three of the kill chain. The advantage of dark web intelligence and threat intelligence is that you can be alerted at the very first stage—during the reconnaissance phase. This is when threat actors are doing their research to identify their next victim and how they plan to attack. By catching the threat early, you disrupt the cybercriminal, forcing them to start over with someone else.
That’s why threat intelligence is a powerful tool for organizations if done correctly and made actionable.
NordLayer: Threat intelligence has the power to break this cyber kill chain. How does it work?
Mary D'Angelo: Organizations often track their key criminal groups through strategic threat intelligence. For example, if I were in healthcare, I’d focus on the threat actors targeting the healthcare industry and understand their tactics and techniques. Once I identify these groups, I can set up systems to detect their activity.
A good analyst tracking the right dark web forums and marketplaces might come across an initial access broker selling credentials for a hospital. These brokers are very sneaky—they don’t directly name the hospital but mention the industry and the company’s revenue size. But if you’re sharp, you can identify the target hospital.
Once you know the attack is targeting you, you’re ahead of the game. The broker sells privileged access to the hospital, which could lead to a breach. By spotting this early, you can take action to mitigate the threat.
We always say “move left of boom,” a military term. It’s about getting as far left on the kill chain as possible. Instead of being alerted at stage three, when you're panicking, you can act early and prevent the attack before it escalates.
NordLayer: So moving to the left of the kill chain also means always upgrading your security?
Mary D'Angelo: Yes, absolutely. Stressing that no business is too small to be attacked is never enough. So gear up for it and make it more difficult for cybercriminals.
NordLayer: Thank you very much for your insights.
Mary D’Angelo is a Cyber Threat Intelligence Solutions Lead at Filigran, where she focuses on democratizing threat intelligence. She started her career at Darktrace before joining Searchlight in 2021.
Outside of work, Mary is dedicated to supporting child safety initiatives through the Innocent Lives Foundation. She’s passionate about sharing her knowledge and continuing to learn as the cybersecurity field evolves.
How can NordLayer help?
Cybersecurity can feel overwhelming, but it starts with building awareness of safe digital practices. From there, focus on easy-to-deploy tools or partner with an MSP or MSSP to protect against opportunistic attacks.
NordLayer is a toggle-ready platform that offers comprehensive security to protect your business. Our solutions include:
We also recommend multi-layered Zero Trust Network Access (ZTNA) policies for stronger network protection. Need help? Our sales team is always ready to guide you every step of the way.
Monitoring the dark web is crucial for staying ahead of threats. This is where NordStellar comes in. It tackles vulnerabilities during the reconnaissance phase of the cyber kill chain.
The platform automates key security tasks, such as:
Dark web monitoring to track company-related risks
Leaked data management to protect employees and customers
Attack surface assessments to identify and mitigate potential weaknesses.
Together, NordLayer and NordStellar provide a proactive, multi-layered defense to protect your business.
Joanna Krysińska
Senior Copywriter
A writer, tech enthusiast, dog walker, and amateur pastry chef, Joanna grew up in a family of engineers and mathematicians, so a techy mind is in her genes. She loves making complex tech topics less complex and digestible. She also has a keen interest in the mechanics of cybercrime.