Why can unskilled cybercriminals now run sophisticated attacks? Will cybercriminals outpace us in an AI arms race? And what is the next big thing in cybersecurity in 2025?

We asked Mary D’Angelo, a threat intelligence and dark web expert, for her insights on emerging cyber threats and how businesses can prepare to protect themselves.

The interview’s highlights

• AI and cybersecurity in 2025: 2025 is definitely going to be an AI arms race, with cybercriminals versus us.
• Key industries under attack: Financial, healthcare, and manufacturing will still be the hardest-hit sectors.
• The kill chain, cybercriminal tactics: Cybercriminals often follow the cyber kill chain, starting with gathering intel and ending with data exfiltration.
• Moving “left of boom” with threat intelligence: Threat intelligence lets you disrupt attacks during the reconnaissance phase before they escalate.
• The importance of proactive defense: No business is too small to be attacked, so businesses should make it more difficult for cybercriminals.

Cyber threats in 2025

Key insight #1: 2025 is going to be an AI arms race, with cybercriminals vs. us

NordLayer: As we closed 2024, what was the most common cyber threat?

Mary D’Angelo: The most common threat has been ransomware and other financially motivated attacks, a trend that is likely to continue in 2025. These attacks will become even more common because of the lower barrier to entry. Now, even relatively unskilled hackers can access different tools, like AI and malware, to run sophisticated attacks.

An example of this is the Lockbit source code leak that happened early in 2024. Many cybercriminals gained access to it, made minor tweaks to the code, and then deployed it onto their victims’ networks.

NordLayer: Gartner predicts that 25% of breaches will involve AI by 2028. What are the emerging threats in 2025 we should brace for, in your opinion?

Mary D’Angelo: I saw that stat, too, and I thought it was a really, really low number. From the research that I’ve done and the attacks that I’ve seen, most already include some level of AI. So by 2028, I think most attacks, not just 25%, will be using AI. 2025 is definitely going to be an AI arms race, with cybercriminals versus us.

Deepfakes will definitely be a huge one. Fake videos will be mostly used for social engineering tactics, and even phishing attempts will be automated by AI. For example, the content of phishing emails will seem much more authentic.

Another thing is AI-powered malware. It’s very sophisticated and can evolve based on the environment it’s in, making it harder to detect and neutralize.

There are also AI-poisoning tactics. As the name suggests, these involve manipulating AI models in security systems so that they produce incorrect results in cybersecurity operations. It’s a bit like the cat-and-mouse game, really.

NordLayer: These AI threats mean companies need to be more proactive. With cybercrime expected to cost $13.82 trillion by 2028, which industries will be hit hardest next year?

Mary D’Angelo: I think it’s the same as in 2024, so financial, healthcare, and manufacturing. Financial because it’s the most lucrative. Healthcare is often low-hanging fruit. Threat actors know it is stretched thin without the budget and resources to adopt better tools. However, healthcare has incredibly valuable data, which will always be a target. Manufacturing is at risk, too, mostly due to shadow IT and legacy systems. The infrastructure is often outdated, making it easier for threat actors to exploit.

However, there are attackers with a moral code. Some won’t target hospitals because of the ethics behind it. But they’ll justify attacking banks and large financial organizations. So, the financial sector will always be a top target.

Key insight #2: Bad actors typically use the cyber kill chain approach to carry out attacks

NordLayer: How do cybercriminals typically plan their attacks?

Mary D’Angelo: When you say cybercriminals plan their attacks, I think that gives them too much credit. They’re usually financially motivated, opportunistic, and sporadic. They’ll do research on who they want to target, but it’s not incredibly thorough because they look for the easiest prey and easy money.

NordLayer: And what tactics do cybercriminals use?

For their reconnaissance, they’ll go into the dark web, where many initial access brokers sell credentials at a decent price. But they follow what is called the cyber kill chain. It’s like the steps a threat actor takes to achieve their objective. The kill chain is basically six or seven stages, but it always starts with gathering intel. Then you have weaponization, where you develop the weapon you plan to use. Then, you have your command and control stage. Finally, data exfiltration or the attack.

NordLayer: The cyber kill chain is the hackers’ playbook, right?

Mary D’Angelo: Yes, the MITRE ATT&CK framework does a great job of defining the tactics a threat actor uses when trying to exfiltrate data from a network. Cybercriminals often don’t deviate from their playbook because it works. As the saying goes, if it ain’t broke, don’t fix it. They’ll try new approaches only when access is taken away from them, forcing them to start over.

It’s unfortunate, but organizations often fall behind because they lack the resources to implement better detection and response tools. Smaller organizations, including hospitals, don’t have those resources and hence are more vulnerable.

NordLayer: Given the threats and hacker tactics we’ve just discussed, what are the top 5 challenges businesses face this year?

Mary D’Angelo: Patching, technical debt, and legacy systems will be big challenges. Cloud security is still in its infancy for many organizations, so we’ll need to work on it collectively. Exposed and misconfigured vulnerabilities within systems also need attention.

Threat-specific responses

Key insight #3: “Moving left of boom” lets you stop attacks before they start.

NordLayer: How can threat intelligence solutions and security solutions work together to prevent cyber threats?

Mary D’Angelo: When it comes to threat intelligence, there are three buckets: tactical, operational, and strategic. If these three work alongside security operations, they can help you be more defensive rather than constantly reacting at the last minute. This way, you’re not always on the edge of your seat when threats or attacks come in.

Tactical threat intelligence helps security operations by providing background on indicators of compromise and ongoing threats. Strategic threat intelligence is about planning for the year. Executives will identify the ransomware groups more likely to target their organization and their tactics, then build a defense plan for the year to stay strong against them. Operational intelligence is about the day-to-day, ensuring your business has the right intel to respond effectively.

Most security tools don’t alert you until stages two or three of the kill chain. The advantage of dark web intelligence and threat intelligence is that you can be alerted at the very first stage—during the reconnaissance phase. This is when threat actors are doing their research to identify their next victim and how they plan to attack. By catching the threat early, you disrupt the cybercriminal, forcing them to start over with someone else.

That’s why threat intelligence is a powerful tool for organizations if done correctly and made actionable.

NordLayer: Threat intelligence has the power to break this cyber kill chain. How does it work?

Mary D’Angelo: Organizations often track their key criminal groups through strategic threat intelligence. For example, if I were in healthcare, I’d focus on the threat actors targeting the healthcare industry and understand their tactics and techniques. Once I identify these groups, I can set up systems to detect their activity.

A good analyst tracking the right dark web forums and marketplaces might come across an initial access broker selling credentials for a hospital. These brokers are very sneaky—they don’t directly name the hospital but mention the industry and the company’s revenue size. But if you’re sharp, you can identify the target hospital.

Once you know the attack is targeting you, you’re ahead of the game. The broker sells privileged access to the hospital, which could lead to a breach. By spotting this early, you can take action to mitigate the threat.

We always say “move left of boom,” a military term. It’s about getting as far left on the kill chain as possible. Instead of being alerted at stage three, when you’re panicking, you can act early and prevent the attack before it escalates.

NordLayer: So moving to the left of the kill chain also means always upgrading your security?

Mary D’Angelo: Yes, absolutely. Stressing that no business is too small to be attacked is never enough. So gear up for it and make it more difficult for cybercriminals.

NordLayer: Thank you very much for your insights.

Mary D’Angelo is a Cyber Threat Intelligence Solutions Lead at Filigran, where she focuses on democratizing threat intelligence. She started her career at Darktrace before joining Searchlight in 2021.

Outside of work, Mary is dedicated to supporting child safety initiatives through the Innocent Lives Foundation. She’s passionate about sharing her knowledge and continuing to learn as the cybersecurity field evolves.

How can NordLayer help?

Cybersecurity can feel overwhelming, but it starts with building awareness of safe digital practices. From there, focus on easy-to-deploy tools or partner with an MSP or MSSP to protect against opportunistic attacks.

NordLayer is a toggle-ready platform that offers comprehensive security to protect your business. Our solutions include:

• Threat Prevention to stop malicious downloads or prevent access to harmful websites
• Business VPN for secure remote work
• Cloud Firewall for robust network access controls

We also recommend multi-layered Zero Trust Network Access (ZTNA) policies for stronger network protection. Need help? Our sales team is always ready to guide you every step of the way.

Monitoring the dark web is crucial for staying ahead of threats. This is where NordStellar comes in. It tackles vulnerabilities during the reconnaissance phase of the cyber kill chain.

The platform automates key security tasks, such as:

• Dark web monitoring to track company-related risks
• Leaked data management to protect employees and customers
• Attack surface assessments to identify and mitigate potential weaknesses.

Together, NordLayer and NordStellar provide a proactive, multi-layered defense to protect your business.

Cyber-attacks are growing more frequent and damaging. Critical sectors like healthcare and education are common targets. Threat actors are quick to exploit weak software. This leaves companies and users struggling to keep up. But there’s a better approach: build security into software from the start.

In 2023, CISA launched its Secure by Design campaign. It highlights the need for secure software development and corporate accountability. High-profile breaches like SolarWinds and Kaseya show the risks of weak defenses. They also show why software makers must take the lead on security.

This article will explore software development security best practices. It’s based on CISA’s guidelines and Secure Software Development Lifecycle ideas. Following these practices reduces risks and builds stronger, safer systems.

Why secure software development matters

Everyone agrees security is critical in software development, yet it’s often unclear how to achieve it. Without secure processes, businesses risk deploying vulnerable applications that bad actors can exploit.

Vulnerabilities by design

Technology powers every aspect of modern life. Internet-facing systems connect critical functions like healthcare and identity management. These innovations improve convenience but also create significant risks. Cyber-attacks have disrupted hospitals, leading to canceled surgeries and delayed care. A single flaw can let attackers exploit systems, threatening lives and data.

Secure software development tackles these risks by focusing on security from the start. Manufacturers who adopt secure design principles take responsibility for reducing risks. Features like default encryption and user authentication ensure fewer vulnerabilities for users.

Historical challenges with patching

Relying on patches after deployment creates extra work for users. For example, if a security flaw is discovered, customers must apply the fix themselves. This process can take time, leaving systems exposed to cyber-attacks. A real-world example is the WannaCry attack, which exploited unpatched systems worldwide.

Secure by Design addresses these challenges by fixing vulnerabilities before product launch. For instance, testing software for common weaknesses, like injection flaws, reduces the need for patches later. This approach aligns with secure software development lifecycle practices, saving time and boosting trust in the software.

Secure by design principles

Secure by Design means building security into every product from the beginning. A good example is adding multi-factor authentication (MFA) as a standard feature. It ensures users have a second layer of protection beyond passwords. Another example is setting safe defaults, like requiring strong passwords or enabling automatic updates.

Manufacturers should also follow software development security best practices, such as performing risk assessments during development. This step identifies potential threats and includes defenses against them. For instance, a defense-in-depth strategy can add multiple layers of protection, like firewalls, secure access controls, and network monitoring tools.

Reducing customer burden

Good software should make security easier for users. For instance, automated updates prevent users from forgetting critical patches. Another example is providing built-in network monitoring tools that alert about potential issues without manual setup. These features contribute to cloud security and cybersecurity resilience.

Manufacturers can also provide clear instructions to users. For example, warning users when they change secure default settings helps maintain safety. By easing the burden on customers, manufacturers ensure better protection and fewer missteps. Conducting security awareness training for users can further enhance security.

Leading by example in secure software

Some companies set the standard for secure development by making it a priority. For example, they use features like Cloud Firewall to support network segmentation. This strengthens security in development environments by blocking unauthorized access. It helps protect users, safeguard intellectual property, and improve access controls.

A strong example is a company implementing Zero Trust Network Access (ZTNA) to limit system access. By requiring users to verify identity and devices, they reduce risks. Such practices, combined with secure coding practices, highlight the value of adopting a secure software development framework.

Common cyber-attacks for software development

1. SQL Injection

SQL injection (SQLi) is a dangerous cyber-attack targeting databases. It happens when bad actors add malicious code to input fields. This trick lets them bypass normal security checks and access data. For example, they can use a login form to steal sensitive information. SQL injection remains one of the most common web application vulnerabilities.

The impact of SQL injection is severe. It allows attackers to steal or delete sensitive data. In some cases, they can even take full control of the system. For example, an attacker might enter “OR 1 = 1” into a login field. This tricks the database into granting access without a password. According to reports, SQLi attacks accounted for 23% of major vulnerabilities in 2023.

Organizations handling sensitive data are prime targets. SQL injection attacks can expose personal records, financial data, and trade secrets. For instance, an attacker could use SQLi to steal customer payment information. In extreme cases, attackers have deleted entire databases. Such attacks often result in financial loss, lawsuits, and reputational damage.

SQL injection can also exploit error messages to learn about a system. Some attacks use “stacked queries” to execute multiple commands at once. For example, “DROP TABLE Users;” can delete critical data. In another example, attackers might extract usernames and passwords using the “UNION” SQL operator. This type of attack affects industries like retail, travel, and finance the most.

Preventing SQL injection requires strong secure coding practices. Developers should use prepared statements and validate all user input. Web application firewalls (WAFs) add an extra layer of defense. Regular security audits and vulnerability scans help catch issues early.

2. Command injection

Command injection is a critical software vulnerability. It lets attackers run harmful commands on systems. These commands can grant unauthorized access or full system control.

This issue arises when user input isn’t validated properly. Attackers craft input to manipulate how commands are executed. For example, CVE-2024-20399 involved crafted input to exploit Cisco NX-OS software. This allowed attackers to execute commands with root privileges.

The CVE-2024-20399 flaw affected many Cisco devices, including Nexus and MDS switches. A China-linked group called “Velvet Ant” used it in a cyber-espionage campaign. They targeted network devices to maintain long-term access to organizational systems.

Secure design practices, like input validation, can prevent these issues. Separating commands from input can reduce risks and stop attackers from exploiting systems.

3. Cross-site scripting (XSS)

Cross-site scripting (XSS) is a common vulnerability in web applications. It happens when an application does not validate or sanitize user inputs. This allows bad actors to inject malicious scripts into the application. These scripts can then run on the browser of another user.

Attackers use XSS to manipulate or steal user data. For example, they might inject code into a comment section on a website. When another user views the comment, the script could steal their session cookies. These cookies can give attackers access to the victim’s account. XSS can also redirect users to fake login pages or load harmful files.

XSS is a big problem because it is widespread and preventable. A report from the Open Web Application Security Project (OWASP) lists XSS as one of the most common web application security issues. Proper input validation and using secure coding practices can stop these attacks. Modern web frameworks also help by encoding data to prevent malicious code execution.

Businesses need to take XSS seriously because it can harm many users. One mistake in code can expose millions of people to risk. Regular code reviews, automated tools, and aggressive security testing can help eliminate this threat. Addressing XSS early in the secure software development process is essential to protect applications and their users.

4. Exploitation of known vulnerabilities

Bad actors often exploit known vulnerabilities in software, tracked by unique IDs called CVEs (Common Vulnerabilities and Exposures). These vulnerabilities are listed publicly to help organizations manage and fix security flaws. When actively exploited, attackers use them to spread malware, steal data, or lock systems with ransomware. For example, some types of malware, like worms, spread automatically without user interaction, underscoring the urgency of remediation.

The KEV catalog highlights vulnerabilities actively exploited in real-world attacks. Organizations should prioritize fixing these issues using automated tools to save time and reduce risks. Installing updates, removing outdated software, or applying temporary fixes are key steps to protect systems from exploitation.

5. Memory safety exploits

Memory safety exploits are a common and serious threat. These happen when software written in memory-unsafe languages, like C or C++, mishandles memory. Mistakes in managing memory can cause vulnerabilities like buffer overflows or use-after-free errors. These allow attackers to take control of software, systems, or data. For example, a buffer overflow can let attackers execute malicious code.

Most open-source software (OSS) projects rely on memory-unsafe languages. About 52% of critical OSS projects analyzed include memory-unsafe code. In total, 55% of the lines of code in these projects are written in unsafe languages. Even projects written in memory-safe languages often depend on unsafe components. This increases the risk of memory safety vulnerabilities spreading through dependencies.

The largest OSS projects are more likely to have unsafe code. Among the ten biggest projects analyzed, the median unsafe code usage is 62.5%. In four of these projects, over 94% of the code is unsafe.

These vulnerabilities are especially dangerous in performance-critical software, like operating systems or cryptography tools. Attackers target these systems to exploit weaknesses.

Using memory-safe programming languages, like Rust, can reduce these risks. These languages automatically handle memory management, which helps prevent errors. However, developers sometimes disable safety features to improve performance. This can create new vulnerabilities. Memory safety exploits remain a major challenge and require secure coding practices to minimize risks.

Software development security best practices

Implementing software development security best practices is vital for creating secure applications. These strategies help protect users from security risks while improving software reliability. When applied throughout the secure software development lifecycle, they address vulnerabilities and strengthen defenses. Below are key principles and approaches to ensure secure software and reduce evolving threats.

1. Secure by default practices

Ensuring software is secure “out of the box” minimizes user burden and proactively addresses security vulnerabilities. This approach forms a foundation for secure software development.

• Eliminate default passwords. Replace default credentials with strong, unique passwords during setup. For example, enforce minimum password lengths and block known compromised passwords to protect secure access.
• Conduct field tests. Evaluate software security features in real-world environments. Insights from red team exercises can identify gaps in firewall settings or weak points in VPN implementations.
• Discourage unsafe legacy features. Phase out insecure protocols like outdated TLS versions. Use seamless upgrade paths and in-product alerts to encourage the adoption of safer options while maintaining compatibility with cloud security standards.

2. Secure product development practices

Embedding secure coding practices into every stage of the secure software development framework ensures long-term protection against threats and enables secure development.

• Document secure SDLC framework conformance. Use frameworks like the NIST Secure Software Development Framework (SSDF) to guide development. Publish security requirements and justify alternative approaches for unique use cases in cloud computing environments.
• Mature vulnerability management. Move beyond patching to address root causes of security vulnerabilities. For example, implement quality improvement strategies to prevent recurring issues in applications involving VPN or network monitoring tools.
• Foster a workforce that understands security. Conduct security awareness training to educate developers on secure coding practices. Integrate security topics into hiring processes and collaborate with institutions to strengthen cybersecurity skills among future developers.

3. Application hardening techniques

Application hardening strengthens software against exploitation by reducing security risks and making it more resilient.

• Validate user input. Prevent common attacks like SQL injection and cross-site scripting by sanitizing inputs. For example, in cloud computing environments, validate APIs to protect data integrity.
• Adopt memory-safe programming. Use languages like Rust to eliminate memory-related security vulnerabilities. This is particularly critical in applications involving sensitive operations like network monitoring or firewall configurations.
• Implement cryptographic safeguards. Secure sensitive data with encryption and hardware-backed key management. For instance, use hardware modules to store keys securely in VPN or cloud security systems.

4. Reducing attack surfaces

Minimizing unnecessary exposure is a critical component of software development security best practices. Reducing attack surfaces enhances secure software development.

• Remove unused features. Disable or eliminate features no longer needed, such as legacy APIs. For example, retiring outdated services in cloud computing environments reduces security risks.
• Create secure configuration templates. Provide templates tailored for low, medium, and high-risk environments. This simplifies secure development while ensuring adherence to security requirements.
• Implement attention-grabbing alerts. Notify users of unsafe configurations like admin accounts without MFA. For instance, persistent alerts can improve software security by encouraging secure settings in applications.

5. Balancing security and usability

Effective security practices must balance protection with usability. A focus on user experience ensures that secure software development lifecycle measures are effectively implemented.

• Reduce hardening guide complexity. Simplify guides for end users by automating security configurations. For instance, automated firewall rules and VPN policies can be used to streamline setup.
• Provide clear nudges. Regular reminders encourage users to address potential security risks, such as enabling MFA or updating to more secure cloud security protocols.
• Innovate thoughtfully. Design intuitive security features like Single Sign-On (SSO) to reduce friction for users. For example, SSO simplifies access without compromising secure access protocols.

These strategies ensure strong cybersecurity, effective protection in cloud computing, and robust safeguards through tools like VPN, firewall, and network monitoring.

Common mistakes to avoid

Building secure software requires careful planning and attention to detail. Common mistakes are grouped into product properties, security features, and organizational processes.

Product properties

Using memory-unsafe languages

Developing software in memory-unsafe languages like C or C++ without a roadmap to reduce vulnerabilities increases security risks. These languages can introduce critical flaws like buffer overflows, leaving systems exposed.

Software manufacturers should adopt a secure software development framework with a memory safety roadmap. Prioritize fixing vulnerabilities in sensitive areas, such as network-facing code and cryptographic functions. Following secure coding practices will significantly lower the likelihood of such security vulnerabilities.

Default passwords

Shipping products with default passwords is a dangerous practice. Default credentials are often easy to guess or publicly documented, making systems vulnerable to unauthorized access.

Always require users to set unique, strong passwords during installation.

Security features

Lack of multi-factor authentication (MFA)

Failing to include MFA in products that authenticate users significantly weakens security. Passwords alone are insufficient to protect against breaches.

Ensure MFA is supported in all products, especially for admin accounts. This practice is crucial for secure development and reducing security risks in critical systems. Aligning MFA with a secure software development lifecycle further strengthens defenses.

Inadequate logging for intrusions

Products without robust logging capabilities make it difficult for customers to detect and investigate intrusions. Logs should include critical data, such as configuration changes and user activities.

Software manufacturers should provide industry-standard logging features. For SaaS and cloud computing products, include at least six months of log retention. Enhanced network monitoring and cloud security tools help organizations meet key security requirements.

Organizational processes

Releasing software with known vulnerabilities

Releasing software that includes known exploitable vulnerabilities undermines security. Attackers often exploit these flaws before patches are issued.

Manufacturers must follow secure software development lifecycle practices, including scanning for vulnerabilities before release. Maintain a software bill of materials (SBOM) to track dependencies and ensure timely updates. Cloud security solutions and firewalls can further mitigate these risks.

Failing to disclose vulnerabilities

Not publishing CVEs (Common Vulnerabilities and Exposures) for critical flaws reduces transparency and puts users at risk. Customers depend on timely information to manage vulnerabilities.

Publish CVEs for all high-impact vulnerabilities promptly. Include details like CWE (Common Weakness Enumeration) codes to guide customers in understanding and mitigating risks. Conduct security awareness training for teams to improve processes and meet secure software development security requirements.

Case study: Successful software security with NordLayer

WeTransfer needed a reliable and flexible VPN to support global operations and meet ISO 27001 standards. Their outdated, on-site VPN couldn’t handle an office move or provide secure access for teams across 130+ regions. This created risks like phishing and ransomware.

NordLayer’s cloud-native solution offered a Dedicated server with Fixed IP for secure connectivity, Shared Gateway locations for secure internet access, and adaptive Okta integration to improve access control.

Switching to NordLayer improved operations. Developers can work faster with reduced network latency and secure access via NordLayer’s Business VPN. NordLayer also supported WeTransfer’s ISO 27001 compliance efforts. NordLayer’s platform helped WeTransfer secure its network and protect millions of users worldwide. 

Explore our cybersecurity solutions for software development, or contact our sales team to learn how NordLayer can secure your operations.