Threat Briefing

Evolution of the threat landscape: Attackers shift from damaging devices to stealing data, requiring a redefinition of enterprise security strategies.

The focus of cybersecurity attacks has shifted from disrupting devices to stealing data. This article analyzes the changes in attack methods, the risks faced by enterprises, and proposes defense recommendations based on identity security, zero trust, and data protection.

事件概览

长期以来,网络安全攻击的主要目标是破坏设备运行——例如通过病毒使系统崩溃或锁定文件。然而,根据CNET近期分析及FBI 2025年互联网犯罪报告,攻击者的策略已发生根本性转变:他们不再满足于“制造麻烦”,而是将目标对准个人与企业数据的窃取。2025年,美国因网络犯罪损失约210亿美元;Identity Theft Resource Center追踪到3322起数据泄露事件,创下历史新高。

这一趋势对企业安全负责人(CISO)而言意味着:传统的以设备为中心的防御模型正迅速失效,数据安全必须成为安全架构的核心。

技术与风险分析

攻击方式演变:从破坏到窃取

传统恶意软件常以文件加密、系统崩溃为主要表现,攻击者主要通过勒索赎金获利。但如今,攻击链更复杂且隐蔽:

  • 社会工程与AI赋能:攻击者利用AI生成高度逼真的钓鱼邮件、语音克隆,甚至伪造视频,以获取凭证或敏感信息。这类攻击不再需要用户“犯错”,而是通过精准的心理操控降低警惕。
  • 勒索软件的双重勒索:攻击者不仅加密数据,还会在加密前窃取数据,并威胁公开泄露。这增加了企业的数据泄露风险和合规压力。
  • 中间人攻击(Adversary-in-the-Middle):攻击者拦截用户与应用之间的通信,窃取传输中的敏感数据,或篡改通信内容以诱导进一步泄露。
  • 针对企业数据库的定向攻击:攻击者通过漏洞利用、凭证窃取或供应链入侵,直接访问企业核心数据库,批量获取客户、员工及业务数据。

受影响资产:从终端到数据湖

传统上,安全团队重点保护端点(台式机、服务器)。但当前,攻击者瞄准的是:

  • 身份系统:通过钓鱼或凭证填充获取特权账户访问权限。
  • 云环境:利用错误配置或API漏洞访问存储桶、数据库。
  • 协作平台:如电子邮件、Slack、Teams,成为社会工程和数据外泄的通道。
  • 第三方集成:通过合作伙伴或供应商的系统间接渗透。

企业影响分析

从企业视角看,数据窃取带来的风险远甚于设备瘫痪:

Event Overview

For a long time, the main goal of cybersecurity attacks was to disrupt device operations—such as crashing systems or locking files with viruses. However, according to recent analysis by CNET and the FBI's 2025 Internet Crime Report, attackers' strategies have fundamentally shifted: they are no longer content with "causing trouble" but instead target the theft of personal and corporate data. In 2025, cybercrime losses in the United States amounted to approximately $21 billion; the Identity Theft Resource Center tracked 3,322 data breaches, a historic high.

For enterprise security leaders (CISOs), this trend means that traditional device-centric defense models are rapidly becoming ineffective, and data security must become the core of security architecture.

Technology and Risk Analysis

Evolution of Attack Methods: From Destruction to Theft

Traditional malware often manifested as file encryption or system crashes, with attackers primarily profiting through ransom demands. But today, attack chains are more complex and covert:

  • Social Engineering and AI Empowerment: Attackers use AI to generate highly realistic phishing emails, voice clones, and even fake videos to obtain credentials or sensitive information. Such attacks no longer require users to "make mistakes"; instead, they lower vigilance through precise psychological manipulation.
  • Double Extortion in Ransomware: Attackers not only encrypt data but also exfiltrate it before encryption and threaten public disclosure. This increases the risk of data breaches and compliance pressure for enterprises.
  • Adversary-in-the-Middle Attacks: Attackers intercept communication between users and applications, stealing sensitive data in transit or tampering with communication content to induce further leaks.
  • Targeted Attacks on Enterprise Databases: Attackers exploit vulnerabilities, steal credentials, or infiltrate supply chains to directly access core enterprise databases, bulk-gathering customer, employee, and business data.

Affected Assets: From Endpoints to Data Lakes

Traditionally, security teams focused on protecting endpoints (desktops, servers). But currently, attackers are targeting:

  • Identity Systems: Gaining privileged account access through phishing or credential stuffing.
  • Cloud Environments: Accessing storage buckets and databases via misconfigurations or API vulnerabilities.
  • Collaboration Platforms: Such as email, Slack, and Teams, becoming channels for social engineering and data exfiltration.
  • Third-Party Integrations: Penetrating indirectly through partners or vendors' systems.

Enterprise Impact Analysis

  • From an enterprise perspective, the risks from data theft far exceed those from device paralysis:- Operational Risk: Service interruption due to data encryption or leakage, with high recovery costs.
  • Financial Risk: Direct financial losses, ransom payments, regulatory fines, and litigation compensation.
  • Compliance Risk: Regulations such as GDPR and CCPA require enterprises to report breaches within a specified timeframe and may face substantial penalties.
  • Brand and Reputation Risk: Decline in customer trust and loss of market share.
  • Data Asset Risk: Permanent loss of intellectual property, trade secrets, and customer data.

Industry Trend Observations

This shift is not an isolated incident but an inevitable outcome of the long-term evolution of the cybersecurity industry.

1. Data as the New "Currency": The trading prices of personal information, financial data, and medical records on the dark web continue to rise, giving rise to a specialized data theft industry chain. 2. The Double-Edged Sword of AI: AI is used by attackers for large-scale, personalized attacks and by defenders for threat detection and response. However, defenders are currently still catching up. 3. "Zero Trust" Moving from Concept to Practice: As boundaries disappear, enterprises begin to assume threats exist within the network as well, verifying every access request. 4. Rising Supply Chain Risk: Attackers target smaller vendors to reach larger enterprises, as seen in the 2020 SolarWinds incident. 5. Tightening Data Protection Regulations: Regions around the world are introducing requirements for data localization and breach notification, increasing corporate compliance costs.

Defense and Response Recommendations

Enterprise Level: Build a Data-Centric Defense Model

  • Identity and Access Management (IAM): Implement multi-factor authentication (MFA) and risk-based conditional access. Password managers and weak password detection tools should become standard.
  • Principle of Least Privilege: Restrict data access scope, implement fine-grained permission controls, and regularly review non-expiring access tokens.
  • Data Classification and Encryption: Apply encryption at rest and in transit to sensitive data, making it difficult to exploit even if stolen.
  • Continuous Monitoring and Detection: Deploy EDR, XDR, SIEM, combined with User and Entity Behavior Analytics (UEBA) to detect abnormal data access patterns.

Technical Level: Strengthen Key Security Capabilities

  • Endpoint Security: Use modern anti-malware (including behavioral detection) and vulnerability management tools to promptly patch known vulnerabilities.
  • Cloud Security Posture Management (CSPM): Automatically detect configuration errors in cloud environments, such as publicly exposed S3 buckets.
  • Data Loss Prevention (DLP): Monitor and prevent sensitive data from being exfiltrated via email, USB, cloud applications, and other channels.
  • Backup and Recovery: Implement a 3-2-1 backup strategy and regularly test recovery processes to ensure no reliance on a single backup copy.

Management Level: Build a Resilient System- Incident Response Plan: Ensure the plan covers data breach scenarios, including notification of law enforcement, regulatory authorities, and affected individuals. - Third-Party Risk Management: Conduct security assessments of vendors, and include data protection obligations and breach reporting requirements in contract terms. - Security Awareness Training: Regularly conduct training on phishing and social engineering, along with simulation exercises. - Data Governance: Establish data lifecycle management, periodically clean up unused accounts and unnecessary data retention.

SecurityPost Insight

From "attacking devices" to "attacking data," this shift profoundly reflects the upgrade of the cybercrime economic model. For enterprises, continuing to allocate security budgets primarily to network boundaries and endpoint protection is no longer sufficient to address threats. CISOs need to drive the board and business units to understand that data security is not just an IT issue but a core element of business continuity, compliance, and brand trust.

In the future, the core of data security will lie in continuous verification of "identity" and "access," along with comprehensive visibility into data flow. Enterprises should prioritize investments in zero-trust architecture, data encryption, and threat intelligence sharing. Meanwhile, tightening regulatory environments will force companies to incorporate data protection into their strategic risk framework.

It is worth noting that attackers are rapidly improving efficiency and stealth through AI, and defenders must equally leverage AI and automation to close the response time gap. In this data-driven era, protecting data means protecting the company’s future.

Evidence route · securitypost

securitypost frames this note through Security Post publishes defensive cybersecurity intelligence for enterprise security leaders, covering thre.... Threat Briefing / Enterprise Security / AI & Cybersecurity explains the local editorial angle: Source links should be opened before the summary is reused. dates, names and status changes still need checking.

Source URL

  1. https://www.cnet.com/tech/services-and-software/threat-landscape-evolution-target-data/Primary

Related articles

Back to channel