PERSPECTIVE: 25 Years of Transforming Information Sharing into Actionable Insights

Celebrating 25 Years of IT-ISAC: Reflecting on the Evolution of Cybersecurity Challenges

This year marks a significant milestone for the Information Technology Information Sharing and Analysis Center (IT-ISAC) as it celebrates its 25th anniversary. This occasion prompts a reflection on the evolving landscape of cybersecurity and the new challenges that the community faces. When I first joined IT-ISAC in 2005, the cybersecurity environment was vastly different. A leader from another Information Sharing and Analysis Center (ISAC) once remarked that his team would celebrate every time a member shared information, highlighting the scarcity of even basic threat intelligence at that time.

From Scarcity to Abundance: The Information Overload Dilemma

Fast forward to today, and the challenge has flipped on its head. The cybersecurity community is inundated with an overwhelming amount of information. Analysts now grapple with the task of sifting through vast quantities of data to discern what is accurate and relevant. Instead of desperately searching for any scrap of threat intelligence, our analytic team has taken on the critical role of transforming this deluge of information into curated intelligence that our members can effectively utilize.

The Development of Adversary Attack Playbooks

To assist members in understanding threats and managing risks, IT-ISAC has developed adversary attack playbooks. These playbooks are meticulously crafted and mapped to the MITRE ATT&CK Framework, detailing how adversaries infiltrate networks, navigate through them, and how defenders can identify and eliminate these threats. The information used to create these playbooks is sourced from members, partners, and public intelligence.

The initial results were promising. We provided an easily digestible format for keeping members informed about threat actors and their tactics, techniques, and procedures (TTPs). However, we soon encountered a new challenge: the sheer volume of playbooks we were generating exceeded what our members could realistically consume. As of March 2025, we had developed playbooks for over 230 adversaries, leading to an information overload rather than a lack of data.

Introducing the Predictive Adversary Scoring System (PASS)

To tackle this issue, our team collaborated with member companies to create the Predictive Adversary Scoring System (PASS). This innovative tool offers a comprehensive scoring system based on multiple factors, including an adversary’s motivation, capabilities, and historical actions. By utilizing PASS, members can assess their risk exposure and allocate resources more effectively.

PASS evaluates several key metrics to determine specific adversarial risks:

  • Level of Activity: How recently has the adversary been active?
  • Frequency of Sector Targeting: How many times has the adversary targeted the IT sector?
  • Sophistication/Impact: What is the complexity of the adversary’s TTPs and their potential impact?
  • Motivation: What drives the adversary—financial gain, geopolitical interests, ideological beliefs, or recognition?

By producing a numerical score (ranging from 0 to 128) for each actor based on these criteria, PASS enables our analysts and members to prioritize monitoring and analysis efforts on the most dangerous adversaries specific to their industries.
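As an added illustration (not IT-ISAC's PASS implementation, whose weighting the article does not describe), here is a scoring model of the same shape: the four factors above, each capped so the total lands in the stated 0 to 128 range, followed by the ranking step analysts use to prioritize. All weights, thresholds, the rating scale and the sample actors are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed weighting (not IT-ISAC's): each of the four PASS factors contributes
# at most 32 points, so the total spans the 0..128 range the article gives.
FACTOR_MAX = 32
MOTIVATION_POINTS = {"geopolitical": 32, "financial": 28, "ideological": 16, "recognition": 8}

@dataclass
class Adversary:
    name: str
    last_active: date        # most recent observed activity
    it_sector_hits: int      # IT-sector targeting events in the review window
    sophistication: int      # analyst rating 0 (commodity tooling) .. 4 (custom tooling, high impact)
    motivation: str          # key of MOTIVATION_POINTS

def activity_score(last_active: date, today: date) -> int:
    """Level of activity: recency decays in steps; anything older than two years scores 0."""
    days = max(0, (today - last_active).days)
    for limit, points in ((90, 32), (180, 24), (365, 16), (730, 8)):
        if days < limit:
            return points
    return 0

def frequency_score(hits: int) -> int:
    """Frequency of sector targeting: 4 points per event, saturating at 8 events."""
    return min(max(hits, 0), 8) * 4

def sophistication_score(rating: int) -> int:
    """Sophistication/impact: 8 points per step on the assumed 0..4 rating scale."""
    return min(max(rating, 0), 4) * 8

def pass_score(adv: Adversary, today: date) -> int:
    total = (activity_score(adv.last_active, today)
             + frequency_score(adv.it_sector_hits)
             + sophistication_score(adv.sophistication)
             + MOTIVATION_POINTS.get(adv.motivation, 0))
    return min(total, 4 * FACTOR_MAX)  # clamp to the 0..128 range

def rank(adversaries: list[Adversary], today: date) -> list[tuple[str, int]]:
    """Highest score first: the actors a monitoring team should watch most closely."""
    scored = [(a.name, pass_score(a, today)) for a in adversaries]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample actors (placeholder names, invented attributes), scored as of March 2025.
AS_OF = date(2025, 3, 31)
SAMPLE = [
    Adversary("actor-alpha", date(2025, 3, 10), it_sector_hits=6, sophistication=4, motivation="geopolitical"),
    Adversary("actor-beta", date(2024, 11, 1), it_sector_hits=10, sophistication=2, motivation="financial"),
    Adversary("actor-gamma", date(2023, 1, 15), it_sector_hits=1, sophistication=3, motivation="recognition"),
]

if __name__ == "__main__":
    for name, score in rank(SAMPLE, AS_OF):
        print(f"{name:12s} {score:3d}/128")
```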

Identifying the Top Threat Actors

In our analysis of the IT sector, we identified the top five threat actors based on data from 2024: Lazarus, Scattered Spider, APT3/Gothic Panda, APT29, and RansomHub. Some of these organizations scored alarmingly high on the PASS scale, underscoring their significant threat to organizations within the sector. Understanding which actors are most active and their TTPs allows companies to prioritize their limited resources more effectively.

The Motivation Behind Cyber Threats

When examining the motivations of these threat actors, we found a near-even split: 52% of actors in the IT sector are driven by geopolitical factors, while 48% are financially motivated. Geopolitical attacks often aim to disrupt operations, steal sensitive information, or weaken competitors as part of a broader state-sponsored agenda. Conversely, financially motivated ransomware groups focus on extortion, employing tactics like data exfiltration and system encryption to demand payouts.

The IT sector’s broad attack surface, rich intellectual property, sensitive data, and critical digital infrastructure make it an attractive target for both geopolitical and financial attackers.

Strategies for Organizational Protection

In a vast and challenging threat landscape, protecting an enterprise can seem daunting, especially given the budget constraints many security teams face. Therefore, risk-informed decision-making is crucial for allocating limited resources effectively. Based on our analysis of active threat actors and their TTPs, several mitigation strategies can help organizations reduce their vulnerability:

  1. Employee Training: Thoroughly educate employees on avoiding phishing tactics and the importance of safeguarding personal information online.
  2. Multi-Factor Authentication (MFA): Implement MFA on all accounts to enhance security.
  3. Security Hardening: Follow vendor-recommended guidance for security hardening and enable security features at the highest possible settings.
  4. Stay Informed: Keep up with the latest cyber threat intelligence by following cybersecurity publications, researchers, and vendors on social media.
  5. Least Privilege Access: Limit access and permissions granted to third parties, ensuring they only have access to resources essential for their roles.
  6. Join an ISAC: Become a member of an information-sharing organization like IT-ISAC to connect with industry peers, collaborate with fellow analysts, and stay updated on emerging threats and vulnerabilities.

Conclusion

As we celebrate the 25th anniversary of IT-ISAC, it is essential to recognize the progress we have made in the cybersecurity community while acknowledging the challenges that lie ahead. The evolution from a scarcity of information to an abundance of data presents both opportunities and obstacles. By leveraging tools like PASS and fostering collaboration among members, we can navigate this complex landscape and enhance our collective resilience against cyber threats. For further insights, we have issued a public report summarizing our findings, which is available here. A more detailed report, including links to adversary attack playbooks, is accessible to IT-ISAC members.