IBM Asks: How is the Cybersecurity Landscape Evolving?

IBM Quantum scientist Dr. Maika Takita in a lab (Credit: IBM)
IBM has released its ‘IBM X-Force 2025 Threat Intelligence Index’, highlighting the vast rise in the scale, sophistication and stealth of cyberattacks

Cybercriminals continue to alter their approach, crafting sophisticated and identity-based attacks that exploit stolen credentials and legitimate access.

This change is having a transformative impact on the wider cyber landscape, with AI-led and campaign-oriented attacks becoming increasingly difficult to detect. 

In light of this, IBM has released its ‘IBM X-Force 2025 Threat Intelligence Index’, stressing the need to modernise cyber defence strategies amidst the rise of identity-centric, AI-fuelled attacks. 

It empowers defenders with actionable insights to protect, adapt and pre-empt tomorrow’s threats today. 

Not only does IBM strive to equip organisations with up-to-date intelligence on how, where and why attacks are happening, but it also encourages CISOs to implement zero trust architectures and invest in identity consolidation to foster collective resilience. 

IBM states: “The pattern is familiar. Organisations devote ever-growing resources to detect threats, protect networks and deter disruption. And despite this, cyberattacks continue to grow in scale, speed and sophistication.

“But over the past 18-24 months, there has been a marked change in tactics. Threat actors are pursuing broader-scale campaigns—demonstrating a level of coordination, automation, and prowess not seen before—and raising the likelihood and impact associated with operational risks. 

“Unlike incidents of the past, where data breaches and reputational harm were the greatest concern, widespread business disruption is now a real possibility—something every boardroom needs to be aware of and act upon.”

IBM releases its IBM X-Force 2025 Threat Intelligence Index (Credit: IBM)

The prominence of identity-based intrusions

IBM’s report points to identity-based intrusions as one of the most vital and rapidly growing cybersecurity threats.

Identity-based attacks make up 30% of total intrusions reported. These intrusions used valid account credentials, making the use of valid accounts one of the two top initial access methods, alongside public-facing application exploitation.

This rise in identity-based attacks is largely driven by a rise in phishing emails delivering infostealer malware, which is up 84% year-on-year.

Infostealers siphon credentials and then sell or use these directly in follow-on attacks. 

Key takeaways from IBM’s report:
  • Threat actors are adding AI to their toolboxes
  • The Asia-Pacific region experienced a 13% increase in attacks
  • Manufacturing is the #1 targeted industry for four years in a row
  • Identity-based attacks make up 30% of total intrusions
  • Ransomware makes up 28% of malware cases
  • 25% of attacks exploit public-facing applications

Attacks also rely on credential phishing campaigns, which lure users to fake login portals so that attackers can capture their logins.

As organisations expand across cloud and hybrid infrastructures, gaps open up in identity management. Threat actors exploit these weak points to gain unauthorised access without triggering security alerts.

The IBM report highlights the fact that identity has become the new battleground. Attacks increasingly exploit human behaviour, authentication gaps and access mismanagement. 

Therefore, organisations must modernise their identity strategies and secure credentials at scale to counter cybercriminals’ use of stolen credentials.

Ransomware evolution and resilience

IBM points to the changing role of ransomware in today’s cyber threat landscape. Even though overall incident volumes involving ransomware are declining, the tactics, resilience and impact of ransomware operators are becoming more persistent and complex.

Just over a quarter (28%) of all malware incidents involved ransomware, making it the single largest category among malware types.

However, IBM highlights that ransomware incident volumes have declined for the third consecutive year. This is due to law enforcement interventions, enhanced defensive capabilities and organisational reluctance to pay ransoms.

Ransomware continues to thrive in underground forums, with related activity on the dark web increasing by 25% year-over-year. High-profile ransomware families like Lockbit3, Clop and RansomHub were the most active based on dark web mentions.

Top ransomware by volume of dark web events (Credit: IBM)

Threat actors are adopting multi-extortion tactics, including public shaming, data theft and threats of release. These all aim to pressure victims into paying. 

Ransomware groups have embraced cross-platform strategies to target Linux, Windows and ESXi environments as standard. 

The ransomware ecosystem mirrors commercial SaaS models, with crime-as-a-service infrastructure enabling low-skill attackers to launch sophisticated ransomware campaigns. 

Although the pace of ransomware’s growth has slowed, its resilience and adaptive strategies ensure it remains one of the most dangerous threats. 

IBM recommends several proactive countermeasures, such as robust backup and recovery protocols, advanced EDR and threat detection, and intelligence monitoring of dark web activity.

How is AI both a target and a tool?

IBM highlights that AI is now both a tool used by attackers and a target for cyberattacks. 

Threat actors are using Gen AI to create deepfakes, build phishing websites, write malicious code and craft phishing emails. This use of AI helps cybercriminals to scale and personalise social engineering campaigns, increasing both the success rates and credibility of attacks.

Not only does AI enhance attackers’ ability to amplify the speed and scale of intrusions, but it also enables the more efficient deployment of infostealers and campaign coordination.

Attackers are focusing on targeting AI infrastructure, such as foundation models (FMs), training data and machine learning operations platforms. 

These platforms are used by enterprises to train and deploy LLMs, creating new attack surfaces.

Only 24% of Gen AI projects are currently secured, indicating a significant vulnerability window for threat actors to exploit.

To handle the rise in AI adoption, organisations must embed security controls at every stage, treat the AI development pipeline as critical infrastructure, and use AI defensively to match attackers’ speed and sophistication.


What do CISOs need to do next?

IBM details several urgent recommendations for Chief Information Security Officers (CISOs), focusing on enhancing visibility, resilience and proactive defence strategies as the cyber threat landscape becomes more sophisticated. 

CISOs should move from reactive risk management towards community-based measures, such as real-time threat intelligence sharing and strengthening supply chain collaboration. 

IBM urges executives to expand the use of multifactor authentication (MFA) for all users, consolidate identity systems into a unified identity fabric and modernise identity strategy to be adaptive, scalable and continuously audited.

By monitoring dark web forums for leaked credentials, developing a cyber crisis response plan and regularly educating employees on credential hygiene and phishing risks, IBM believes CISOs can contribute to a more resilient and stronger cyber ecosystem. 
