The threats you can’t see, and the steps you need to take
The threat landscape for 2025 is accelerating in both scale and sophistication. Double and triple extortion ransomware, memory-resident threats, zero-day exploits, and state-sponsored campaigns are increasingly targeting critical infrastructure, ERP ecosystems, cloud environments, and converged OT/IT networks. Attacks are more persistent, abusing trusted relationships across supply chains and exploiting complex ERP and cloud dependencies. At the same time, regulatory tightening across India, the UK, and the US is raising the bar for compliance, resilience, and incident response. For CISOs, this means moving beyond perimeter hygiene to adaptive, cloud-native, identity-centric security that scales with hybrid work, multi-cloud, and supply-chain ecosystems. The path forward is less about one-off patches and more about continuous risk reduction through Zero Trust, behavioural analytics, and proactive governance.
Scenario: Why this quarter’s threat activity matters to your enterprise
● Ransomware has evolved into multi-extortion, with data exfiltration driving pressure alongside encryption and DDoS/disruption tactics.
● State-sponsored campaigns and geopolitically aligned espionage are targeting government, defense, energy, finance, healthcare, and critical infrastructure, underscoring supply chain and OT/IT convergence risks.
● ERP ecosystems (notably SAP NetWeaver) remain high-value, with attackers leveraging deep access to disrupt core operations.
● Cloud interfaces, identity platforms, and edge devices are increasingly targeted as attack surfaces; patching cadence and configuration hygiene need to accelerate.
● Regulators globally are tightening cybersecurity accountability, affecting budgets, staffing, and governance across BFSI, utilities, healthcare, and government sectors.
Problems CISOs should anticipate and address:
● Patch fatigue and delay: High-impact vulnerabilities in widely used enterprise platforms create a rolling risk frontier.
● In-memory and fileless threats: Signature-based defenses miss memory-resident malware; detection relies on behavioral analytics and EDR/XDR telemetry.
● Identity as the new attack surface: Weak identity governance and MFA gaps enable lateral movement and data theft.
● ERP and supply-chain risk: SAP and other ERP environments are prized targets; third-party access and weak segmentation increase exposure.
● Incident response realism: Ransomware resilience depends on robust backups, offline/immutable copies, and practiced playbooks across PR, legal, and operations.
● Threat intelligence integration: Timely, sector-focused intelligence sharing and cross-agency coordination improve early warning and containment.
Solutions CISOs can apply now:
Embrace Zero Trust across the enterprise:
● Enforce MFA everywhere; reduce privileged access; segment networks (including OT-IT and supplier access points).
● Apply least-privilege and continuous verification for identities and workloads, including cloud and edge.
Accelerate patch governance and vulnerability management:
● Use automated patching workflows; track critical CVEs (with KEV alignment) and SAP NetWeaver exposure.
● Implement vulnerability management integrated with asset discovery, risk scoring, and remediation SLAs.
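The KEV-aligned prioritisation described above, as an added worked example (not tooling from the Tata Communications report): findings from an asset inventory are tiered by CISA KEV membership first, then CVSS, with internet exposure or high asset criticality moving a finding up a tier, and each tier carries a remediation SLA. The KEV subset, the inventory, the tier rules and the SLA days are constructed sample data and an assumed policy; the CVE-2025-0000x identifiers are placeholders, not real records. In production, load the CISA KEV JSON feed and your scanner and CMDB exports instead.

```python
"""KEV-aligned vulnerability prioritisation over a constructed asset inventory.

Added example, not tooling from the Tata Communications report. The KEV set and
findings below are constructed sample data; the tier rules and SLA days are an
assumed policy, not a standard.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Remediation SLA in days per priority tier (assumed policy values).
SLA_DAYS = {"P1": 3, "P2": 7, "P3": 14, "P4": 30, "P5": 90}

# Report date used by the stand-alone run below (constructed).
REPORT_DATE = date(2025, 7, 1)


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    criticality: str        # business criticality of the asset: high / medium / low
    internet_exposed: bool  # reachable from the internet (edge device, cloud interface, ...)


def tier(f: Finding, kev: set[str]) -> tuple[str, str]:
    """Assign a priority tier. Known exploitation (KEV) outranks raw CVSS; internet
    exposure or a high-criticality asset moves a finding up one tier."""
    exploited = f.cve in kev
    hot = f.internet_exposed or f.criticality == "high"
    if exploited and hot:
        return "P1", "in CISA KEV on an exposed or high-criticality asset"
    if exploited:
        return "P2", "in CISA KEV"
    if f.cvss >= 9.0:
        return ("P2", "critical CVSS on an exposed or high-criticality asset") if hot else ("P3", "critical CVSS")
    if f.cvss >= 7.0:
        return ("P3", "high CVSS on an exposed or high-criticality asset") if hot else ("P4", "high CVSS")
    return ("P4", "medium/low CVSS on an exposed or high-criticality asset") if hot else ("P5", "medium/low CVSS")


def prioritise(findings, kev, today: date):
    """Return findings as dicts ordered by tier then CVSS, each with an ISO due date."""
    rows = []
    for f in findings:
        t, why = tier(f, kev)
        rows.append({
            "asset": f.asset, "cve": f.cve, "tier": t, "cvss": f.cvss, "reason": why,
            "due": (today + timedelta(days=SLA_DAYS[t])).isoformat(),
        })
    rows.sort(key=lambda r: (r["tier"], -r["cvss"]))
    return rows


def overdue(rows, as_of: str):
    """Findings whose SLA has lapsed as of an ISO date string (ISO dates sort lexically)."""
    return [r for r in rows if r["due"] < as_of]


# Constructed KEV subset: two real, widely exploited CVEs (Log4Shell, EternalBlue).
SAMPLE_KEV = {"CVE-2021-44228", "CVE-2017-0144"}

# Constructed inventory. The CVE-2025-0000x identifiers are placeholders, not real records.
SAMPLE_FINDINGS = [
    Finding("sap-prd-01", "CVE-2021-44228", 10.0, "high", False),
    Finding("build-agent-07", "CVE-2017-0144", 8.1, "low", False),
    Finding("web-edge-02", "CVE-2025-00001", 9.8, "medium", True),
    Finding("hr-portal-03", "CVE-2025-00002", 7.5, "medium", False),
    Finding("kiosk-11", "CVE-2025-00003", 5.3, "low", False),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_FINDINGS, SAMPLE_KEV, REPORT_DATE):
        print(f'{r["tier"]} due {r["due"]}  {r["asset"]:15} {r["cve"]:15} cvss {r["cvss"]:4}  {r["reason"]}')
```

Note the ordering the rules produce: a KEV entry on a low-criticality build agent still lands in P2 with a 7-day SLA, above a non-KEV CVSS 7.5 on an internal portal, while a non-KEV CVSS 9.8 on an internet-facing edge box sits alongside it. Exploitability signals drive the queue; CVSS only breaks ties within a tier.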
Deploy advanced, behaviour-based detection:
● Invest in EDR/XDR with memory-forensic capabilities; enable script-blocking and DLL tampering alerts.
● Implement real-time telemetry across endpoints, network, and cloud; normalise into a centralised SOC for rapid triage.
Strengthen ransomware resilience:
● Maintain segmented, immutable backups; test restoration regularly; implement offline/air-gapped backups where feasible.
● Enforce network egress controls to block known malicious C2 endpoints; detect anomalous data exfiltration patterns.
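The two controls in this sub-section, blocking known C2 endpoints and detecting anomalous exfiltration, as an added worked example (not detection content from the Tata Communications report) that also covers the data exfiltration monitoring in the lessons below. Over constructed per-day flow records it raises an alert when a host's external egress on the target day exceeds several times its seven-day baseline, and a separate alert for any flow to a blocklisted address, however small. The flow records, internal ranges, blocklist entry (a TEST-NET documentation address), spike factor and byte floor are all constructed or assumed values, not recommended thresholds.

```python
"""Egress anomaly and C2 blocklist detection over constructed flow records.

Added example, not detection content from the Tata Communications report. Flows,
internal ranges and the blocklist are constructed sample data; the spike factor
and byte floor are assumed tuning values.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
C2_BLOCKLIST = {"203.0.113.7"}  # constructed entry; in practice fed from threat intelligence


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_external_egress(flows):
    """host -> day -> bytes sent to destinations outside the internal ranges."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if not is_internal(f["dst"]):
            totals[f["host"]][f["day"]] += f["bytes"]
    return totals


def detect_exfil(flows, baseline_days, target_day, spike_factor=5.0, min_bytes=50_000_000):
    """Alert when a host's external egress on target_day exceeds spike_factor times its
    per-day baseline mean and an absolute floor (so a quiet host does not alert on a few
    kilobytes), or when any flow on target_day goes to a blocklisted C2 address."""
    alerts = []
    for f in flows:
        if f["day"] == target_day and f["dst"] in C2_BLOCKLIST:
            alerts.append({"type": "c2_blocklist", "host": f["host"], "dst": f["dst"], "bytes": f["bytes"]})
    for host, per_day in daily_external_egress(flows).items():
        base = mean([per_day.get(d, 0) for d in baseline_days])
        today = per_day.get(target_day, 0)
        threshold = max(spike_factor * base, min_bytes)
        if today > threshold:
            alerts.append({"type": "egress_spike", "host": host, "bytes": today,
                           "baseline_mean": base, "ratio": today / base if base else float("inf")})
    return alerts


# Constructed sample: seven baseline days and one target day.
BASELINE_DAYS = [f"2025-06-{d:02d}" for d in range(23, 30)]
TARGET_DAY = "2025-06-30"


def flow(day, host, dst, nbytes):
    return {"day": day, "host": host, "dst": dst, "bytes": nbytes}


SAMPLE_FLOWS = []
for d in BASELINE_DAYS:
    SAMPLE_FLOWS += [
        flow(d, "ws-fin-12", "198.51.100.10", 20_000_000),   # ~20 MB/day of routine SaaS traffic
        flow(d, "ws-fin-12", "10.1.2.3", 900_000_000),        # internal file server: not egress
        flow(d, "ws-eng-04", "198.51.100.44", 500_000_000),   # build artefacts to an external CI service
    ]
SAMPLE_FLOWS += [
    flow(TARGET_DAY, "ws-fin-12", "198.51.100.23", 2_000_000_000),  # 100x its usual external egress
    flow(TARGET_DAY, "ws-eng-04", "198.51.100.44", 600_000_000),    # busy day, still within 5x baseline
    flow(TARGET_DAY, "srv-sap-01", "203.0.113.7", 5_000),           # tiny beacon to a blocklisted IP
]

if __name__ == "__main__":
    for a in detect_exfil(SAMPLE_FLOWS, BASELINE_DAYS, TARGET_DAY):
        print(a)
```

The per-host baseline matters: the engineering workstation that normally ships half a gigabyte of build output a day does not alert on 600 MB, while the finance workstation that normally sends 20 MB does alert on 2 GB. The blocklist check deliberately ignores volume, because a C2 beacon is small by design and would never trip a byte threshold.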
Harden ERP and supply chain security:
● Deploy SAP Enterprise Threat Detection (ETD) or equivalent monitoring; monitor for PipeMagic and Brute Ratel indicators; restrict administrative access and perform regular SAP security audits.
● Segment ERP from other critical systems; monitor database activity; apply third-party risk controls and threat hunting for persistence.
Fortify cloud and edge security:
● Treat cloud services as high-risk assets; apply Zero Trust to cloud interfaces; deploy CWPPs and behaviour-based protections.
● Enforce strict patch governance for edge devices and network appliances; monitor firmware integrity and management interfaces.
Elevate cyber maturity through red team and information sharing:
● Conduct regular red-team exercises focused on identity, PowerShell usage, and lateral movement.
● Engage with CERTs/ISACs for threat intelligence and cross-sector collaboration to improve speed of detection and response.
Real-world case study examples:
● ERP risk and defence: SAP environments faced sophisticated attackers deploying PipeMagic and Brute Ratel across networks; organisations that paired rapid SAP security audits with threat hunting for ERP persistence could detect anomalies early and limit exposure.
● In-memory threats and detection: Groups employing memory-resident loaders (e.g., NETXLOADER) underscored the need for memory telemetry, script blocking, and lateral-movement analytics, the building blocks of a mature EDR/XDR capability.
● Ransomware evolution: Double and triple extortion campaigns intensified; organisations with robust backup strategies, offline copies, and coordinated incident response minimised operational disruption and reputational damage.
● Supply chain and OT/IT segmentation: Campaigns against upstream IT providers and critical OT exposed the risk of indirect compromise; the most resilient entities maintained strong supply-chain governance and network segmentation between IT/OT.
Lessons CISOs can operationalise
● Build double extortion readiness: Harden email security, RDP access, and data exfiltration monitoring; ensure immutable backups and clear communications playbooks for incident response.
● Invest in threat visibility, not just tools: Move beyond antivirus; deploy behaviour-based detection with cross-domain telemetry (endpoints, cloud, network) to spot post-exploitation activity and reduce dwell time.
● Accelerate patching and vulnerability intelligence: Use proactive patching cadences, KEV-aligned prioritisation, and automated remediation workflows to reduce exploitable windows.
● Foster proactive cyber awareness and red teaming: Continuous phishing simulations, blue/red team exercises, and threat intelligence sharing strengthen organisational muscle against human-factor and opportunistic attacks.
● Strengthen identity and cloud resilience: Achieve and maintain Zero Trust maturity across users, devices, and workloads; deploy MFA everywhere and monitor for anomalous identity behavior.
● Prepare for regulatory impact: Align with evolving frameworks and circulars (e.g., SEBI CSCRF, NIS-like directives) to anticipate compliance budgets and staffing needs.
Recommendations for CISOs:
● Make Zero Trust a program, not a project: Roadmap phases such as identity-centric access controls, micro-segmentation, continuous authentication, and adaptive access policies.
● Turbocharge patch and risk prioritisation: Implement automated, policy-driven patch management; tie fixes to asset criticality and exploitability signals.
● Build a unified threat visibility platform: Centralise telemetry from endpoints, network, cloud, and OT; deploy AI-assisted analytics to reduce mean time to detect and respond.
● Elevate ERP/cloud security posture: Establish ERP-specific monitoring, including ERP access audits, segmentation, and threat-hunting for persistence mechanisms.
● Strengthen resilience through validated backups and incident playbooks: Validate offline backups; rehearse with public relations, legal, and operations to ensure coordinated action during incidents.
CISOs must institutionalise proactive patching, zero-trust-driven identity governance, memory-aware detection, and robust recovery playbooks. By acting now—embedding Zero Trust, accelerating patch management, and embracing behaviour-based threat detection—you can reduce not just risk, but also the potential impact on operations, trust, and shareholder value.
This marks the wrap-up of our AMJ (April - May - June) report, and we will soon share fresh insights in our upcoming quarterly report for July, August, and September. Tata Communications stands ready to partner on this journey, providing the expertise, scale, and collaboration required to navigate this evolving digital battlefield and sustain a differentiated, secure, and agile enterprise.
Do explore the newly redesigned Tata Communications website, built to strengthen engagements with existing customers while opening new opportunities for prospects—at www.tatacommunications.com, today!
Indian Navy Veteran | Telecom & Infra Leader | Independent Director Aspirant | Author | Conscious Leadership & Breathwork Advocate | Driving Zero Defect, Human OS & Resilient Leadership for Future-Ready Boards
This post makes a vital point. In today's landscape, cybersecurity is no longer just an IT function—it’s a core business risk. The 'threats you can't see' aren't just technical exploits; they are also the blind spots in our leadership, culture, and strategy. The most resilient organizations will be those that prioritize building a proactive, security-first mindset across the entire company, not just in the IT department.