The IT-ISAC is celebrating its 25th Anniversary this year. This has caused me to reflect on the new challenges we continue to face as a cybersecurity community. When I first joined the IT-ISAC in 2005, a leader of another ISAC (information sharing and analysis center) commented to me that his team would have a party every time a member shared information. In those early days, there was a dearth of even basic information about threat actors and attacks.
Today, the challenge is reversed. So much information is available to analysts that it’s hard to keep track of it all and understand what is accurate and relevant. Rather than scouring any source possible for any type of threat intelligence, a key role of our analytic team is now to turn the vast amount of available information into curated intelligence our members can use.
As one example, to help members understand threats and manage risks, the IT-ISAC began building and maintaining adversary attack playbooks and making them available to members. These playbooks are mapped to the MITRE ATT&CK Framework and track how actors get into a network, how they move around, and how defenders can identify and remove them. We use information provided by members, partners, and public sources.
We were thrilled with our results. We had an easy-to-consume way to keep members updated on threat actors and their tactics, techniques, and procedures (TTPs). But then we discovered a new problem: we were building more playbooks than our members could reasonably use. As of March 2025, we have playbooks on over 230 adversaries. So, rather than having no information to share with our members, our problem was that we had more than members could be expected to consume.
To address this, our team developed the Predictive Adversary Scoring System (PASS) in collaboration with our member companies. PASS provides a comprehensive scoring system based on various factors, including the adversary’s motivation, capabilities, and past actions, allowing members to assess their risk exposure and allocate resources accordingly.
PASS focuses on several key metrics to determine a specific adversarial risk:
- Level of Activity: How recently the adversary has been active.
- Frequency of Sector Targeting: The number of times the adversary has targeted the IT sector.
- Sophistication/Impact: The complexity of the adversary’s TTPs and their impact.
- Motivation: The driving force behind the adversary – financial, geopolitical, ideological, or recognitional.
PASS helps us prioritize the monitoring and analysis of known adversaries by producing a numerical score (0 – 128) for each actor based on the above criteria. This tool helps our analysts and members identify threat actors that pose the greatest danger to specific industries and industry segments. By applying PASS to those 230 adversaries we are monitoring, we were able to identify the 58 top adversaries seen in the IT Sector and to analyze them in detail. We are able to break this down further into specific segments within the IT sector.
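To make the four PASS factors concrete, here is an added illustrative scorer (not IT-ISAC's own code; the real PASS weighting is not published on this page). It assumes each factor contributes 0 to 32 points so that the total spans the 0 to 128 range described above, derives activity and frequency points from observed data, takes sophistication and motivation as analyst ratings, and ranks constructed sample adversaries with placeholder names.

```python
"""Hypothetical PASS-style adversary scorer (assumed weighting, not IT-ISAC's)."""
from dataclasses import dataclass
from datetime import date

# Assumption: each of the four PASS factors contributes 0..32 points,
# so the total spans 0..128 as the article states. The mappings below
# are illustrative, not the real PASS formula.
FACTOR_MAX = 32


@dataclass
class Adversary:
    name: str
    last_seen: date      # most recent observed activity
    sector_hits: int     # times observed targeting the IT sector
    sophistication: int  # analyst rating 0..32 (TTP complexity and impact)
    motivation: int      # analyst rating 0..32 (assumed ordinal scale)


def activity_points(last_seen: date, today: date) -> int:
    """Recency decay: full marks within 30 days, zero after a year."""
    age = (today - last_seen).days
    if age <= 30:
        return FACTOR_MAX
    if age >= 365:
        return 0
    return round(FACTOR_MAX * (365 - age) / 335)


def frequency_points(hits: int, cap: int = 16) -> int:
    """Linear in observed sector targeting, saturating at `cap` incidents."""
    return round(FACTOR_MAX * min(hits, cap) / cap)


def clamp(value: int) -> int:
    return max(0, min(FACTOR_MAX, value))


def pass_score(a: Adversary, today: date) -> int:
    return (activity_points(a.last_seen, today) + frequency_points(a.sector_hits)
            + clamp(a.sophistication) + clamp(a.motivation))


def rank(adversaries, today: date, top_n: int):
    """Highest-scoring adversaries first, for prioritising monitoring effort."""
    scored = sorted(((pass_score(a, today), a.name) for a in adversaries), reverse=True)
    return scored[:top_n]


# Constructed sample adversaries (placeholder names, invented values).
SAMPLE = [
    Adversary("Actor-A", date(2025, 3, 1), 20, 30, 28),
    Adversary("Actor-B", date(2024, 6, 1), 3, 12, 20),
    Adversary("Actor-C", date(2023, 1, 15), 1, 8, 10),
]
TODAY = date(2025, 3, 15)  # constructed reference date for the recency decay
```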
The Top 5 Threat Actors
The top five threat actors in the IT sector, identified based on 2024’s data, were Lazarus, Scattered Spider, APT3/Gothic Panda, APT29, and RansomHub. Some of these organizations scored nearly as high as possible – underlining their danger to organizations within the sector. Understanding which actors are most active in the sector and their TTPs can help companies more effectively prioritize limited resources.
Motivation: A Mix of Politics and Financial Gain
In terms of actor motivation, there is nearly a down-the-middle split: 52% of actors seen in the IT sector are geopolitically driven and 48% are financially motivated.
Geopolitical attacks typically aim to disrupt operations, steal sensitive information, or weaken competitors, often as part of a broader state-sponsored agenda. In contrast, financially motivated ransomware groups focus on extortion, leveraging tactics such as data exfiltration and system encryption to demand payouts.
The IT sector’s diverse range of targets, troves of intellectual property and sensitive data, operational dependency, interconnected networks, and critical high-value digital infrastructure make it a prime focus for geopolitical and financial attackers.
How Can Organizations Protect Themselves?
With a threat landscape that is vast and challenging, protecting an enterprise can feel like an impossible task. This challenge appears even larger considering the budget constraints facing many security teams. Therefore, risk-informed decision making is essential to allocating limited resources where they deliver the most value.
Based on our analysis of active threat actors and their TTPs, several mitigations can help organizations lower the likelihood of being successfully targeted by a threat actor. While no single mitigation, or combination of mitigations, will make any organization immune from a successful attack, some key strategies include:
- Training employees thoroughly on how to recognize and avoid phishing and on not sharing personal details online.
- Enforcing multi-factor authentication (MFA) on all accounts.
- Consulting and applying vendor-recommended guidance for security hardening. To the extent possible, enable security features at the highest possible setting.
- Staying updated on the latest cyber threat intelligence by following cybersecurity publications, prominent researchers, and vendors on social media.
- Implementing least-privilege access: limiting the access and permissions granted to third parties and ensuring they have access only to the resources essential for their role.
- Joining an information-sharing organization such as an ISAC to stay connected with industry peers, collaborate directly with fellow analysts, and remain up to date on emerging threats and zero-day vulnerabilities.
We issued a public report summarizing our findings, which is available here. A more detailed report that links to the adversary attack playbooks and other details is available to IT-ISAC members.