As the threat landscape continues to evolve, critical infrastructure sectors face a growing wave of sophisticated cyber threats. Traditional security strategies that focus solely on indicators of compromise (IoCs) are proving insufficient against the scale and speed of modern cyberattacks: an IoC describes an artifact of an attack that has already been seen, and adversaries can change hashes, domains, and IP addresses far more cheaply than they can change the behaviors behind them.
To address today’s challenges, organizations must adopt a threat-informed defense approach—one that shifts the focus from reactive responses to proactive, intelligence-driven security operations.
The rise of cybercrime-as-a-service
Today’s macro threat landscape is a flourishing ecosystem of cybercrime facilitated by crime-as-a-service (CaaS) models. Cybercriminal networks now operate like legitimate businesses, with specialized units dedicated to activities such as money laundering, malware development, and spear phishing. This ecosystem lowers the barrier to entry for cybercrime, enabling low-skilled adversaries to launch highly targeted and disruptive attacks with minimal effort.
One of the most concerning trends is the rise of reconnaissance-as-a-service, where threat actors conduct extensive network mapping before an attack. This intelligence is then packaged and sold to the highest bidder, increasing the likelihood of successful breaches. Now that AI is being weaponized, these reconnaissance efforts have become more automated and precise, allowing cybercriminals to scale their operations at an unprecedented rate.
The convergence of IT and OT threats
Cybercrime has historically targeted IT systems, while nation-state actors have focused on disrupting operational technology (OT) environments. However, this division is rapidly dissolving as financially motivated attackers recognize the high stakes involved in OT disruptions. Due to the potential financial and operational impact of attacks, manufacturing, energy, and utilities have now become prime targets.
For example, initial access brokers (IABs) now infiltrate OT networks and sell access to ransomware groups or other malicious actors. According to threat intelligence data presented at the Fortinet OT Summit 2025, cyberattacks targeting operational technology in North America's energy and utilities sector rose by 300% between the first and fourth quarters of 2024,[i] "with billions of threats detected across critical infrastructure sectors." These attackers exploit weak security controls in legacy OT systems, using purchased reconnaissance data to refine their attack vectors.
AI-driven cyberattacks: A growing concern
The weaponization of AI has introduced new attack methodologies. While early cyberattacks relied on pre-programmed or automated algorithms—such as scripted scanning, enumeration, and basic exploitation—today's adversaries are starting to use AI-driven, multi-stage attacks that can adapt dynamically in real time. For example, generative AI assists attackers in reconnaissance and social engineering. This shift from fixed automation to AI-driven attack chains means defenders must adopt equally adaptive defense mechanisms.
One alarming trend is the use of AI to craft highly personalized phishing campaigns in local languages, increasing their effectiveness. Additionally, attackers now use AI for advanced evasion techniques, such as blending malicious activity with legitimate system processes to avoid detection. The next phase of AI-driven threats will likely involve real-time decision-making during attacks, making them even more difficult to mitigate.
Operationalizing threat intelligence for defense
A threat-informed defense strategy requires organizations to continuously integrate threat intelligence into their security operations—not just to understand the threat landscape but to translate that understanding into active, adaptive defense. This concept, formalized by MITRE, emphasizes the cyclical integration of cyber threat intelligence, testing and evaluation, and defensive measures to create a continuously improving security posture.
[Figure: the MITRE threat-informed defense cycle (image: Fortinet)]
The MITRE threat-informed defense (TID) model illustrates how each phase informs the next: Intelligence drives testing, testing validates defenses, and the results of those defenses refine future intelligence. This ongoing loop is central to building resilience against advanced and persistent threats. In many ways, this approach parallels the industry’s shift toward continuous threat exposure management (CTEM).
Building on this model, four key components form the operational backbone of an effective TID strategy:
Cyber threat intelligence: Curate and contextualize threat data to understand adversary tactics, techniques, and procedures (TTPs); campaign trends; and potential risks to your specific environment.
Testing and evaluation: Through red teaming, blue teaming, and purple teaming, continuously simulate and assess real-world attack scenarios to uncover exposures and test detection and response mechanisms.
Detection engineering: Adapt existing defenses and build new detection logic as attackers develop novel or evasive techniques. This includes engineering for visibility into OT-specific threats and cross-domain attack paths.
Defensive measures and automated response: Employ AI and automation—via tools like SOAR and EDR—to reduce response times and ensure coordinated, consistent defense across IT and OT environments.
Together, these elements reinforce MITRE’s vision for threat-informed defense: a living, dynamic security model built on actionable intelligence, validated testing, and resilient defenses that evolve with the threat landscape.
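The detection engineering component above calls for visibility into OT-specific threats and cross-domain attack paths. The following is an added example written for this article, not code from Fortinet or MITRE, showing two such detections run over constructed flow records: a Modbus/TCP write command from a host that is not an approved engineering workstation (ATT&CK for ICS T0855, Unauthorized Command Message), and an IT-subnet host touching many OT hosts in a short window, the cross-domain discovery an initial access broker or reconnaissance-as-a-service operator would generate (T0846, Remote System Discovery). The subnets, the engineering-workstation allow-list, the window and threshold, and every flow record are assumptions constructed for the example; the Modbus function codes for writes (5, 6, 15, 16) and TCP port 502 are standard.

```python
"""Two OT / cross-domain detections run over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed network layout and allow-list for this example (not from the article).
IT_NET = ip_network("10.10.0.0/16")
OT_NET = ip_network("10.20.0.0/16")
ENGINEERING_WORKSTATIONS = {"10.20.1.10"}   # only hosts allowed to issue Modbus writes
# Standard Modbus function codes that change process state.
MODBUS_WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
                      15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass(frozen=True)
class Flow:
    ts: int                     # epoch seconds
    src: str
    dst: str
    dport: int
    func: Optional[int] = None  # Modbus function code when the sensor parsed one


@dataclass(frozen=True)
class Alert:
    technique: str              # ATT&CK for ICS technique ID
    host: str                   # offending source host
    detail: str


def detect_unauthorized_writes(flows: List[Flow]) -> List[Alert]:
    """T0855: a Modbus write from any host outside the engineering-workstation allow-list."""
    alerts = []
    for f in flows:
        if f.dport == 502 and f.func in MODBUS_WRITE_FUNCS and f.src not in ENGINEERING_WORKSTATIONS:
            alerts.append(Alert("T0855", f.src,
                                f"{MODBUS_WRITE_FUNCS[f.func]} (fc {f.func}) to {f.dst}"))
    return alerts


def detect_it_to_ot_sweep(flows: List[Flow], window: int = 60, threshold: int = 5) -> List[Alert]:
    """T0846: one IT host reaching >= threshold distinct OT hosts within `window` seconds."""
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda x: x.ts):
        if ip_address(f.src) in IT_NET and ip_address(f.dst) in OT_NET:
            per_src[f.src].append(f)
    alerts = []
    for src, fs in per_src.items():
        left = 0
        for right in range(len(fs)):          # sliding window over time-ordered flows
            while fs[right].ts - fs[left].ts > window:
                left += 1
            targets = {f.dst for f in fs[left:right + 1]}
            if len(targets) >= threshold:
                alerts.append(Alert("T0846", src, f"{len(targets)} OT hosts within {window}s"))
                break                         # one alert per source is enough
    return alerts


# Constructed sample traffic: a benign engineering session, then an IT host sweeping the
# OT range and finally writing registers to a PLC it has no business configuring.
SAMPLE_FLOWS = [
    Flow(1000, "10.20.1.10", "10.20.1.3", 502, 16),     # approved workstation write
    Flow(1005, "10.20.1.10", "10.20.1.4", 502, 3),      # read holding registers: not a write
    Flow(1100, "10.10.5.23", "10.20.1.1", 502),         # IT host starts probing OT hosts
    Flow(1104, "10.10.5.23", "10.20.1.2", 502),
    Flow(1109, "10.10.5.23", "10.20.1.3", 502),
    Flow(1115, "10.10.5.23", "10.20.1.4", 502),
    Flow(1121, "10.10.5.23", "10.20.1.5", 502),
    Flow(1130, "10.10.5.23", "10.20.1.6", 44818),       # EtherNet/IP port probe
    Flow(1300, "10.10.5.23", "10.20.1.3", 502, 16),     # write from outside the allow-list
]


def run_detections(flows: List[Flow] = SAMPLE_FLOWS) -> List[Alert]:
    return detect_unauthorized_writes(flows) + detect_it_to_ot_sweep(flows)


if __name__ == "__main__":
    for a in run_detections():
        print(f"{a.technique} {a.host}: {a.detail}")
```

The allow-list rule is the cheap, high-value control for OT: the set of hosts that legitimately write to controllers is small and stable, so anything else writing is worth an analyst's time regardless of whether the command is "malicious" on its face. The sweep rule is what makes the cross-domain path visible; tune the window and threshold to the real IT-to-OT traffic baseline before enabling it.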
Industry collaboration: A collective defense model
No single entity can tackle the cyber threat landscape alone. Industry-wide collaboration is essential to improving collective defenses. Public-private partnerships, threat intelligence sharing, and joint initiatives—such as the Cyber Threat Alliance and Cybercrime Atlas—help organizations stay ahead of adversaries. Working closely with law enforcement agencies, these initiatives have led to the takedown of major cybercrime operations and the arrest of thousands of cybercriminals.
Additionally, frameworks like MITRE ATT&CK for ICS provide a standardized vocabulary for the adversary behaviors seen against control systems, so that intelligence, detections, and test results can all be described in the same technique IDs. Organizations should use these insights to tailor their defenses against sector-specific threats.
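Describing intelligence, detections, and tests in the same ATT&CK for ICS technique IDs is what lets the threat-informed defense loop described earlier be run as a procedure rather than a slogan. The following added example, written for this article and not taken from Fortinet or MITRE, models one turn of that loop: sector-relevant reports are weighted per technique, each technique's current detection state and last purple-team result turn that weight into a priority score, and a test result fed back into the state changes the next cycle's plan. The reports, the detection states, the scoring weights, and the sector tags are all constructed for the example; the technique IDs are real ATT&CK for ICS IDs, but check them against the current ATT&CK release before using this mapping.

```python
"""One turn of the threat-informed defense loop on constructed data (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# ATT&CK for ICS technique IDs used below; verify against the current ATT&CK release.
TECHNIQUE_NAMES = {
    "T0883": "Internet Accessible Device", "T0859": "Valid Accounts",
    "T0886": "Remote Services", "T0855": "Unauthorized Command Message",
    "T0846": "Remote System Discovery", "T0831": "Manipulation of Control",
    "T0867": "Lateral Tool Transfer", "T0853": "Scripting",
}


@dataclass(frozen=True)
class Report:
    source: str
    sectors: frozenset       # sectors the report says the campaign targeted
    techniques: frozenset    # technique IDs observed in the campaign


@dataclass
class Defense:
    detection: str = "none"        # "none" | "partial" | "full"
    last_test: str = "untested"    # "untested" | "pass" | "fail"


# Assumed scoring weights: bigger number = bigger gap.
DETECTION_GAP = {"none": 3, "partial": 2, "full": 1}
TEST_GAP = {"untested": 2, "fail": 3, "pass": 0}


def weight_intel(reports: Iterable[Report], sector: str) -> Counter:
    """Intelligence step: count sector-relevant reports mentioning each technique."""
    weights = Counter()
    for r in reports:
        if sector in r.sectors:
            weights.update(r.techniques)
    return weights


def prioritize(weights: Counter, defenses: Dict[str, Defense]) -> List[str]:
    """Planning step: score = relevance * (detection gap + test gap), highest first."""
    scored = []
    for tid, w in weights.items():
        d = defenses.get(tid, Defense())      # unknown technique = no detection, untested
        scored.append((w * (DETECTION_GAP[d.detection] + TEST_GAP[d.last_test]), tid))
    return [tid for score, tid in sorted(scored, key=lambda s: (-s[0], s[1])) if score > 0]


def record_test_result(defenses: Dict[str, Defense], tid: str, passed: bool) -> Defense:
    """Feedback step: a purple-team result updates state for the next cycle.
    A failed test against a 'full' detection downgrades it: the test just proved otherwise."""
    d = defenses.setdefault(tid, Defense())
    d.last_test = "pass" if passed else "fail"
    if not passed and d.detection == "full":
        d.detection = "partial"
    return d


# Constructed sample intelligence: four reports, one of them about a different sector.
SAMPLE_REPORTS = [
    Report("rpt-a", frozenset({"energy", "utilities"}),
           frozenset({"T0883", "T0859", "T0886", "T0855"})),
    Report("rpt-b", frozenset({"manufacturing"}), frozenset({"T0853", "T0867"})),
    Report("rpt-c", frozenset({"energy"}), frozenset({"T0886", "T0846", "T0855", "T0831"})),
    Report("rpt-d", frozenset({"utilities", "energy"}), frozenset({"T0859", "T0886", "T0867"})),
]


def build_sample_defenses() -> Dict[str, Defense]:
    """Constructed current state of the defender's detections and tests."""
    return {
        "T0886": Defense("full", "pass"),
        "T0859": Defense("partial", "untested"),
        "T0883": Defense("full", "fail"),
        "T0846": Defense("partial", "fail"),
    }


if __name__ == "__main__":
    weights = weight_intel(SAMPLE_REPORTS, "energy")
    defenses = build_sample_defenses()
    for tid in prioritize(weights, defenses):
        print(tid, TECHNIQUE_NAMES[tid])
    record_test_result(defenses, "T0886", passed=False)   # red team got through Remote Services
    print("next cycle leads with", prioritize(weights, defenses)[0])
```

Running it on the sample data puts T0855 (no detection, twice reported against energy) at the top and T0886 (fully detected, last test passed) at the bottom; after the failed test against T0886 is recorded, that technique moves to the head of the next cycle's test plan. The scoring weights are the part to argue about with your own red and blue teams, not the structure.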
Looking ahead: The future of OT security
The rapid convergence of IT, OT, and cloud environments presents both challenges and opportunities for cybersecurity professionals. As attackers continue to refine their strategies, defenders must embrace a proactive, intelligence-driven approach.
Organizations can shift from a reactive security posture to a resilient, threat-informed defense strategy by integrating AI-driven threat intelligence, automating incident response, and fostering industry collaboration. As the cyber battlefield evolves, the key to success lies in understanding the adversary, anticipating their moves, and taking decisive action before an attack occurs.
The value of a threat-informed defense
Threat-informed defense is not merely an interesting concept but a necessity in today's cyber threat landscape. As attacks grow in sophistication, organizations must move from static security models to dynamic, intelligence-driven strategies.
By operationalizing threat intelligence, embracing automation, and collaborating with industry peers, critical infrastructure sectors can fortify and maintain their defenses to stay ahead of emerging threats.
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization.
[i]Fortinet OT Summit 2025, Derek Manky, “Threat-Informed Defense for Operational Technology: Moving from Information to Action to Operationalize Threat Intel,” presented March 2025. FortiGuard Labs threat intelligence data indicated a 300% increase in OT-related cyberattacks in North America’s energy and utilities sector between Q1 and Q4 of 2024.