Threat Landscape

The ENISA Threat Landscape (ETL) report is the annual report of the European Union Agency for Cybersecurity, ENISA, on the state of the cybersecurity threat landscape. In October 2024, ENISA released the 12th edition of the report, which covers the reporting period from June 2023 to July 2024.

The report identifies prime threats and the major trends observed with respect to threats, threat actors and attack techniques, and also describes relevant mitigation measures.

Top threats

The ENISA Threat Landscape 2024 report highlights and directs attention toward eight prime threat types. These particular threat types have been singled out due to their prominence over the years, their widespread occurrence and the significant impact resulting from the realisation of these threats.

Ransomware
According to ENISA’s Threat Landscape for Ransomware Attacks report, ransomware is defined as a type of attack where threat actors take control of a target’s assets and demand a ransom in exchange for the return of the asset’s availability or in exchange for publicly exposing the target’s data. This definition is needed to cover the changing ransomware threat landscape, the prevalence of multiple extortion techniques and the various goals, other than solely financial gains, of the perpetrators. Ransomware has been, once again, one of the prime threats during the reporting period, with several high-profile and highly publicised incidents.
Malware
Malware, also referred to as malicious code and malicious logic, is an overarching term used to describe any software or firmware intended to perform an unauthorised process that will have an adverse impact on the confidentiality, integrity or availability of a system.
Social Engineering
Social engineering encompasses a broad range of activities that attempt to exploit human error or human behaviour with the objective of gaining access to information or services. It uses various forms of manipulation to trick victims into making mistakes or handing over sensitive or secret information. Users may be lured to open documents, files or e-mails, to visit websites or to grant access to systems or services. Although the lures and tricks used may abuse technology, they rely on a human element to be successful. This threat canvas consists mainly of the following attack vectors: phishing, spear-phishing, whaling, smishing, vishing, watering hole attack, baiting, pretexting, quid pro quo, honeytraps and scareware. 
Threats against data
A data breach is defined in the GDPR as any breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed (article 4.12 GDPR). Technically speaking, threats against data can be broadly classified as data breach or data leak. Though often used interchangeably, the two terms describe fundamentally different concepts, and the difference lies mostly in how they happen. Data breach is an intentional cyber-attack brought by a cybercriminal with the goal of gaining unauthorised access to and releasing sensitive, confidential or protected data. In other words, a data breach is a deliberate attack against a system or organisation with the intention of stealing data. Data leak is an event (such as misconfigurations, vulnerabilities or human errors) that can cause the unintentional loss or exposure of sensitive, confidential or protected data (intentional attacks are sometimes referred to as data exposure).
Threats against availability: Denial of Service
DDoS targets system and data availability and, though it is not a new threat, it plays a significant role in the cybersecurity threat landscape. Attacks occur when users of a system or service are not able to access relevant data, services or other resources. This can be accomplished by exhausting the service and its resources or overloading the components of the network infrastructure. The impact of DDoS attacks is often limited and symbolic.
Information Manipulation
Foreign Information Manipulation and Interference (FIMI) describes a mostly non-illegal pattern of behaviour that threatens or has the potential to negatively impact values, procedures and political processes. Such activity is manipulative in character, conducted in an intentional and coordinated manner. FIMI can be carried out by state or non-state actors, including their proxies inside and outside their own territory; in this report we study the threat regardless of its origin. 

Main trends

  • Threats against availability (DDoS) and Ransomware ranked at the top during the reporting period for another year.
  • Living Off Trusted Sites (LOTS): Threat actors extended their stealth techniques into the cloud, using trusted sites and legitimate services to avoid detection and disguising Command and Control (C2) communications as ordinary traffic or innocuous messages on platforms like Slack and Telegram.
  • Geopolitics continued to be a strong driver for malicious cyber operations.
  • Advancements in defensive evasion techniques: Cybercrime groups, especially ransomware operators, evaded detection by using Living Off The Land (LOTL) techniques to blend into environments and mask their malicious activities.