Introduction
In an increasingly digitized world, the battle between organizations and cyber adversaries has never been more dynamic, or more consequential. Every industry, from financial services to healthcare, education, and beyond, faces attackers who are constantly evolving, armed with automation, AI-driven tactics, and global criminal networks. The question is no longer if adversaries will attempt to breach an organization, but how prepared defenders are to uncover them before damage is done.
This is where threat hunting becomes indispensable. Unlike reactive defences, hunting empowers organizations to proactively search for hidden threats, expose attacker techniques, and transform fleeting indicators into long-term detection capabilities. Threat hunting catches the threats that slip the net of automated detection, often identifying procedures that are especially evasive. What is most revealing is how these hunts vary across industries: the tactics that surface in financial systems may look very different from those uncovered in hospitals or universities.
In the pages ahead, Fortra Intelligence and Research Experts (FIRE) explore the industries where successful threat hunts are emerging most often. For each sector, we’ll highlight the active threat landscape, the key risks uncovered, and the recommendations that can help organizations not only defend but stay one step ahead of adversaries in 2025 and beyond. Additionally, this article analyses in detail how these threats align with the MITRE ATT&CK framework. MITRE ATT&CK is a globally recognized framework that catalogues adversary tactics and techniques. Using its standardized language when evaluating threats helps companies clearly compare risks across industries and align defences with proven best practices.
Financial Services & Fintech
Threat Landscape
Financial institutions remain among the most attractive targets for cybercriminals and state-sponsored actors due to the direct access to money, high-value data, and critical role in global economies. Threat actors frequently deploy phishing campaigns and credential theft schemes to infiltrate employee accounts, later escalating to business email compromise (BEC) and fraudulent transactions. Ransomware operators increasingly target banking and payment systems to disrupt operations, while advanced adversaries exploit APIs and fintech integrations to bypass traditional defences. AI-driven fraud and synthetic identity creation are accelerating, enabling attackers to blend into legitimate transaction flows with alarming precision.
Key Risks (linked to MITRE techniques)
Scheduled Task / Job (T1053): Attackers embed malicious routines into system schedulers (for example Windows Task Scheduler, cron, or system timers) so code executes automatically at boot or on a regular cadence. This enables persistent, repeatable activity — such as data collection or re-establishing access — that can run without the attacker’s direct interaction, increasing the risk of prolonged, unnoticed compromise.
Account Manipulation (T1098): Threat actors create, enable, or alter user and service accounts or change group memberships to gain or maintain elevated access. Such account changes can provide attackers with sustained administrative control or backdoor access, potentially exposing sensitive data and critical systems to broad exploitation.
System Services (T1569): Adversaries install or modify operating system services or daemons so malicious code runs with SYSTEM/root privileges at startup or on demand. Because services run with high system rights and often start automatically, they provide attackers with resilient footholds and the ability to perform wide-ranging actions across infrastructure.
Steal or Forge Kerberos Tickets (T1558): By stealing, reusing, or fabricating Kerberos tickets (including Golden or Silver Ticket techniques), attackers can impersonate users or services and authenticate across the environment without needing raw credentials. This approach allows stealthy lateral movement and access to resources that would otherwise require legitimate authentication, creating a vector for extensive, hard-to-detect access.
User Execution (T1204): Many intrusions begin when a user is tricked into running a malicious file, enabling macros, or visiting a malicious link, typically via targeted social engineering or phishing. This human-triggered vector provides attackers an initial foothold from which they can deploy further tooling, move laterally, or exfiltrate data.
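Several of the techniques above (scheduled tasks, service installation, privileged group changes and weak Kerberos ticket encryption) leave traces in standard Windows event logs, and a hunt can begin with a handful of rules run over those records. The following Python is an added example written for this article, not Fortra's own tooling; the event records are constructed samples shaped like Security/System log entries, the Event IDs are the real Windows ones (4698, 7045, 4728/4732/4756, 4769), and the hostnames, user names, service names and paths are hypothetical.

```python
"""Hunt Windows event records for persistence, account manipulation and
weak-encryption Kerberos ticket requests. Added example; constructed data."""
from collections import defaultdict

# Constructed sample events (hostnames, users, services and paths are hypothetical).
# Event IDs are the real Windows ones: 4698 scheduled task created, 7045 service
# installed, 4728/4732/4756 member added to a security-enabled group, 4769 TGS request.
SAMPLE_EVENTS = [
    {"id": 4698, "host": "FIN-WS01", "subject": "jdoe",
     "task": "\\Updater", "command": "powershell.exe -w hidden -enc AAAA"},
    {"id": 7045, "host": "FIN-SRV02", "subject": "SYSTEM",
     "service": "WinHelper", "image": "C:\\Users\\Public\\svc.exe"},
    {"id": 7045, "host": "FIN-SRV02", "subject": "SYSTEM",
     "service": "Sysmon64", "image": "C:\\Windows\\Sysmon64.exe"},
    {"id": 4728, "host": "DC01", "subject": "jdoe",
     "member": "svc-backup", "group": "Domain Admins"},
    {"id": 4769, "host": "DC01", "subject": "jdoe",
     "service": "MSSQLSvc/db01:1433", "enc_type": "0x17"},
    {"id": 4769, "host": "DC01", "subject": "jdoe",
     "service": "cifs/fs01", "enc_type": "0x12"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
GROUP_CHANGE_IDS = {4728, 4732, 4756}
# Locations from which a freshly installed service binary is rarely legitimate.
SUSPICIOUS_PATHS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "\\appdata\\")


def classify(event):
    """Return (technique_id, reason) if the event matches a hunt rule, else None."""
    eid = event["id"]
    if eid == 4698:
        cmd = event.get("command", "").lower()
        if "powershell" in cmd and ("-enc" in cmd or "hidden" in cmd):
            return ("T1053", f"task {event['task']} runs hidden/encoded PowerShell")
    elif eid == 7045:
        image = event.get("image", "").lower()
        if any(p in image for p in SUSPICIOUS_PATHS):
            return ("T1569", f"service {event['service']} installed from {event['image']}")
    elif eid in GROUP_CHANGE_IDS:
        if event.get("group") in PRIVILEGED_GROUPS:
            return ("T1098", f"{event['member']} added to {event['group']} by {event['subject']}")
    elif eid == 4769:
        # 0x17 is RC4-HMAC. Modern clients request AES (0x11/0x12); an RC4 service
        # ticket request is a common precursor of Kerberoasting or ticket forgery.
        if event.get("enc_type") == "0x17":
            return ("T1558", f"RC4 service ticket for {event['service']} requested by {event['subject']}")
    return None


def hunt(events):
    """Group rule hits by host so an analyst can triage one machine at a time."""
    findings = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            findings[ev["host"]].append(hit)
    return dict(findings)


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        for tech, reason in hits:
            print(f"{host}: {tech} - {reason}")
```

On the sample, the Sysmon service install and the AES (0x12) ticket request produce no finding, while the user-path service, the hidden PowerShell task, the Domain Admins membership change and the RC4 ticket request each surface under their technique ID. The rules are deliberately narrow; in a real hunt they would be widened with an allow-list of expected task and service names per host.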
Recommendations (boardroom-level)
- Strengthen oversight of account and system access: Implement clear policies and monitoring for all high-privilege accounts, with regular audits to prevent unauthorized modifications.
- Enhance employee awareness: Conduct ongoing training and simulations to reduce the risk of phishing and unintentional execution of malicious files.
- Improve operational monitoring: Ensure leadership receives visibility into critical scheduled tasks, system service changes, and authentication anomalies that could indicate ongoing attacks.
- Prioritize proactive detection and response: Maintain programs to detect early signs of persistence and lateral movement, minimizing potential financial and reputational impact.
- Ensure compliance and risk governance: Embed security checks into business processes to meet regulatory obligations and protect client data.
Technology & Software
Threat Landscape
Tech companies operate at the intersection of innovation and risk, making them prime targets for adversaries looking to exploit cutting-edge platforms before they mature. Zero-day vulnerabilities are actively weaponized against widely deployed software, while cloud misconfigurations and insecure APIs expose massive amounts of customer data. Threat hunts often surface supply chain intrusions, such as malware hidden in open-source libraries or poisoned dependencies within CI/CD pipelines, that ripple across industries relying on these platforms. In addition, the high concentration of privileged access within engineering teams makes insider threats a persistent concern, particularly when combined with stolen developer credentials from breached repositories.
Key Risks (linked to MITRE techniques)
Command and Scripting Interpreter (T1059): Attackers run unauthorized scripts or leverage scripting engines (PowerShell, Bash, Python, etc.) and automated tools to execute commands, manipulate systems, and orchestrate multi-step attacks. Because scripts can perform wide-ranging, programmatic actions quickly, their use enables rapid compromise, lateral movement, and automation of data collection or destructive operations across many systems.
External Remote Services (T1133): Adversaries exploit remote-access services (VPNs, RDP, SSH, remote management portals, third-party remote tools) to gain initial entry or persist access into corporate networks. Compromise of these entry points can provide attackers with remote, often persistent connectivity into internal systems, creating a direct path to sensitive assets and increasing the risk of large-scale intrusion.
File and Directory Discovery (T1083): Attackers systematically search file systems, shares, and directories to locate sensitive documents, configuration files, credentials, or intellectual property. This reconnaissance step informs what assets are valuable and accessible and directly drives targeted data theft or the selection of systems for privilege escalation and lateral movement.
Server Software Component (T1505): Threat actors compromise server-side components, such as web application modules, plugins, or middleware, to embed malicious payloads or backdoors that execute on demand. Because these components run inside trusted server processes, their compromise can silently affect many users or services, enabling data exfiltration, customer-facing manipulation, or supply-chain style impacts.
OS Credential Dumping (T1003): Attackers extract stored credentials (passwords, hashes, tokens) from operating system memory, credential stores, or local files to escalate privileges and impersonate legitimate users. Harvested credentials allow attackers to move laterally and access high-value systems without exploiting vulnerabilities each time, multiplying the potential scope of a breach.
Phishing (T1566): Through targeted emails, messages, or social engineering, adversaries trick employees or contractors into revealing credentials, clicking malicious links, or executing attachments, which serves as the initial access vector. Successful phishing can convert human trust into immediate access for attackers, leading to compromise of accounts, systems, and downstream data or service disruption.
Cloud Infrastructure Discovery (T1580) & Cloud Service Discovery (T1526): Attackers map cloud environments and enumerate cloud services, resources, and configurations to identify misconfigurations, exposed services, or high-value targets. Knowledge of the cloud topology and active services enables attackers to exploit weaknesses at scale, from misconfigured storage to overly-permissive roles, potentially affecting large sets of cloud-hosted data and workloads.
Account Discovery (T1087): Adversaries probe directories and services to identify user, service, and privileged accounts available in the environment. Knowing which accounts exist, which are privileged, and where they operate allows attackers to prioritize targets for credential theft or takeover and to plan efficient paths to critical systems.
System Information Discovery (T1082): Attackers collect details about operating systems, installed software, network configuration, and hardware to tailor exploits and operational plans. This environmental awareness enables more effective exploitation, increases the likelihood of successful privilege escalation, and helps attackers choose tools and timing that evade detection.
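The scripting-interpreter and discovery techniques in this section are usually visible in process-creation telemetry (Sysmon Event 1, EDR process events, auditd). A hunt over that data can decode obfuscated PowerShell and look for clusters of discovery commands on one host. The Python below is an added example for this article, not Fortra's tooling; the process records are constructed samples, the hostnames and user names are hypothetical, and the command patterns are a deliberately small illustration of the commands named in the paragraphs above.

```python
"""Hunt process-creation telemetry for scripting-interpreter abuse (T1059) and
bursts of discovery commands (T1087/T1082/T1580/T1526). Added example; constructed data."""
import base64
import re
from collections import defaultdict

# PowerShell's -EncodedCommand takes base64 of UTF-16LE text; build one for the sample.
_ENCODED = base64.b64encode("whoami; systeminfo".encode("utf-16le")).decode()

# Constructed sample records: (timestamp_seconds, host, user, command_line).
SAMPLE_PROCESSES = [
    (100, "DEV-WS07", "alice", f"powershell.exe -NoP -W Hidden -EncodedCommand {_ENCODED}"),
    (160, "DEV-WS07", "alice", 'cmd.exe /c net group "Domain Admins" /domain'),
    (220, "DEV-WS07", "alice", "aws ec2 describe-instances --region us-east-1"),
    (3000, "DEV-WS07", "alice", "aws sts get-caller-identity"),
    (150, "BUILD-01", "svc-ci", "python3 build.py --target release"),
    (170, "BUILD-01", "svc-ci", "hostname"),
]

# Small illustrative pattern set keyed by the ATT&CK technique each command supports.
DISCOVERY_PATTERNS = {
    "T1087": re.compile(r"\b(net\s+(user|group)|get-aduser|get-adgroupmember|whoami)\b", re.I),
    "T1082": re.compile(r"\b(systeminfo|hostname|ipconfig|uname\s+-a)\b", re.I),
    "T1580": re.compile(r"\b(aws\s+(ec2|s3|iam)\s+(describe|list)\S*|az\s+(vm|storage)\s+list|gcloud\s+compute\s+instances\s+list)", re.I),
    "T1526": re.compile(r"\b(aws\s+sts\s+get-caller-identity|az\s+account\s+(list|show))\b", re.I),
}
ENCODED_RE = re.compile(r"(?:-e|-ec|-en|-enc|-encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_powershell(command_line):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(processes, window=300, threshold=3):
    """Return findings as (host, kind, detail). A 'discovery-burst' fires when at least
    `threshold` distinct discovery techniques run on one host within `window` seconds."""
    findings = []
    hits_by_host = defaultdict(list)
    for ts, host, _user, cmd in processes:
        text = cmd
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            findings.append((host, "T1059", f"encoded PowerShell decodes to: {decoded[:80]}"))
            text = f"{cmd} {decoded}"  # scan the decoded body for discovery commands too
        for tech, pattern in DISCOVERY_PATTERNS.items():
            if pattern.search(text):
                hits_by_host[host].append((ts, tech))
    for host, hits in hits_by_host.items():
        hits.sort()
        for ts, _tech in hits:
            in_window = {t for t2, t in hits if ts <= t2 <= ts + window}
            if len(in_window) >= threshold:
                findings.append((host, "discovery-burst", sorted(in_window)))
                break
    return findings


if __name__ == "__main__":
    for host, kind, detail in hunt(SAMPLE_PROCESSES):
        print(f"{host}: {kind}: {detail}")
```

Decoding the encoded command matters twice: once as a T1059 signal in its own right, and again because the decoded body feeds the discovery counters, so a single obfuscated launch still contributes to the burst. The build host, which only runs a lone `hostname`, stays below the threshold.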
Recommendations (boardroom-level)
- Strengthen employee awareness and access governance: Promote a culture of vigilance around phishing and remote access use and establish oversight for privileged accounts.
- Improve visibility across systems and cloud environments: Ensure executives have dashboards highlighting unusual activity, misconfigurations, or high-risk access points.
- Enhance strategic risk management for software development and deployments: Regularly review server components, APIs, and CI/CD processes to ensure security is built into products from the start.
- Protect credentials and sensitive data: Implement policies to reduce unnecessary privileged access, enforce strong authentication, and audit sensitive data access.
- Prioritize proactive detection and monitoring: Invest in solutions that alert leadership to unusual behaviour or reconnaissance activity before it escalates into a breach.
Healthcare & Medical
Threat Landscape
Healthcare organizations face a unique convergence of high-value data, mission-critical operations, and vulnerable infrastructure. Adversaries regularly exploit legacy systems that cannot be easily patched, gaining persistence in hospital networks where uptime is prioritized over security. Ransomware groups view healthcare as a lucrative sector due to the pressure to restore life-critical systems quickly, often resulting in ransom payments. Increasingly, medical IoT devices such as infusion pumps, imaging systems, and patient monitors are targeted as entry points, with attackers leveraging weak security protocols to pivot deeper into clinical networks. Beyond ransomware, data theft of patient records and research IP is a growing priority for both cybercriminals and nation-state actors.
Key Risks (linked to MITRE techniques)
Active Scanning (T1595): Attackers actively probe networks, hosts, services, or applications using techniques such as port scans, web crawling, or service enumeration to identify targets, open ports, and potential weaknesses. This reconnaissance activity helps them map the attack surface and prioritize exploitable services before further intrusion.
Subvert Trust Controls (T1553): Adversaries compromise or abuse mechanisms that establish system trust, including tampering with certificates, manipulating authentication or provisioning, or exploiting package managers, so that malicious components appear legitimate. This allows attackers to bypass validation controls and deploy malware or updates with reduced likelihood of detection.
Exploitation for Client Execution (T1203): Attackers exploit vulnerabilities in client-side software such as browsers, document viewers, or media players to execute code on a user’s machine via crafted webpages, documents, or media. This provides a stealthy entry point without requiring explicit user action, enabling further compromise.
Event Triggered Execution (T1546): Malicious actors use system events or scheduled triggers, such as services, scheduled tasks/cron jobs, WMI events, or autoruns, to execute code automatically under specific conditions. This technique supports persistence and timed execution without user involvement, offering attackers reliable, stealthy access.
Recommendations (boardroom-level)
- Proactively manage risk across systems: Conduct regular reviews of all medical and clinical systems to identify potential vulnerabilities and ensure accountability for updates and patches.
- Strengthen oversight of privileged accounts and device access: Establish policies and monitoring for critical user accounts and connected medical devices to prevent misuse and ensure rapid detection of anomalies.
- Enhance incident preparedness: Develop clear response protocols for ransomware or malicious execution events, including coordination with clinical teams to minimize disruption to patient care.
- Increase visibility for executives: Implement dashboards and reporting that highlight potential persistent threats and unusual activity, enabling informed decisions at the leadership level.
- Protect critical patient and research data: Define ownership, access policies, and auditing practices for sensitive records and intellectual property, ensuring compliance and reducing exposure.
Education & Academia
Threat Landscape
Universities and academic institutions manage vast troves of personal data, intellectual property, and research that is attractive to both financially motivated attackers and state-sponsored groups. Phishing remains the most common initial access vector, with large and decentralized user populations offering ample attack surfaces. Ransomware campaigns increasingly disrupt online learning environments, exploiting underfunded and poorly maintained IT systems. DDoS attacks are frequently launched against virtual learning platforms, either as extortion attempts or to cause reputational damage. Research institutions are also targeted for espionage, with adversaries seeking to exfiltrate sensitive scientific data and advanced technologies, often through compromised faculty accounts or insecure remote access systems.
Key Risks (linked to MITRE techniques)
Phishing (T1566): Attackers send deceptive emails or messages aimed at students, faculty, or staff to harvest credentials or deliver malicious content; because universities rely on a large, diverse user base and frequent external collaboration, successful phishing can quickly expose account credentials, grant initial access, and enable further compromise across campus systems.
Subvert Trust Controls (T1553): Threat actors abuse legitimately signed academic software, drivers, or certificates — or compromise the supply chain that issues them — so malicious code appears trusted by systems and security tools; this allows persistent, hard-to-detect access because the malicious components inherit the same trust as sanctioned campus software.
File and Directory Permissions Modification (T1222): By altering permissions on shared drives, research data stores, or departmental file systems, attackers elevate privileges or broaden access to sensitive datasets and systems; on campuses where collaboration and shared resources are common, such modifications can enable data theft, unauthorized data alteration, or lateral movement across research and administration environments.
Deployment Tools (T1072): Adversaries leverage legitimate remote administration and deployment tools used by IT or research groups to distribute malware, move laterally, or control multiple endpoints across departments; because these tools are commonly trusted and widely deployed, their abuse can provide efficient, large-scale access to institutional assets.
Hide Artifacts (T1564): Attackers erase logs, tamper with audit trails, or conceal their presence on shared research servers and systems to evade detection and prolong their operations; this deliberate obfuscation complicates incident discovery and forensic investigation, increasing the chance of sustained data exposure or manipulation.
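Permission changes on shared research stores (T1222) are easy to miss because the files themselves are untouched; a baseline snapshot of permission bits compared against the current state makes the change visible. The Python below is an added example for this article, not Fortra's tooling or any university's process: it builds a constructed temporary directory tree with hypothetical file names, records a baseline, simulates an attacker loosening two files, and reports which entries became broader (with world-writable rated highest). It uses POSIX mode bits; a Windows share would need an ACL-based equivalent.

```python
"""Detect broadened file permissions by diffing a baseline snapshot against the
current state of a directory tree (POSIX mode bits). Added example; constructed data."""
import os
import stat
import tempfile


def snapshot(root):
    """Map each path under root (relative) to its permission bits."""
    modes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            modes[os.path.relpath(full, root)] = stat.S_IMODE(os.lstat(full).st_mode)
    return modes


def broadened(old_mode, new_mode):
    """True when the new mode grants any permission bit the old mode did not."""
    return bool(new_mode & ~old_mode)


def diff_permissions(baseline, current):
    """Return (path, old_mode, new_mode, severity) for every entry whose mode changed."""
    findings = []
    for rel, new_mode in current.items():
        old_mode = baseline.get(rel)
        if old_mode is None or new_mode == old_mode:
            continue  # new files are out of scope here; unchanged entries are skipped
        if new_mode & stat.S_IWOTH and not old_mode & stat.S_IWOTH:
            severity = "high"    # became world-writable
        elif broadened(old_mode, new_mode):
            severity = "medium"  # some other bit was added (e.g. group write)
        else:
            severity = "info"    # tightened; worth logging, not alerting
        findings.append((rel, oct(old_mode), oct(new_mode), severity))
    return findings


def build_sample_tree():
    """Construct a temporary 'research share', take a baseline, then simulate T1222."""
    root = tempfile.mkdtemp(prefix="research-share-")
    os.makedirs(os.path.join(root, "grants"))
    files = {"grants/budget.xlsx": 0o640, "grants/proposal.docx": 0o640, "README.txt": 0o644}
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "grants"), 0o750)
    baseline = snapshot(root)
    # Simulated attacker activity: two files loosened, one tightened by an admin.
    os.chmod(os.path.join(root, "grants/budget.xlsx"), 0o666)
    os.chmod(os.path.join(root, "grants/proposal.docx"), 0o660)
    os.chmod(os.path.join(root, "README.txt"), 0o600)
    return root, baseline


def run_demo():
    """Build the sample tree and return the permission diff."""
    root, baseline = build_sample_tree()
    return diff_permissions(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, old, new, severity in run_demo():
        print(f"{severity:6} {rel}: {old} -> {new}")
```

In practice the baseline would be stored centrally and refreshed on an approved change window, so that any drift between refreshes is something a person has to explain.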
Recommendations (boardroom-level)
- Strengthen user awareness and culture: Implement regular training and simulations to ensure students and staff recognize phishing and other social engineering attempts.
- Enhance governance over privileged access: Establish clear policies for certificate use and privileged accounts, with oversight to prevent misuse.
- Formalize technology oversight: Review deployment and use of administrative tools across systems to ensure proper controls and accountability.
- Improve monitoring and reporting: Ensure executive dashboards and reporting highlight unusual activity and potential threats for timely decision-making.
- Protect critical data and assets: Adopt strategic initiatives to secure research data and sensitive student information, including clear ownership, access controls, and audit practices.
Retail & Consumer Goods
Threat Landscape
The retail sector faces relentless attacks aimed at both digital and physical sales channels. Point-of-sale (POS) malware and web skimming campaigns (Magecart-style attacks) remain widespread, harvesting customer payment data in real time. E-commerce platforms are constant targets of credential stuffing, automated bot fraud, and account takeover attacks, all designed to blend in with legitimate traffic. Threat hunts often reveal weaknesses in third-party integrations and supply chain partners, particularly within logistics and delivery services that are increasingly digitized. With consumer trust hinging on secure transactions, adversaries continue to weaponize the high transaction volumes of peak retail seasons to mask fraudulent activity.
Key Risks (linked to MITRE techniques)
Remote Services (T1021): Attackers exploit legitimate remote access services, such as RDP, SSH, VNC, Windows admin shares, or cloud management interfaces, to move laterally or infiltrate systems. Once connected, they can operate as authorized users, making detection difficult. Compromised remote services can disrupt operations, expose sensitive customer or payment data, and threaten the integrity of critical retail systems across stores, warehouses, and supply-chain platforms.
Adversary-in-the-Middle (T1557): Attackers intercept or manipulate communications between systems, including point-of-sale devices, e-commerce platforms, payment gateways, or mobile apps, to steal credentials, alter financial transactions, or access customer information. These attacks directly threaten revenue, operational continuity, and customer trust, as even brief compromises can result in financial loss, data exposure, and reputational damage in high-volume transaction environments.
Recommendations (boardroom-level)
- Strengthen oversight of remote access: Implement policies and monitoring for all remote connections to critical systems, including third-party vendors.
- Protect transaction integrity: Ensure encryption and monitoring of communications to prevent interception or tampering.
- Enhance visibility for executives: Maintain dashboards and reporting that highlight unusual network activity or anomalous transactions for timely intervention.
- Prioritize customer trust and data protection: Regularly review and strengthen controls for payment processing, e-commerce, and mobile platforms.
- Embed security into vendor management: Ensure third-party partners adhere to strict security standards and are included in risk assessments.
Government, Nonprofit & Public Services
Threat Landscape
Government agencies and nonprofit organizations are frequently targeted by both opportunistic cybercriminals and well-funded nation-state groups. Legacy infrastructure and constrained budgets make many systems vulnerable to exploitation, while the sensitive nature of citizen, donor, or mission-related data raises the stakes of compromise. Ransomware remains a dominant threat, with public services often pressured to pay quickly to restore operations. Social engineering campaigns are particularly prevalent, with attackers impersonating trusted officials or partners to gain access. Advanced persistent threats (APTs) also target public sector entities for espionage, using stealthy techniques to remain undetected for long periods while exfiltrating sensitive intelligence.
Key Risks (linked to MITRE techniques)
Hide Artifacts (T1564): Adversaries deliberately conceal malicious files, processes, registry keys, or communications to avoid detection and prolong their presence. By obscuring indicators of compromise, through techniques like timestomping, log tampering, or encoding and encryption of traffic, attackers increase the time they can operate undetected, raising the risk of sustained data access or unobserved system manipulation.
Active Scanning (T1595): Attackers systematically probe networks, hosts, services, or applications, using port scans, service enumeration, or web crawling, to map the attack surface and discover exploitable weaknesses. This reconnaissance phase enables prioritised targeting of vulnerable systems and often precedes intrusion or lateral movement, increasing the likelihood of successful compromise if left unaddressed.
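Active Scanning (T1595), listed here and again in the healthcare section, is one of the few techniques that is almost entirely visible at the perimeter: a scanner touches many ports on one host, or one port across many hosts, and most of those attempts are denied. The Python below is an added example for this article, not Fortra's tooling; it generates constructed syslog-style firewall lines (hypothetical device name and addresses) and flags vertical scans and horizontal sweeps with the deny ratio for the source.

```python
"""Detect active scanning in firewall connection logs. Added example; constructed data."""
import re
from collections import defaultdict

# Constructed line format: "<ts> <device> <ALLOW|DENY> src=.. dst=.. dport=.. proto=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dev>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\S+)"
)


def build_sample_log():
    """Constructed sample: one scanner, one ordinary client, one malformed line."""
    lines = []
    for i, port in enumerate(range(20, 41)):            # vertical scan of 21 ports
        action = "ALLOW" if port in (22, 80) else "DENY"
        lines.append(f"2025-08-14T03:12:{i:02d}Z fw01 {action} src=198.51.100.23 dst=10.10.5.10 dport={port} proto=TCP")
    for i in range(11, 16):                             # horizontal sweep of port 445
        lines.append(f"2025-08-14T03:13:{i:02d}Z fw01 DENY src=198.51.100.23 dst=10.10.5.{i} dport=445 proto=TCP")
    for i in range(30):                                 # normal HTTPS client traffic
        lines.append(f"2025-08-14T03:14:{i:02d}Z fw01 ALLOW src=10.10.1.5 dst=10.10.5.10 dport=443 proto=TCP")
    lines.append("2025-08-14T03:15:00Z fw01 ALLOW src=10.10.1.5 dst=10.10.5.10 dport=80 proto=TCP")
    lines.append("garbage line that should be skipped")
    return lines


def parse(lines):
    """Yield dicts for lines that match the format; silently skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def detect_scans(records, vertical=15, horizontal=4):
    """Return findings for sources probing many ports on one host (vertical) or
    one port across many hosts (horizontal), with each source's deny ratio."""
    ports_by_pair = defaultdict(set)    # (src, dst) -> set of dports
    hosts_by_port = defaultdict(set)    # (src, dport) -> set of dsts
    counts = defaultdict(lambda: [0, 0])  # src -> [denied, total]
    for r in records:
        ports_by_pair[(r["src"], r["dst"])].add(r["dport"])
        hosts_by_port[(r["src"], r["dport"])].add(r["dst"])
        counts[r["src"]][1] += 1
        counts[r["src"]][0] += r["action"] == "DENY"
    findings = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= vertical:
            findings.append({"src": src, "kind": "vertical-scan", "target": dst,
                             "count": len(ports), "deny_ratio": round(counts[src][0] / counts[src][1], 2)})
    for (src, port), dsts in hosts_by_port.items():
        if len(dsts) >= horizontal:
            findings.append({"src": src, "kind": "horizontal-sweep", "target": f"port {port}",
                             "count": len(dsts), "deny_ratio": round(counts[src][0] / counts[src][1], 2)})
    return findings


if __name__ == "__main__":
    for f in detect_scans(parse(build_sample_log())):
        print(f"{f['src']} {f['kind']} -> {f['target']} ({f['count']} distinct, deny ratio {f['deny_ratio']})")
```

Thresholds are the tuning knob: vulnerability scanners and monitoring systems the organization runs itself will trip these rules too, so the usual follow-up is an allow-list of known scanners and a separate, lower threshold for external sources.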
Recommendations (boardroom-level)
- Modernize critical infrastructure: Prioritize investment in replacing or upgrading legacy systems that represent the highest security risks.
- Enhance transparency and oversight: Establish clear reporting to leadership on unusual activity, including scanning attempts and potential evasion techniques.
- Focus on resilience and continuity: Build plans to ensure essential services remain available even if systems are disrupted by a cyberattack.
- Strengthen partnerships and intelligence sharing: Work with private-sector partners and peer organizations to stay informed on the latest threats and mitigation strategies.
- Protect public trust: Implement visible, organization-wide cybersecurity practices that reassure citizens, donors, and stakeholders of a strong security posture.
Real Estate & Infrastructure
Threat Landscape
The real estate and infrastructure sector faces growing cyber risks as financial transactions, building systems, and tenant services become increasingly digitized. Threat hunts often uncover attempts to exploit IoT vulnerabilities in smart building management systems, such as HVAC, lighting, or access controls, which are frequently overlooked in patch cycles. Business email compromise schemes are common during high-value property deals, with attackers deploying deepfake audio and video impersonation to manipulate negotiations and redirect funds. Lease management and tenant portals are also prime targets for data theft, with attackers leveraging stolen credentials or exploiting weak authentication to gain access to sensitive financial records and contracts.
Key Risks (linked to MITRE techniques)
Remote Services (T1021): Attackers exploit legitimate remote access services, such as RDP, SSH, VNC, Windows admin shares, or cloud management consoles, to gain entry into financial management systems, tenant/estate management platforms, or building management and facilities systems. In public-sector contexts this access can let adversaries manipulate billing, disrupt public buildings or housing operations, or move laterally into systems that support essential services, creating operational risk and potential harm to citizens and staff.
Adversary-in-the-Middle (T1557): Adversaries intercept or manipulate communications involved in property transactions, procurement processes, or infrastructure operations, for example altering transactional messages, tampering with sensor or control data for facilities, or harvesting credentials during administrative exchanges. Such compromises threaten fiscal integrity, disrupt service delivery, and can erode public trust when sensitive citizen or transactional data is exposed, or transactions are corrupted.
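On a flat store or building network, the most common way an adversary-in-the-middle position (T1557, discussed here and in the retail section) is obtained is by answering ARP for addresses that belong to someone else, typically the gateway and a payment terminal or controller. The Python below is an added example for this article, not Fortra's tooling; it works over constructed ARP reply observations with hypothetical addresses and MACs, and flags an IP whose MAC changes, a gateway claimed by a new MAC, and a single MAC answering for several IPs.

```python
"""Flag adversary-in-the-middle indicators in observed ARP replies. Added example;
constructed data with hypothetical addresses."""
from collections import defaultdict

# Constructed sample: ARP replies as (timestamp, sender_ip, sender_mac, target_ip).
SAMPLE_ARP = [
    (0,  "10.20.0.1",  "aa:bb:cc:00:00:01", "10.20.0.55"),  # gateway, legitimate
    (1,  "10.20.0.55", "aa:bb:cc:00:00:55", "10.20.0.1"),   # payment terminal, legitimate
    (5,  "10.20.0.1",  "de:ad:be:ef:00:99", "10.20.0.55"),  # gateway IP claimed by a second MAC
    (6,  "10.20.0.55", "de:ad:be:ef:00:99", "10.20.0.1"),   # same MAC also claims the terminal
    (7,  "10.20.0.1",  "de:ad:be:ef:00:99", "10.20.0.56"),
    (8,  "10.20.0.1",  "de:ad:be:ef:00:99", "10.20.0.57"),
    (9,  "10.20.0.1",  "de:ad:be:ef:00:99", "10.20.0.58"),
    (30, "10.20.0.60", "aa:bb:cc:00:00:60", "10.20.0.1"),   # unrelated host, legitimate
]

GATEWAYS = {"10.20.0.1"}


def analyse_arp(replies, known=None, gateways=GATEWAYS):
    """Return findings as (kind, detail) tuples.

    known: optional ip -> mac mapping from DHCP leases or a baseline scan; when
    absent, the first MAC seen for an IP is treated as the trusted one.
    """
    known = dict(known or {})
    ips_per_mac = defaultdict(set)
    reported = set()
    findings = []
    for ts, ip, mac, _target in replies:
        ips_per_mac[mac].add(ip)
        trusted = known.setdefault(ip, mac)
        if trusted != mac and (ip, mac) not in reported:
            reported.add((ip, mac))  # one finding per conflicting (ip, mac) pair
            kind = "gateway-spoof" if ip in gateways else "ip-mac-conflict"
            findings.append((kind, f"t={ts}: {ip} was {trusted}, now claimed by {mac}"))
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            findings.append(("mac-claims-multiple-ips", f"{mac} answers for {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse_arp(SAMPLE_ARP):
        print(f"{kind}: {detail}")
```

The first two replies alone produce nothing; the conflicts start at t=5. Seeding `known` from DHCP leases or a switch's MAC table removes the dependency on whichever reply happened to be seen first, which is the weak point of purely passive detection.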
Protocol Tunnelling (T1572): Protocol tunnelling hides malicious traffic inside seemingly normal network protocols (for example encapsulating command and control or data exfiltration within widely allowed protocols), enabling attackers to evade monitoring and blend into routine network flows. For government and public services, this technique can allow sustained, covert access to critical systems and sensitive records, thereby increasing the risk of undetected data loss, manipulation of public-facing services, or prolonged operational interference.
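DNS is the protocol most often chosen for tunnelling because almost every network allows it outbound, and tunnelled traffic has a recognisable shape in resolver logs: long, high-entropy subdomains that never repeat, concentrated under one registered domain, often as TXT or NULL queries. The Python below is an added example for this article, not Fortra's tooling; it scores constructed query records (hypothetical domains and addresses) on those indicators and reports domains that show at least two of them.

```python
"""Score DNS query logs for protocol-tunnelling indicators. Added example;
constructed data with hypothetical domains."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits per character of the empirical symbol distribution of text."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain_part) with a naive last-two-labels rule;
    production code should use a public-suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(queries, min_queries=20, len_threshold=40, entropy_threshold=3.5, txt_ratio=0.5):
    """queries: iterable of (src_ip, qname, qtype). Returns {domain: finding} for
    domains with at least min_queries queries and at least two tunnelling indicators."""
    stats = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "txt": 0, "subs": set(), "src": set()})
    for src, qname, qtype in queries:
        domain, sub = split_name(qname)
        s = stats[domain]
        s["n"] += 1
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["txt"] += qtype in ("TXT", "NULL")
        s["subs"].add(sub)
        s["src"].add(src)
    findings = {}
    for domain, s in stats.items():
        if s["n"] < min_queries:
            continue
        avg_len, avg_ent, uniq = s["len"] / s["n"], s["ent"] / s["n"], len(s["subs"]) / s["n"]
        reasons = []
        if avg_len >= len_threshold:
            reasons.append(f"average subdomain length {avg_len:.0f}")
        if avg_ent >= entropy_threshold:
            reasons.append(f"average subdomain entropy {avg_ent:.2f} bits/char")
        if uniq > 0.9:
            reasons.append(f"{uniq:.0%} of subdomains never repeat")
        if s["txt"] / s["n"] >= txt_ratio:
            reasons.append("mostly TXT/NULL queries")
        if len(reasons) >= 2:
            findings[domain] = {"queries": s["n"], "sources": sorted(s["src"]), "reasons": reasons}
    return findings


def build_sample_queries():
    """Constructed sample: benign CDN and mail lookups plus a hypothetical tunnel domain."""
    queries = [("10.30.1.20", f"img{i % 4}.cdn.example", "A") for i in range(25)]
    queries += [("10.30.1.21", "mail.example", "MX") for _ in range(5)]
    for i in range(30):
        # Deterministic hex stands in for an encoded payload chunk (120 chars, two labels).
        payload = (hashlib.sha256(f"chunk{i}".encode()).hexdigest()
                   + hashlib.sha256(f"x{i}".encode()).hexdigest())[:120]
        queries.append(("10.30.1.15", f"{payload[:60]}.{payload[60:]}.svc-updates.example", "TXT"))
    return queries


if __name__ == "__main__":
    for domain, finding in score_domains(build_sample_queries()).items():
        print(domain, finding)
```

The CDN domain has more than enough volume to be evaluated but trips none of the indicators, which is the point of requiring two signals: volume alone, or long names alone (content-delivery and anti-malware lookups can be long), should not page anyone.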
Recommendations (boardroom-level)
- Secure high-value transactions: Use robust identity verification and encryption to protect sensitive communications, particularly in property sales or contract negotiations.
- Strengthen control of remote access: Ensure all remote connections into building management or corporate systems are tightly monitored and governed with clear accountability.
- Improve network visibility: Invest in monitoring tools that can detect hidden or tunnelled traffic and escalate alerts to decision-makers.
- Protect tenant and client trust: Demonstrate strong data protection practices, reassuring stakeholders that their financial and personal information is safe.
- Embed security into smart infrastructure: As smart buildings expand, ensure that security is part of procurement and design, not an afterthought.
Summary & Strategic Recommendations
Cybersecurity is no longer a reactive function; it is a strategic mission that demands proactive action. Across every industry, threat hunting has proven to be a game-changer: uncovering hidden adversaries, exposing weaknesses before they escalate, and turning intelligence into actionable defence. While each sector faces distinct challenges, clear patterns are emerging: AI-enhanced attacks are growing more sophisticated, supply chain vulnerabilities remain a constant target, and persistent reconnaissance often signals the earliest stages of an attack.
Cross-Sector Recommendations
- Adopt Zero Trust: Assume breach, verify every access request, and segment critical systems to limit impact.
- Invest in Threat Hunting & Automation: Combine machine learning with structured hunts to detect anomalies that traditional defences may miss.
- Elevate Cyber Awareness: Train employees at every level to recognize subtle indicators of compromise and respond swiftly.
- Integrate Threat Hunting into Incident Response: Use hunting insights to accelerate containment, remediation, and recovery.
- Collaborate Across Sectors: Share intelligence and lessons learned to anticipate new attack methods before they reach your organization.
In 2025, resilience is defined by vigilance and action. Organizations that make threat hunting a central practice, actively searching for hidden threats, understanding sector-specific risks, and responding decisively, will not only survive but thrive against an evolving landscape of cyber adversaries.
Industry Sector Graph
The following graph provides information on threat hunting incidents for August 2025, grouped by the industry sector of the affected customers.
The totals in this graph represent the customers affected by threat hunting incidents in the industry sectors where those customers sit, rather than the total amount of threat hunting incidents escalated. (Some customers may have had more than one incident escalated to them as part of a hunt.)