
21 Mar 2025


Silent Threats: Why Risk-Based Security Matters in 2025


Organisations today face a harsh truth: despite significant investments in cyber security tools and technologies, breaches continue to rise at an alarming rate. This challenging situation has made security leaders reconsider their vulnerability assessment and risk management approach.

At Chaleit, we've observed that traditional penetration testing alone is no longer enough to address today's complex threat picture. We’ve been talking about pen testing 2.0 and the need for a more holistic approach to security for years now.

Many organisations have caught up and are asking: What on earth is happening, and why aren't our current approaches working?

We have answers that make this problem clearer — plus practical recommendations.

From pen testing to risk assessment

Penetration testing has long been a cornerstone of security assessment programmes, often driven by compliance requirements. However, this approach typically focuses on finding as many issues as possible within a given timeframe without necessarily addressing the broader risk context.

Balaji Gopal, VP of Technical Services at Chaleit, explains:

"To thoroughly review controls, you have to conduct a risk-oriented assessment. This involves understanding all risks, evaluating existing controls and their effectiveness, and identifying gaps revealed by the risk assessment."

This change toward risk-based assessment represents an important development in how organisations should approach security. Rather than viewing security assessment as a box-ticking exercise, it becomes an integral part of understanding and managing organisational risk.

A broader view of human error

When discussing cyber security vulnerabilities, the conversation often defaults to phishing attacks. While these are significant threats, our experts at Chaleit emphasise that human error extends far beyond falling for fraudulent emails.

"Human error can happen in so many ways," explains Balaji. "Weak passwords, installing untrusted software, using unknown USBs, unchecked extensions, blind permissions, and mixing personal and work accounts — these and other security lapses, including social engineering, can cause significant harm."

This wider understanding of human error highlights the need for comprehensive security awareness programmes that address the full spectrum of user behaviours that can introduce risk.

The rising threat of information-stealers

Among the threats that demand attention in 2025, information stealers have become major players — the Australian Signals Directorate has dubbed the phenomenon The Silent Heist. These malicious info stealers quietly harvest sensitive data, including credentials, session tokens, and personally identifiable information.

"The count of info stealers has increased a lot. And the information being stolen is at a very high scale and is being rotated heavily in the dark web, allowing attackers to gain initial access easily," warns Balaji. "Most of them act stealthily. They are installed accidentally by users."

These threats are particularly challenging because they often evade detection by endpoint protection tools. Like a novel virus that initially escapes immune system detection, info-stealers can operate undetected, silently exfiltrating data to attackers' servers.

In a recent engagement, Chaleit worked with a client who had discovered info stealers operating within their systems. The client was particularly concerned about application logs being stolen — data that could potentially contain sensitive information.

The challenge was complex: How do you protect against data theft when you can't control the end-user devices?

Our approach involved multiple layers:

  1. Working with the client to review their application architecture through detailed threat modelling.

  2. Examining end-to-end data flows to identify points of vulnerability.

  3. Simulating various attack scenarios to test detection capabilities.

  4. Creating playbooks for rapid response when indicators of compromise are detected.

  5. Implementing protective measures such as HTTP-only cookies, clipboard restrictions, and avoiding sensitive data storage in local storage.

Improving detection and building resilience

A key insight from our work with clients is the importance of rapid detection and response. When session cookies are stolen, for instance, the window for effective response is narrow. Simply blocking suspicious logins can create a frustrating loop: the user tries to log in, gets blocked, tries again, and the cycle never ends.

To avoid this, organisations need to build resilience into their systems and processes:

  • Implement multi-factor authentication to mitigate the impact of credential theft

  • Rotate API keys regularly to limit the damage if stolen

  • Send notifications for logins from unexpected locations

  • Limit concurrent sessions where appropriate

  • Design architecture to provide an early indication of compromise

  • Measure and continuously improve time-to-detect and time-to-respond metrics
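One way to turn the list above into session-handling logic, as an added example that is not Chaleit's code: it revokes a replayed session server-side and asks for re-authentication instead of blocking logins, notifies on a login from a new country, and enforces a concurrent-session limit. The event format, field names, `device_id` binding and `MAX_SESSIONS` value are assumptions made for illustration.

```python
from collections import defaultdict

MAX_SESSIONS = 2  # assumed per-user concurrent session limit

# Constructed sample events: (ISO time, event, user, session_id, country, device_id)
EVENTS = [
    ("2025-03-01T09:00:00", "login",   "alice", "s1", "GB", "dev-a"),
    ("2025-03-01T09:05:00", "request", "alice", "s1", "GB", "dev-a"),
    ("2025-03-01T09:07:00", "request", "alice", "s1", "RO", "dev-x"),  # replayed cookie
    ("2025-03-01T10:00:00", "login",   "bob",   "s2", "AU", "dev-b"),
    ("2025-03-01T10:01:00", "login",   "bob",   "s3", "AU", "dev-c"),
    ("2025-03-01T10:02:00", "login",   "bob",   "s4", "US", "dev-d"),  # new country, 3rd session
]

def analyse(events, max_sessions=MAX_SESSIONS):
    """Return (time, user, session_id, action, reason) tuples in event order."""
    bound = {}                        # session_id -> (country, device) seen at login
    active = defaultdict(list)        # user -> live session ids, oldest first
    seen_countries = defaultdict(set) # user -> countries with a prior login
    revoked, actions = set(), []
    for ts, kind, user, sid, country, device in sorted(events):
        if kind == "login":
            if seen_countries[user] and country not in seen_countries[user]:
                actions.append((ts, user, sid, "notify_user", "login from new country"))
            seen_countries[user].add(country)
            bound[sid] = (country, device)
            active[user].append(sid)
            # Enforce the limit by retiring the oldest session, not by refusing the login.
            while len(active[user]) > max_sessions:
                old = active[user].pop(0)
                revoked.add(old)
                actions.append((ts, user, old, "revoke_session", "concurrent session limit"))
        elif kind == "request":
            if sid in revoked or sid not in bound:
                actions.append((ts, user, sid, "reject", "unknown or revoked session"))
            elif bound[sid] != (country, device):
                # Cookie presented from a context that never authenticated: end the
                # session server-side and require MFA on the next login.
                revoked.add(sid)
                if sid in active[user]:
                    active[user].remove(sid)
                actions.append((ts, user, sid, "revoke_and_step_up", "session context changed"))
    return actions

if __name__ == "__main__":
    for action in analyse(EVENTS):
        print(action)
```

The timestamp of each returned action can be compared with the first anomalous event to feed the time-to-detect metric.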

Practical recommendations for 2025

Based on our extensive experience working with clients across various sectors, we recommend organisations take the following steps to strengthen their security posture:

  1. Adopt a risk-based approach to security assessment rather than relying solely on traditional penetration testing.

  2. Understand your assets thoroughly — maintain comprehensive asset inventories and know your infrastructure.

  3. Focus on human factors beyond phishing — implement comprehensive awareness programmes that address the full spectrum of human error.

  4. Validate your controls — test the efficacy of security controls such as MFA and SSO under realistic attack scenarios.

  5. Establish rapid detection and response capabilities — particularly for threats like info stealers that can bypass preventive controls.

  6. Conduct regular purple team exercises that combine red team attacks with blue team defenders to improve detection and response.

As cyber threats grow in sophistication and scale, organisations need partners who understand not just the technical aspects of security but the broader risk context and human factors that contribute to vulnerabilities.

Our team works collaboratively with clients to build security programmes that address their specific risk profile and business objectives.

If you're concerned about information stealers or want to validate the efficacy of your existing security controls, we recommend scheduling a security health check. This assessment will provide valuable insights into your current security posture and identify opportunities to strengthen your defences against current and emerging threats, all without disrupting operations.

Because in today's threat reality, the question isn't whether you'll be targeted. It's whether your organisation has the resilience to detect, respond to, and recover from attacks when they inevitably occur.


About this article

Series: Behind the Scenes

Topics: Technical
