Information Security 7 min read

Assessing infrastructure readiness for cyberattacks: beyond compliance

Building real enterprise cyber resilience in the NIS2 era, avoiding paper audit traps, and protecting infrastructure through Security by Design.

The modern threat landscape leaves no room for illusions regarding cyber defense. According to the ENISA Threat Landscape 2025 report, 4,875 incidents were recorded and analyzed between July 1, 2024, and June 30, 2025. Most notably, 53.7% of all affected organizations were essential entities subject to the European NIS2 directive. This highlights a systemic issue: strict regulatory pressure and mandatory compliance are not synonymous with actual protection against targeted attacks.

For large enterprises, telecom operators, and critical infrastructure facilities, security audits often become a formal process. However, attackers do not read audit reports—they exploit supply chain vulnerabilities, use outdated communication protocols, and leverage legitimate administrative tools to move through networks undetected. The primary challenge for CTOs and CISOs is shifting from paper-based compliance to true operational resilience.

The trap of paper compliance: why audit reports do not prevent incidents

Regulatory requirements like NIS2 create a necessary baseline for security. They force organizations to inventory assets and develop response plans. However, formal compliance captures only a static state of the infrastructure at the time of inspection, whereas real cybersecurity requires a continuous process of adaptation.

For a comprehensive assessment of infrastructure readiness, it is advisable to use structured approaches. For instance, the Cisco Cybersecurity Readiness Index 2025 framework suggests building defense around five core pillars: Identity Intelligence, Machine Trustworthiness, Network Resilience, Cloud Reinforcement, and AI Fortification. Only an integrated approach guarantees resilience. An NIS2 certificate of compliance is an important legal requirement, but it does not automatically guarantee protection against hackers.

Analyzing access vectors: from phishing to supply chain compromise

To build a robust defense, it is necessary to understand current vectors for initial penetration and subsequent attack development:

  • Phishing as a primary vector: Gaining unauthorized access through compromised credentials remains the main entry method. Attackers are increasingly bypassing basic multi-factor authentication.
  • Supply chain attacks: Instead of directly breaching the corporate perimeter, attackers compromise software or contractor services that have legitimate access to the target infrastructure.
  • Exploitation of signaling protocols: In telecommunications, a critical issue is the use of legacy protocols (SS7, Diameter) in mobile networks, which allows for traffic interception.
  • Digital identity fraud: Subscription fraud via stolen identities causes massive losses. According to the CFCA Global Fraud Loss Survey 2025, global losses from telecom fraud reached approximately $41.82 billion.

Overall, digital infrastructure and services are among the primary targets of attacks, accounting for over a quarter (27.7%) of all incidents according to ENISA.

Threat modeling as a first step: assessing infrastructure readiness

Threat modeling should precede the deployment of any security measures. This process helps identify critical assets, potential compromise paths, and blind spots in the existing architecture. Instead of reactively patching vulnerabilities, architects gain a proactive risk map.

For organizations deploying AI-based systems, classical modeling is no longer sufficient. In such cases, specialized standards like the NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0) are applied. This framework structures AI risk management into four functions: Govern, Map, Measure, and Manage. It does not replace classical cybersecurity but complements it in the context of new technologies.

Special attention should be paid to the threat of lateral movement. If the internal corporate network is flat, the compromise of a single workstation allows attackers to escalate privileges and move freely toward critical databases.

The principle of Security by Design: security embedded in architecture

Attempting to protect a vulnerable system with external add-ons is ineffective. Real resilience is achieved only when security is embedded at the development stage (Security by Design).

This principle is at the core of the expertise of Softengi (part of the Intecracy Group alliance) in developing and deploying custom enterprise solutions. To avoid typical architectural vulnerabilities, development is often conducted on the low-code UnityBase platform (created by InBase). UnityBase is a full-stack JavaScript platform that already includes enterprise-grade certified security mechanisms.

The platform provides architects with the following built-in tools:

  • Role-based security and row-level security (RBAC and Row-Level Security): Flexible access control at the system kernel level, which blocks unauthorized data reading even if the external interface is compromised.
  • Immutable audit trail: Automatic recording of all data changes and system processes, which is critical for timely incident investigation.
  • Support for encryption standards: Integration with Active Directory, OpenID Connect, and support for qualified electronic signatures (QES/DSTU).

Ready-made corporate products, such as the Megapolis.DocNet electronic document management system or the Scriptum business process automation solution, are built on the UnityBase platform. As a result, they pass formal compliance (including requirements for KSZI and NIS2) and demonstrate architectural resistance to lateral movement attempts.

Building operational resilience: practical steps

To transition to proactive defense, organizations should implement the following steps:

  1. Zero Trust architecture: No entity or device is considered trusted by default, regardless of its location in the network. Every action requires strict authentication and authorization.
  2. Network micro-segmentation: Dividing infrastructure into isolated zones. This localizes potential incidents and prevents attackers from moving freely to critical databases (e.g., Oracle RAC or MS SQL Server).
  3. Telecom infrastructure protection: To counter Caller ID spoofing in IP networks, it is worth implementing STIR/SHAKEN technology. While this is a highly specialized framework that does not solve all fraud problems, it is a necessary level of authentication.
  4. Supply chain audit: Regular verification of third-party APIs, libraries, and contractors for compliance with security policies.

Infrastructure maturity scale: from formal compliance to real resilience

Assess your organization's current security status using this basic scale:

Maturity LevelArchitectural Characteristics
Level 1: Reactive (Compliance-driven)Security relies on paper policies and antivirus software. Audits are passed for the sake of formality, and threats are analyzed post-factum.
Level 2: Perimeter-basedBasic SIEM and firewalls are implemented. Protection focuses on the external perimeter, but the internal network remains flat (weak resistance to lateral movement).
Level 3: Proactive segmentedThe network is divided into zones, and Identity Intelligence is implemented. Regular threat modeling is conducted for critical nodes.
Level 4: Resilient architecture (Zero Trust & Security by Design)Security is embedded in code and platforms (e.g., UnityBase solutions). Every action is authorized, and resistance to supply chain attacks is built into the architecture.

Full cyber resilience requires a comprehensive restructuring of processes. Only the synergy of the Security by Design architectural principle, the Zero Trust concept, and continuous threat modeling can ensure the reliable functioning of critical infrastructure in the face of modern targeted attacks.

FAQ

How can a company assess its real readiness for NIS2 requirements without formalism?

Instead of simply filling out questionnaires, it is necessary to conduct practical threat modeling and a technical audit based on the Zero Trust methodology. Assess the actual isolation of critical network segments, verify the resilience of the supply chain, and perform penetration testing by simulating attack vectors such as phishing or contractor account compromise.

What is lateral movement and how can it be blocked within a corporate network?

Lateral movement is a technique where an attacker, having gained initial access to the least protected device in the network, moves within the perimeter to seize control of critical servers. Blocking this vector requires implementing network micro-segmentation, using the principle of least privilege, continuous authentication of every request (Zero Trust), and implementing row-level security.

How can threat modeling be integrated into the development and deployment process of corporate software?

Threat modeling should be a mandatory stage of system design (Security by Design) before writing code. Use enterprise-level platforms like UnityBase, where basic security mechanisms (RBAC, audit logs) are already built-in. For systems with artificial intelligence, integrate specialized frameworks, such as the NIST AI RMF 1.0, during the planning and architecture testing stages.

Data sources

Fact trail

Sources

Links referenced in the article.

  1. ENISA Threat Landscape 2025
  2. Cisco Cybersecurity Readiness Index 2025
  3. CFCA Global Fraud Loss Survey 2025
  4. NIST: Artificial Intelligence Risk Management Framework (AI RMF 1.0)