Cybercriminals blend AI and social engineering to bypass detection

Attackers are increasingly focused on stealing identities, so companies need to adopt zero trust principles and verify user identities more carefully, says DirectDefense.


Researchers analyzed thousands of alerts, mapping them to the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Top five attack tactics

Initial access: Initial access remains the most frequently-observed adversarial tactic, representing more than 27% of escalated alerts. In 2024, threat actors consistently exploited valid accounts to gain unauthorized access to systems, often by leveraging stolen credentials.

Persistence: Adversaries are increasingly prioritizing persistence within compromised networks to maintain access despite detection efforts. In 17% of escalated cases, persistence tactics were leveraged to evade detection.

Lateral movement: Once inside a compromised network, adversaries often seek to move laterally to escalate privileges and access sensitive data. Lateral movement accounted for 10% of escalated alerts, with valid accounts being a predominant technique.

Execution: Execution tactics focus on running malicious code within an environment to either expand access or directly impact business operations. The analysis found that malicious file execution (T1204) was one of the most exploited techniques, often linked to "malicious file detected" alerts. These alerts frequently stemmed from email phishing attacks, web downloads, and lateral movement involving PowerShell or macro-based payloads.

Credential access: Credential access tactics involve stealing or cracking authentication credentials to escalate privileges or facilitate further attacks. Brute force (T1110) was one of the most prominent techniques observed in 6% of escalated cases, with account lockout events serving as a key indicator of unauthorized access attempts.
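The brute force finding above names account lockout events as a key indicator. The following detector is an added example, not code from the DirectDefense report: it walks constructed Windows Security events (Event IDs 4625, failed logon, and 4740, account locked out, are real Windows IDs; the sample records, the five-failure threshold and the five-minute window are assumptions) and flags account/source pairs that show a burst of failures or a lockout.

```python
# Added example (not from the DirectDefense report): a small brute-force
# detector over constructed Windows Security events. Event IDs 4625
# (failed logon) and 4740 (account locked out) are real Windows IDs;
# the records, threshold and window below are assumptions for the demo.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, source_ip)
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:01", 4625, "jdoe", "203.0.113.7"),
    ("2024-05-01T08:00:03", 4625, "jdoe", "203.0.113.7"),
    ("2024-05-01T08:00:05", 4625, "jdoe", "203.0.113.7"),
    ("2024-05-01T08:00:07", 4625, "jdoe", "203.0.113.7"),
    ("2024-05-01T08:00:09", 4625, "jdoe", "203.0.113.7"),
    ("2024-05-01T08:00:10", 4740, "jdoe", "203.0.113.7"),
    ("2024-05-01T08:15:00", 4625, "asmith", "198.51.100.4"),  # one typo
    ("2024-05-01T09:30:00", 4625, "asmith", "198.51.100.4"),  # no burst
]

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Map (account, source_ip) -> finding for pairs whose failed logons
    reach `threshold` inside `window`, or that produced a lockout."""
    failures = defaultdict(list)
    lockouts = defaultdict(int)
    for ts, event_id, account, src in sorted(events):
        key = (account, src)
        if event_id == 4740:
            lockouts[key] += 1
        elif event_id == 4625:
            failures[key].append(datetime.fromisoformat(ts))
    findings = {}
    for key, times in failures.items():
        # sliding window: largest number of failures starting at any failure
        burst = max(sum(1 for u in times if t <= u < t + window) for t in times)
        if burst >= threshold or lockouts[key]:
            findings[key] = {"burst_failures": burst, "lockouts": lockouts[key]}
    return findings

if __name__ == "__main__":
    for (account, src), f in detect_brute_force(SAMPLE_EVENTS).items():
        print(f"{account} from {src}: {f['burst_failures']} failures in window, "
              f"{f['lockouts']} lockout(s)")
```

A lockout alone is enough to flag the pair even below the failure threshold, which mirrors the report's point that lockout events are the indicator worth escalating.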

Ransomware timelines shrink to hours

Big vendors like Fortinet and Cisco often acquire other security companies to strengthen their existing solutions, but these add-ons can create greater security risks for customers. For example, there has been an enormous uptick in the number of CVEs being issued – more than 100 each day in 2024. Both of these vendors were forced to address significant vulnerabilities that were utilized as initial points of attack in high-profile breaches.

In response to law enforcement’s efforts to break apart cyber criminal networks, threat actors are investing heavily in AI, going after the biggest payout potential.

With improved attack strategies, bad actors have compressed the average time from initial access to full control of a domain environment to less than two hours.

Similarly, while a couple of years ago it would take a few days for attackers to deploy ransomware, it’s now being detonated in under a day and even in as few as six hours. With such short timeframes between the attack and the exfiltration of data, companies are simply not prepared.

Historically, attackers avoided breaching “sensitive” industries like healthcare, utilities, and critical infrastructure because of the direct impact on people’s lives. However, law enforcement’s efforts in 2024 to stop cyber criminal activity have caused attackers to adopt a retaliatory “gloves off” approach that puts every industry in jeopardy.

Now, attackers have gone after organizations like American Water, the largest supplier of drinking water and wastewater services in the U.S.

AI’s benefits come with new cybersecurity risks

Ransomware used to be the endgame – the way attackers would get their payout. Now, they’re using ransomware as a means to an end, exfiltrating company data and then deploying ransomware as a “calling card” to show they were there.

Going forward, companies will have to reconcile the benefits of AI with its many risks. Implementing AI solutions expands a company’s attack surface and increases the risk of data getting leaked or stolen by attackers or third parties. Threat actors are using AI efficiently, to the point where any AI employee training you may have conducted is already outdated.

AI has allowed attackers to bypass all the usual red flags you’re taught to look for, like grammatical errors, misspelled words, non-regional speech or writing, and a lack of context specific to your organization.

Adversaries have refined their techniques, blending social engineering with AI and automation to evade detection.

Companies are still struggling with how to control remote employee activity, and for many of them gaining proper visibility is cost prohibitive.

“Attackers have honed their techniques to become faster and more powerful against a company’s defenses; conversely, security solutions are less able to withstand attacks on their own and need constant monitoring and tuning,” said Jim Broome, President and CTO for DirectDefense. “As adversaries refine their techniques, organizations need to stay ahead by adapting their security posture. It’s not just about responding to threats—it’s about anticipating and mitigating them before they cause harm.”
