Palo Alto Global Incident Response Report 2025

The Global Incident Response Report 2025 outlines evolving cybersecurity threats, including disruptive extortion attacks, sophisticated cloud and supply chain breaches, rapid intrusion speeds, insider threats linked to North Korea, and emerging AI-assisted attacks. It emphasizes the need for organizations to adopt Zero Trust strategies, enhance operational resilience, and employ automation and AI-driven analytics to defend against increasingly complex cyber threats. #Unit42 #Wagemole #SpoiledScorpius #MuddledLibra #AI-assistedAttacks

Key points

  • The report typically includes an Executive Summary, Introduction, Emerging Threats and Trends, Analysis of Threat Actor Tactics, Defender Recommendations, an Appendix with MITRE ATT&CK® data, and information about contributors and organizations.
  • The Executive Summary highlights five major trends: disruptive extortion attacks, increased software supply chain and cloud attacks, faster attack speed reducing response time, escalation of North Korean insider threats, and AI-assisted cyberattacks.
  • Extortion attacks have evolved through three waves: encryption-based ransomware, data exfiltration and harassment, and intentional operational disruption causing severe downtime and damage.
  • In 2024, 86% of Unit 42 incident responses involved business disruption; median initial ransom demands rose nearly 80% to $1.25 million, though negotiated payments remain significantly lower.
  • Cloud-related incidents accounted for 29% of cases, with identity and access management issues such as excessive permissions and misconfigurations facilitating attacks and enabling large-scale scanning and data exfiltration.
  • Threat actors exploit cloud environments using techniques like stolen API keys, environment variable exposure, and valid account compromises to move laterally and persist in environments.
  • Software supply chain attacks continue to pose risks, illustrated by vulnerabilities in widely used libraries and VPN appliances, emphasizing the importance of patching and supply chain security.
  • Attack speed has accelerated dramatically due to automation, ransomware-as-a-service, and generative AI, with exfiltration happening within hours in many cases and dwell time decreasing 46% to an average of 7 days.
  • North Korean insider threats have tripled, targeting contract technical workers globally and employing sophisticated tactics including hardware-based KVM devices and code repository manipulations.
  • AI-assisted attacks are emerging: large language models are used to automate phishing and malware development and to speed up attack progression, raising the complexity and scale of cyber threats.
  • Recurring themes include the complexity of modern cyberattacks, the need for Zero Trust architecture, continuous monitoring, regular incident simulations, and integration of AI and automation in defense strategies.
  • Significant findings stress that threat actors frequently combine multiple tactics across networks, endpoints, cloud, and human factors, necessitating multi-layered and adaptive security postures.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)