Executive Summary
In 2025, cyberattacks accelerated significantly, with the average breakout time—the duration for attackers to move from initial intrusion to other network systems—dropping to 29 minutes, a 65% increase in speed from the previous year. Notably, the fastest recorded breakout time was 27 seconds. This rapid progression was facilitated by attackers refining their techniques, leveraging social engineering to access high-privilege systems swiftly, and exploiting gaps across cloud, identity, enterprise, and unmanaged network devices. Consequently, defenders faced increased challenges, including burnout and stress, leading to potential mistakes. Additionally, CrowdStrike identified 281 threat groups by the end of 2025, including 24 new threats named throughout the year, highlighting the expanding and evolving threat landscape.
The urgency of this issue is underscored by the 37% year-over-year increase in cloud-focused attacks, with a staggering 266% surge in such activities from nation-state threat groups. Furthermore, 82% of attacks detected in 2025 were malware-free, indicating a shift towards hands-on-keyboard operations and the abuse of legitimate tools and credentials. This trend emphasizes the need for organizations to enhance their security measures, focusing on rapid detection and response capabilities to mitigate the risks posed by increasingly sophisticated and swift cyber adversaries.
Why This Matters Now
The rapid acceleration of cyberattack breakout times, coupled with the increasing sophistication of threat actors exploiting legitimate tools and credentials, underscores the urgent need for organizations to bolster their security postures. The significant rise in cloud-focused attacks and the prevalence of malware-free intrusions highlight the necessity for enhanced detection and response strategies to effectively counter these evolving threats.
Attack Path Analysis
Attackers gained initial access through social engineering, using valid credentials to enter cloud environments. They escalated privileges by exploiting zero-day vulnerabilities in edge devices, gaining deeper access. Using valid accounts, they moved laterally across cloud services while evading detection. They then established command and control channels for persistent access and exfiltrated sensitive data to external servers, compromising confidentiality. The attack culminated in operational disruption and potential financial loss.
Kill Chain Progression
Initial Compromise
Description
Attackers used social engineering to obtain valid credentials, gaining initial access to cloud environments.
MITRE ATT&CK® Techniques
Techniques identified for rapid lateral movement and credential abuse; further enrichment with STIX/TAXII data is planned.
- Exploitation of Remote Services
- Valid Accounts
- Use of Alternate Authentication Material
- Remote Services
- Application Layer Protocol
- External Remote Services
- Phishing
- Indicator Removal on Host
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Strong Authentication for Users and Administrators (Control ID: 8.3.1)
- NYDFS 23 NYCRR 500 – Multi-Factor Authentication (Control ID: 500.12)
- DORA – ICT Risk Management Framework (Control ID: Article 6)
- CISA ZTMM 2.0 – Enforce Least Privilege Access (Control ID: Identity and Access Management)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical exposure to 29-minute network breakout attacks targeting cloud infrastructure, with encrypted traffic vulnerabilities threatening compliance with banking regulations and customer data protection.
Health Care / Life Sciences
Healthcare systems face severe risk from multi-vector campaigns exploiting edge devices and cloud environments, compromising HIPAA compliance and patient data through lateral movement attacks.
Information Technology (IT)
IT infrastructure is particularly vulnerable to zero-day exploits and living-off-the-land techniques, requiring enhanced east-west traffic security and Kubernetes protection for cloud-native environments.
Government Administration
Government networks are targeted by nation-state actors, with a 130% increase in North Korea-linked attacks exploiting cross-domain gaps in cloud identity systems and critical infrastructure.
Sources
- CrowdStrike says attackers are moving through networks in under 30 minutes: https://cyberscoop.com/crowdstrike-annual-global-threat-report-attack-breakout-time/
- CrowdStrike Releases 2025 Global Threat Report: Cyber Threats Reach New Highs: https://www.crowdstrike.com/en-us/press-releases/crowdstrike-releases-2025-global-threat-report/
- CrowdStrike 2025 Global Threat Report: Executive Summary: https://www.crowdstrike.com/en-us/resources/reports/global-threat-report-executive-summary-2025/
- CrowdStrike 2025 Global Threat Report: Beware the Enterprising Adversary: https://www.crowdstrike.com/en-us/blog/crowdstrike-2025-global-threat-report-findings/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to escalate privileges, move laterally, and exfiltrate data within the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent initial credential compromise, it could likely limit the attacker's ability to exploit these credentials to gain deeper access.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by restricting access paths within the network.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely limit lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely limit the establishment of command and control channels by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by controlling outbound traffic.
While Aviatrix CNSF may not prevent initial access, it could likely limit the overall impact by constraining the attacker's ability to escalate privileges, move laterally, and exfiltrate data.
Impact at a Glance
Affected Business Functions
- Network Operations
- Cloud Infrastructure Management
- Identity and Access Management
- Incident Response
Estimated downtime: 2 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data due to unauthorized access through compromised credentials and exploitation of trusted systems.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within cloud environments.
- Enforce Multi-Factor Authentication (MFA) to mitigate risks associated with credential compromise.
- Deploy Inline Intrusion Prevention Systems (IPS) to detect and prevent exploitation of zero-day vulnerabilities.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- Establish Egress Security & Policy Enforcement to monitor and control data exfiltration attempts.