Executive Summary
In 2025, Unit 42 responded to over 750 major cyber incidents across more than 50 countries, and the case data shows a sharp acceleration in attack timelines. Threat actors, increasingly leveraging AI, compressed the time from initial access to data exfiltration to as little as 72 minutes, roughly four times faster than the previous year. Identity weaknesses were exploited in nearly 90% of cases: attackers used stolen credentials to escalate privileges and move laterally across multiple attack surfaces, including endpoints, networks, cloud services, and SaaS applications. (paloaltonetworks.com) Timelines this short leave little room for human-speed response. The adversarial use of AI, combined with complex and fragmented identity systems, has expanded the attack surface to the point where traditional, endpoint-centric defenses are insufficient on their own. Organizations need security strategies that cover identity, cloud, and network paths together to mitigate these multifaceted threats. (paloaltonetworks.com)
Why This Matters Now
The 2026 Unit 42 Global Incident Response Report highlights a critical shift in the cyber threat landscape, with AI-driven attacks accelerating at unprecedented rates. Organizations must urgently reassess and strengthen their security frameworks to address these rapidly evolving threats and protect sensitive data. (paloaltonetworks.com)
Attack Path Analysis
An attacker used a misconfigured cloud service access key (a key carrying broader permissions than its workload required) to gain initial access, escalated privileges by modifying IAM roles and policies, moved laterally across cloud environments, established command and control over DNS tunneling, exfiltrated sensitive data to attacker-controlled external cloud storage, and finally disrupted services by deploying ransomware.
Kill Chain Progression
Initial Compromise
Description
The attacker used a misconfigured cloud service access key (one with broader permissions than its workload required) to gain unauthorized access to the cloud environment.
MITRE ATT&CK® Techniques (the list covers the full attack path, not only the initial compromise)
Valid Accounts (T1078; Cloud Accounts, T1078.004): initial access with the stolen key
Account Manipulation (T1098): IAM role and policy changes used for privilege escalation
Create Account (T1136): persistence through a new cloud principal
Use Alternate Authentication Material: Application Access Token (T1550.001): lateral movement with issued tokens
Cloud Infrastructure Discovery (T1580): mapping compute, storage and network resources
Cloud Service Discovery (T1526): enumerating available cloud services
Application Layer Protocol: DNS (T1071.004): command and control over DNS
Protocol Tunneling (T1572): C2 and exfiltration traffic tunneled inside DNS
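The discovery, escalation and persistence steps above leave a recognisable sequence in cloud audit logs: enumeration calls, then an IAM write that broadens permissions, then a new principal or credential, all from the same access key. The following is an added example, not code from the report or from any vendor, that scores CloudTrail-style IAM events per access key and reports full discovery-to-persistence chains. The account ID, access key IDs, user names and source addresses are placeholders constructed for the example, and the event-name sets are a starting list rather than a complete catalogue.

```python
"""Score CloudTrail-style IAM events for privilege escalation and persistence.

Added example for this brief. All records below are constructed; the account ID,
access key IDs, user names and IP addresses are placeholders, not incident data."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(t, name, key, user, ip, params=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": t, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}", "accessKeyId": key},
            "sourceIPAddress": ip, "requestParameters": params}


K1, K2 = "AKIAEXAMPLE0000001", "AKIAEXAMPLE0000002"   # placeholder access key IDs
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
SAMPLE_EVENTS = [
    # Stolen CI key: discovery, then escalation, then new credentials.
    _ev("2025-11-03T10:00:05Z", "GetCallerIdentity", K1, "ci-deploy", "203.0.113.7"),
    _ev("2025-11-03T10:00:41Z", "ListRoles", K1, "ci-deploy", "203.0.113.7"),
    _ev("2025-11-03T10:02:10Z", "ListBuckets", K1, "ci-deploy", "203.0.113.7"),
    _ev("2025-11-03T10:05:33Z", "AttachUserPolicy", K1, "ci-deploy", "203.0.113.7",
        {"userName": "ci-deploy", "policyArn": ADMIN}),
    _ev("2025-11-03T10:06:02Z", "CreateUser", K1, "ci-deploy", "203.0.113.7",
        {"userName": "svc-backup"}),
    _ev("2025-11-03T10:06:15Z", "CreateAccessKey", K1, "ci-deploy", "203.0.113.7",
        {"userName": "svc-backup"}),
    # Routine change by an admin: no prior discovery, scoped policy. Must not fire.
    _ev("2025-11-03T11:30:00Z", "AttachRolePolicy", K2, "alice", "198.51.100.20",
        {"roleName": "app-reader", "policyArn": "arn:aws:iam::123456789012:policy/ReadOnlyApp"}),
]

# Event names grouped by the ATT&CK behaviour they most often indicate (starting set).
DISCOVERY = {"GetCallerIdentity", "ListRoles", "ListUsers", "ListBuckets",
             "DescribeInstances", "ListFunctions"}                 # T1580 / T1526
ESCALATION = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
              "UpdateAssumeRolePolicy", "AddUserToGroup"}          # T1098.003
PERSISTENCE = {"CreateUser": "T1136.003", "CreateAccessKey": "T1098.001",
               "CreateLoginProfile": "T1098"}
PRIVILEGED_POLICIES = ("/AdministratorAccess", "/IAMFullAccess", "/PowerUserAccess")


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _grants_admin(params):
    return (params or {}).get("policyArn", "").endswith(PRIVILEGED_POLICIES)


def analyze(events, window=timedelta(minutes=30), threshold=4):
    """Return findings for IAM write events that look like escalation or persistence.

    Score: +1 base; +2 if the same access key ran discovery calls within `window`
    before the event; +3 if the event attaches an administrative policy; +2 if it
    mints a new principal or credential. Findings scoring >= threshold are kept, so
    a lone CreateAccessKey (3) is ignored but one preceded by enumeration (5) is not."""
    by_key = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    findings = []
    for key, evs in by_key.items():
        discovery = [_ts(e) for e in evs if e["eventName"] in DISCOVERY]
        for e in evs:
            name = e["eventName"]
            if name not in ESCALATION and name not in PERSISTENCE:
                continue
            t, score, reasons = _ts(e), 1, []
            if any(t - window <= d < t for d in discovery):
                score += 2
                reasons.append("preceded by cloud discovery (T1580/T1526)")
            if name in ESCALATION and _grants_admin(e["requestParameters"]):
                score += 3
                reasons.append("attaches administrative policy (T1098.003)")
            if name in PERSISTENCE:
                score += 2
                reasons.append(f"creates account/credential ({PERSISTENCE[name]})")
            if score >= threshold:
                findings.append({"accessKeyId": key, "principal": e["userIdentity"]["arn"],
                                 "sourceIP": e["sourceIPAddress"], "event": name,
                                 "time": e["eventTime"], "score": score, "reasons": reasons})
    return findings


def escalation_chains(findings):
    """Access keys that both escalated privileges and created new principals or
    credentials: the discovery -> escalation -> persistence pattern in the attack path."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[f["accessKeyId"]].add("escalation" if f["event"] in ESCALATION else "persistence")
    return sorted(k for k, s in kinds.items() if s == {"escalation", "persistence"})


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f["time"], f["event"], f["score"], "; ".join(f["reasons"]))
    print("full chains:", escalation_chains(found))
```

The per-key grouping matters: a stolen key keeps its own audit trail even when the principal behind it is a legitimate CI user, and the source IP on the findings is what you would pivot on next (a CI key suddenly used from an address outside the build network is the cheapest confirmation available).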
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Define an access control model that grants access based on need to know and least privilege
Control ID: 7.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Governance and Administration
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of this attack pattern, including operational, regulatory, and cloud security risks.
Financial Services
Multi-surface attacks that pivot from cloud to endpoints threaten transaction systems; east-west traffic monitoring and zero trust segmentation are needed both to contain them and to satisfy regulatory expectations.
Health Care / Life Sciences
Detection beyond the endpoint is critical for HIPAA compliance, because attackers reach patient data through cloud services and stolen identities over covert channels rather than through malware on a workstation.
Information Technology/IT
A primary target because of multi-cloud visibility gaps and Kubernetes security weaknesses; requires threat detection that spans distributed infrastructure and AI workloads.
Government Administration
Shadow IT and rogue assets create national security risk: lateral movement through unmanaged systems is invisible to asset-based monitoring, so critical infrastructure protection demands unified SOC visibility.
Sources
- Essential Data Sources for Detection Beyond the Endpoint: https://unit42.paloaltonetworks.com/detection-beyond-the-endpoint/
- 2026 Unit 42 Global Incident Response Report: https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report
- Cloud Logging for Security and Beyond: https://unit42.paloaltonetworks.com/cloud-logging-for-security/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Aviatrix Zero Trust CNSF could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data, reducing the overall impact of the incident.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Initial access could have been limited by identity-based access controls and continuous verification of the credentials in use. A static access key is a bearer credential, so in practice this means scoping the key to the minimum permissions its workload needs, restricting where it can be used from, and preferring short-lived credentials over long-lived keys.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained by enforcing least-privilege access and continuous verification of role changes.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been limited by segmenting workloads and enforcing strict east-west traffic controls.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control communications could have been constrained by monitoring and controlling DNS traffic across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been limited by enforcing strict egress policies and monitoring outbound traffic.
Control: Zero Trust Segmentation and East-West Traffic Security (as above)
Mitigation: The attacker's ability to deploy ransomware could have been constrained by limiting lateral movement and enforcing strict access controls.
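The DNS-tunneling command-and-control step in the attack path, and the DNS monitoring mitigation above, come down to recognising encoded data inside query names: the tunnel produces a stream of unique, long, high-entropy labels under one registered domain, usually in TXT or NULL queries. The following is an added example, not Unit 42's or Aviatrix's code, of heuristic tunnel detection over resolver query logs. The log format, client address and domain names are constructed for the example, and the thresholds are starting points to tune against your own resolver baseline.

```python
"""Heuristic DNS tunnelling detection over resolver query logs (added example).

All log lines below are constructed: the client IP, the domains and the
encoded-looking labels (sha256 hex digests) are synthetic, not captured traffic."""
import hashlib
import math
from collections import defaultdict

# Log format assumed here: "<utc time> <client ip> <qname> <qtype>", one query per line.
_benign = [
    "2025-11-03T10:12:01Z 10.0.4.17 www.example.com A",
    "2025-11-03T10:12:02Z 10.0.4.17 api.example.org A",
    "2025-11-03T10:12:03Z 10.0.4.17 mail.example.com MX",
]
# CDN-style traffic: many distinct but short, low-entropy labels. Must not be flagged.
_cdn = [f"2025-11-03T10:13:{i:02d}Z 10.0.4.17 img{i}.static.example.com A" for i in range(12)]
# Tunnel traffic: every query unique, long high-entropy labels, carried in TXT queries.
_tunnel = []
for i in range(12):
    payload = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()  # 64 hex chars of "data"
    _tunnel.append(f"2025-11-03T10:14:{i:02d}Z 10.0.4.17 "
                   f"{payload[:32]}.{payload[32:]}.cdn-metrics.example.net TXT")
SAMPLE_LOG = "\n".join(_benign + _cdn + _tunnel)


def shannon_entropy(s: str) -> float:
    """Bits per character of s: about 1.6 for 'www', close to 4 for hex-encoded data."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str):
    """Split a query name into (registered domain, subdomain) using the last two labels.
    Production code should use the Public Suffix List instead; with this shortcut
    everything under e.g. co.uk is lumped into one group."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        yield {"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()}


# Starting thresholds; tune against your own resolver baseline.
THRESHOLDS = {"min_queries": 8, "unique_ratio": 0.8, "avg_len": 40,
              "entropy": 3.3, "txt_ratio": 0.5}


def detect_dns_tunneling(text: str, th=THRESHOLDS):
    """Return one finding per (client, registered domain) that shows at least two
    tunnelling signals: mostly unique subdomains, long subdomains, high-entropy
    labels, and a high share of TXT/NULL queries. Requiring two signals keeps
    CDN and telemetry domains (many unique but short, low-entropy names) quiet."""
    groups = defaultdict(list)
    for rec in parse_log(text):
        dom, sub = base_domain(rec["qname"])
        groups[(rec["client"], dom)].append((sub, rec["qtype"]))
    findings = []
    for (client, dom), rows in groups.items():
        if len(rows) < th["min_queries"]:
            continue
        subs = [s for s, _ in rows]
        stats = {
            "queries": len(rows),
            "unique_ratio": len(set(subs)) / len(subs),
            "avg_len": sum(len(s) for s in subs) / len(subs),
            "entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs),
            "txt_ratio": sum(q in ("TXT", "NULL") for _, q in rows) / len(rows),
        }
        signals = [k for k in ("unique_ratio", "avg_len", "entropy", "txt_ratio")
                   if stats[k] >= th[k]]
        if len(signals) >= 2:
            findings.append({"client": client, "domain": dom, "signals": signals, **stats})
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunneling(SAMPLE_LOG):
        print(f["client"], f["domain"], f["signals"], round(f["entropy"], 2))
```

Grouping by registered domain rather than full query name is deliberate: a tunnel is usually delegated as a subdomain of a domain the attacker controls, so the registered domain is the unit you would block at the resolver or egress policy. The same statistics work on Route 53 Resolver query logs or any resolver that emits client, name and type per query; only `parse_log` changes.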
Impact at a Glance
Affected Business Functions
- Cloud Infrastructure Management
- Identity and Access Management
- Network Security Operations
- Incident Response
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data, including intellectual property and customer information, due to unauthorized access and data exfiltration.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and prevent lateral movement.
- Utilize East-West Traffic Security to monitor and control internal traffic flows, detecting unauthorized movements.
- Deploy Egress Security & Policy Enforcement to filter outbound traffic and prevent data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Establish Multicloud Visibility & Control to gain comprehensive insights across cloud environments and enforce consistent security policies.