Report by DirectDefense

2025 Security Operations Threat Report

8 findings · Published Apr 15, 2025

Key Findings

The average time from initial access to domain control has shrunk to under two hours.

Source: DirectDefense, 2025 Security Operations Threat Report · Apr 15, 2025
Tags: Initial access, Domain control

For Execution, the most observed technique by DirectDefense is Malicious File Execution, tricking users into running malware via phishing and social engineering. Alerts triggered for Execution include: Malicious File Detected.

Tags: MITRE ATT&CK, Execution, Malicious file execution

For Credential Access, the most observed technique by DirectDefense is Brute Force, automated attacks on authentication systems. Alerts triggered for Credential Access include: Account Lockout Events.

Tags: MITRE ATT&CK, Credential access, Brute force

For Initial Access, the most observed technique by DirectDefense is Valid Accounts, which involves leveraging stolen credentials for unauthorized access. Alerts triggered for Initial Access include: First Ingress Authentication from Country, Multiple Country Ingress Authentications, Multiple Wireless Country Authentications.

Tags: MITRE ATT&CK, Initial access, Valid accounts
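The two Initial Access alert types named above, "First Ingress Authentication from Country" and "Multiple Country Ingress Authentications", can be expressed as simple rules over per-user sign-in events. The following is an added illustration, not code from DirectDefense or the report; the event records, the one-hour window and the field layout are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ingress-authentication events (not from the report):
# (ISO timestamp, user, source country). Real data would come from an IdP or VPN log.
EVENTS = [
    ("2025-04-01T08:00:00", "alice", "US"),
    ("2025-04-01T08:20:00", "alice", "US"),
    ("2025-04-01T09:05:00", "alice", "RO"),   # first sign-in from a new country
    ("2025-04-01T09:10:00", "bob",   "US"),
    ("2025-04-01T09:12:00", "bob",   "BR"),   # second country two minutes later
    ("2025-04-02T10:00:00", "carol", "DE"),
    ("2025-04-03T11:00:00", "carol", "DE"),
]

def first_ingress_from_country(events):
    """Flag the first time a user authenticates from a country not previously
    seen for that user. A user's very first event only sets the baseline."""
    seen = defaultdict(set)
    alerts = []
    for ts, user, country in sorted(events):
        if seen[user] and country not in seen[user]:
            alerts.append((user, country, ts))
        seen[user].add(country)
    return alerts

def multiple_country_ingress(events, window=timedelta(hours=1)):
    """Flag users who authenticate from two or more countries inside a sliding
    window (assumed here to be one hour). One alert per user is emitted."""
    by_user = defaultdict(list)
    for ts, user, country in sorted(events):
        by_user[user].append((datetime.fromisoformat(ts), country))
    alerts = []
    for user, rows in by_user.items():
        for i, (t0, _) in enumerate(rows):
            countries = {c for t, c in rows[i:] if t - t0 <= window}
            if len(countries) > 1:
                alerts.append((user, tuple(sorted(countries)), t0.isoformat()))
                break
    return alerts

if __name__ == "__main__":
    print(first_ingress_from_country(EVENTS))
    print(multiple_country_ingress(EVENTS))
```

Both rules are deliberately naive: a country-level baseline alone will also fire on legitimate travel and on VPN egress changes, so in practice the alert is triaged together with device, MFA and impossible-travel context.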

Ransomware deployment occurs in as little as six hours after initial access.

Tags: Ransomware

DirectDefense mapped alerts to the MITRE ATT&CK® framework to identify the top five tactics. The top five tactics identified are: Initial Access, Persistence, Lateral Movement, Execution, and Credential Access.

Tags: MITRE ATT&CK, Initial access, Persistence, Lateral movement, Execution

For Persistence, the most observed technique by DirectDefense is MFA Interception, where attackers manipulate MFA settings to maintain access. Alerts triggered for Persistence include: New MFA Authenticator App Added, Account Manipulation.

Tags: MITRE ATT&CK, Persistence, MFA interception

For Lateral Movement, the most observed technique by DirectDefense is Valid Accounts, using stolen credentials to escalate privileges. Alerts triggered for Lateral Movement include: Lateral Movement – Local Credentials.

Tags: MITRE ATT&CK, Lateral movement, Valid accounts