Report by ReliaQuest

Racing the Clock: Outpacing Accelerating Attacks

16 findings · Published Jan 1, 2025

Key Findings

The fastest recorded lateral movement occurred in just 27 minutes.

ReliaQuest · Racing the Clock: Outpacing Accelerating Attacks · Jan 1, 2025

Only a small fraction (0.02%) of alerts led to lateral movement, meaning attacks are getting faster.

Initial access listings on cybercriminal platforms surged by 142% in the same period.

66% of customer ransomware incidents in 2024 involved initial access likely purchased from an IAB.

The average breakout time in 2024 was 48 minutes, which is 22% faster than in 2023.

There was a >50% increase in infostealer logs posted on the dark web in 2024 compared to 2023.

17% of incidents involved voice phishing for initial access, indicating help-desk scams.

The number of active ransomware groups increased from 60 in 2022 to almost 100 last year.

Attack speed increased by 22% in 2024 compared to 2023.

The mean time to contain (MTTC) attacks using manual incident containment strategies is 8 hours and 12 minutes.

In the breakout phase of attacks using an "assembly line" strategy, threat actors move from one technique to the next in an average of just 7 minutes.

Threat actors using IABs can achieve breakout times as fast as 27 minutes.

Vulnerability exploitation accounted for over 17% of initial access incidents among ReliaQuest customers in 2024.

The mean time between the initial email wave of a help-desk scam and the phishing message was just 4 minutes, with another 4 minutes to establish command and control (C2).

The time between a vulnerability being discovered and its exploitation by attackers (time to exploitation) decreased by 62%, from 47 days in 2023 to just 18 days in 2024.

50% of hands-on-keyboard incidents in 2024 used valid or exposed credentials for initial access.
