Breakout Time Accelerates 22% as Cyber-Attacks Speed Up


Threat actors exploited new vulnerabilities and moved from initial access to lateral movement much faster in 2024, challenging network defenders to accelerate incident response, according to ReliaQuest.

The security operations (SecOps) specialist analyzed customer data and compared its findings with external industry reporting, to better understand attack trends over the past year.

It claimed that the time it took threat actors to progress from initial access to lateral movement (“breakout time”) in 2024 was 22% shorter than the previous year. This is important because once adversaries reach this stage, attacks become harder to detect and contain, the vendor said.

The quickest breakout time recorded was just 27 minutes, almost half the 48-minute average.

“The mean time to contain (MTTC) attacks for security teams relying solely on manual incident containment strategies is 8 hours 12 minutes,” said ReliaQuest in a blog post. “This leaves organizations fighting a losing battle against attackers who are in and through a network in under 30 minutes.”

The firm has three theories to explain why attacks are getting quicker.

First is the combination of infostealers and initial access brokers (IABs). There was more than a 50% annual increase in infostealer logs posted on the dark web in 2024, while IAB listings surged by 142%. Some 50% of hands-on-keyboard activity in 2024 used valid or exposed credentials for initial access, and 66% of ransomware incidents involved IAB-related access.

“By purchasing access from IABs, attackers skip the time-consuming process of network infiltration and gain immediate entry, often with admin-level privileges or pre-installed backdoors,” ReliaQuest noted.

“This drastically reduces breakout time, enabling threat actors to focus on deploying ransomware or stealing data with minimal delay.”

Ransomware Actors Innovate

Second is ransomware actor innovation.

Specialized “ransomware assembly lines” have apparently emerged in which separate affiliates handle different stages of a ransomware-as-a-service (RaaS) attack. This means affiliates get better at their specialized task(s) and are more likely to have the resources and tools they need to do the job.

“As a result, affiliates can finish their part of the attack at lightning speed, far exceeding manual containment efforts,” ReliaQuest said. “By having one affiliate in charge of the breakout phase, RaaS groups ensure maximum efficiency and that the attack is not disrupted before lateral movement.”

The report pointed to IT helpdesk “vishing” as further accelerating breakout times. In 2024, 17% of incidents involved voice phishing for initial access, with threat actors typically spamming a victim’s inbox before calling them pretending to be an IT engineer and establishing remote access via legitimate software.

“We recorded a mean time of just four minutes between the initial email wave and the phishing message, with another four minutes to establish command-and-control (C2), demonstrating how quickly threat actors can move,” said ReliaQuest.

“The breakneck speed at which threat actors can socially engineer users, send a phishing message via instant messaging, and then use native Remote Management and Monitoring (RMM) tools to establish a C2 connection allows the threat actor to swiftly advance their attack and achieve rapid breakout times.”
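The sequence described above (inbox flood, instant-message contact, RMM session) can be watched for as one correlated chain rather than three separate low-severity events. The following added example, which is not from ReliaQuest or the original article, runs that correlation over constructed telemetry; the event names, thresholds and time windows are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report): (time, user, event kind).
# "email" = inbound mail, "ext_chat" = chat message from an external sender,
# "rmm_start" = a remote-management tool launching on the user's host.
T0 = datetime(2024, 6, 3, 9, 0, 0)
EVENTS = (
    [(T0 + timedelta(seconds=2 * i), "alice", "email") for i in range(60)]
    + [(T0 + timedelta(minutes=4), "alice", "ext_chat"),
       (T0 + timedelta(minutes=8), "alice", "rmm_start"),
       # Benign: bob starts an RMM tool with no preceding mail flood or chat.
       (T0 + timedelta(minutes=1), "bob", "email"),
       (T0 + timedelta(minutes=9), "bob", "rmm_start")]
)

BURST_COUNT = 50                       # assumed threshold: mails per burst window
BURST_WINDOW = timedelta(minutes=5)    # assumed
CHAIN_WINDOW = timedelta(minutes=15)   # assumed: burst -> chat -> RMM must fit here


def burst_start(times):
    """Return the start of the first BURST_WINDOW holding >= BURST_COUNT mails."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > BURST_WINDOW:
            lo += 1
        if hi - lo + 1 >= BURST_COUNT:
            return times[lo]
    return None

def find_chains(events):
    """Flag users with a mail burst, then external chat, then RMM start, in order."""
    by_user = {}
    for ts, user, kind in events:
        by_user.setdefault(user, {}).setdefault(kind, []).append(ts)
    alerts = []
    for user, kinds in by_user.items():
        start = burst_start(kinds.get("email", []))
        if start is None:
            continue
        deadline = start + CHAIN_WINDOW
        chat = min((t for t in kinds.get("ext_chat", []) if start <= t <= deadline), default=None)
        if chat is None:
            continue
        rmm = min((t for t in kinds.get("rmm_start", []) if chat <= t <= deadline), default=None)
        if rmm is not None:
            alerts.append({"user": user, "burst": start, "chat": chat, "rmm": rmm, "burst_to_rmm": rmm - start})
    return alerts
```

The thresholds need tuning against normal mail volume and sanctioned helpdesk RMM use before an alert like this can drive automated containment.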

AI Speeds Breakout Times

Finally, ReliaQuest pointed to greater threat actor use of AI to “automate reconnaissance, spot vulnerabilities faster, and adapt exploitation techniques” in real time, noting a 62% reduction in the time between a software flaw being discovered and its exploitation.

GenAI is being used alongside pen testing tools to:

  • Generate instant guidance on how to use pen testing tools more effectively
  • Write scripts for tasks like network scanning, privilege escalation and payload customization to bypass detection 
  • Analyze scan results and suggest the best exploits

“As a result, they skip the manual, time-consuming trial-and-error processes to achieve faster lateral movement and payload deployment, which significantly reduces breakout time,” ReliaQuest concluded.


