Initial Access

Cybersecurity statistics about initial access

In the fastest cases, attackers moved from initial access to data exfiltration in 72 minutes, four times faster than the previous year.

Palo Alto Unit 42, 2/22/2026
Data Exfiltration

Comcast Business detected 4.7 billion phishing attempts, which specifically targeted human error and poor credential hygiene.

Comcast Business, 10/1/2025
Cyber threat, Phishing

SCATTERED SPIDER moved from initial access to encryption by deploying ransomware in under 24 hours in one observed case.

CrowdStrike, 8/4/2025
Ransomware, Initial access

The top initial access vector observed in 2024 was a tie between exploitation of public-facing applications and use of valid account credentials, each representing 30% of X-Force incident response engagements.

IBM, 4/17/2025
Initial access, Public facing application

The average time from initial access to domain control has shrunk to under two hours.

DirectDefense, 4/15/2025
Initial access, Domain control

For Initial Access, the most observed technique by DirectDefense is Valid Accounts, which involves leveraging stolen credentials for unauthorized access. Alerts triggered for Initial Access include: First Ingress Authentication from Country, Multiple Country Ingress Authentications, Multiple Wireless Country Authentications.

DirectDefense, 4/15/2025
MITRE ATT&CK, Initial access

DirectDefense mapped alerts to the MITRE ATT&CK® framework to identify the top five tactics. The top five tactics identified are: Initial Access, Persistence, Lateral Movement, Execution, and Credential Access.

DirectDefense, 4/15/2025
MITRE ATT&CK, Initial access

4 of 5 (83%) financial fraud claims began with email.

At-Bay, 4/10/2025
Financial fraud, Claim

Email was the preferred entry vector for cybercriminals, driving 43% of claims.

At-Bay, 4/10/2025
Email, Cyber attack