{"id":628,"date":"2025-03-14T17:24:44","date_gmt":"2025-03-14T17:24:44","guid":{"rendered":"https:\/\/violethoward.com\/new\/51-seconds-to-breach-killing-cyberattacks-before-they-spread\/"},"modified":"2025-03-14T17:24:44","modified_gmt":"2025-03-14T17:24:44","slug":"51-seconds-to-breach-killing-cyberattacks-before-they-spread","status":"publish","type":"post","link":"https:\/\/violethoward.com\/new\/51-seconds-to-breach-killing-cyberattacks-before-they-spread\/","title":{"rendered":"51 seconds to breach: Killing cyberattacks before they spread"},"content":{"rendered":" \r\n<br><div>\n\t\t\t\t<p>Fifty-one seconds. That\u2019s all it takes for an attacker to breach and move laterally across your network, undetected, using stolen credentials to evade detection.<\/p>\n\n\n\n<p>Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, explained to VentureBeat just how quickly intruders can escalate privileges and move laterally once they penetrate a system. \u201c[T]he next phase typically involves some form of lateral movement, and this is what we like to calculate as breakout time. In other words, from the initial access, how long does it take till they get into another system? The fastest breakout time we observed was 51 seconds. So these adversaries are getting faster, and this is something that makes the defender\u2019s job a lot harder,\u201d Meyers said.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-weaponized-ai-demanding-an-ever-greater-need-for-speed\"><strong>Weaponized AI demanding an ever-greater need for speed<\/strong><\/h2>\n\n\n\n<p>AI is far and away an attacker\u2019s weapon of choice today. 
It\u2019s cheap, fast and versatile, enabling attackers to create vishing (voice phishing) and deepfake scams and launch social engineering attacks in a fraction of the time previous technologies could.<\/p>\n\n\n\n<p>Vishing is out of control due in large part to attackers fine-tuning their tradecraft with AI. CrowdStrike\u2019s 2025 Global Threat Report found that vishing exploded by 442% in 2024. It\u2019s the top initial access method attackers use to manipulate victims into revealing sensitive information, resetting credentials and granting remote access over the phone.<\/p>\n\n\n\n<p>\u201cWe saw a 442% increase in voice-based phishing in 2024. This is social engineering, and this is indicative of the fact that adversaries are finding new ways to gain access because\u2026we\u2019re kind of in this new world where adversaries have to work a little bit harder or differently to avoid modern endpoint security tools,\u201d Meyers said.<\/p>\n\n\n\n<p>Phishing, too, continues to be a threat. Meyers said, \u201cWe\u2019ve seen that with phishing emails, they have a higher click-through rate when it\u2019s AI-generated content, a 54% click-through rate, versus 12% when a human is behind it.\u201d<\/p>\n\n\n\n<p>The Chinese Green Cicada network has used an AI-driven content generator to create and run 5,000+ fake accounts on social media to spread election disinformation. North Korea\u2019s FAMOUS CHOLLIMA adversary group is using generative AI to create fake LinkedIn profiles of IT job candidates with the goal of infiltrating global aerospace, defense, software and tech companies as remote employees.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-cios-cisos-are-finding-new-ways-to-fight-back\"><strong>CIOs, CISOs are finding new ways to fight back<\/strong><\/h2>\n\n\n\n<p>A sure sign attackers\u2019 AI tradecraft is maturing fast is how successful they\u2019re being with identity-based attacks. 
Identity attacks are overtaking malware as the primary breach method.\u00a0Seventy-nine percent of attacks to gain initial access in 2024 were malware-free, relying instead on stolen credentials, AI-driven phishing and deepfake scams\u200b. One in three, or 35%, of cloud intrusions leveraged valid credentials\u200b last year.<\/p>\n\n\n\n<p>\u201cAdversaries have figured out that one of the fastest ways to gain access to an environment is to steal legitimate credentials or to use social engineering. Bringing malware into the modern enterprise that has modern security tools on it is kind of like trying to bring a water bottle into the airport \u2014 TSA is probably going to catch you,\u201d explains Meyers.<\/p>\n\n\n\n<p>\u201cWe found a gap in our ability to revoke legitimate identity session tokens at the resource side,\u201d Alex Philips, CIO at National Oilwell Varco (NOV), told VentureBeat in a recent interview. \u201cWe now have a startup company who is helping us create solutions for our most common resources where we would need to quickly revoke access. It isn\u2019t enough to just reset a password or disable an account. You have to revoke session tokens.\u201d<\/p>\n\n\n\n<p>NOV is fighting back against attacks using a wide variety of techniques. Philips shared the following as essential for shutting down increasingly AI-driven attacks that rely on deception through vishing, stolen credentials and identities:\u00a0\u00a0\u00a0<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u201cZero trust isn\u2019t just helpful; it\u2019s mandatory. <\/strong>It gives us a forced security policy enforcement gateway that makes stolen session tokens useless,\u201d<strong> <\/strong>advises Philips. 
\u201cIdentity session token theft is what is used in some of the more advanced attacks.\u201d With these types of attacks increasing, NOV is tightening identity policies, enforcing conditional access and finding quick ways to revoke valid tokens when they\u2019re stolen.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Philips\u2019 advice to peers looking to shut down ultra-fast identity-based attacks is to focus on eliminating single points of failure<\/strong>. \u201cBe sure to have a separation of duties; ensure no one person or service account can reset a password, multi-factor access and bypass conditional access.\u00a0Have already-tested processes to revoke valid identity session tokens,\u201d Philips recommends.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Don\u2019t waste time resetting passwords; immediately revoke session tokens. <\/strong>\u201cResetting a password isn\u2019t enough anymore \u2014 you have to revoke session tokens instantly to stop lateral movement,\u201d Philips told VentureBeat.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-three-core-strategies-for-stopping-lightning-fast-breaches\"><strong>Three core strategies for stopping lightning-fast breaches<\/strong><\/h2>\n\n\n\n<p>51-second breakouts are a symptom of a much larger and more severe identity and access management (IAM) weakness in organizations. At the core of this breakdown in IAM security is the assumption that trust is enough to protect your business (it isn\u2019t); authenticating every identity, session and request for resources is what does. Assuming your company <em>has<\/em> been breached is the place to start.\u00a0<\/p>\n\n\n\n<p>What follows are three lessons about shutting down lightning-fast breaches, shared by Philips and validated by CrowdStrike\u2019s research showing these attacks are the new normal of weaponized AI:<\/p>\n\n\n\n<p><strong>Cut off attacks at the authentication layer first, before the breach spreads. 
<\/strong>Make stolen credentials and session tokens useless as fast as you can. That needs to start with identifying how to shorten token lifetimes and implement real-time revocation to stop attackers mid-movement.<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\"\/>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you don\u2019t have one already, begin to define a solid framework and plan for zero trust \u2014 a framework tailored to your business. Read more about the zero-trust framework in the NIST standard, a widely referenced document among cybersecurity planning teams.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Double down on IAM verification techniques with more rigorous authentication controls to verify that an entity calling is who they say they are. Philips relies on multiple forms of authentication to verify the identities of those calling in for credentials, password resets or remote access.\u00a0\u201cWe drastically reduced who can perform password or multi-factor resets. No one person should be able to bypass these controls,\u201d he said.<\/li>\n<\/ul>\n\n\n\n<p><strong>Use AI-driven threat detection to spot attacks in real time.\u00a0<\/strong>AI and machine learning (ML) excel at anomaly detection across large datasets that they also train on over time. Identifying a potential breach or intrusion attempt and containing it in real time is the goal. AI and ML techniques continue to improve as the attack datasets they\u2019re trained on improve.<\/p>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\"\/>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enterprises are seeing strong results from AI-powered SIEM and identity analytics that immediately identify suspicious login attempts, enforcing segmentation for a given endpoint or entry point. <\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NOV is leveraging AI to detect identity misuse and credential-based threats in real time. 
Philips told VentureBeat that \u201cwe now have AI examining all of our SIEM logs and identifying incidents or [the] high probability of incidents.\u00a0Not 100% real time, but short-lag time.\u201d<\/li>\n<\/ul>\n\n\n\n<p><strong>Unify endpoint, cloud and identity security to stop lateral movement. <\/strong>Core to zero trust is defining segmentation at the endpoint and network level in order to contain a breach within the segments\u2019 boundaries. The goal is to keep enterprise systems and infrastructure secure. By having them unified, lightning-quick attacks are contained and don\u2019t spread laterally across a network.<\/p>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\"\/>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Correlate identity, cloud and endpoint telemetry and use the combined data to identify and expose intrusions, breaches and emerging threats.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Adversaries are exploiting vulnerabilities to gain initial access. Fifty-two percent of observed vulnerabilities were linked to initial access, reinforcing the need to secure exposed systems before attackers establish a foothold. This finding underscores the need to lock down SaaS and cloud control planes to prevent unauthorized access and lateral movement.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Shift from malware detection to credential abuse prevention. That needs to start with an audit of all cloud access accounts, deleting those that are no longer needed.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-using-ai-to-block-high-speed-attacks\"><strong>Using AI to block high-speed attacks<\/strong><\/h2>\n\n\n\n<p>To win the AI war, attackers are weaponizing AI to launch lightning-quick attacks while at the same time creating vishing, deepfakes and social engineered campaigns to steal identities. 
Philips\u2019 methods for stopping them, including employing AI-driven detection and instantly revoking tokens to kill stolen sessions before they spread, are proving effective.<\/p>\n\n\n\n<p>At the center of Philips\u2019 and many other cybersecurity and IT leaders\u2019 strategies is the need for zero trust. Time and again, VentureBeat sees that the security leaders who succeed in battling back against machine-speed attacks are those championing least-privileged access, network and endpoint segmentation, monitoring every transaction and request for resources, and continually verifying identities.<\/p>\n\t\t\t<\/div>\r\n<br>\r\n<br><a href=\"https:\/\/venturebeat.com\/security\/51-seconds-to-breach-how-cisos-are-fighting-back-against-lightning-fast-attacks\/\">Source link <\/a>","protected":false},"excerpt":{"rendered":"<p>Join our daily and weekly newsletters for the latest updates and exclusive content on industry-leading AI coverage. Learn More Fifty-one seconds. 
That\u2019s all it takes for an attacker to breach and move laterally across your network, undetected, using stolen credentials to evade detection. Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, explained [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":629,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[33],"tags":[],"class_list":["post-628","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai-automation"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/violethoward.com\/new\/wp-content\/uploads\/2025\/03\/51-seconds-to-breach-How-CISOs-are-fighting-back-against-lightning-fast-attacks-hero.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/violethoward.com\/new\/wp-json\/wp\/v2\/posts\/628","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/violethoward.com\/new\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/violethoward.com\/new\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/violethoward.com\/new\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/violethoward.com\/new\/wp-json\/wp\/v2\/comments?post=628"}],"version-history":[{"count":0,"href":"https:\/\/violethoward.com\/new\/wp-json\/wp\/v2\/posts\/628\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/violethoward.com\/new\/wp-json\/wp\/v2\/media\/629"}],"wp:attachment":[{"href":"https:\/\/violethoward.com\/new\/wp-json\/wp\/v2\/media?parent=628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/violethoward.com\/new\/wp-json\/wp\/v2\/categories?post=628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/violethoward.com\/new\/wp-json\/wp\/v2\/tags?post=628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}"
,"templated":true}]}}