Growing focus on identity compromise by bad actors requires organizations to enforce zero trust principles and employ strong identity verification
DirectDefense, Inc., an information security services company, today released its “2025 Security Operations Threat Report” which identifies the type and frequency of threats, offers insight into attacker behavior and the evolution of security threats, and forecasts the biggest threats to be aware of for the remainder of 2025.
In 2024, DirectDefense processed more than 10 million log events, ensuring rapid detection, response, and mitigation of potential cyber threats. The company discovered that adversaries have refined their techniques, blending social engineering with AI and automation to evade detection. DirectDefense mapped these alerts to the MITRE ATT&CK® framework to identify these top five tactics:
1. Initial Access – The Gateway to Compromise
- Most Observed Technique: Valid Accounts – leveraging stolen credentials for unauthorized access.
- Alerts Triggered: First Ingress Authentication from Country, Multiple Country Ingress Authentications, Multiple Wireless Country Authentications.
2. Persistence – Remaining Hidden in the Environment
- Most Observed Technique: MFA Interception – attackers manipulating MFA settings to maintain access.
- Alerts Triggered: New MFA Authenticator App Added, Account Manipulation.
3. Lateral Movement – Expanding Control Across the Network
- Most Observed Technique: Valid Accounts – using stolen credentials to escalate privileges.
- Alerts Triggered: Lateral Movement – Local Credentials.
4. Execution – Deploying Malicious Payloads
- Most Observed Technique: Malicious File Execution – tricking users into running malware via phishing and social engineering.
- Alerts Triggered: Malicious File Detected.
5. Credential Access – Harvesting Sensitive Authentication Data
- Most Observed Technique: Brute Force – automated attacks on authentication systems.
- Alerts Triggered: Account Lockout Events.
These attack tactics highlight a growing focus on identity compromise by bad actors, which requires organizations to enforce zero trust principles and employ strong identity verification for all access requests. Additionally, organizations should:
- monitor identity-based events rigorously to detect anomalous MFA registrations and account modifications
- restrict lateral movement by implementing network segmentation and least privilege access
- enhance endpoint defenses through behavior-based detections and real-time anomaly detection
- strengthen password policies and enforce MFA with phishing-resistant methods
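The tactic list above names the alerts that fired most often (first ingress from a new country, multiple-country ingress, new MFA authenticator added, account lockouts), and the first recommendation is to monitor identity events for exactly these patterns. The following Python is an added illustration of what such monitoring logic can look like when run over a stream of authentication and MFA audit events; it is not DirectDefense's detection content, and the event schema, the one-hour correlation window, and the sample events are all constructed for this example.

```python
"""Toy identity-event detector mirroring the alert names in the tactic list.
Constructed example: the event schema, window and sample data are assumptions,
not the vendor's detection logic or data."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed correlation window; tune per environment

# Countries already known for each account (assumed learned from a prior
# observation period). Accounts absent here have no baseline yet.
BASELINE = {"alice": {"US"}, "carol": {"US"}}

# Constructed sample events (ISO timestamps, one day, time-ordered after sort).
EVENTS = [
    {"ts": "2025-03-01T08:00:00", "user": "alice", "type": "auth_success", "country": "US"},
    {"ts": "2025-03-01T08:05:00", "user": "alice", "type": "auth_success", "country": "US"},
    {"ts": "2025-03-01T08:20:00", "user": "alice", "type": "auth_success", "country": "RO"},
    {"ts": "2025-03-01T08:22:00", "user": "alice", "type": "mfa_method_added", "method": "authenticator_app"},
    {"ts": "2025-03-01T09:06:00", "user": "bob", "type": "account_lockout"},
    {"ts": "2025-03-01T10:00:00", "user": "carol", "type": "auth_success", "country": "US"},
]
# Burst of failed logins for bob in the minutes before the lockout.
EVENTS += [{"ts": f"2025-03-01T09:0{i}:00", "user": "bob", "type": "auth_failure", "country": "US"}
           for i in range(5)]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events, baseline):
    """Walk time-ordered events and return a list of alert dicts
    {"alert", "user", "ts", "detail"} in the order they fire."""
    seen = {user: set(countries) for user, countries in baseline.items()}
    recent_auth = defaultdict(list)   # user -> [(ts, country)] of successful logins
    new_country_at = {}               # user -> ts of the latest first-seen-country login
    failures = defaultdict(list)      # user -> [ts] of failed logins
    alerts = []

    for ev in sorted(events, key=_ts):
        user, ts, kind = ev["user"], _ts(ev), ev["type"]

        if kind == "auth_success":
            country = ev["country"]
            # Initial Access: successful login from a country never seen for this account
            if country not in seen.setdefault(user, set()):
                seen[user].add(country)
                new_country_at[user] = ts
                alerts.append({"alert": "First Ingress Authentication from Country",
                               "user": user, "ts": ts, "detail": f"country={country}"})
            # Initial Access: logins from two different countries inside the window
            recent = [(t, c) for t, c in recent_auth[user] if ts - t <= WINDOW]
            others = sorted({c for _, c in recent if c != country})
            if others:
                alerts.append({"alert": "Multiple Country Ingress Authentications",
                               "user": user, "ts": ts,
                               "detail": f"{country} after {','.join(others)} within {WINDOW}"})
            recent.append((ts, country))
            recent_auth[user] = recent

        elif kind == "mfa_method_added":
            # Persistence: a new authenticator registered shortly after an anomalous
            # login is the pattern the report describes as MFA interception
            detail = f"method={ev.get('method', 'unknown')}"
            if user in new_country_at and ts - new_country_at[user] <= WINDOW:
                detail += "; registered within window of first-seen-country login"
            alerts.append({"alert": "New MFA Authenticator App Added",
                           "user": user, "ts": ts, "detail": detail})

        elif kind == "auth_failure":
            failures[user].append(ts)

        elif kind == "account_lockout":
            # Credential Access: a lockout preceded by a burst of failures points at brute force
            n = sum(1 for t in failures[user] if ts - t <= WINDOW)
            alerts.append({"alert": "Account Lockout Events", "user": user, "ts": ts,
                           "detail": f"{n} failed logins in the preceding {WINDOW}"})
    return alerts


def run_sample():
    """Run the detector over the constructed sample events."""
    return detect(EVENTS, BASELINE)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts'].isoformat()} {a['user']:<6} {a['alert']}: {a['detail']}")
```

On the sample stream the detector raises four alerts: alice's login from RO triggers both the first-ingress and multiple-country rules, her authenticator registration two minutes later is flagged with the "within window of first-seen-country login" detail (the persistence pattern the report calls MFA interception), and bob's lockout carries the count of failed logins that preceded it. carol's login matches her baseline and stays silent, which is the point of keeping a per-account country baseline rather than alerting on every foreign login.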
Emerging threats for 2025
Based on these attack tactics, the DirectDefense team identified emerging threats that top the list for security concerns:
- Faster and more sophisticated attacks: The average time from initial access to domain control has shrunk to under two hours, while ransomware deployment occurs in as little as six hours.
- AI’s double-edged sword: While AI helps cut through security alert noise, attackers are also leveraging AI to craft more convincing phishing attempts, deepfake scams, and automated attacks.
- Security vendor consolidation risks: Major vendors like Fortinet and Cisco faced security vulnerabilities in 2024, highlighting the risks of relying on broad, one-size-fits-all security solutions.
- Cloud environment threats: Companies struggle to secure multi-cloud environments, making cloud posture assessment and monitoring more critical than ever.
- Remote work and third-party risks: Attackers continue to exploit vulnerabilities in remote access tools and third-party vendors, necessitating stricter access controls and monitoring.
The report also highlights the growing threat to critical industries and the shift from ransomware to extortion tactics. The types of attack tactics vary year to year, but DirectDefense’s report reflects how the techniques and executions attackers use evolve over time.
“Attackers have honed their techniques to become faster and more powerful against a company’s defenses; conversely, security solutions are less able to withstand attacks on their own and need constant monitoring and tuning,” said Jim Broome, President and Chief Technology Officer for DirectDefense. “As adversaries refine their techniques, organizations need to stay ahead by adapting their security posture. It’s not just about responding to threats—it’s about anticipating and mitigating them before they cause harm.”
The full report can be found here.
Follow DirectDefense
LinkedIn: https://www.linkedin.com/company/directdefense/
X: https://x.com/direct_defense
Blog: https://www.directdefense.com/resources/blog/
About DirectDefense, Inc.
DirectDefense provides enterprise risk assessments, penetration testing, ICS/SCADA security services, and 24/7 managed security services for companies of all sizes. Focused on building security resiliency, the firm offers comprehensive security testing services with specialization in application security, vulnerability assessments, penetration testing, and compliance assurance testing. Its team of highly talented consultants has worked with the majority of the Fortune 100 companies, in industries such as power and utility, gaming, retail, financial, media, travel, aerospace, healthcare, and technology. More information can be found at www.directdefense.com.
View source version on businesswire.com: https://www.businesswire.com/news/home/20250415845249/en/
Contacts
Press contact:
Cathy Summers
Summers PR
cathy@summers-pr.com
415-483-0480