ReliaQuest warns threat actor innovation and infostealer activity helped to accelerate breakout time by 22% in 2024
# Incident Report: Accelerating Threat Actor Breakout Times in 2024
## Executive Summary
Analysis of customer data by ReliaQuest in 2024 indicates a significant acceleration in threat actor speed, with the mean time from initial access to lateral movement ("breakout time") decreasing by 22% compared to the previous year. This rapid progression, sometimes occurring in under 30 minutes, outpaces manual incident response capabilities, largely driven by the increased use of Initial Access Brokers (IABs), specialized ransomware assembly lines, and the integration of AI in attack execution.
## Incident Details
- Discovery Date: Analysis conducted in 2024 (based on customer data comparison)
- Incident Date: Events observed throughout 2024
- Affected Organization: ReliaQuest Customers (Industry/Geography varied)
- Sector: Diverse (Implied by generalized customer analysis)
- Geography: Not specified (Global trends)
## Timeline of Events
### Initial Access
- Date/Time: Highly variable, but often swift (e.g., only 4 minutes between the initial email wave and the phishing message in vishing scenarios).
- Vector: Valid/Exposed Credentials (50% of hands-on-keyboard activity), Initial Access Brokers (IABs), Voice Phishing (Vishing) targeting IT helpdesks.
- Details: Purchase of access from IABs bypasses traditional infiltration; vishing involves spamming an inbox before calling, establishing remote access via legitimate software.
### Lateral Movement
- Date/Time: Extremely rapid; quickest recorded breakout time was 27 minutes (average decreased by 22%).
- Vector: Specialized RaaS affiliates, automated scripts generated with AI assistance.
- Details: Attackers quickly move past initial compromise to deploy ransomware or steal data, often possessing pre-installed backdoors or admin-level privileges from IAB access.
### Data Exfiltration/Impact
- Details: Focus indicated on data theft and ransomware deployment, facilitated by rapid advancement through the network.
### Detection & Response
- Detection: Analysis based on comparison of customer data.
- Response Actions: Organizations relying solely on manual containment strategies had a Mean Time to Contain (MTTC) of 8 hours 12 minutes, insufficient against sub-30-minute breakouts.
## Attack Methodology
- Initial Access: Valid or exposed credentials (50%), IAB-sourced access (66% of ransomware incidents), Voice Phishing (17% of incidents).
- Persistence: Not explicitly detailed, but facilitated by pre-installed backdoors from IABs.
- Privilege Escalation: AI used to write scripts for privilege escalation tasks.
- Defense Evasion: AI assists in customizing payloads to bypass detection.
- Credential Access: Implied via IAB access and techniques leveraged after initial compromise.
- Discovery: AI aids in automating reconnaissance and vulnerability spotting faster.
- Lateral Movement: Enabled by specialized RaaS affiliates and accelerated by AI/automation, leading to rapid breakout times.
- Collection: Data gathering focused on targets relevant for ransomware or theft.
- Exfiltration: Primary goal following successful lateral movement.
- Impact: Ransomware deployment or data theft.
## Impact Assessment
- Financial: Not specified; an MTTC of over 8 hours against attacks that break out in under 30 minutes implies substantial exposure and response effort.
- Data Breach: Data theft indicated as a primary objective.
- Operational: Significant business disruption implied by the speed required to contain active attacks.
- Reputational: Not specified.
## Indicators of Compromise
- Network indicators: Establishment of Command-and-Control (C2) often within minutes of phishing contact.
- File indicators: Not specified.
- Behavioral indicators: Rapid pivot following initial access; use of remote management and monitoring (RMM) tools post-social engineering.
## Response Actions
- Containment: Manual containment strategies proved slow (MTTC: 8h 12m).
- Eradication: Not detailed.
- Recovery: Not detailed.
## Lessons Learned
- Attack velocity has significantly increased (22% faster breakout time).
- Manual incident response is increasingly ineffective against modern attack speeds.
- Leveraging IABs and sophisticated RaaS "assembly lines" allows threat actors to skip time-consuming infiltration phases.
- AI tools are being deployed by attackers to rapidly automate reconnaissance, exploit identification, and script generation.
## Recommendations
- Accelerate the implementation of automated detection and response capabilities to significantly reduce MTTC below the current sub-30-minute threat window.
- Enhance monitoring around valid credential usage, as 50% of hands-on-keyboard activity leveraged them.
- Implement stronger controls and verification procedures around IT helpdesk interactions (especially vishing) to prevent remote access setup via social engineering.
- Increase investment in tools and training that leverage AI defensively to counter attacker acceleration.
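The behavioral indicators above (an inbox flood followed by remote-access tooling) and the helpdesk-hardening recommendation describe a pattern a SOC can detect rather than only a trend. The following is an added example, not code from the ReliaQuest report: it correlates constructed email and process telemetry and flags a remote-access binary launched on a user's host within an hour of a spam burst to that mailbox; the thresholds and the process watch list are assumptions to be tuned for your estate.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed values, not from the report): an "email flood"
# is FLOOD_COUNT or more inbound messages to one mailbox inside FLOOD_WINDOW;
# an RMM launch within PIVOT_WINDOW of the flood start is the suspicious pivot.
FLOOD_COUNT = 20
FLOOD_WINDOW = timedelta(minutes=10)
PIVOT_WINDOW = timedelta(minutes=60)
# Watch list of remote-access binaries (hypothetical; extend to match your estate).
RMM_PROCESSES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}

def find_email_floods(email_events):
    """Return {user: flood_start} for mailboxes that received a spam burst.
    email_events: iterable of (iso_timestamp, recipient_user)."""
    per_user = defaultdict(list)
    for ts, user in email_events:
        per_user[user].append(datetime.fromisoformat(ts))
    floods = {}
    for user, times in per_user.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):  # sliding window over sorted times
            while t - times[left] > FLOOD_WINDOW:
                left += 1
            if right - left + 1 >= FLOOD_COUNT:
                floods[user] = times[left]  # earliest message in the burst
                break
    return floods

def detect_vishing_pivots(email_events, process_events):
    """Alert when a flooded user's host starts an RMM tool soon after the flood.
    process_events: iterable of (iso_timestamp, host, user, process_name)."""
    floods = find_email_floods(email_events)
    alerts = []
    for ts, host, user, proc in process_events:
        if proc.lower() not in RMM_PROCESSES or user not in floods:
            continue
        delta = datetime.fromisoformat(ts) - floods[user]
        if timedelta(0) <= delta <= PIVOT_WINDOW:
            alerts.append({"user": user, "host": host, "process": proc,
                           "minutes_after_flood": int(delta.total_seconds() // 60)})
    return alerts

# Constructed sample telemetry: alice is spam-bombed from 09:00 and AnyDesk starts on
# her workstation at 09:31; bob runs AnyDesk with no preceding flood (legitimate use).
SAMPLE_EMAILS = [(f"2024-05-01T09:{m:02d}:00", "alice") for m in range(8) for _ in range(3)]
SAMPLE_EMAILS += [("2024-05-01T08:55:00", "bob")]
SAMPLE_PROCS = [("2024-05-01T09:31:00", "WS-ALICE", "alice", "AnyDesk.exe"),
                ("2024-05-01T09:40:00", "WS-BOB", "bob", "AnyDesk.exe")]
```

Running `detect_vishing_pivots(SAMPLE_EMAILS, SAMPLE_PROCS)` yields a single alert for alice's host 31 minutes after the flood began, while bob's ordinary AnyDesk use produces nothing; in production the email side would come from the mail gateway and the process side from EDR telemetry.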