Today’s adversaries have long been accelerating and evolving their operations. Now they are developing a business-like structure, refining and scaling their successful strategies, and exploring new technologies to cultivate a more efficient approach to cyberattacks. 2024 was the year of the enterprising adversary.
The CrowdStrike Global Threat Report delivers critical insights into the evolving threat landscape and adversary behavior and tradecraft. When CrowdStrike’s Counter Adversary Operations team reflected on 2024, they saw threat actors becoming more focused and professional — much like the businesses they target. They’re quick to learn and adapt to changing defenses, all while staying focused on their goals.
These adversaries cannot be underestimated. Armed with the critical data and insights in this year’s report, businesses are better prepared to face them.
Learn more: Download the CrowdStrike 2025 Global Threat Report
The Rise of the Enterprising Adversary
Adversaries continue to become faster, smarter, and more elusive. The average eCrime breakout time — the time it takes for an adversary to move from an initially compromised host to another within the target organization — was 48 minutes in 2024, down from 62 minutes the previous year. The fastest recorded breakout time? A swift 51 seconds.
Before they break out, they have to break in. The business of social engineering dominated in 2024. Voice phishing (vishing) attacks skyrocketed 442% between H1 and H2 as threat actors turned to vishing, callback phishing, and help desk social engineering to gain a foothold in target networks. Adversaries also used compromised credentials to enter organizations and move laterally through them, operating as legitimate users and evading detection. Access broker advertisements, often selling valid stolen credentials, surged 50% year-over-year. Most detections in 2024 were malware-free (79%), underscoring a broad rise in hands-on-keyboard activity.
In these efforts, enterprising adversaries are finding value in generative artificial intelligence. GenAI was used in 2024 to improve social engineering, accelerate misinformation operations, and support malicious network activity. CrowdStrike observed its use in business email compromise and phishing attacks, where large language models (LLMs) can generate email content and credential harvesting websites at least as well as humans. Despite its relative novelty, genAI’s low barrier to entry and powerful capabilities are fueling the scale, pace, and effectiveness of cyberattacks.
Nation-state adversary activity proliferated throughout 2024, with China at the forefront. China-nexus activity increased by 150% across all sectors, with a staggering 200-300% surge in key targeted industries including financial services, media, manufacturing, and industrials/engineering. CrowdStrike identified seven new China-nexus adversaries in 2024, indicating a shift toward more targeted intrusions. Groups such as LIMINAL PANDA and VAULT PANDA focused on specialized targets with greater sophistication.
CrowdStrike now tracks 257 named adversaries and over 140 emerging activity clusters. To stop these adversaries, it is imperative we understand their behaviors, motivations, and techniques. Below are more trends and findings we explore in this year’s report:
- Cloud environments are under siege: New and unattributed cloud intrusions increased by 26% year-over-year. Valid account abuse is the primary initial access method, accounting for 35% of cloud incidents in H1 2024.
- SaaS exploitation is a trend to watch: Adversaries increasingly targeted cloud-based SaaS applications for data theft, lateral movement, extortion, and third-party targeting. They often gained access by compromising single sign-on identities.
- Unpatched vulnerabilities are hot targets: Internet-exposed network appliances were commonly targeted in 2024, as adversaries exploited these devices’ inherent weaknesses to gain initial access where endpoint detection and response (EDR) visibility is limited.
- Insider threats quietly expand: Insider threat operations have grown more sophisticated, with adversaries embedding themselves as employees of target organizations. In 2024, CrowdStrike responded to 304 FAMOUS CHOLLIMA incidents, nearly 40% of which involved insider threat activity.
CrowdStrike pioneered the concept of adversary-focused cybersecurity because it’s the most effective way to defend organizations from modern threats. And with the intelligence we collect, we know the adversary better than anyone. Read the CrowdStrike 2025 Global Threat Report to gain a full picture of how today’s adversaries are operating and learn how to fortify your defenses against them.