We stand at an interesting point in the never-ending arms race between attackers and defenders. The former are using AI, automation and a range of techniques to sometimes devastating effect. In fact, one report claims that 80% of ransomware-as-a-service (RaaS) groups now offer AI or automation as features – and, of course, there’s also a thriving market with tools that are specifically intended to evade security tools. Data breaches and associated costs have surged as a result.
But on the other hand, threat actors are largely doing what they have always done: supercharging existing tactics, techniques and procedures (TTPs) to accelerate attacks. The time between initial access and the start of lateral movement (breakout time), for example, is now measured in minutes. For defenders used to working in hours or days, that has to change.
A half-hour warning
Breakout time matters because if network defenders cannot stop an adversary at this stage, an initial intrusion can very quickly become a major incident. The average breakout time is now around 30 minutes, roughly 29% faster than a year earlier, and some observers have seen it happen less than a minute after initial access.
There are several reasons why the window for action is rapidly closing. Threat actors are:
- Getting better at stealing, cracking or phishing legitimate credentials from your employees. Weak and infrequently rotated passwords make guessing and cracking easier, and passwords reused across services let attackers replay credentials leaked from one breach against another (credential stuffing). A lack of multifactor authentication (MFA) means a single stolen password is often enough. They are also getting better at password-reset vishing, either impersonating the helpdesk to employees or calling the helpdesk while impersonating an employee. With legitimate logins, they can masquerade as users without setting off internal alarms.
- Using zero-day exploits against internet-facing edge devices, such as Ivanti EPMM, to gain a foothold in networks while remaining hidden from in-house security tools (appliances of this kind typically cannot run an endpoint agent).
- Getting better at reconnaissance, using open source intelligence (OSINT) techniques and AI to scour the web for publicly available information on high-value targets with privileged access. They gather information on organizational structure, internal processes and the IT environment to streamline attacks and script social engineering calls.
- Automating post-exploitation activity using AI-powered scripts for credential harvesting, living off the land, and even malware generation.
- Exploiting the gaps between siloed teams and point solutions. Activity that looks legitimate to one tool (say, an endpoint agent) may look unusual to another (say, a network sensor), but without holistic visibility nobody joins the dots and edge cases go uninvestigated. In some cases, threat actors take deliberate steps to disable or evade EDR.
- Using living-off-the-land (LOTL) techniques to stay hidden: valid credentials, legitimate remote access tools and native protocols such as SMB and RDP, so that their activity blends in with regular administrative traffic.
Catching threat actors at this point is essential, especially as exfiltration, once it begins, is also being accelerated by AI. The fastest recorded case last year took just six minutes, down from 4 hours 29 minutes in 2024.
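The pattern described above (a valid account logs on once, then fans out over SMB and RDP to several hosts within the breakout window) is something a SOC can detect from authentication events alone. The following is an added example, not code from the original article or from any vendor product: it replays a constructed set of Windows-style logon events (logon type 2 = console, 3 = network, 10 = RDP) and raises an alert when an account reaches several new hosts within 30 minutes of its first logon. The event format, host names, the 30-minute window and the per-account baseline table are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample of successful Windows-style logon events (not real telemetry).
# Columns: timestamp, account, source host, destination host, logon type.
# Logon type 2 = interactive (console), 3 = network (SMB, admin shares, WMI),
# 10 = RemoteInteractive (RDP). Types 3 and 10 are what LOTL lateral movement looks like.
SAMPLE_EVENTS = """\
2025-03-04T09:00:12 jdoe WS-117 WS-117 2
2025-03-04T09:03:40 jdoe WS-117 FS-01 3
2025-03-04T09:05:02 jdoe WS-117 FS-02 3
2025-03-04T09:07:55 jdoe WS-117 DC-01 10
2025-03-04T09:10:00 asmith WS-042 WS-042 2
2025-03-04T09:20:00 asmith WS-042 FS-01 3
2025-03-04T13:30:00 asmith WS-042 PRINT-01 3
"""

LATERAL_LOGON_TYPES = {3, 10}

# Hypothetical per-account baseline: hosts each account reaches on a normal day.
# In production this comes from historical telemetry, not a hard-coded table.
BASELINE_HOSTS = {"asmith": {"FS-01", "PRINT-01"}}


@dataclass
class BreakoutAlert:
    account: str
    foothold: str            # host of the account's first logon (presumed initial access)
    first_lateral_host: str
    breakout_seconds: float  # first logon -> first lateral logon to a non-baseline host
    hosts_in_window: list = field(default_factory=list)


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, ltype = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst, int(ltype)))
    return sorted(events, key=lambda e: e[0])


def detect_breakout(events, window=timedelta(minutes=30), min_hosts=3, baseline=BASELINE_HOSTS):
    """Flag accounts whose first logon is followed, within `window`, by network/RDP
    logons to at least `min_hosts` distinct hosts outside that account's baseline."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev[1]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        first_ts, _, foothold, _, _ = evs[0]
        normal = baseline.get(account, set())
        lateral = [
            e for e in evs
            if e[4] in LATERAL_LOGON_TYPES
            and e[3] != foothold
            and e[3] not in normal
            and e[0] - first_ts <= window
        ]
        hosts = []
        for e in lateral:
            if e[3] not in hosts:
                hosts.append(e[3])
        if len(hosts) >= min_hosts:
            first = lateral[0]
            alerts.append(BreakoutAlert(
                account=account,
                foothold=foothold,
                first_lateral_host=first[3],
                breakout_seconds=(first[0] - first_ts).total_seconds(),
                hosts_in_window=hosts,
            ))
    return alerts


if __name__ == "__main__":
    for a in detect_breakout(parse_events(SAMPLE_EVENTS)):
        print(f"{a.account}: foothold {a.foothold}, breakout in {a.breakout_seconds:.0f}s, "
              f"reached {a.hosts_in_window}")
```

In the sample, jdoe's account breaks out 208 seconds after its first logon and reaches three hosts, while asmith stays within a normal pattern. The baseline matters: without it, every administrator's morning would look like an intrusion, which is the alert-fidelity problem the next section talks about.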
Fighting fire with (AI) fire
If attackers can access your network with elevated privileges, or hide on unobserved endpoints, and then move laterally without raising any alarms, human-powered response will often be too slow. You need to limit social engineering, improve detection of suspicious behavior and accelerate response times.
AI-powered extended detection and response (XDR) and managed detection and response (MDR) can help here by automatically flagging suspicious behavior, using contextual data to improve alert fidelity, and remediating where necessary. Advanced offerings may also help by clustering alerts and generating automated responses for stretched SOC teams, freeing up their time to work on high-value tasks like threat hunting.
A single, unified provider with insight across endpoints, networks, cloud and other layers can also shine a light on the gaps between point solutions, giving full visibility of potential attack paths. Ensure that any such tools also cover edge devices, and that they work with your security information and event management (SIEM) and security orchestration, automation and response (SOAR) tooling.
Threat intelligence and threat hunting are also vital to keep pace with AI-supported adversaries. An approach that harnesses both will help teams focus on what matters – how attackers are targeting them and where they might move next. AI agents might in time be able to take on more of these tasks autonomously to further speed up response times.
Regaining the initiative
There are other ways to accelerate response times, including:
- Continuous monitoring and awareness across endpoint, network and cloud environments.
- Automated response steps, such as session termination, password reset or host isolation, triggered by suspicious activity; where appropriate, automated analysis combined with human assessment to investigate alerts and decide how to contain a threat fast.
- Least privilege access policies, micro-segmentation and other hallmarks of Zero Trust to ensure strict access controls and minimize the blast radius of attacks.
- Enhanced identity-centric security based around strong, unique credentials managed in a password manager, and backed by phishing-resistant MFA.
- Anti-vishing steps, including updated helpdesk processes (e.g., out-of-band callbacks) and effective awareness training.
- Brute-force protection that blocks automated password-guessing attacks at entry.
- Continuous monitoring of social media and dark web for exposed employee and company information that could be weaponized.
- Monitoring of scripts and processes as they "decloak" in memory, to spot and block LOTL behavior.
- Cloud sandbox execution of suspicious files to mitigate zero-day exploit threats.
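Two of the items above, automated response steps and brute-force protection at entry, are easy to get half right. A per-account lockout stops an attacker hammering one account but does nothing against password spraying, where one source tries a single guess against many accounts and never exceeds any per-account threshold. The following is an added example, not code from the original article or from any product: a sliding-window tracker that keeps both counts and emits a decision per failed attempt, which a SOAR playbook could map to the lockout, reset or block actions listed above. The failure-record format, IP addresses, account names and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-logon records (not real telemetry): timestamp, source IP, account.
# 203.0.113.7 hammers a single account (classic brute force). 198.51.100.9 tries one
# guess against each of many accounts (password spraying), which never trips a
# per-account lockout on its own. 192.0.2.5 is a user mistyping a password once.
SAMPLE_FAILURES = """\
2025-03-04T10:00:00 203.0.113.7 svc-backup
2025-03-04T10:00:05 203.0.113.7 svc-backup
2025-03-04T10:00:09 203.0.113.7 svc-backup
2025-03-04T10:00:14 203.0.113.7 svc-backup
2025-03-04T10:00:20 203.0.113.7 svc-backup
2025-03-04T10:00:25 203.0.113.7 svc-backup
2025-03-04T10:01:00 198.51.100.9 user01
2025-03-04T10:01:03 198.51.100.9 user02
2025-03-04T10:01:06 198.51.100.9 user03
2025-03-04T10:01:09 198.51.100.9 user04
2025-03-04T10:01:12 198.51.100.9 user05
2025-03-04T10:01:15 198.51.100.9 user06
2025-03-04T10:01:18 198.51.100.9 user07
2025-03-04T10:01:21 198.51.100.9 user08
2025-03-04T10:01:24 198.51.100.9 user09
2025-03-04T10:01:27 198.51.100.9 user10
2025-03-04T10:30:00 192.0.2.5 jdoe
"""


class LogonGuard:
    """Sliding-window failed-logon tracker with two independent thresholds:
    failures per account (brute force) and distinct accounts per source (spraying)."""

    def __init__(self, window=timedelta(minutes=10), account_limit=5, spray_limit=8):
        self.window = window
        self.account_limit = account_limit
        self.spray_limit = spray_limit
        self._by_account = defaultdict(deque)  # account -> failure timestamps
        self._by_source = defaultdict(deque)   # source  -> (timestamp, account)
        self.locked_accounts = set()
        self.blocked_sources = set()

    def _prune(self, dq, now, ts_of):
        # Drop entries older than the window so counts reflect recent activity only.
        while dq and now - ts_of(dq[0]) > self.window:
            dq.popleft()

    def record_failure(self, ts, source, account):
        """Return the decision for one failed attempt: 'allow', 'lock_account',
        'block_source', or 'locked'/'blocked' if an earlier decision already applies."""
        if source in self.blocked_sources:
            return "blocked"
        if account in self.locked_accounts:
            return "locked"

        acc = self._by_account[account]
        acc.append(ts)
        self._prune(acc, ts, lambda t: t)

        src = self._by_source[source]
        src.append((ts, account))
        self._prune(src, ts, lambda item: item[0])

        if len(acc) >= self.account_limit:
            self.locked_accounts.add(account)   # playbook action: lockout / forced reset
            return "lock_account"
        if len({a for _, a in src}) >= self.spray_limit:
            self.blocked_sources.add(source)    # playbook action: block the source at entry
            return "block_source"
        return "allow"


def run_guard(text, **kwargs):
    """Replay constructed failure records through a LogonGuard; return decisions in order."""
    guard = LogonGuard(**kwargs)
    decisions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, account = line.split()
        decision = guard.record_failure(datetime.fromisoformat(ts), source, account)
        decisions.append((source, account, decision))
    return {"decisions": decisions,
            "locked_accounts": guard.locked_accounts,
            "blocked_sources": guard.blocked_sources}


if __name__ == "__main__":
    for source, account, decision in run_guard(SAMPLE_FAILURES)["decisions"]:
        print(f"{source:14} {account:12} {decision}")
```

In the sample, svc-backup is locked on the fifth failure and the spraying source is blocked once it has touched eight distinct accounts; the genuine user's single typo is allowed through. Two caveats a practitioner should keep in mind: account lockout is itself a denial-of-service lever (an attacker can deliberately lock out real users), so lockouts should be temporary and paired with phishing-resistant MFA rather than relied on alone; and a source-based threshold is only as good as the attacker's willingness to use one IP, so distributed spraying still needs the identity-centric controls listed above.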
None of these steps alone is a silver bullet. But layered together, and backed by AI-powered MDR/XDR from a reputable supplier, they can help defenders regain the initiative. It may be an arms race, but it is one with no end in sight. That means there is still time to catch up.