5 ways to fortify your network against the new speed of AI attacks




ZDNET’s key takeaways

  • Attacks on enterprise networks are becoming more frequent.
  • Cybercriminals are using AI, but humans remain the weakest link.
  • Defending against attacks requires structural changes to the network.

Here’s the paradox of modern cyberwarfare: Increasingly, the attackers are using machines that can work orders of magnitude faster than the humans who control them. In response, the targets are increasingly turning to automated systems to detect and repel those intruders.

But in this machine-versus-machine combat, humans remain the center of each battle, and we mere mortals continue to be the weak point. That’s the conclusion of this year’s survey of the enterprise security landscape from Mandiant, a US cybersecurity firm — now part of Google Cloud — that specializes in investigating major global security breaches and advising organizations on how to protect themselves from cyber threats.


Modern enterprise networks are widely distributed and can hand off tasks to partners via software-as-a-service. The bad guys are doing the same thing, according to Mandiant, using a “division of labor” model: one group uses low-impact techniques like malicious advertisements or fake browser updates to gain access to a network, then hands off the compromised target to a secondary group for hands-on access.

And this all happens at a startling pace. In 2022, Mandiant reports, this “time to hand off” was more than eight hours. In 2025, thanks to automation, those hand-offs were happening after an average of just 22 seconds. Likewise, the window before systems are hit with zero-day exploits is shrinking: the mean time to exploit a vulnerability has dropped to seven days, before vendors have had time to issue a patch.

Identifying the attackers

According to Mandiant, the majority of attackers conducting “hands-on-keyboard operations” in compromised enterprise networks can be divided into two groups with distinctly different tactics and pacing: Cybercriminals pursue financial gain, using tools like ransomware, while espionage groups optimize for long-term, stealthy access.

On one end of the spectrum, cybercriminal groups are optimized for immediate impact and deliberate recovery denial. On the other end, sophisticated cyber espionage groups and insider threats are optimized for extreme persistence, using unmonitored edge devices and native network functionality to evade detection.

Those “dwell times” — that is, the time from intrusion to detection — average 14 days, but cyber espionage incidents can last much longer, with a median dwell time of 122 days.


Mandiant identified more than 16 industry verticals that are being targeted, with the high-tech sector (17%) and the financial sector (14.6%) at the top of the list.

Where the intrusions come from

No surprises here: Nearly one-third of detected intrusions come from exploits. The second most commonly observed vector is “highly interactive, voice-based social engineering,” with groups targeting IT help desks “to bypass multifactor authentication (MFA) and gain initial access to software-as-a-service (SaaS) environments.”

Also unsurprising is the increasing adoption of artificial intelligence tools for reconnaissance, social engineering, and malware development. After gaining access to a network, they report, “attackers are weaponizing AI … the QUIETVAULT credential stealer was observed checking targeted machines for AI [command-line] tools to execute predefined prompts to search for configuration files and collect GitHub and NPM tokens.”


However, AI is still playing a secondary role. “Despite these rapid technological advancements,” the report notes, “we do not consider 2025 to be the year where breaches were the direct result of AI. From our view on the frontlines, the vast majority of successful intrusions still stem from fundamental human and systemic failures.”

The bad guys are moving faster and breaking things

The entire tech industry has learned from Mark Zuckerberg’s infamous imperative for Facebook engineers: “Move fast and break things.” That’s also true for cybercriminals, who have discovered that ransomware attacks are even more effective when they also target the virtual infrastructure that supports backup tools:

Ransomware groups are no longer just encrypting data; they are actively destroying the ability to recover. … actively deleting backup objects from cloud storage. … By targeting the virtualization storage layer directly or encrypting hypervisor datastores, they can render all associated virtual machines inoperable simultaneously.


The good news is that the targets are getting smarter, too. “Organizations are improving their internal visibility. Across all 2025 investigations, 52% of the time organizations first detected evidence of malicious activity internally, an increase from 43% in 2024.” The sooner you discover evidence of an intrusion, the sooner you can begin the recovery process.

How to fight back

As attackers get more sophisticated and persistent, IT workers have to step up their game as well. Mandiant’s advice includes advanced training for employees and help desk staff on how to recognize modern attack vectors, including social engineering conducted over voice-based tools and messaging apps, as well as unauthorized MFA reset requests.

Here are five other defensive strategies that involve changes in network infrastructure:

  1. Treat virtualization and management platforms as Tier-0 assets with the strictest access constraints.
  2. To counter the destruction of recovery capabilities, decouple backup environments from the corporate Active Directory domain and utilize immutable storage.
  3. Deploy advanced threat detection across the entire ecosystem and extend log retention policies well beyond standard 90-day windows.
  4. Regularly audit SaaS integrations and route all SaaS applications through a central identity provider (IdP).
  5. Implement behavior-based detection models that flag anomalous activity and deviations from established baselines.
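As an added illustration of the fifth strategy (this is example code written for this page, not from the article or from Mandiant), here is a small baseline-deviation detector in Python run over constructed audit events: it learns how often each principal performs each action during a baseline period, then flags a burst of help-desk MFA resets and a backup principal performing a deletion it has never performed before. The event format, actor names and thresholds are all constructed assumptions.

```python
"""Baseline-deviation detector over constructed identity/backup audit events."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (day, actor, action). Days 1-5 form the baseline.
EVENTS = [
    (1, "helpdesk_a", "mfa_reset"), (2, "helpdesk_a", "mfa_reset"),
    (3, "helpdesk_a", "mfa_reset"), (4, "helpdesk_a", "mfa_reset"),
    (5, "helpdesk_a", "mfa_reset"),
    # Day 6: a burst of MFA resets from the same help-desk account.
    *[(6, "helpdesk_a", "mfa_reset")] * 9,
    (1, "backup_svc", "backup_write"), (2, "backup_svc", "backup_write"),
    (3, "backup_svc", "backup_write"), (4, "backup_svc", "backup_write"),
    (5, "backup_svc", "backup_write"),
    # Day 6: an action this principal has never performed in the baseline.
    (6, "backup_svc", "backup_object_delete"),
]


def daily_counts(events):
    """Map (actor, action) -> {day: number of events that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, actor, action in events:
        counts[(actor, action)][day] += 1
    return counts


def find_anomalies(events, baseline_days, k=3.0):
    """Return (day, actor, action, count, reason) tuples for post-baseline deviations."""
    counts = daily_counts(events)
    seen_in_baseline = {key for key, by_day in counts.items()
                        if any(d <= baseline_days for d in by_day)}
    findings = []
    for (actor, action), by_day in counts.items():
        # Include zero-count days so quiet principals get a realistic baseline.
        history = [by_day.get(d, 0) for d in range(1, baseline_days + 1)]
        mu, sigma = mean(history), pstdev(history)
        for day, n in sorted(by_day.items()):
            if day <= baseline_days:
                continue
            if (actor, action) not in seen_in_baseline:
                findings.append((day, actor, action, n, "never-seen action"))
            # Floor sigma at 1 so a perfectly regular baseline still alerts on a burst.
            elif n > mu + k * max(sigma, 1.0):
                findings.append((day, actor, action, n, "count exceeds baseline"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(EVENTS, baseline_days=5):
        print(finding)
```

In production the same logic would read from a SIEM or cloud audit trail rather than an inline list, and the baseline window should be far longer than five days, which is why the report's advice on extended log retention matters.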


In its conclusion, Mandiant’s researchers note that “identity is the new perimeter.” Simply rotating passwords and enforcing MFA isn’t enough anymore. Focusing on hardening identity controls and shifting to continuous identity verification, especially with third-party vendors, is crucial.
