Emerging evidence suggests that cybersecurity infrastructure complexity, blind spots and a lack of observability have been favoring AI-empowered threat actors.
Based on an analysis of 500+ major incident response cases in its user base across 38 countries in Oct–Dec 2024, a cybersecurity firm has reported what it views as evolving trends in cyber threat strategies.
At the heart of its data analysis is the premise that attackers are succeeding not just because of new tactics, but because they exploit complexity, blind spots, and misplaced trust in traditional defenses.
Cybercriminals and state-sponsored syndicates have been finding it easier to breach systems and move fast because organizations are struggling to secure sprawling attack surfaces.
Cyber trends to watch for
According to the experts at Palo Alto Networks, keeping an eye out for the evolving trends below can guide cybersecurity staff in their threat intelligence and preemptive defenses:
- Operational disruption as a primary goal: Attackers in the major incidents had been prioritizing sabotage over data theft, aiming to cripple businesses and maximize extortion.
- Surges in insider threats linked to North Korea: Cases had tripled in 2024, with operatives targeting contract-based technical roles at major tech firms, financial services, media, and government defense contractors. Advanced techniques, including hardware-based KVM-over-IP devices and Visual Studio Code tunneling, have made detection more challenging.
- Accelerated data exfiltration: Attackers in the major incidents analyzed have been exfiltrating data three times faster than in the incidents analyzed in 2021, with 25% of cases seeing data stolen within five hours, and nearly 20% in under an hour.
- Expanded attack surfaces: 70% of the major incidents in the analysis involved three or more attack vectors, underscoring the need for comprehensive security across endpoints, networks, cloud environments, and human vulnerabilities. Web browsers remained a weak link, facilitating 44% of attacks via phishing, malicious redirects, and malware downloads.
- Resurgence of phishing as a top entry point: 23% of the major attacks had begun with phishing, overtaking vulnerabilities as the leading attack vector. GenAI has made phishing campaigns more scalable, sophisticated, and difficult to detect.
Tips for cyber defense teams
- Complexity in cybersecurity kills effective SecOps and incident response: Today’s IT and security environments often resemble a patchwork of legacy applications, bolt-on infrastructure, and incomplete transformation initiatives. This leads many organizations to rely on 50 or more disparate security tools. Acquired piecemeal to address individual threats, these tools typically lack integration, creating data silos and preventing teams from maintaining a unified view of their environments. Even when critical evidence of intrusion is present in the logs, defenders may not be alerted in time, because complex, disjointed systems leave vital intrusion alerts neither readily accessible nor effectively operationalized, allowing attackers to exploit the gaps undetected. At the same time, multiple data sources are essential to detect and respond effectively. When these systems don’t communicate, or the telemetry is incomplete, essential clues remain buried until it’s too late.
- You cannot secure what you do not know about: Enterprise-wide visibility is the backbone of effective security operations, yet gaps remain common. Cloud services, in particular, present a significant challenge. Some organizations spin up an average of 300 new cloud services each month. Without proper runtime visibility, SecOps teams are unaware of both exposures and attacks. Unmanaged and unmonitored assets provide attackers with easy entry points into an organization’s environment. In fact, issues with security tools and management were a contributing factor in nearly 40% of cases. These gaps had allowed attackers to establish a foothold, move laterally and escalate privileges without being detected.
- Too much trust expands the cyber threat impact: Overly permissive access is a dangerous liability. Attackers consistently exploit overly permissive accounts and inadequate access controls to escalate their attacks. In major cyber incidents, at least one contributing factor is usually related to issues with identity and access management, including overly permissioned accounts and roles. This leads to lateral movement, access to sensitive information and applications, and ultimately enables attackers to succeed. Cloud environments are especially vulnerable. In many cases, attackers had gained far more access than should have been granted to the types of roles compromised. Once initial access is gained, whether through phishing, credential theft or exploiting vulnerabilities, this excessive trust allows attackers to rapidly escalate privileges, exfiltrate data and disrupt operations.
- Empower your security ops with comprehensive visibility across the enterprise, and the technology to identify the signal in the noise: Use AI and ML to sift through vast datasets, identifying hidden threats and anomalous behaviors. AI-assisted behavioral analytics help predict attacks before they fully materialize. Measure MTTD to gauge improvements. Regular threat hunting and correlation of signals from multiple sources tackle the “needle in a haystack” problem. Automating incident response workflows is critical for containing threats at machine speed, before an attacker can escalate privileges or exfiltrate sensitive data. Also, track MTTR to drive continuous improvement. Seamless integration between SOC platforms, IT systems and business applications also removes manual bottlenecks that delay remediation.
- Transition from reactive to proactive security: Combine red team exercises, incident simulation, and continuous security assessments to refine detection logic and response playbooks. This consistent feedback loop ensures that security teams adapt as new threats emerge. Elevating SOC skills through advanced training closes knowledge gaps and ensures that your organization is prepared for the next wave of attacks. Establish lifelines with battle-proven incident response consultants to gain access to proactive services such as threat hunting, tabletop exercises and purple team assessments, fortifying SecOps readiness and sharpening defenses before attackers strike.
- Accelerate the journey to end-to-end Zero Trust architecture: Even verified entities should be monitored continuously, minimizing unauthorized access. Enforce strict least privilege access: Grant roles only the access they need, guided by context-aware rules that factor in identity, device posture and data sensitivity. This neutralizes the “excessive trust” issue by limiting the range of damage if an account is compromised. Network segmentation further isolates critical assets and prevents attackers from moving laterally. Apply holistic security inspection: Analyze network traffic, including encrypted streams, to prevent and detect active threats without degrading performance. Tailor controls for distinct environments (e.g., cloud, IoT) to reduce operational complexity and avoid gaps in visibility. Control data access and movement: Safeguard sensitive information by classifying data and enforcing robust handling policies. Have strong data loss prevention technologies in place to stop unauthorized transfers that could result in intellectual property theft, compliance violations and financial repercussions.
- Secure apps and cloud from development to runtime: Prevent security issues from reaching production: Integrate security early in the development lifecycle. Harden development and DevOps tools, govern third-party and open-source components, and run continuous scans during the CI/CD process. This shift-left approach uncovers vulnerabilities before they reach production. Remediate newly discovered security weaknesses: Continuously monitor cloud infrastructure for misconfigurations, vulnerabilities and excessive permissions. Automated scanning and risk-based remediation ensure that once issues emerge, they are swiftly identified and contained. This is critical for stopping attackers before they gain a foothold. Identify and block runtime attacks: Protect applications, APIs and workloads with real-time threat detection and preventive controls. Ongoing monitoring helps neutralize malicious activity in progress, minimizing operational disruption and cutting off attackers before threats escalate. Automate cloud detection and response: Leverage native cloud services and third-party security tools to orchestrate automated incident response. By removing manual bottlenecks, you reduce the time attackers have to pivot, exfiltrate data or escalate privileges.
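The MTTD and MTTR metrics recommended above, and the time-to-exfiltration shares cited in the trends section, can be derived from a SOC's own incident records. The following is an added example, not code from the report or from Palo Alto Networks; the record layout and every timestamp are constructed, and the metric definitions (detection minus first malicious access; containment minus detection) are the assumptions used here.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not from the report). Each holds ISO
# timestamps for first malicious access, detection, containment and, where
# data actually left the environment, exfiltration.
INCIDENTS = [
    {"id": "IR-01", "access": "2024-11-02T08:00", "exfil": "2024-11-02T08:40",
     "detected": "2024-11-02T13:30", "contained": "2024-11-02T16:00"},
    {"id": "IR-02", "access": "2024-11-05T22:10", "exfil": "2024-11-06T02:00",
     "detected": "2024-11-06T01:00", "contained": "2024-11-06T04:30"},
    {"id": "IR-03", "access": "2024-11-09T09:15", "exfil": None,
     "detected": "2024-11-09T09:45", "contained": "2024-11-09T11:00"},
    {"id": "IR-04", "access": "2024-11-12T14:00", "exfil": "2024-11-13T06:00",
     "detected": "2024-11-12T20:00", "contained": "2024-11-13T01:00"},
]

def _ts(value):
    return datetime.fromisoformat(value)

def _hours(delta):
    return delta.total_seconds() / 3600.0

def mttd_hours(incidents):
    """Mean time to detect: detection minus first malicious access, in hours."""
    return mean(_hours(_ts(i["detected"]) - _ts(i["access"])) for i in incidents)

def mttr_hours(incidents):
    """Mean time to respond: containment minus detection, in hours."""
    return mean(_hours(_ts(i["contained"]) - _ts(i["detected"])) for i in incidents)

def exfil_share_within(incidents, limit_hours):
    """Fraction of all incidents in which data left within limit_hours of access."""
    fast = [i for i in incidents if i["exfil"] is not None
            and _hours(_ts(i["exfil"]) - _ts(i["access"])) <= limit_hours]
    return len(fast) / len(incidents)

def exfil_before_detection(incidents):
    """IDs of incidents where exfiltration completed before the SOC detected anything."""
    return [i["id"] for i in incidents if i["exfil"] is not None
            and _ts(i["exfil"]) < _ts(i["detected"])]

if __name__ == "__main__":
    print(f"MTTD: {mttd_hours(INCIDENTS):.2f} h, MTTR: {mttr_hours(INCIDENTS):.2f} h")
    print(f"exfil within 1 h: {exfil_share_within(INCIDENTS, 1):.0%}, "
          f"within 5 h: {exfil_share_within(INCIDENTS, 5):.0%}")
    print("exfiltrated before detection:", exfil_before_detection(INCIDENTS))
```

Incidents returned by exfil_before_detection are the ones where a lower MTTD would have changed the outcome, which is a more useful improvement target than the averages alone.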