
Fifty-one seconds. That’s all it takes for an attacker to breach and move laterally across your network, undetected, using stolen credentials to evade detection.
Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, explained to VentureBeat just how quickly intruders can escalate privileges and move laterally once they penetrate a system. “(T)he next phase typically involves some form of lateral movement, and this is what we like to calculate as breakout time. In other words, from the initial access, how long does it take till they get into another system? The fastest breakout time we observed was 51 seconds. So these adversaries are getting faster, and this is something that makes the defender’s job a lot harder,” Meyers said.
AI is far and away an attacker’s weapon of choice today. It’s cheap, fast and versatile, enabling attackers to create vishing (voice phishing) and deepfake scams and launch social engineering attacks in a fraction of the time previous technologies could.
Vishing is out of control due in large part to attackers fine-tuning their tradecraft with AI. CrowdStrike’s 2025 Global Threat Report found that vishing exploded by 442% in 2024. It’s the top initial access method attackers use to manipulate victims into revealing sensitive information, resetting credentials and granting remote access over the phone.
“We saw a 442% increase in voice-based phishing in 2024. This is social engineering, and this is indicative of the fact that adversaries are finding new ways to gain access because…we’re kind of in this new world where adversaries have to work a little bit harder or differently to avoid modern endpoint security tools,” Meyers said.
Phishing, too, continues to be a threat. Meyers said, “We’ve seen that with phishing emails, they have a higher click-through rate when it’s AI-generated content, a 54% click-through rate, versus 12% when a human is behind it.”
The Chinese Green Cicada network has used an AI-driven content generator to create and run 5,000+ fake accounts on social media to spread election disinformation. North Korea’s FAMOUS CHOLLIMA adversary group is using generative AI to create fake LinkedIn profiles of IT job candidates with the goal of infiltrating global aerospace, defense, software and tech companies as remote employees.
A sure sign attackers’ AI tradecraft is maturing fast is how successful they’re being with identity-based attacks. Identity attacks are overtaking malware as the primary breach method. Seventy-nine percent of attacks to gain initial access in 2024 were malware-free, relying instead on stolen credentials, AI-driven phishing and deepfake scams. One in three, or 35%, of cloud intrusions leveraged valid credentials last year.
“Adversaries have figured out that one of the fastest ways to gain access to an environment is to steal legitimate credentials or to use social engineering. Bringing malware into the modern enterprise that has modern security tools on it is kind of like trying to bring a water bottle into the airport — TSA is probably going to catch you,” explains Meyers.
“We found a gap in our ability to revoke legitimate identity session tokens at the resource side,” Alex Philips, CIO at National Oilwell Varco (NOV), told VentureBeat in a recent interview. “We now have a startup company who is helping us create solutions for our most common resources where we would need to quickly revoke access. It isn’t enough to just reset a password or disable an account. You have to revoke session tokens.”
NOV is fighting back against attacks using a wide variety of techniques. Philips shared the following as essential for shutting down increasingly AI-driven attacks that rely on deception through vishing, stolen credentials and identities:
51-second breakouts are a symptom of a much larger and more severe identity and access management (IAM) weakness in organizations. Core to this breakdown in IAM security is assuming trust is enough to protect your business (it isn’t). Authenticating every identity, session and request for resources is. Assuming your company has been breached is the place to start.
What follows are three lessons about shutting down lightning-fast breaches, shared by Philips and validated by CrowdStrike’s research showing these attacks are the new normal of weaponized AI:
Cut off attacks at the authentication layer first, before the breach spreads. Make stolen credentials and session tokens useless as fast as you can. That needs to start with identifying how to shorten token lifetimes and implement real-time revocation to stop attackers mid-movement.
Use AI-driven threat detection to spot attacks in real time. AI and machine learning (ML) excel at anomaly detection across large datasets that they also train on over time. Identifying a potential breach or intrusion attempt and containing it in real time is the goal. AI and ML techniques continue to improve as the attack datasets they’re trained on improve.
Unify endpoint, cloud and identity security to stop lateral movement. Core to zero trust is defining segmentation at the endpoint and network level in order to contain a breach within the segments’ boundaries. The goal is to keep enterprise systems and infrastructure secure. By having them unified, lightning-quick attacks are contained and don’t spread laterally across a network.
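The first lesson above, together with Philips’ point that resetting a password does not end live sessions, as an added example (not from the article or from NOV): a resource-side validator that combines a short token lifetime with a per-user revocation cutoff. The signing key, the 300-second lifetime, the timestamps and all function and class names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed signing key, for this example only
TOKEN_TTL = 300                   # assumed short lifetime: five minutes

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(subject: str, now: float) -> str:
    """Issue an HMAC-signed session token carrying issued-at and expiry."""
    payload = json.dumps({"sub": subject, "iat": now, "exp": now + TOKEN_TTL}).encode()
    return _b64(payload) + "." + _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())

class RevocationStore:
    """Per-subject cutoff: any token issued at or before it is rejected."""
    def __init__(self):
        self._not_before = {}

    def revoke_all(self, subject: str, now: float) -> None:
        self._not_before[subject] = now

    def cutoff(self, subject: str) -> float:
        return self._not_before.get(subject, float("-inf"))

def validate(token: str, store: RevocationStore, now: float) -> str:
    """Resource-side check; returns 'ok' or the reason for rejection."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:  # wrong part count or invalid base64
        return "malformed"
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad-signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return "expired"   # short lifetime bounds how long a stolen token works
    if claims["iat"] <= store.cutoff(claims["sub"]):
        return "revoked"   # real-time revocation kills it before expiry
    return "ok"

def demo():
    store, t0 = RevocationStore(), 1_700_000_000.0  # constructed timestamp
    stolen = issue_token("alice", t0)
    before = validate(stolen, store, t0 + 51)  # a password reset alone changes nothing here
    store.revoke_all("alice", t0 + 52)
    after = validate(stolen, store, t0 + 53)
    fresh = validate(issue_token("alice", t0 + 60), store, t0 + 61)
    return before, after, fresh
```

The cutoff lookup happens on every request at the resource, which is what makes revocation take effect mid-session instead of at the next login.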
To win the AI war, attackers are weaponizing AI to launch lightning-quick attacks while at the same time creating vishing, deepfake and social engineering campaigns to steal identities. Philips’ methods for stopping them, including employing AI-driven detection and instantly revoking tokens to kill stolen sessions before they spread, are proving effective.
At the center of Philips’ and many other cybersecurity and IT leaders’ strategies is the need for zero trust. Time and again, VentureBeat sees that the security leaders who succeed in battling back against machine-speed attacks are those championing least-privilege access, network and endpoint segmentation, monitoring every transaction and request for resources, and continually verifying identities.