Last year nation-state incidents dominated cybersecurity headlines, as Chinese Typhoon threat groups and others made waves across several industries. But throughout the first half of 2025, most publicly known, high-profile attacks have been the work of cybercrime actors.

Financially motivated attacks are on the rise, with retailers, industrial control systems, financial institutions, and healthcare among the hardest hit sectors this year.

The recent surge in ransomware incidents is taxing the ability of even well-prepared cybersecurity teams to detect, track, and eject cybercrime adversaries before significant damage is done. Remediation efforts have also been strained, as has security teams' ability to incorporate lessons learned into their incident response plans once an incident has been resolved.

As such, experts believe that old cyber defense playbooks no longer work, placing even greater pressure on CISOs to develop more modern and effective programs for dealing with today’s intruders.

“Attackers are quicker, they’re smarter, they’re using more automated tools with AI and not legacy tools,” Matt Immler, regional CSO for Okta in the Eastern Americas, tells CSO. “When you’re looking at things that are these very static defenses, like regular passwords, perimeter firewalls, those sorts of things that have just been the classic security defense, they’re just not as effective against those modern techniques.”

Visibility and behavior tracking: More important than ever

Accelerating attack timelines are putting greater pressure on organizations’ ability to detect cybercrime activity before adversaries gain a foothold and spread laterally throughout organizational networks.

“If you would ask most CISOs, what’s your ability to detect something in 48 minutes or less, they would be hard pressed to give you an answer,” says Tom Etheridge, chief global professional services officer at CrowdStrike. “But we have seen the fastest recorded breakout time as low as 51 seconds. Those are the things that keep me up at night.”

Because the speed at which adversaries can cause problems is accelerating, CISOs must have clear visibility across their environments. “For many organizations, security teams and structures are set up to respond to alerts they’re seeing in their platform,” Etheridge says. “But if the alerts are not in that platform, they may not be aware of a zero-day vulnerability and a part of their infrastructure that a threat actor is exploiting.”

Another step to better spotting an intruder is to establish better tracking mechanisms — especially because most attackers these days rely on abusing the identities of authenticated users. “Identity is the front door to all these organizations and preventing intrusions within the network and looking at what an adversary [is doing] in the network” is essential, Okta’s Immler says.

“We have this saying, ‘Threat actors aren’t hacking in anymore; they’re logging in,’” CrowdStrike’s Etheridge says. “Once they’re able to gain access to privileged credentials, and then they’re in that breakout, time gets accelerated. Understanding identity and the cloud is another big area that threat actors converge on; they understand the lack of visibility and controls around the cloud plane. It’s a big target area for threat actors.”

As a result, security teams must lean on anomaly detection to tell, quickly, when a validly authenticated session is in fact a threat actor operating under a stolen identity. An anomaly is a deviation from an identity's routine activity, which means detecting one requires a baseline: a profile of what each type of user normally does across the organization's systems and networks.

“Building a specific profile for each identity isn’t always totally feasible,” Immler points out. “But building profiles based on either maybe department level or function level is. If somebody is working in accounting, should they be accessing an IT resource that’s not usual or vice versa?”
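As an added illustration, not code from the article or from Okta, here is how department-level baselines of the kind Immler describes can be learned from access logs and then used to score new events. It adds a per-user history so that an individual's rare but established habit is not flagged as a peer-group anomaly, and it treats a department with no baseline at all as something to flag rather than ignore. The log shape, users, departments and resource names are constructed for the example.

```python
"""Department-level access baselines with per-user history.

Added example for this article (not code from Okta, CrowdStrike or Cisco):
learns which resource categories each department normally uses from a
training window of access logs, then flags later events that fall outside
that baseline unless the same user has touched that exact resource before.
The log shape, departments, users and resource names are all constructed.
"""
from collections import defaultdict

# Constructed training window: (user, department, resource, resource_category).
TRAINING_LOG = [
    ("alice", "accounting", "erp-gl", "finance"),
    ("alice", "accounting", "expense-portal", "finance"),
    ("bob", "accounting", "erp-gl", "finance"),
    ("bob", "accounting", "hr-selfservice", "hr"),      # one-off, not the dept norm
    ("erin", "accounting", "erp-gl", "finance"),
    ("carol", "it", "ad-admin-console", "it-admin"),
    ("carol", "it", "vcenter", "it-admin"),
    ("dave", "it", "vcenter", "it-admin"),
    ("dave", "it", "hr-selfservice", "hr"),
]

# Constructed events to score against the learned profiles.
NEW_EVENTS = [
    ("alice", "accounting", "ad-admin-console", "it-admin"),  # accounting -> IT admin tool
    ("bob", "accounting", "hr-selfservice", "hr"),            # bob's own established habit
    ("carol", "it", "vcenter", "it-admin"),                   # normal
    ("frank", "accounting", "hr-selfservice", "hr"),          # not in dept baseline, no history
    ("gina", "legal", "contract-vault", "legal"),             # department never profiled
]


def build_profiles(events, min_users=2):
    """Learn a department baseline (categories used by at least `min_users`
    distinct people, so a single outlier does not define the norm) and each
    user's own history of exact resources."""
    dept_cat_users = defaultdict(lambda: defaultdict(set))
    user_history = defaultdict(set)
    for user, dept, resource, category in events:
        dept_cat_users[dept][category].add(user)
        user_history[user].add(resource)
    baselines = {
        dept: {cat for cat, users in cats.items() if len(users) >= min_users}
        for dept, cats in dept_cat_users.items()
    }
    return baselines, dict(user_history)


def score_event(event, baselines, user_history):
    """Return None when the access fits the profile, otherwise a reason string."""
    user, dept, resource, category = event
    if dept not in baselines:
        return f"{user}: no baseline exists for department '{dept}'"
    if category in baselines[dept]:
        return None
    if resource in user_history.get(user, set()):
        return None  # rare for the department, but this user's established pattern
    return (f"{user} ({dept}) accessed {resource} [{category}]; "
            f"baseline for {dept} is {sorted(baselines[dept])}")


def detect_anomalies(training, new_events, min_users=2):
    """Return [(event, reason)] for every new event outside the learned profiles."""
    baselines, history = build_profiles(training, min_users)
    flagged = []
    for event in new_events:
        reason = score_event(event, baselines, history)
        if reason is not None:
            flagged.append((event, reason))
    return flagged


if __name__ == "__main__":
    for event, reason in detect_anomalies(TRAINING_LOG, NEW_EVENTS):
        print("ANOMALY:", reason)
```

Run as is, it flags alice (an accounting user opening an IT admin console), frank (an accounting user touching an HR system the department does not normally use) and gina (a department with no baseline), while bob's previously seen HR access passes. The `min_users` threshold is the knob that keeps one person's odd habit from becoming the department's norm.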

Developing these segment profiles also helps security teams identify "isolation points" at which threat actors can be cut off from the systems they are after, says Pierre Cadieux, senior manager at Cisco Talos' incident response group. Here, CISOs should ensure their behavior profiles and network segmentation strategy operate in tandem.

“In the event of a compromise or an incident, you can say we’re dropping the shields on this specific network or these specific segments, or you have the ability of doing network isolation maybe on a building-wide, campus-wide, or regional basis depending on the kind of threat we’re dealing with,” Cadieux explains.

Threat actor containment: Increasingly ‘surgical’ and best with a plan

Even once an intruder has been identified, the rapid pace of adversary activity strains cybersecurity teams' ability to contain them before they can cause damage.

“If I’m a CISO, if I’m responsible for detecting and remediating that incident before it progresses to becoming a big problem in my environment, I need to be able to move faster than the adversary,” CrowdStrike’s Etheridge says. “And being able to have the confidence in your capabilities in your team to be able to stop an adversary within 48 minutes of being able to break out in your environment is a daunting activity.”

The trick, Etheridge says, is not to overcorrect and jam up your systems. “You need to be very, very surgical about it. There are plenty of examples where containment actions can overcorrect and create business disruption, operational, and potentially financial impact.”

Resilience in the face of intrusion has become a higher priority, and CISOs must build it into their containment plans. Here, Okta's Immler advises using automation for a more targeted approach to triage.

“I am always a big proponent of automation in those security systems as a first line of defense, particularly if it’s not going to be an overly damaging action,” Immler says. “Automations are really helpful as first lines of defense when you see something happen and you need a chance to triage it, where that can get problematic if you go overboard.”

He adds, “I think it’s good to be very nimble and selective and recognize this account just tried to do something that it should never be doing and disable that account for a little while or issue a logout for a universal logout, something like that to remove their access to what they’re doing until somebody’s had a chance to go, ‘Hey, is this what you should have been doing? Or did you mean to do this? Was it an accident?’”
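The policy shape Immler and Etheridge describe, written out as an added example rather than code from the article or from any of the vendors quoted: severity maps to the least disruptive action that still removes access, every automated action is handed to a human with a review deadline, and a short list of identities (assumed here) is never suspended automatically because a mistake there would itself be an outage. The IdP client is a recording stub standing in for a real API; the action names, review windows and protected-account list are assumptions to adapt.

```python
"""Tiered, reversible first-response automation for identity anomalies.

Added example for this article (not Okta's, CrowdStrike's or Cisco Talos's
code). Automation takes the least disruptive action that still removes the
attacker's access, always hands the case to a human with a review deadline,
and never acts on its own against identities whose loss would itself be an
outage. The IdP client is a recording stub; the action names, severities,
review windows and protected-account list are assumptions to adapt.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Finding:
    user: str
    severity: str   # "low" | "medium" | "high"
    reason: str


@dataclass
class Action:
    user: str
    kind: str       # "alert" | "revoke_sessions" | "suspend"
    review_by: datetime
    reason: str
    resolved: bool = False


# Hypothetical identities automation must never suspend on its own: killing
# a backup or log-forwarding service account by mistake is the kind of
# overcorrection that turns a security event into an outage.
PROTECTED = {"svc-backup", "svc-siem-forwarder", "breakglass-admin"}

# severity -> (automated action, how long a human has before it is overdue)
POLICY = {
    "low": ("alert", timedelta(hours=24)),
    "medium": ("revoke_sessions", timedelta(hours=4)),  # forces re-auth, cheap to be wrong
    "high": ("suspend", timedelta(hours=1)),            # reversible, but page immediately
}

NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


class FakeIdp:
    """Stand-in for a real identity provider client; records what would be done."""
    def __init__(self):
        self.calls = []

    def revoke_sessions(self, user): self.calls.append(("revoke_sessions", user))
    def suspend(self, user): self.calls.append(("suspend", user))
    def unsuspend(self, user): self.calls.append(("unsuspend", user))
    def page(self, user, reason): self.calls.append(("page", user))
    def open_incident(self, user, reason): self.calls.append(("open_incident", user))


def decide(finding, now, protected=PROTECTED):
    """Pick the least disruptive action that still cuts access for this severity."""
    if finding.user in protected:
        # Only a human decides here; automation just pages with a short deadline.
        return Action(finding.user, "alert", now + timedelta(minutes=15), finding.reason)
    kind, window = POLICY[finding.severity]
    return Action(finding.user, kind, now + window, finding.reason)


def apply(action, idp):
    """Execute the action and always notify a human; nothing happens silently."""
    if action.kind == "revoke_sessions":
        idp.revoke_sessions(action.user)
    elif action.kind == "suspend":
        idp.suspend(action.user)
    idp.page(action.user, action.reason)
    return action


def review(action, verdict, idp):
    """Human verdict: 'benign' rolls a suspension back, 'malicious' opens full IR."""
    if verdict == "benign" and action.kind == "suspend":
        idp.unsuspend(action.user)
    elif verdict == "malicious":
        idp.open_incident(action.user, action.reason)
    action.resolved = True
    return action


def overdue(actions, now):
    """Holds nobody reviewed in time. Escalate these; never lift them silently,
    because a quietly expiring suspension hands access back to the attacker."""
    return [a for a in actions if not a.resolved and now >= a.review_by]


def run_scenario():
    """Worked scenario: one suspend, one protected account, one session revoke."""
    idp = FakeIdp()
    holds = [
        apply(decide(Finding("alice", "high", "accounting user opened AD admin console"), NOW), idp),
        apply(decide(Finding("svc-backup", "high", "backup account logon from new host"), NOW), idp),
        apply(decide(Finding("bob", "medium", "login from never-seen country"), NOW), idp),
    ]
    overdue_30m = [a.user for a in overdue(holds, NOW + timedelta(minutes=30))]
    review(holds[0], "benign", idp)   # analyst confirms alice's action was legitimate
    overdue_2h = [a.user for a in overdue(holds, NOW + timedelta(hours=2))]
    return {"calls": idp.calls, "overdue_30m": overdue_30m, "overdue_2h": overdue_2h}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

In the scenario, alice is suspended and paged, then unsuspended once an analyst marks the access benign; svc-backup is only paged, never suspended, and becomes the overdue item when nobody picks it up within its short deadline; bob loses his sessions and has to re-authenticate, the cheapest action to be wrong about.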

Moreover, having an incident response plan beforehand and then following it is a must when containing a threat actor, Cisco Talos’ Cadieux emphasizes. “It goes back to the IR plan that they should have developed. There should be a basis for how to do containment, the options based on our people and technology, and how to execute those. And then, of course, the plan should be tested.”

The methods for containing and ejecting the intruders depend on the nature of the breach and response plan, “but the things that you can do technically to block them without them noticing immediately are the best,” Immler says. “Otherwise, if you see sensitive data going out, you have to bring down the hammer and cut them off.”

Incident post-mortems: Improving future responses to accelerating threats

The pace of adversary activity also raises the stakes for post-mortems: every intrusion should feed back into the incident response plan so the next response is faster. Here, sound logging is essential, Immler says.

“That’s where having a good SIEM [security information and event management] system in place is vital for all of your critical systems because you’re going to go through your logs and say, ‘Okay, we identified and contained the attacker. Let’s look at every single system they touched,’” he says.

“Often when we deal with ransomware, for instance, we are dealing with an accelerated threat that’s happening right then, which the bad thing is actually triggering right now,” Cisco Talos’ Cadieux adds. “If root cause analysis or initial point of entry are critical, you must consider how long you retained those logs.”
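As an added example, not from the article or from the vendors quoted, this is the kind of scoping pass a post-mortem runs over SIEM logs: start from the identity known to be compromised, enumerate every host it reached in the window, pivot to any other identity used from those hosts after the attacker got there (lateral movement), and check whether retention still covers the initial point of entry. The events, hostnames and retention figures are constructed.

```python
"""Scoping an intrusion from logon records: every system the attacker touched.

Added example for this article (not Okta's or Cisco Talos's code). Starting
from the identity known to be compromised and the window in which it was
misused, it walks constructed SIEM-style logon events to list every host that
identity reached, pivots to further accounts used from those hosts after the
attacker got there (lateral movement), and checks whether log retention still
covers the initial point of entry. Event shape and hostnames are constructed.
"""
from datetime import datetime, timedelta, timezone


def ts(text):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed events: (time, user, source_host, destination_host, event_type)
EVENTS = [
    (ts("2025-05-30T09:00:00"), "jdoe", "vpn-gw", "ws-1042", "logon"),        # routine, before window
    (ts("2025-06-01T01:05:00"), "jdoe", "vpn-gw", "ws-1042", "logon"),        # first misuse
    (ts("2025-06-01T01:20:00"), "jdoe", "ws-1042", "file-srv-3", "logon"),
    (ts("2025-06-01T01:31:00"), "svc-deploy", "file-srv-3", "db-prod-1", "logon"),  # pivot to 2nd identity
    (ts("2025-06-01T01:45:00"), "jdoe", "ws-1042", "mail-1", "logon"),
    (ts("2025-06-01T02:10:00"), "svc-deploy", "db-prod-1", "backup-1", "logon"),
    (ts("2025-06-01T03:00:00"), "mgarcia", "ws-2000", "file-srv-3", "logon"),  # unrelated user, clean host
]


def scope(events, seed_user, start, end):
    """Fixed-point pivot over the window. Returns (compromised users -> time first
    usable by the attacker, reached hosts -> time first reached, touched events)."""
    in_window = sorted(e for e in events if start <= e[0] <= end)
    users = {seed_user: start}
    reached = {}
    changed = True
    while changed:
        changed = False
        for t, user, src, dst, _ in in_window:
            # a compromised identity logs on somewhere new
            if user in users and t >= users[user] and (dst not in reached or t < reached[dst]):
                reached[dst] = t
                changed = True
            # another identity is used from a host only after the attacker reached it
            if src in reached and t >= reached[src] and user not in users:
                users[user] = t
                changed = True
    touched = [(t, u, s, d) for t, u, s, d, _ in in_window if u in users and t >= users[u]]
    return users, reached, touched


def retention_covers(first_event, now, retention_days):
    """True if logs from the initial point of entry are still available."""
    return now - first_event <= timedelta(days=retention_days)


if __name__ == "__main__":
    users, hosts, touched = scope(EVENTS, "jdoe", ts("2025-06-01T00:00:00"), ts("2025-06-01T06:00:00"))
    for t, u, s, d in touched:
        print(t.isoformat(), u, f"{s} -> {d}")
    print("identities:", sorted(users), "hosts:", sorted(hosts))
    today = ts("2025-07-20T00:00:00")   # post-mortem happening seven weeks later
    for days in (30, 90):
        print(f"{days}-day retention covers initial entry:", retention_covers(touched[0][0], today, days))
```

The pivot rule is time-aware on purpose: an account is only treated as compromised if it was used from a host after the attacker reached that host, so mgarcia's later logon from an untouched workstation stays out of scope. With a 30-day retention policy the evidence for the 1 June initial entry is already gone by the time of a 20 July post-mortem; a 90-day policy still has it.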

After that, CISOs must stay ahead of the curve by following industry trends and staying informed about the latest threat actor characteristics. “You need to look at the newer technologies and ensure that you’re keeping up with them,” Immler advises. “So just because something worked last year or the year before or has served you well for 20 years doesn’t mean that it’s going to keep up with the changing landscape.”
