
Attackers Hit Cloud, Identity and Endpoint in Cross Domain Hits

CrowdStrike report discloses actions of the 'enterprise adversary'.


Cyber-attackers have evolved their tactics, and are focusing on not getting caught by advanced endpoint tools.

In what CrowdStrike are calling ‘the year of the enterprise adversary’, its new 2025 Global Threat Report found that adversaries worldwide are weaponising AI-generated deception, exploiting stolen credentials and increasingly executing cross-domain attacks.

This involves exploiting gaps across endpoint, cloud and identity to bypass security controls and operate undetected in the shadows. 

Cross Domain

Speaking on a press call in advance of the report launch, Adam Meyers, head of counter adversary operations at CrowdStrike, said the concept of cross domain was introduced in the 2024 report, and it refers to multiple targeting of identities, cloud infrastructure and endpoints, “and you need to have cross-domain visibility because you may only see pieces of the intrusion,” he said.

“On the identity side and on the cloud side, and on the endpoint side, if you can see across all three of those domains and also [via] third-party data through things like next-gen SIEM, that really enables you to have effective visibility to look for these intrusions.”

Meyers claimed that this cross-domain visibility is important for spotting attackers, as a lot of organisations “don't think about cloud security as much as they do about enterprise security, and that needs to change,” he said.

“You have to be out there and looking for cross domain attackers. You need to be out there looking for any indication that there's an adversary making access, and as soon as that happens, you need to be able to respond.

“So that really comes down to 24x7 threat hunting, and making sure that you have threat hunters that are out there that are looking for this stuff and not waiting for something to pop up because you know, by the time it pops up, it's too late.”

Malware-Free

Amongst the report’s findings, 79 percent of attacks are now malware-free, while there was a rise in the number of insider threat operations, with 40 percent of adversaries operating under the guise of legitimate employment to gain system access and carry out malicious activity.

Also, unpatched vulnerabilities remain a key target as 52 percent of vulnerabilities observed were related to initial access, reinforcing the critical need to secure entry points before adversaries establish persistence.

Meyers said attackers typically go after the network infrastructure via a vulnerability, and once they're inside of a cloud environment, “they'll bring their own Island as we like to call it, meaning they'll install their own virtual machine, which has all of their tools on it so that they could avoid detection on a system that might be monitored.”

Dan Raywood
Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

