
AI Slashes Attacker Breakout Time to 4 Minutes

Summary

– AI accelerates both cyberattacks and defense, with threat actors using it for automation and reconnaissance while defenders use agentic AI for rapid containment.
– The average breakout time for attacks dropped to 34 minutes in 2025, a 29% decrease from 2024, with the fastest recorded lateral movement taking just four minutes.
– Social engineering, particularly via ClickFix malware, was a leading initial access method, making drive-by-compromise the top technique ahead of phishing.
– Common security failures include insufficient logging, unmanaged devices, insecure VPNs, external exposures, and poor password policies, which enable attackers.
– Defenders are urged to ensure full visibility of devices, continuously manage external attack surfaces, and strengthen identity controls with phishing-resistant access.

The rapid adoption of artificial intelligence is dramatically compressing the timeline of cyberattacks, creating a critical challenge for security teams. A new industry analysis reveals that threat actors are leveraging automation and AI to slash their average breakout time, the period from initial access to lateral movement, to just 34 minutes, a 29% acceleration from the previous year. In the most extreme case observed, an attacker achieved lateral movement in a mere four minutes. This blistering pace is largely fueled by the widespread adoption of these technologies among ransomware groups, with an estimated 80% utilizing automation, AI, or both in their campaigns.

Beyond accelerating execution, AI tools are enhancing the reconnaissance phase of attacks. They can automatically sift through social media profiles, corporate websites, and public data sources to pinpoint high-value targets and generate highly convincing social engineering scripts. This preparatory work contributes to the prevalence of social engineering, which was used in a quarter of all attacks for initial access last year. A specific technique known as ClickFix was responsible for delivering the majority of top malware families, helping to make drive-by compromises the leading initial access method, just ahead of traditional phishing.

Security teams often struggle to keep pace with this new velocity due to several common control failures. These persistent gaps create opportunities for attackers to move swiftly and undetected. The most significant issues include insufficient logging that allows attacks to proceed unnoticed, and unmanaged devices lacking essential endpoint protection or monitoring. Insecure virtual private networks without multi-factor authentication or device certificates enable the easy exploitation of stolen credentials, while external exposures on internet-facing devices provide direct entry points. Procedural weaknesses at organizational helpdesks make companies vulnerable to social engineering, and poor password policies, featuring weak, reused, or infrequently changed credentials, facilitate rapid privileged access and lateral movement. Furthermore, overprivileged and misconfigured cloud accounts grant attackers extensive access to these critical environments.
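The breakout-time metric the report quotes is just the gap between the first logged initial-access event and the first logged lateral-movement event for the same identity. As an added illustration (not from the article or the underlying report), the snippet below computes that gap from constructed telemetry, flags sessions faster than the 34-minute average, and shows what the "insufficient logging" gap looks like in practice: an unmanaged host that ships no logs yields a breakout time that cannot be measured at all. Account names, hosts and timestamps are all made up.

```python
# Measures breakout time (initial access -> first lateral movement) from
# identity/host telemetry and flags sessions faster than the 34-minute average
# the article quotes. All events below are constructed for this example.
from datetime import datetime

# Constructed telemetry: (ISO timestamp, account, source, destination, kind).
SAMPLE_EVENTS = [
    ("2025-03-04T09:00:00", "svc-backup", "203.0.113.7", "vpn-gw-01", "initial_access"),
    ("2025-03-04T09:03:50", "svc-backup", "vpn-gw-01", "fileshare-02", "lateral_movement"),
    ("2025-03-04T09:20:00", "svc-backup", "fileshare-02", "dc-01", "lateral_movement"),
    ("2025-03-04T10:00:00", "alice", "10.0.5.21", "vpn-gw-01", "initial_access"),
    ("2025-03-04T11:30:00", "alice", "vpn-gw-01", "wiki-01", "lateral_movement"),
    # Unmanaged endpoint: the VPN logs the login, but the host ships no logs,
    # so any lateral movement from it never reaches the SOC.
    ("2025-03-04T12:00:00", "bob", "198.51.100.9", "vpn-gw-01", "initial_access"),
]

REPORTED_AVERAGE_MINUTES = 34  # average breakout time quoted in the article

def breakout_times(events):
    """Map each account to seconds from first initial_access to first
    lateral_movement; None when no lateral movement was ever logged (the
    'insufficient logging' gap: the breakout cannot be measured at all)."""
    first_access, first_lateral = {}, {}
    for ts, account, _src, _dst, kind in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        if kind == "initial_access":
            first_access.setdefault(account, when)
        elif kind == "lateral_movement" and account in first_access:
            first_lateral.setdefault(account, when)
    return {
        acct: (first_lateral[acct] - start).total_seconds() if acct in first_lateral else None
        for acct, start in first_access.items()
    }

def fast_breakouts(events, threshold_minutes=REPORTED_AVERAGE_MINUTES):
    """Accounts that moved laterally in under the threshold, fastest first."""
    secs = {a: s for a, s in breakout_times(events).items() if s is not None}
    hits = [a for a, s in secs.items() if s < threshold_minutes * 60]
    return sorted(hits, key=secs.get)

def unmeasurable(events):
    """Accounts with initial access but no lateral-movement telemetry at all."""
    return sorted(a for a, s in breakout_times(events).items() if s is None)

if __name__ == "__main__":
    for acct, secs in breakout_times(SAMPLE_EVENTS).items():
        print(acct, "unmeasurable (no logs)" if secs is None else f"{secs / 60:.1f} min")
    print("faster than reported average:", fast_breakouts(SAMPLE_EVENTS))
```

Feeding this the same event stream with endpoint logging switched on for the unmanaged host would turn the `None` into a number; until then the SOC has no way to know whether that session beat the four-minute record or never moved at all.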

While AI empowers attackers, it also offers a powerful countermeasure for defenders. Security professionals emphasize that the same technologies changing the offensive game can be harnessed for defense. Agentic AI systems can analyze vast datasets of threat intelligence, adapt findings to a specific organization’s environment, and proactively close security gaps before an attack occurs. This capability enables a shift from reactive to predictive security. In practice, defenders using such AI can contain threats in an average of four minutes, a speed needed to keep pace with the observed breakout times. Manual response processes, which average 16 hours without automation, simply cannot compete in this new landscape.

To build an effective defense, organizations must prioritize comprehensive visibility. This means ensuring all devices and access paths, especially edge devices, are visible to security operations teams. Continuous risk management across the external attack surface is also crucial, requiring a maintained, current inventory of assets and the prompt remediation of any new exposures. Finally, strengthening identity controls is non-negotiable. Key measures include implementing high-assurance verification for helpdesk resets, minimizing standing privileges, and enforcing phishing-resistant methods for all privileged access.

(Source: InfoSecurity Magazine)
