Learning from the Shadows: Key Insights from the Red Canary 2025 Threat Detection Report for Breached Companies
Welcome back to the Breached.Company blog. We understand firsthand the disruption and concern that a security incident can bring. As we navigate the ever-evolving threat landscape, it's crucial to not only recover but also to learn and adapt our defenses. That's why we've delved into Red Canary's recently released 2025 Threat Detection Report, a comprehensive analysis of nearly 93,000 confirmed threats detected across their customers' environments in 2024. This report offers valuable insights into the tactics, techniques, and procedures (TTPs) that adversaries are actively using, providing crucial lessons for any organization, especially those who have experienced a breach.
Here are the major trends highlighted in the report and their critical implications for us at Breached.Company:
1. Ransomware: A Persistent and Evolving Threat
Despite law enforcement efforts, ransomware continues to be a highly profitable business for criminals, with increasingly sophisticated operations and demands for higher payouts. Red Canary's analysis focused on the early stages of ransomware intrusions, the "ransomware precursors" such as initial access, reconnaissance, lateral movement, and command and control. While no specific ransomware group topped their threat list, likely due to their focus on early detection, the report identifies several common precursors like Impacket, SocGholish, HijackLoader, Mimikatz, Gootloader, and NetSupport Manager.
- Implication for Breached.Company: Understanding these precursors is vital. Our past breach may have involved one or more of these tools or techniques in its early stages. Focusing our detection efforts on identifying such activity early on is crucial to preventing future ransomware incidents. We must enhance our endpoint visibility, meticulously monitor the usage of administrative tools, and educate our employees about social engineering tactics used in initial access.
2. Initial Access Tradecraft: Tricking the Unsuspecting
Adversaries in 2024 demonstrated a diverse and evolving toolkit for gaining initial access. This included the rise of "paste and run" techniques using fake CAPTCHA lures, fake browser updates, SEO poisoning, malvertising, and various phishing methods like email, QR codes, SMS, and voice calls. Notably, VPNs were also leveraged as an initial access vector, often through password spraying attacks targeting accounts without MFA. Exploitation of vulnerabilities in software like ScreenConnect and Fortinet also remained a significant entry point.
- Implication for Breached.Company: Our initial access controls need a significant review. The success of "paste and run" highlights the importance of user education on suspicious prompts and the dangers of blindly executing commands. We must reinforce training on identifying phishing attempts across all communication channels. Furthermore, securing our perimeter, especially VPN infrastructure, with strong passwords and multi-factor authentication (MFA) is non-negotiable. Timely patching of vulnerabilities, especially in internet-facing devices, is also paramount.
3. Identity Attacks: The Keys to the Kingdom
Red Canary observed a dramatic fourfold increase in identity threats in 2024, attributed to expanded visibility into cloud and identity infrastructure. Cloud-native techniques related to identity, such as "Cloud Accounts" and "Email Forwarding Rule," were prominent. Adversaries prioritize compromising identities to gain broad access to various applications and systems. Common attack vectors include phishing, malware (especially stealers), session hijacking, vulnerability exploitation, credential stuffing, password spraying, data leaks, and man-in-the-middle (MitM) attacks, often with the goal of bypassing MFA.
- Implication for Breached.Company: Our breach likely involved compromised credentials. We must adopt a zero-trust approach that centers on verifying every access attempt. Enforcing strong MFA on all accounts, implementing conditional access policies, utilizing short-lived access tokens, and actively monitoring for suspicious login attempts are critical. We should also consider the potential for MFA circumvention techniques and implement safeguards against them.
4. Stealer Malware: Harvesting Credentials at Scale
The report highlights a rise in stealer malware targeting both Windows and macOS. These stealers are designed to opportunistically gather credentials and other sensitive data from web browsers, applications, and cryptocurrency wallets. LummaC2 emerged as the most prevalent stealer in 2024, often distributed through "paste and run" campaigns. macOS also saw a significant increase in stealer activity, with families like Atomic, Poseidon, and Banshee leveraging AppleScript. Adversaries quickly adapt stealers to bypass security measures like browser encryption.
- Implication for Breached.Company: Stealers could have played a role in our breach by exfiltrating credentials. We need to strengthen our endpoint security controls on both Windows and macOS systems to detect and prevent stealer infections. Educating users about safe software sources and the risks of executing untrusted scripts is crucial. We must also have a robust incident response plan in place to identify and contain stealer infections, including steps to reset potentially compromised credentials.
5. Insider Threats: A Growing Concern
The Red Canary report highlights the increasing prominence of insider threats, particularly those potentially linked to state-sponsored actors like North Korea, who may infiltrate organizations for financial gain or other malicious purposes. These actors may use unusual VPN connections and remote access tools (RATs) to maintain access.
- Implication for Breached.Company: While our past incident may not have been an insider threat, it's a risk we must be aware of. We should strengthen our employee vetting processes, implement policies regulating the use of VPNs and RMM tools, and monitor for unusual activity patterns, including logins from unexpected locations or the use of unsanctioned software.
6. VPN Abuse: Masking Malicious Activity
Adversaries consistently abuse Virtual Private Networks (VPNs) to conceal their origin and bypass location-based security controls. Popular consumer VPN services like Private Internet Access, CyberGhost, ExpressVPN, and NordVPN were commonly observed in threat activity targeting email systems. However, the report also notes the prevalence of legitimate VPN usage.
- Implication for Breached.Company: Our incident may have involved an attacker using a VPN to hide their tracks. We need to develop clear policies regarding VPN usage within our organization. Implementing technical controls to limit unsanctioned VPN use, such as IP and ASN allowlisting, and building behavioral baselines to detect anomalous VPN connections are essential steps.
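To make the VPN controls discussed above concrete, here is a small detector written for this post (example code, not from Red Canary or the report) that runs over constructed VPN authentication records. It flags the password-spray pattern against VPN accounts described in section 2 and successful logins from ASNs that are neither allowlisted nor part of a user's historical baseline; every user name, IP, ASN and baseline value below is a constructed placeholder.

```python
from collections import defaultdict

# Constructed sample records (not real log data). Each entry is
# (user, src_ip, src_asn, asn_label, result) as a log parser might emit them.
SAMPLE_LOGS = [
    ("alice", "203.0.113.10", 64500, "corp-isp", "success"),
    ("bob", "203.0.113.11", 64500, "corp-isp", "success"),
    # one source trying many accounts once each: the spray pattern
    ("alice", "198.51.100.7", 64501, "consumer-vpn-a", "failure"),
    ("bob", "198.51.100.7", 64501, "consumer-vpn-a", "failure"),
    ("carol", "198.51.100.7", 64501, "consumer-vpn-a", "failure"),
    ("dave", "198.51.100.7", 64501, "consumer-vpn-a", "failure"),
    ("erin", "198.51.100.7", 64501, "consumer-vpn-a", "failure"),
    # a successful login from an ASN never seen for this user and not allowlisted
    ("carol", "198.51.100.9", 64501, "consumer-vpn-a", "success"),
    # a user mistyping a password from the usual corporate ISP: benign noise
    ("bob", "203.0.113.11", 64500, "corp-isp", "failure"),
]

# ASNs the organization sanctions for VPN access (constructed placeholder).
ALLOWED_ASNS = {64500}
# Per-user baseline of ASNs seen in past successful logins (constructed).
BASELINE = {"alice": {64500}, "bob": {64500}, "carol": {64500}}


def detect_password_spray(records, min_users=5):
    """Return {src_ip: sorted users} for sources whose failed logins touched
    at least `min_users` distinct accounts (few tries each, many targets)."""
    failed_users = defaultdict(set)
    for user, src_ip, _asn, _label, result in records:
        if result == "failure":
            failed_users[src_ip].add(user)
    return {ip: sorted(users) for ip, users in failed_users.items()
            if len(users) >= min_users}


def detect_unsanctioned_vpn_logins(records, allowed_asns, baseline):
    """Return successful logins whose source ASN is neither allowlisted nor
    part of that user's historical baseline (a new ASN for the user)."""
    hits = []
    for user, src_ip, asn, label, result in records:
        if result != "success" or asn in allowed_asns:
            continue
        if asn not in baseline.get(user, set()):
            hits.append((user, src_ip, asn, label))
    return hits


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SAMPLE_LOGS))
    print("unsanctioned VPN logins:",
          detect_unsanctioned_vpn_logins(SAMPLE_LOGS, ALLOWED_ASNS, BASELINE))
```

In production the ASN would come from an enrichment lookup on the source IP and the baseline from a rolling window of prior successful logins, with the spray threshold tuned to the size of the user population.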
7. Cloud Attacks: Targeting Digital Infrastructure
Cloud attacks continued their upward trend in 2024, with most originating from compromised identities and misconfigurations. Common techniques include impairing defenses by disabling firewalls and logging, account manipulation for privilege escalation, and credential theft. The report also highlights the emerging threat of cloud service hijacking, including the potential for "LLMJacking" of large language models.
- Implication for Breached.Company: As we increasingly rely on cloud services, securing our cloud environment is paramount. We must prioritize strong identity and access management in the cloud, implement the principle of least privilege, enforce MFA, and regularly audit our cloud configurations to identify and rectify any misconfigurations. Monitoring for anomalous activity and establishing deny policies for unused cloud services are also crucial to prevent service hijacking.
Key Takeaways for Breached.Company:
- Early Detection is Paramount: The Red Canary report underscores the importance of detecting threats in their early stages. Our security strategy must shift beyond mere prevention to focus on robust detection capabilities across all layers of our infrastructure.
- Identity Security is the New Perimeter: With the rise in identity attacks and cloud adoption, securing our identities is more critical than ever. Strong authentication, access controls, and continuous monitoring are essential.
- User Education Remains a Crucial Defense: Many attack vectors rely on tricking users. Ongoing security awareness training on the latest social engineering tactics is a vital layer of defense.
- Visibility is Key: Comprehensive visibility across our endpoints, networks, identities, and cloud environments is essential for effective threat detection and response.
- Stay Vigilant and Adapt: The threat landscape is constantly evolving. We must continuously monitor for new threats and adapt our security strategies accordingly.
The insights from the Red Canary 2025 Threat Detection Report provide valuable lessons for Breached.Company as we work to strengthen our security posture following our incident. By focusing on early detection, robust identity security, user education, and continuous vigilance, we can learn from the shadows and build a more resilient defense against future threats.