• Home
  • /Learn
  • /Threat Actors are Becoming Smarter and Moving Faster
background image


Threat Actors are Becoming Smarter and Moving Faster


The Crowdstrike 2021 Threat Hunting Report makes some interesting revelations about threat actors:

  • Between July 2020 and June 2021, intrusion activity increased by 60%

  • 68% of intrusion detections were “malware-free,” indicating that malware is no longer the only weapon of choice for threat actors

  • eCrime now constitutes 75% of intrusions

But the most worrying revelation is that threat actors are moving faster than ever before. These adversaries can now move laterally inside a target environment within just 92 minutes of gaining access.

Here’s why this is a problem, and here’s what organizations can do about it.

Threat Actors Rising to New Heights

The capabilities of threat actors are rising to new heights, particularly if measured by breakout time. Breakout time refers to the time taken by adversaries to move laterally through a victim environment from initial access to a point where they can infect other hosts.

According to Crowdstrike, in the June 2020 – July 2021 period, the average breakout time was just 1 hour and 32 minutes. In 2018, Crowdstrike estimated that the breakout time was 1 hour, 58 minutes. Simply put, in 2021, threat actors take 26 minutes less to move laterally through a network than they did in 2018. And if that weren’t enough, in 36% of detected intrusions, they were able to move laterally in less than 30 minutes and start causing serious damage.

Real-world Implications of Reduced Breakout Time

After adversaries break into the environment, for example, through spear-phishing or some kind of strategic web compromise, they may be able to penetrate deeper into the network and ultimately compromise other systems. They may perform reconnaissance and remain within the network for days, weeks, or months or scope out targets for data exfiltration or some other malicious purpose.

Now, the entire process from initial compromise to lateral movement takes only 92 minutes. The affected organization must detect and respond to the intruder within this small and critical time window. If it fails, the probability of a catastrophic data loss or serious asset compromise goes up exponentially. That’s why speed is so vital in identifying and containing a threat actor and stopping a breach before it spreads through the network.

Key Drivers of Reduced Breakout Time

One key factor responsible for bringing down the average breakout time is Ransomware-as-a-Service (RaaS) ‘s increasing ubiquity. RaaS providers are threat actors producing automated and expertly coded “ransomware toolkits” that they sell on the Dark Web. Other threat actors buy a “subscription” to these toolkits to execute sophisticated cyber attacks. They often succeed even if they’re not technically proficient or coding experts because the toolkit provides everything they need to distribute ransomware and claim victims. RaaS makes it easy to launch ransomware attacks and automate lateral movement, driving the drop in breakout time.

The growing importance of access brokers is another problem. Access brokers like PROPHET SPIDER specialize in breaching networks and sell that access to other threat actors to help them stage their intrusion campaigns and quickly move through a victim network.

Finally, attackers are growing bolder and more capable due to cryptocurrency.  Attackers prefer ransom payments in cryptocurrency because it provides anonymity and gives them greater confidence to move laterally across a network.

A Race Against Time

As the cyberthreat landscape expands, threat actors will likely move laterally across networks even faster. That’s why security teams must proactively and continuously look for threats in their enterprise environments. They must also act quickly to contain and remediate threats before a threat actor can do serious damage.

Penetration testing is one of the best ways to take a proactive stance against threat actors. By “thinking like a hacker,” a pen tester can find gaps in an organization’s cybersecurity posture and provide remediation recommendations to keep threat actors out of the network.


The penetration testing services from Packetlabs can help enterprises find security weaknesses that vulnerability scanners and other automated tools frequently overlook. Our highly skilled pen testers evaluate the security of IT systems through simulated cyber attacks. They proactively find weaknesses, perform root cause analyses, and deliver detailed prescriptive recommendations to strengthen security defences. Click here for a free, no-obligation quote.