CrowdStrike Says Attackers Are Moving Through Networks in Under 30 Minutes (cyberscoop.com)
An anonymous reader shares a report: Cyberattacks reached victims faster and came from a wider range of threat groups than ever last year, CrowdStrike said in its annual global threat report released Tuesday, adding that cybercriminals and nation-states increasingly relied on predictable tactics to evade detection by exploiting trusted systems.
The average breakout time -- how long it took financially-motivated attackers to move from initial intrusion to other network systems -- dropped to 29 minutes in 2025, a 65% increase in speed from the year prior. "The fastest breakout time a year ago was 51 seconds. This year it's 27 seconds," Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop. Defenders are falling behind because attackers are refining their techniques, using social engineering to access high-privilege systems faster and move through victims' cloud infrastructure undetected.
"Adversary" (Score:3)
Re: (Score:3)
An attacker that can pivot or move laterally within 27 seconds of initial breach is a rather "idealized opponent with certain well-defined capabilities".
So, there's that.
I refer to rage against the acronym LOLBins. They're just stupidererer.
Re: (Score:2)
Yeah but it sounds cooler, so...
Re: (Score:2)
Says you. https://csrc.nist.gov/glossary... [nist.gov]
Re: (Score:2)
I expect some state-run outfits have complained about being called "attackers". Same thing with backdoors.
Re: (Score:2)
It makes your customer feel better that way, and gets better headlines.
Re: (Score:2)
It's irritating to me that the word "adversary" has started being used to mean "attacker". They are not the same thing. An adversary is an idealized opponent with certain well-defined capabilities often seen in cryptographic proofs or threat models. It's not the same as an attacker, which is a concrete person, or group of persons, having attacked a system or is currently in the process of doing so.
Interesting. I've been working in computer security for nearly 30 years, and your post is the first time I ever heard someone assign different meanings to the two words.
we finally found (Score:2)
A use case for LLMs
Re: (Score:2)
Indeed. Although this has been expected for a while. Time to build actually secure systems and throw out the current mainstream crap.
Oh No! (Score:2)
What should we do? Should we secure our systems?
No! Buy CrowdStrike, instead.
NGL, the product is top notch.
Re: (Score:2)
I've never understood the appeal of a self-updating cloud-connected system that has more access to your systems than you do. I mean, I do as I'm told, and I know that crowdstrike at its worst is still better than most of the alternatives, but still.
Re: (Score:2)
I'm just waiting for the day that Crowdstrike is compromised and is used as an attack vector.
Until then Crowdstrike is one of the resource hogs that slows down your computer.
Re: (Score:2)
It's an inevitability, just like someone fat-fingering something that wipes out all customer-owned data at a major cloud provider. Fortunately, every single nation state has their own people on the inside protecting their access to all the great intelligence sources of the world, so it's going to take a while.
Re: (Score:2)
I understand them. I understand that regardless of how good I think I (or indeed any end user that isn't part of a larger dedicated security department) is, security is a cat and mouse game, and managing it manually will always put you on the back foot compared to criminals.
The question isn't "what is the appeal of doing X" it's "what is the risk of not doing X".
Re: (Score:2)
Everything adds a vulnerability, that's the nature of more code. Again it's a cost benefit analysis. Putting passwords on a system adds just another layer for something to go wrong, such as a user to lock themselves out. But is that worse than not having passwords and anyone being able to lock you out?
Just like what I said above only differently, the question isn't whether there's a vulnerability introduced, the question is whether that vulnerability is easier or harder to exploit than not having the softwa
Re: (Score:2)
Until they render your computer unbootable anyway
Re:Oh No! (Score:5, Funny)
Hey! nobody hacked those computers while they were unable to boot!
Re: (Score:2)
Hey! nobody hacked those computers while they were unable to boot!
That's what they want you to believe.
They all envy crowdstrike (Score:2)
They all envy Crowdstrike for their global complete-DoS capabilities eehhh special features! ;)
Still slower than Crowdstrike itself (Score:3)
when Crowdstrike pushed their shi***y update in Jul 2024, they took down my company's network a whole lot quicker than 1/2 hour and there wasn't a ****ing thing we could do
Re: (Score:1)
You know what hurts more? Ransomware.
Honestly? People need to fuck off with the bashing of the next-gen AVs like Crowdstrike and S1. No good comes from this. It's a matter of WHEN you'll be compromised and not IF. These products help minimize the damage as one of the many layers of security that everyone needs. Yes Crowdstrike hosed a lot of companies in 2024 but then so has Microsoft, AWS, Cloudflare, Solarwinds, etc.
Bitch and moan all you want. The most recent company I've seen get hit was a compa
Re: (Score:1)
Painful, but nowhere near as painful or long as a ransomware recovery across 15k systems and 20 sites. Given the track record, there is a lot better chance on a given day of an org being a target of ransomware threat actors, or others, out there throwing their net out, trying to get you, than CrowdStrike letting through something that will take your systems down for two weeks.
There were several orgs I responded to last year where they ended up pulling off Falcon on all or some of their systems after being upse
Re: (Score:1)
Because I've been handling ransomware (and pre-ransomware) incidents on a daily basis for years now and have developed a pretty good sense of which tools and controls are actually effective at preventing effective ransomware deployment/mitigating risk.
Their market dominance will kill us all (Score:3)
I work with many large companies who run crowdstrike. When I ask their IT folks how it works - or even how it is configured - I get blank stares back. Presumably someone knows how to configure it, but that someone is never the person I get to interact with. If I'm doing an installation and just need to connect a USB drive to a new PC it can take hours just to get permission to do so. If I install our software first (before connecting the new PC to their network at all) and then they install crowdstrike, crowdstrike can render the PC completely unusable without warning - leaving us no choice but to nuke the PC and start over from the OS installation. If they install crowdstrike first it might lock out so many ports and services on the PC that I won't be able to install our hardware and software at all.
Again, virtually nobody on the IT staff knows how to handle the issues. I'll spend hours at the keyboard with them, with them using various admin accounts, and we won't get anywhere. And there is no way to predict which setups will go sideways with crowdstrike installed first versus which will go sideways if it is installed later.
One important thing I have learned - crowdstrike updates and policies are far, far from instantaneous. IT will install them and it may be an hour or more for everything to take effect as the updates and policies come down from the server. Something that works at 2:30pm might suddenly be irreversibly broken at 2:40pm, without warning.
This is not how IT security should work.