Some thoughts on CrowdStrike’s Global Threat Report 2025

CrowdStrike published its Global Threat Report in February 2025. We have been reading it carefully over the past month. First off, many thanks to CrowdStrike for assembling this data and designing such a well-presented report. The report is rich in details and examples; we took a lot of notes based on what CrowdStrike has seen during 2024. 

Highlights:

  • CrowdStrike writes about threat actors using AI, something we have highlighted too. Key points made by CrowdStrike on the use of AI: threat actors are increasing their productivity by using AI, threat actors are “early and avid adopters” of generative AI, and it’s still early days for the weaponization of AI in malicious attacks (we don’t yet know how far it will go). CrowdStrike’s conclusion is clear though: all the evidence points to threat actors making greater use of generative AI in 2025 in multiple types of threat campaigns, e.g., social engineering, network intrusion, insider threat, and election interference.
  • The report is rich in details on the cyber threat and espionage activities of nation-state and nation-aligned actors (e.g., North Korea, China). For what CrowdStrike refers to as China-nexus adversaries, 2024 was a year in which “operations matured in capability and capacity” and involved “increasingly bold targeting, stealthier tactics, and specialized operations.” CrowdStrike tracked significant growth in intrusions from China-nexus adversaries in 2024 across all sectors, along with efforts by adversaries to obfuscate their threat operations. From an Osterman Research perspective, if there was ever a time when other nations needed at least top-level defensive programs and government agencies taking point on responding to cyber activities, now is it. In this regard, the current political games around CISA are undermining national security and cybersecurity within the United States.
  • Email security is a significant research area at Osterman Research. CrowdStrike asserts that threat actors are moving away from phishing to alternative access methods for gaining a foothold into networks, with a particular emphasis on social engineering with phone calls, including callback phishing and help desk social engineering attacks. Yes, we agree that there is growth in the second, but whether that’s at the expense of the first or in combination with the first is unclear. We’d agree that threat actors are increasingly using multi-stage phishing attacks that use some combination of email, phone interaction, and an attempt to shift interactions to other less-secured apps rather than phishing by email alone.
  • The report profiles the efforts of North Korea-nexus adversaries at infiltrating organizations with IT workers. This offers access to sensitive data and system privileges for malicious purposes, as well as the salary. IT workers from North Korea that infiltrate organizations set up means of retaining access to cloud and IT resources even if their employment is terminated.
  • The threat of identity compromise is a theme in the report, with CrowdStrike indicating that attacks leveraging compromised identities are “among the most effective entry methods” and the primary initial vector for one third of all cloud incidents in 1H 2024. On page 23, CrowdStrike talks about a malvertising campaign linked with identity security compromise. You won’t get disagreement from us on the threat of compromised identity. See our recent research on MFA for our 2024 contribution to strengthening identity security. We will be extending this in 2025, as there is more to be done. 
  • The section on exploiting vulnerabilities (starts page 34) talks about exploit chaining, among other approaches used by threat actors. The report raises a fundamental implication of exploit chaining for how organizations prioritize patches. Since defenders often analyze vulnerabilities in isolation based on their individual characteristics, decisions on which ones to patch and on what cadence ignore the calculus of chaining. CrowdStrike gives the example of pre-authentication vulnerabilities being patched faster than post-authentication vulnerabilities, with the latter sometimes ignored altogether. That is good news for threat actors who look at vulnerabilities more holistically: the unpatched post-auth backlog is just waiting for the right conditions.
  • Also from a vulnerabilities perspective, we often see patching at a slower cadence than threat actors’ exploitation activities. CrowdStrike gives an example of this on page 39, where early exploitation activity for three vulnerabilities was detected just 24 hours after a technical blog was published providing exploitation guidance.
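As an added illustration of the chaining calculus discussed above (our own example, not code from CrowdStrike’s report): a small chain-aware exposure model over a constructed inventory of hypothetical vulnerabilities, showing how one unpatched pre-auth bug makes the post-auth backlog reachable from outside, and how the labels change once that single bug is patched.

```python
from collections import deque

# Privilege ladder for one host; "none" means exploitable pre-authentication.
LEVELS = {"none": 0, "user": 1, "admin": 2, "root": 3}

# Constructed sample inventory for a single internet-facing host (hypothetical
# identifiers, not real CVEs): one pre-auth foothold left unpatched, two
# post-auth privilege escalations in the backlog, one pre-auth bug already fixed.
SAMPLE = [
    {"id": "VULN-A", "requires": "none",  "grants": "user",  "patched": False},
    {"id": "VULN-B", "requires": "user",  "grants": "admin", "patched": False},
    {"id": "VULN-C", "requires": "admin", "grants": "root",  "patched": False},
    {"id": "VULN-D", "requires": "none",  "grants": "admin", "patched": True},
]

def reachable_chains(vulns, start="none"):
    """Breadth-first search over privilege levels; a transition is any unpatched
    vuln whose precondition is met at the current level. Returns {id: chain}
    for every vuln an attacker starting at `start` can actually reach."""
    chains, seen, queue = {}, {start}, deque([(start, [])])
    while queue:
        level, path = queue.popleft()
        for v in vulns:
            if v["patched"] or v["id"] in chains:
                continue
            if LEVELS[v["requires"]] <= LEVELS[level]:
                chains[v["id"]] = path + [v["id"]]
                gained = max(level, v["grants"], key=LEVELS.get)
                if gained not in seen:
                    seen.add(gained)
                    queue.append((gained, path + [v["id"]]))
    return chains

def effective_exposure(vulns, start="none"):
    """Label each unpatched vuln by how it is reachable from `start`. A
    chain-aware patch queue sorts on this label, not on the vuln's own
    authentication requirement viewed in isolation."""
    chains = reachable_chains(vulns, start)
    labels = {}
    for v in vulns:
        if v["patched"]:
            continue
        chain = chains.get(v["id"])
        if chain is None:
            labels[v["id"]] = "unreachable from '%s' (no unpatched path)" % start
        elif len(chain) == 1:
            labels[v["id"]] = "directly exploitable from '%s'" % start
        else:
            labels[v["id"]] = "chained: " + " -> ".join(chain)
    return labels
```

Calling effective_exposure(SAMPLE, start="user") models an attacker who already holds valid credentials, the compromised-identity entry point the report also highlights; from that starting point the pre-auth bug no longer matters and the post-auth backlog is directly exposed.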

In conclusion, the report is excellent. It is replete with rich details. It will, mind you, take a while to read and digest fully.

What’s missing from CrowdStrike’s report?

The report is missing a major threat section and a specific cybersecurity incident. The missing section would be titled “Supply chain cybersecurity risks” and the incident the one that CrowdStrike inadvertently unleashed on the world on July 19, 2024. The fallout from that incident caused disruption to some 8.5 million computers, bringing entire companies to a halt, including banks and airlines. The direct financial costs of the incident were estimated at $5.4 billion, not including the indirect and consequential costs of lost productivity and reputational damages. Organizations need protections in place against the threats and risks that CrowdStrike so well covers in its report, but at the same time, protections against single-point-of-failure incidents that disrupt business operations around the globe.
