Threat Hunting in 2025

According to CrowdStrike's 2025 Threat Hunting Report, 81% of intrusions were malware-free.  That confirms that attackers aren't dropping files anymore; they are logging in.  That's a big change in Tactics, Techniques, and Procedures for 2025.

In 2025, threat hunting is evolving to address increasingly sophisticated adversaries who are moving away from traditional malware-based attacks.  Instead, attackers are leveraging legitimate credentials to gain access and remain undetected, making identity protection a critical priority.  Security teams must now focus on behavioral analysis, monitoring for anomalous account activities, and implementing advanced authentication methods to detect and prevent these stealthy intrusions.

Malware-free intrusions refer to cyber-attacks where adversaries do not use traditional malicious software to breach systems.  Instead, they exploit valid user credentials to log in, bypassing many legacy security controls that focus on detecting malware.  This technique allows attackers to blend in with regular user activity, making it harder for security teams to spot unauthorized access.  As a result, organizations must shift their focus from solely detecting malware to monitoring suspicious account behaviors and strengthening identity protection measures.
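As an added example (not from the article or the CrowdStrike report), here is a small Python hunt over constructed authentication events that applies two behavioural checks the article calls for: a successful login from a location the account has never used, and two successful logins from different countries too close together to be the same person. All usernames, countries and ASNs are made up.

```python
"""Hunt for anomalous successful logins without relying on malware signatures.

Checks applied to each successful login:
  1. first-seen-location: the (country, ASN) pair was never used by this
     account during the baseline window;
  2. impossible-travel: the previous successful login for this account came
     from a different country less than `min_travel` ago.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical users and networks); UTC timestamps.
EVENTS = [
    {"ts": "2025-08-01T08:02:00", "user": "alice", "result": "success", "country": "US", "asn": "AS7922"},
    {"ts": "2025-08-01T08:40:00", "user": "bob",   "result": "success", "country": "US", "asn": "AS7018"},
    {"ts": "2025-08-02T09:10:00", "user": "alice", "result": "success", "country": "US", "asn": "AS7922"},
    {"ts": "2025-08-03T09:15:00", "user": "alice", "result": "failure", "country": "RU", "asn": "AS12389"},
    {"ts": "2025-08-03T09:16:00", "user": "alice", "result": "success", "country": "RU", "asn": "AS12389"},
    {"ts": "2025-08-03T09:45:00", "user": "alice", "result": "success", "country": "US", "asn": "AS7922"},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def hunt_logins(events, baseline_until, min_travel=timedelta(hours=4)):
    """Return a list of (rule, user, timestamp) findings.

    Successful logins at or before `baseline_until` build each account's
    known (country, asn) set; later successful logins are checked against it.
    Impossible travel is evaluated for every successful login.
    """
    baseline = defaultdict(set)
    last_success = {}          # user -> (datetime, country) of previous success
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue           # failures are noise for these two rules
        ts = parse_ts(ev["ts"])
        user, loc = ev["user"], (ev["country"], ev["asn"])
        if ts <= baseline_until:
            baseline[user].add(loc)
        elif loc not in baseline[user]:
            findings.append(("first-seen-location", user, ev["ts"]))
        prev = last_success.get(user)
        if prev and prev[1] != ev["country"] and ts - prev[0] < min_travel:
            findings.append(("impossible-travel", user, ev["ts"]))
        last_success[user] = (ts, ev["country"])
    return findings

if __name__ == "__main__":
    for finding in hunt_logins(EVENTS, parse_ts("2025-08-02T23:59:59")):
        print(*finding)
```

In a real deployment the baseline would come from weeks of identity-provider logs and the findings would feed a triage queue, not a print loop.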

If adversaries are shifting tactics, we all need to pivot our defenses.  It's less about catching malware and more about stopping identity-based attacks.

Here are the two big takeaways every organization should pay attention to:

  • Roll out strong MFA everywhere (preferably FIDO2 like YubiKeys).

    YubiKeys are hardware-based authentication devices that provide strong protection against identity-based attacks. By requiring physical possession of the key in addition to a password, YubiKeys help prevent unauthorized access even if credentials are compromised.  They support modern authentication standards like FIDO2 and are resistant to phishing, making them an effective choice for organizations seeking to enhance security through robust multi-factor authentication.

    FIDO2 is an open authentication standard designed to enable passwordless login and enhance security by using cryptographic credentials instead of traditional passwords. It allows users to authenticate using devices such as security keys or built-in platform authenticators, which require a physical action (like tapping a YubiKey or using a fingerprint) to complete the login process.  This approach significantly reduces the risk of phishing and credential theft, making it especially valuable for organizations focused on stopping identity-based attacks.

  • Double-check that web browsers like Google Chrome are properly configured (Chrome Settings -> Privacy and Security -> Go to Safety Check).

The full CrowdStrike report can be found here: https://lnkd.in/epBAvDKw

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122
