The annual Verizon Data Breach Investigations Report (DBIR) reveals changing threat actor tactics

By Andy Swift, Cyber Security Assurance Technical Director at Six Degrees

The recent publication of Verizon’s 2025 Data Breach Investigations Report (DBIR) has revealed a fascinating shift in cyber-attack strategies, with analysis of over 22,000 real-world security incidents examined in a comprehensive 117-page study. Six Degrees contributed to the report, lending our qualitative and quantitative insights to support education and awareness around the rapidly changing threat landscape.

Among the various headlines from the past 12 months is the growing prevalence of vulnerability exploitation, which has overtaken phishing as the leading method of initial network access.

Indeed, over the last year, there was a 34% rise in attackers gaining initial access to networks via this route, with services and devices targeted at the network borders, often via recently released n-day exploits, rather than relying on more traditional social engineering methods. The overall rate of phishing-based breaches has stayed largely stable, and although it continues to be widely used, it is no longer as dominant as it once was. In contrast, vulnerability exploitation has the potential to deliver faster, more reliable results with fewer steps.

The report also revealed a 22% increase in attacks targeting perimeter devices specifically, including VPN gateways and firewalls, up from just 3% the year before. Although phishing remains a consistent tactic for many groups, it’s interesting to note that its popularity is seemingly beginning to decline slightly in favour of more efficient methods.

A rise in advanced tactics, such as authentication token theft, with attackers intercepting or extracting valid authentication tokens to bypass multi-factor authentication (MFA) security, has also come to light. An even more complex variation of this approach involves adversary-in-the-middle strategies, where adversaries insert their own infrastructure between a user and the target service to proxy and intercept credentials and tokens. Although currently involved in a smaller proportion of incidents (around 9%), it’s an approach which is likely to become more commonplace.

Unsurprisingly, the ransomware threat continues to grow, with a 44% year-on-year increase in the number of breaches where it was deployed. This trend has been driven by the ongoing evolution of Ransomware-as-a-Service (RaaS) models, which make sophisticated attack kits readily available to affiliates and lower the technical barrier to entry for cybercrime.

Behind the headlines 

In attempting to understand what’s happening behind the numbers, it’s important to appreciate that many threat actors are looking to automate their processes, including scanning for vulnerable endpoints en masse and deploying their tools before organisations have time to apply patches.

As a result, perimeter devices have become particularly attractive targets because they often represent a single point of failure. For instance, firewalls and VPN endpoints are outward-facing by design, and when left unpatched or misconfigured, can provide a direct path into sensitive internal systems. The increase in attacks on these devices is clear evidence that attackers are focusing on this high-leverage tactic, not least because it is successful.

Phishing, by contrast, requires more sustained effort. Success depends on a whole sequence of events going the attacker's way: convincing the target that an email is genuine, bypassing security protections, harvesting credentials and then, often, navigating MFA. Overall, however, phishing tactics remain relatively static, and as a result, attackers are gravitating towards other options that are less time-consuming and don’t rely so heavily on user behaviour.

Elsewhere, the increase in adversary-in-the-middle strategies is allowing attackers to bypass authentication entirely once credentials are acquired. These techniques require more planning and infrastructure, but they’re proving effective against organisations that rely heavily on MFA. By intercepting authentication flows and reusing valid tokens, attackers can sidestep one of the most widely adopted security controls.
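The token reuse described above leaves a trace that defenders can look for: a session token presented from a client context (source IP, user agent) other than the one it was issued to, often within minutes of the legitimate login. The following is an added example, not code from the original article or from Six Degrees or Verizon; the pipe-delimited log format, the field names and the sample log lines are all constructed for illustration. It binds each token to its issuing client and flags any later use that breaks that binding, escalating to a "replay" severity when a second IP appears within a short window of the first.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: ts|user|action|token_id|src_ip|user_agent
# token_id is an opaque identifier (e.g. a hash of the session cookie), never the token itself.
SAMPLE_LOG = """
2025-05-01T09:00:00Z|alice|issued|tok-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Firefox/126
2025-05-01T09:00:05Z|alice|used|tok-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Firefox/126
2025-05-01T09:02:30Z|alice|used|tok-a1|198.51.100.77|python-requests/2.32
2025-05-01T10:00:00Z|bob|issued|tok-b7|192.0.2.44|Mozilla/5.0 (Macintosh) Safari/17
2025-05-01T10:30:00Z|bob|used|tok-b7|192.0.2.44|Mozilla/5.0 (Macintosh) Safari/17
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    action: str       # "issued" when a session token is minted, "used" when it is presented
    token_id: str
    src_ip: str
    user_agent: str


def parse_auth_log(text: str) -> list:
    """Parse the constructed pipe-delimited format into AuthEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, token_id, src_ip, ua = line.split("|", 5)
        events.append(AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                user, action, token_id, src_ip, ua))
    return events


def detect_token_reuse(events, window=timedelta(minutes=10)) -> list:
    """Report session tokens used from a client context other than the one they were issued to.

    The binding recorded at issuance is (src_ip, user_agent). A later use with a
    different binding is reported as "binding-mismatch"; if it also follows a use from
    a different IP within `window`, it is reported as "replay", since one legitimate
    client rarely changes public IP and user agent within minutes. A token used with
    no issuance record at all is reported as "unknown-token".
    """
    binding = {}    # token_id -> (src_ip, user_agent) at issuance
    last_use = {}   # token_id -> (ts, src_ip) of the most recent issue/use
    alerts = []     # (token_id, user, severity, ts)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "issued":
            binding[ev.token_id] = (ev.src_ip, ev.user_agent)
            last_use[ev.token_id] = (ev.ts, ev.src_ip)
            continue
        if ev.action != "used":
            continue
        issued_to = binding.get(ev.token_id)
        if issued_to is None:
            alerts.append((ev.token_id, ev.user, "unknown-token", ev.ts))
        elif issued_to != (ev.src_ip, ev.user_agent):
            prev_ts, prev_ip = last_use.get(ev.token_id, (None, None))
            recent_other_ip = (prev_ts is not None
                               and ev.ts - prev_ts <= window
                               and prev_ip != ev.src_ip)
            severity = "replay" if recent_other_ip else "binding-mismatch"
            alerts.append((ev.token_id, ev.user, severity, ev.ts))
        last_use[ev.token_id] = (ev.ts, ev.src_ip)
    return alerts


if __name__ == "__main__":
    for token_id, user, severity, ts in detect_token_reuse(parse_auth_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {severity}: token {token_id} for {user}")
```

On the sample, alice's token is flagged as a replay (used from a second IP with a scripted user agent two and a half minutes after the browser login) while bob's session is clean. The check is blind when the adversary replays the token from the same infrastructure that proxied the victim's login, which is exactly why the mitigation for adversary-in-the-middle is to bind tokens to the device cryptographically rather than to rely on MFA at login alone.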

Turning to ransomware, its continued growth is similarly driven by the pursuit of efficiency and scale. In particular, RaaS models enable threat groups to outsource the technical work to affiliates, who can use pre-built kits and instruction sets to launch attacks quickly. This forms part of a wider commercialisation culture among cybercriminals, whose operations are increasingly run along the lines of a legitimate business, complete with leadership teams and properly organised workflows.

What each of these tactics has in common, however, is a desire by attackers to pursue the path of least resistance. Whether that means exploiting a newly disclosed vulnerability or sidestepping security controls through token reuse, the motivation is the same – to achieve access and impact with the fewest possible obstacles.

This creates some complex challenges for defenders. While these methods aren’t necessarily more sophisticated than before, they are often more dynamic and harder to predict – an issue that places a premium on each organisation’s ability to adapt faster to threats. Security teams should also be mindful of the false sense of confidence associated with legacy defences, which may not keep pace with the speed and variability of modern attack techniques.
