From the field to the report and back again: How incident responders can use the Year in Review
Cisco Talos distills key findings from its 2025 Year in Review into actionable guidance for defenders and incident responders. Identity-based attacks accounted for 60% of Talos IR cases in 2024, with Active Directory targeted in 44% of incidents; MFA bypass via push fatigue and misconfigured policies remains the dominant initial-access pattern. MFA spray attacks doubled in 2025, with a focus on privileged accounts, and device compromise rose significantly as actors pursue persistent, repeatable access. The article recommends mapping IR findings to MITRE ATT&CK to surface detection gaps, particularly around credential dumping (LSASS), EDR agents being disabled by ransomware operators, and anomalous RDP lateral movement. Rapid exploit-to-exploitation timelines (e.g., React2Shell) and unpatched legacy network devices are flagged as systemic risks that give attackers outsized leverage.
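As an added example (not the Talos article's own code or method), the ATT&CK mapping step described above, in Python: constructed IR event records are tagged with real ATT&CK technique IDs by assumed classification rules, then compared against the techniques a team already detects, so the uncovered, most frequent techniques surface first. The EDR service name and jump-host address are placeholders.

```python
from collections import Counter

# Real ATT&CK technique IDs; the event-to-technique rules below are this example's
# assumptions, not the Talos article's methodology.
ATTACK_IDS = {
    "lsass_access": "T1003.001",   # OS Credential Dumping: LSASS Memory
    "edr_disabled": "T1562.001",   # Impair Defenses: Disable or Modify Tools
    "rdp_lateral": "T1021.001",    # Remote Services: Remote Desktop Protocol
    "mfa_push_fatigue": "T1621",   # Multi-Factor Authentication Request Generation
}
EDR_SERVICES = {"EDRAgentSvc"}     # placeholder service name, constructed for the example
ADMIN_JUMP_HOSTS = {"10.0.1.10"}   # constructed: RDP from here is expected, not lateral movement

def classify(ev):
    """Map one normalized event dict to a finding key, or None if it matches no rule."""
    kind = ev.get("type")
    if kind == "process_access" and ev.get("target", "").lower().endswith("lsass.exe"):
        return "lsass_access"
    if kind == "service_stop" and ev.get("service") in EDR_SERVICES:
        return "edr_disabled"
    if kind == "logon" and ev.get("logon_type") == 10 and ev.get("src") not in ADMIN_JUMP_HOSTS:
        return "rdp_lateral"
    if kind == "mfa_push" and ev.get("pushes_per_10min", 0) >= 5:
        return "mfa_push_fatigue"
    return None

def gap_report(cases, covered):
    """cases: {case_id: [event, ...]}; covered: technique IDs that already have a detection.
    Returns [(technique_id, number_of_cases, has_detection)], uncovered and most frequent
    techniques first, so the top rows are the detection gaps to close."""
    per_case = Counter()
    for events in cases.values():
        for key in {classify(e) for e in events} - {None}:   # count each technique once per case
            per_case[ATTACK_IDS[key]] += 1
    rows = [(tid, n, tid in covered) for tid, n in per_case.items()]
    return sorted(rows, key=lambda r: (r[2], -r[1], r[0]))

# Constructed sample cases (not real IR data).
SAMPLE_CASES = {
    "IR-001": [{"type": "process_access", "target": r"C:\Windows\System32\lsass.exe"},
               {"type": "logon", "logon_type": 10, "src": "10.0.5.23"}],
    "IR-002": [{"type": "service_stop", "service": "EDRAgentSvc"},
               {"type": "logon", "logon_type": 10, "src": "10.0.9.2"}],
    "IR-003": [{"type": "mfa_push", "pushes_per_10min": 12},
               {"type": "logon", "logon_type": 10, "src": "10.0.1.10"}],
}

if __name__ == "__main__":
    for tid, n, ok in gap_report(SAMPLE_CASES, covered={"T1003.001"}):
        print(f"{tid:10} cases={n} detection={'yes' if ok else 'GAP'}")
```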