SANS Threat Analysis Rundown in Review: Breaking Down April 2025’s Discussion

In this month’s SANS Threat Analysis Rundown, I focused on one of my favorite times of year in cybersecurity: annual report season. Every spring, several major threat reports are released, each packed with valuable insights. I know reading hundreds of pages can be overwhelming, so during the stream, I pulled out key highlights and recurring themes from four major reports: the Verizon DBIR, Mandiant M-Trends, CrowdStrike’s Global Threat Report, and the Red Canary Threat Detection Report. I also shared how I personally use these reports to strengthen threat detection and intelligence practices. Here’s a quick recap of the discussion.

Why Annual Reports Matter

I started the livestream by explaining why annual threat reports are so valuable: they offer a concise overview of the threat landscape and help you focus on the most prevalent threats. No single report provides a complete picture, but when you compare multiple sources, clear patterns start to emerge.

I encouraged viewers to use these reports as a catalyst for action. If multiple sources highlight the same technique or issue, that’s a strong signal it should be a priority. While I couldn’t cover every report out there, you can find many more in this excellent GitHub repository that collects annual security reports.

Verizon DBIR 2025 Highlights

The first report I covered was the Verizon Data Breach Investigations Report (DBIR). I always appreciate the DBIR’s broad, data-driven view based on thousands of real incidents contributed by a range of organizations. We kicked things off by discussing the lesser-known VERIS framework behind the report, which breaks down intrusions into structured data to help identify trends.

Key takeaways:

• Human error remains a major cause of breaches — especially misconfigurations, misdelivery of sensitive information, and credential reuse.
• Credentials are still the number one target for adversaries. If attackers can get a username and password, they often don’t need malware.
• Adversaries prioritize low-effort, high-reward methods like credential theft over complex attacks.

The DBIR underscores the ongoing importance of basic security hygiene. It might not be flashy, but enforcing multi-factor authentication (MFA), reducing credential reuse, and educating users about phishing still go a long way. Many organizations know what needs to be done — like patching and MFA — but struggle to consistently implement these basics.

Mandiant M-Trends

Next, I walked through the Mandiant M-Trends report, which offers a different lens because it draws from more targeted, hands-on-keyboard intrusions.

Here’s what stood out:

• Dwell time — the period adversaries remain undetected — increased slightly from 10 to 11 days. While not a huge jump, it suggests detection timelines could be improving more slowly than we’d like.
• Edge device vulnerabilities remain a popular access point. Prioritize patching these systems, and minimize the number of Internet-facing assets.
• Valid accounts are a growing concern, with adversaries frequently using legitimate credentials to move laterally — a theme echoed across all reports.
• Lateral movement often uses legitimate, built-in tools, which makes it harder to distinguish attacker activity from normal operations.
• Many breaches still involve known vulnerabilities and techniques, reinforcing that we can’t focus solely on zero-days.
• CrowdStrike Global Threat Report
• I also covered the CrowdStrike 2025 Global Threat Report, which offers a strong look at eCrime and nation-state activity.

What caught my attention:

• Over 80% of interactive intrusions involved identity-based tactics — including credential theft, session hijacking, and authentication service abuse. (Yes, another clear theme!)
• Cloud intrusions increased 75% year over year, signaling how quickly attackers are pivoting to cloud targets. I mentioned Scattered Spider as an example of a group leveraging social engineering and stolen credentials to attack cloud identity providers. Even with that group’s disruption, similar tactics will persist.
• Malware-free intrusions accounted for 75% of observed incidents — proving attackers don’t always need malware if they can "live off the land."
• Built-in tools and legitimate services continue to be abused for stealthy access, making detection more challenging. (Yes, this theme should be sounding familiar by now.)

This report reinforced the need to detect identity abuse and suspicious behavior in cloud environments, not just rely on traditional malware detection.

Red Canary Threat Detection Report

Lastly, I shared highlights from the Red Canary Threat Detection Report. (Full disclosure: I work at Red Canary, but I genuinely believe this report is a valuable community resource. I tried to keep my take as neutral as possible.)

Top findings:

• Command and Scripting Interpreter techniques — like PowerShell and CMD — remain prevalent. But because this is such a broad category, defenders need to dig into specific procedures to build effective detections.
• Valid accounts once again emerged as a top technique. That makes four out of four reports highlighting credential misuse — so it’s definitely worth paying attention.
• Many techniques seen this year were also common in previous years — attackers continue using what works.

One takeaway I emphasized: while it’s important to stay informed about novel threats, don’t neglect “old” but reliable techniques. Strong detections for credential abuse, suspicious command-line activity, and identity anomalies can significantly boost your defensive capabilities.

In Closing

While reading these reports cover-to-cover is worthwhile, if you’re short on time, I hope this summary helped. These reports draw from different datasets but share common insights that can guide your threat detection and intelligence strategies. They’re also great resources for educating leadership and building support for a stronger security program.

Thanks again to everyone who joined live or caught the replay. I’ll be back next month with another STAR Livestream to share more threat intel and detection ideas to help us all stay ahead of evolving threats. Hope to see you then!