Leader in SOC Efficiency and Operational Excellence in MITRE ATT&CK 2024 Results
In the 2024 MITRE ATT&CK® Enterprise Evaluation, Cybereason demonstrated why out-of-the-box detection coverage and operational efficiency matter more than ever.
Cybereason Security Services Team
In 2026, incident response (IR) will continue its shift away from traditional malware-centric investigations toward identity-driven intrusions, abuse of trusted cloud services, and low-signal, high-impact activity that blends seamlessly into normal business operations. Rather than relying on technical exploits, threat actors are prioritizing legitimate access, persistence, and operational efficiency, enabling them to evade users, security controls, and automated detection.
Over the last 12 months, we saw phishing and social engineering as the initial intrusion vector for 40% of all our cases worldwide, more than double the next two most popular vectors, credential abuse and CVE exploitation. Despite massive advancements in email security, attackers have been able to circumvent traditional defenses by avoiding traditional malware.
As a result, incidents will be defined less by obvious compromise indicators and more by subtle misuse of authentication flows, cloud applications, and established business workflows, challenging defenders to distinguish malicious activity from routine behavior.
By 2026, compromise will look less like an intrusion and more like business as usual.
Modern compromises will increasingly resemble normal user behavior rather than traditional breaches. Threat actors will continue to deprioritize malware in favor of abusing identity systems, cloud access, and trusted applications.
Attackers will increasingly rely on:
Investigations will hinge on identity telemetry, including authentication and sign-in logs, token lifetimes, OAuth grants, consent history, and anomalous access patterns, rather than traditional endpoint artifacts or malware analysis.
Attackers will increasingly establish persistence through API-driven access paths, using OAuth primarily as the authorization layer rather than the end goal. Once access is granted, malicious activity shifts to app-only and background API operations that require no user interaction and often survive password resets, MFA resets, and session revocation.
This enables durable, low-noise persistence that bypasses traditional identity-based remediation and is difficult to detect using login-centric controls.
OAuth gets them in, APIs keep them there.
OAuth-based persistence will mature into a default post-compromise technique, including:
2026 reality: Attackers will increasingly pivot into trusted integrations instead of individual users, relying on API access that blends into normal business operations.
Persistence is no longer about staying logged in; it’s about staying authorized.
Attackers will rely less on passwords and more on authorized access that survives remediation: OAuth apps, API tokens, and third-party integrations that look legitimate and quietly persist. IR timelines will increasingly require app-level analysis, not just account resets. Missed OAuth artifacts will result in re-compromise.
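The two points above (investigations hinging on consent and app-only API telemetry, and OAuth grants that outlive a password reset or session revocation) can be turned into a concrete triage check. The following is an added example written for this page, not Cybereason's code or any product's query; the event types, field names and timestamps are constructed stand-ins for what an identity audit log exposes, and a real tenant export would need a small mapping into this shape. It replays a log window, records when each user was remediated, and reports consent grants that are still unrevoked and still producing API activity after that point.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not real tenant data). The type and field
# names are simplified assumptions, not any vendor's schema.
SAMPLE_EVENTS = """
{"ts":"2026-01-10T08:02:00Z","type":"ConsentGrant","user":"alice@example.com","app_id":"app-1111","scopes":["Mail.ReadWrite","offline_access"]}
{"ts":"2026-01-10T08:05:00Z","type":"AppApiActivity","app_id":"app-1111","operation":"MailItemsAccessed","user":"alice@example.com"}
{"ts":"2026-01-11T09:00:00Z","type":"PasswordReset","user":"alice@example.com"}
{"ts":"2026-01-11T09:01:00Z","type":"SessionsRevoked","user":"alice@example.com"}
{"ts":"2026-01-12T03:14:00Z","type":"AppApiActivity","app_id":"app-1111","operation":"MailItemsAccessed","user":"alice@example.com"}
{"ts":"2026-01-09T12:00:00Z","type":"ConsentGrant","user":"bob@example.com","app_id":"app-2222","scopes":["User.Read"]}
{"ts":"2026-01-11T10:00:00Z","type":"PasswordReset","user":"bob@example.com"}
{"ts":"2026-01-11T10:30:00Z","type":"ConsentRevoked","user":"bob@example.com","app_id":"app-2222"}
{"ts":"2026-01-12T11:00:00Z","type":"AppApiActivity","app_id":"app-3333","operation":"Files.Read","user":"carol@example.com"}
"""

# Account-level remediation steps that do NOT revoke an app's authorization.
REMEDIATION_TYPES = {"PasswordReset", "SessionsRevoked", "MfaReset"}


def parse_events(raw):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_persistent_grants(events):
    """Return consent grants that survived the user's remediation and still show
    API activity afterwards: the 'authorized but no longer logged in' case."""
    remediated_at = {}              # user -> latest remediation timestamp
    grants = {}                     # (user, app_id) -> scopes granted
    revoked = set()                 # (user, app_id) pairs whose consent was pulled
    activity = defaultdict(list)    # (user, app_id) -> app-only API events
    for ev in events:               # events are time-ordered, so last write wins
        if ev["type"] in REMEDIATION_TYPES:
            remediated_at[ev["user"]] = ev["ts"]
        elif ev["type"] == "ConsentGrant":
            grants[(ev["user"], ev["app_id"])] = ev["scopes"]
        elif ev["type"] == "ConsentRevoked":
            revoked.add((ev["user"], ev["app_id"]))
        elif ev["type"] == "AppApiActivity":
            activity[(ev["user"], ev["app_id"])].append(ev)

    findings = []
    for (user, app_id), scopes in grants.items():
        if (user, app_id) in revoked or user not in remediated_at:
            continue
        after = [e for e in activity[(user, app_id)] if e["ts"] > remediated_at[user]]
        if after:
            findings.append({
                "user": user,
                "app_id": app_id,
                "scopes": scopes,
                "remediated_at": remediated_at[user].isoformat(),
                "post_remediation_ops": sorted({e["operation"] for e in after}),
                "count": len(after),
            })
    return findings


def find_unexplained_activity(events):
    """App API activity for a user with no consent record inside the log window.
    This is the 'prove what didn't happen' check: either the grant predates the
    window (pull older logs) or consent was given another way (e.g. tenant-wide)."""
    granted = {(e["user"], e["app_id"]) for e in events if e["type"] == "ConsentGrant"}
    seen, out = set(), []
    for e in events:
        if e["type"] != "AppApiActivity":
            continue
        key = (e["user"], e["app_id"])
        if key not in granted and key not in seen:
            seen.add(key)
            out.append({"user": e["user"], "app_id": e["app_id"],
                        "first_seen": e["ts"].isoformat()})
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(json.dumps({"persistent_grants": find_persistent_grants(evs),
                      "unexplained_activity": find_unexplained_activity(evs)}, indent=2))
```

On the constructed data, alice's password reset and session revocation are followed the next day by app-1111 reading mail under the still-valid grant, so that grant is the artifact the remediation missed; bob's grant was revoked and produces nothing; carol's app-3333 activity has no consent record in the window, which is a gap to close before calling the investigation scoped rather than evidence that nothing happened.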
BEC is no longer about tricking users into clicking malicious links. Instead, it has evolved into quietly operating inside trusted business environments using legitimate access. BEC is no longer strictly an email problem, either. It is now an identity and collaboration abuse problem.
BEC will increasingly expand into:
IR teams must correlate email, collaboration platforms, file access, and finance workflows to fully scope impact. BEC no longer lives in the inbox; it lives inside the business.
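Scoping a BEC case across the four sources named above is mostly a correlation problem: the same identity touching mail, collaboration, files and a finance workflow inside a short span is the pattern worth a timeline. The block below is an added example for this page, not Cybereason's code; the records, source names and actions are constructed, and the 72-hour window and three-source threshold are assumptions to tune per environment. It groups normalised records by actor, slides a window over each actor's activity, and emits an ordered timeline for any actor whose activity spans enough distinct sources.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _t(s):
    """Helper for the constructed sample: parse 'YYYY-MM-DDTHH:MM' as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)


# Constructed records from four sources, already normalised to one shape.
# Source labels and actions are assumptions for illustration, not product fields.
SAMPLE_RECORDS = [
    {"ts": _t("2026-02-03T07:40"), "source": "mail", "actor": "alice@example.com",
     "action": "InboxRuleCreated", "detail": "rule: subject contains 'invoice' -> delete"},
    {"ts": _t("2026-02-03T08:10"), "source": "files", "actor": "alice@example.com",
     "action": "FileDownloaded", "detail": "Finance/Q1_vendor_invoices.xlsx"},
    {"ts": _t("2026-02-04T09:05"), "source": "collab", "actor": "alice@example.com",
     "action": "ChatMessageSent", "detail": "to finance-ap: 'urgent: updated vendor bank details'"},
    {"ts": _t("2026-02-04T11:30"), "source": "finance", "actor": "alice@example.com",
     "action": "VendorBankDetailsChanged", "detail": "vendor: Acme Supplies"},
    # dave: only two sources inside the window, below the threshold
    {"ts": _t("2026-02-03T10:00"), "source": "mail", "actor": "dave@example.com",
     "action": "InboxRuleCreated", "detail": "rule: move newsletters to Archive"},
    {"ts": _t("2026-02-03T10:30"), "source": "files", "actor": "dave@example.com",
     "action": "FileDownloaded", "detail": "HR/handbook.pdf"},
    # erin: three sources, but spread over far more than the window
    {"ts": _t("2026-01-20T09:00"), "source": "mail", "actor": "erin@example.com",
     "action": "InboxRuleCreated", "detail": "rule: flag messages from CEO"},
    {"ts": _t("2026-01-28T09:00"), "source": "files", "actor": "erin@example.com",
     "action": "FileDownloaded", "detail": "Finance/budget.xlsx"},
    {"ts": _t("2026-02-05T09:00"), "source": "finance", "actor": "erin@example.com",
     "action": "PaymentApproved", "detail": "vendor: Acme Supplies"},
]


def correlate_bec(records, window=timedelta(hours=72), min_sources=3):
    """Flag actors whose activity spans at least `min_sources` distinct sources
    within any `window`-long span, and return the ordered timeline for each."""
    by_actor = defaultdict(list)
    for r in records:
        by_actor[r["actor"]].append(r)

    findings = []
    for actor, evs in sorted(by_actor.items()):
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # every event from this start point that falls inside the window
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            sources = {e["source"] for e in span}
            if len(sources) >= min_sources:
                findings.append({
                    "actor": actor,
                    "sources": sorted(sources),
                    "window_start": start["ts"].isoformat(),
                    "timeline": [(e["ts"].isoformat(), e["source"], e["action"], e["detail"])
                                 for e in span],
                })
                break  # one finding per actor is enough to open a scoping task
    return findings


if __name__ == "__main__":
    for f in correlate_bec(SAMPLE_RECORDS):
        print(f"{f['actor']}  sources={f['sources']}  from {f['window_start']}")
        for ts, source, action, detail in f["timeline"]:
            print(f"  {ts}  [{source:7}] {action}: {detail}")
```

Only alice is flagged on the sample: an inbox rule hiding invoice mail, an invoice spreadsheet pulled from SharePoint-style storage, a chat to accounts payable, and a vendor bank change, all inside about 28 hours. Lowering `min_sources` to 2 also surfaces dave, which is the usual trade-off; the value of the output is the timeline itself, since that is what tells the finance and collaboration owners what to check rather than just which account to reset.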
While there are still plenty of attacks involving living-off-the-land tactics with tools like PowerShell or WMI, in cloud-centric incidents the environment itself becomes the weapon. Rather than deploying malware or external tooling, threat actors increasingly abuse native tenant features, trusted services, and existing configurations to establish and maintain access.
Attackers will increasingly rely on:
When attackers no longer need tools, the tenant itself becomes the attack surface. The absence of malware will no longer imply low risk. Investigators must prove negative evidence (what didn’t happen) as much as what did.
To address the continued shift toward identity-driven and cloud-native attacks, organizations and their risk advisors should prioritize the following:
In 2026, the most dangerous breaches won’t announce themselves. They will blend in, persist quietly, and exploit trust, forcing DFIR teams to become identity investigators, cloud auditors, and storytellers all at once. To counteract that, defense should start with identity, visibility, and the assumption that attackers will operate using trusted access.
Jamie Mamroe, Incident Responder
Jamie Mamroe is an Incident Responder at Cybereason, a LevelBlue company, where she investigates complex cyber incidents with a focus on identity-based attacks. She brings over seven years of experience in digital forensics and incident response, where she led and supported a wide range of investigations spanning ransomware, insider threat, and large-scale business email compromise (BEC) events. Jamie specializes in Microsoft 365 forensics and cloud-centric investigations, helping organizations understand attacker behavior and reduce ongoing risk. She holds GIAC Certified Forensic Examiner (GCFE) and GIAC Certified Forensic Analyst (GCFA) certifications.
Facts Only
Cybereason participated in the 2024 MITRE ATT&CK® Enterprise Evaluation.
Phishing and social engineering were the initial intrusion vectors in 40% of cases worldwide over the past 12 months.
Credential abuse and CVE exploitation were the next most common intrusion vectors.
By 2026, threat actors are expected to prioritize legitimate access, persistence, and operational efficiency.
Attackers are increasingly abusing identity systems, cloud access, and trusted applications.
OAuth-based persistence is becoming a default post-compromise technique.
Business Email Compromise (BEC) is evolving into identity and collaboration abuse.
Attackers are using native tenant features and trusted services to establish and maintain access.
Investigations will increasingly rely on identity telemetry, including authentication logs and token lifetimes.
Cybereason recommends prioritizing identity visibility and assuming attackers will exploit trusted access.
Jamie Mamroe, an Incident Responder at Cybereason, specializes in Microsoft 365 forensics and cloud-centric investigations.
The 2024 MITRE ATT&CK® Enterprise Evaluation emphasizes out-of-the-box detection coverage and operational efficiency.
Executive Summary
Cybereason's 2024 MITRE ATT&CK® Enterprise Evaluation highlights a shift in cyber threats toward identity-driven intrusions and cloud service abuse, moving away from traditional malware-centric attacks. Over the past year, phishing and social engineering accounted for 40% of initial intrusion vectors, surpassing credential abuse and CVE exploitation. By 2026, attackers are expected to prioritize legitimate access, persistence, and operational efficiency, blending malicious activity into normal business operations. Key tactics include OAuth-based persistence, API-driven access, and abuse of trusted cloud applications, making detection more challenging. Business Email Compromise (BEC) is evolving beyond email fraud, now involving identity and collaboration platform abuse. Defenders must adapt by focusing on identity telemetry, app-level analysis, and cloud-native threat detection. Cybereason emphasizes the need for organizations to prioritize identity visibility and assume attackers will exploit trusted access.
The analysis underscores the growing complexity of cyber threats, where attackers leverage legitimate tools and workflows to evade detection. Traditional security measures, such as endpoint artifacts and malware analysis, are becoming less effective. Instead, investigations will rely on authentication logs, token lifetimes, and anomalous access patterns. The report also highlights the importance of correlating email, collaboration platforms, and financial workflows to fully scope BEC incidents. As attackers increasingly weaponize cloud environments, defenders must prove negative evidence—what didn’t happen—as much as what did. The narrative suggests a future where cybersecurity requires a holistic approach, integrating identity management, cloud auditing, and narrative-driven investigations.
Full Take
The strongest version of this narrative is its clear articulation of a paradigm shift in cyber threats—from malware-centric attacks to identity-driven, cloud-native intrusions. Cybereason effectively highlights the evolving tactics of threat actors, who now prioritize legitimate access and persistence over traditional exploits. The emphasis on OAuth-based persistence and API-driven access is particularly compelling, as it underscores the growing sophistication of attackers who blend into normal business operations. The report also rightly points out the limitations of traditional security measures, advocating for a more holistic approach that integrates identity management and cloud auditing. This narrative serves as a valuable wake-up call for organizations to adapt their defenses to the changing threat landscape.
However, the analysis could benefit from a deeper exploration of the systemic challenges that enable these shifts. For instance, the reliance on OAuth and APIs is not just a tactical choice by attackers but also a reflection of the broader digital ecosystem's design flaws. The report assumes that organizations can readily implement the recommended changes, but it does not address the resource constraints or organizational inertia that may hinder such adaptations. Additionally, while the focus on identity and cloud security is timely, it risks overshadowing other critical areas, such as supply chain vulnerabilities or insider threats, which may also evolve in parallel.
Root Cause: The narrative is driven by the assumption that cybersecurity is primarily a technical challenge, solvable through better tools and processes. However, it understates the human and organizational dimensions of security—such as user behavior, corporate culture, and the economic incentives that shape both attacker and defender actions. Historically, this echoes the cat-and-mouse dynamic of cybersecurity, where defenders are perpetually reacting to attacker innovations rather than proactively shaping the environment.
Implications: The shift toward identity-driven attacks has significant consequences for human agency and dignity. As attackers exploit trusted access, the burden of detection falls increasingly on individuals and organizations to distinguish malicious activity from routine behavior. This could lead to heightened surveillance and stricter access controls, potentially eroding privacy and autonomy. The economic costs will likely be borne by organizations that must invest in new security frameworks, while the benefits accrue to cybersecurity vendors and consultants who provide these solutions.
Bridge Questions: What are the ethical implications of shifting cybersecurity toward identity surveillance? How can organizations balance the need for security with the preservation of user privacy and trust? What role do regulatory frameworks play in shaping the evolution of cyber threats and defenses?
Counterstrike Scan: If this narrative were part of a coordinated influence campaign, the playbook would likely involve amplifying fear around identity-driven attacks to drive demand for specific cybersecurity solutions. The content does align with this pattern to some extent, as it emphasizes the urgency of adopting new security measures while positioning Cybereason as a thought leader in this space. However, the analysis remains grounded in observable trends and does not engage in overt fear-mongering or exaggerated claims. The focus on operational efficiency and detection coverage is consistent with legitimate cybersecurity concerns, making it difficult to classify this as a manipulative campaign.
Patterns detected: ARC-0024 Ambiguity (implied urgency without explicit evidence of immediate threat), ARC-0043 Motte-and-Bailey (broad claims about future threats with specific examples that may not fully support the general narrative)
Sentinel — Human
The analyzed article is likely human-written, with evidence of idiosyncratic phrasing and personal voice. The stylometric analysis suggests a deviation from the rhythm typically seen in AI-generated content.
