Hackers are using ransomware to accelerate the timeline for cyberattacks, moving on average four times faster than just a year ago, according to an incident response report released Tuesday by Palo Alto Networks.
AI is being used for reconnaissance, phishing and scripting, and operational execution in many cases. In the most efficient attacks, groups exfiltrate data just 72 minutes after initial access.
Identity is a primary element in attacks, showing up in 90% of incident response cases. Threat groups are increasingly using stolen identities and tokens to gain entry without triggering security warnings.
“Once an attacker has legitimate credentials, they’re not breaking in, they’re logging in,” Sam Rubin, a senior vice president at Palo Alto Networks’ Unit 42, told Cybersecurity Dive. “When an adversary blends into normal traffic, detection becomes incredibly challenging for even mature defenders.”
The report is based on analysis of more than 750 incident response cases across the globe that involved Unit 42 analysts and researchers.
The report analyzed how threat groups are using AI to operate with unprecedented speed and scale, running simultaneous attacks and taking advantage of known software flaws to go after vulnerable targets before those victims can take preventative measures.
For example, attackers are now targeting vulnerabilities within 15 minutes of a CVE disclosure.
Hackers are also using AI to run reconnaissance and initial access attempts against hundreds of targets at the same time.
The report shows attackers are abusing trusted integrations to launch attacks against software-as-a-service applications. Nearly one-quarter of incidents involved these types of attacks over the past year.
These integrations provide legitimate, privileged access, making abuse of these trusted connections more difficult to defend against.
“This is a structural shift in supply chain risk that moves beyond vulnerable code to the abuse of trusted links,” Rubin said.