CrowdStrike’s 2024/25 observations describe a definitive shift toward Identity (#4) and Legitimate Function Abuse (#1). The adversary is becoming "malware-free" and highly efficient, compressing defender reaction times.
1. Executive Summary: Strategic Shift
This report analyzes the 2025 CrowdStrike data through the TLCTC lens. The core finding is the dominance of non-malware vectors, specifically the "Identity Triangle" of clusters #1, #4, and #9.
- Attackers lead with #1 Abuse of Functions and #4 Identity Theft rather than malware.
- Major surge in #9 Social Engineering as the primary entry vector.
- Cloud initial access is dominated by #4 Identity Theft, followed by control-plane abuse.
- Malware-free tradecraft compresses defender Δt (reaction time), forcing a shift to automated prevention.
- Access Broker Ads (+50%): Commoditization of #4 Identity Theft (selling sessions/creds).
- Initial Access Vulns (52%): Continued materiality of #2 Exploiting Server as "door openers".
2. Strategic Management Layer Analysis
The "Enterprising Adversary" profile is characterized by high scores in three specific clusters:
#1 Abuse of Functions: The Dominant "Workhorse"
Definition: Manipulating legitimate features/APIs without needing a code flaw.
Insight: Once attackers have a foothold, they "live inside" admin consoles, RMM tools, and SaaS search features. This drives the 79% "malware-free" statistic.
#4 Identity Theft: Primary Initial Access
Definition: Presenting credentials/tokens to operate as another identity.
Insight: "Identity is infrastructure." In TLCTC, credential compromise acts as the central pivot for modern intrusions.
#9 Social Engineering: The "Bypass"
Definition: Psychologically manipulating individuals (Human Layer).
Insight: Spiking because it bypasses software hardening. The "Help Desk Reset" pattern is a clean #9 → #4 bridge.
3. Operational Attack Paths (Cause-Side)
CrowdStrike identifies several recurring sequences. We map these to TLCTC notation to highlight the causal chain.
1) Vishing to Remote Support: Malware-Free Entry
Analysis: #9 (phone manipulation) drives the user to run legitimate RMM tools (#1). Attackers then steal creds (#4) to operate as those users.
2) Help Desk Social Engineering → SaaS: Typical Path
Analysis: #9 (MFA reset) leads to #4 (new creds). Then #1 (test access/mailbox rules) and finally #1 (SaaS distribution features).
3) AiTM Phishing (Cloud Auth): Cloud-Specific
Analysis: #9 (lure) → #5 (proxy auth/MitM) → #4 (stolen session token).
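A detection sketch for the help-desk path above, treating it as an ordered #9 → #4 → #1 chain on one account within a time window. This is an added illustration, not code from CrowdStrike or the TLCTC paper; the event names, field names and sample events are constructed assumptions about what an IdP/SaaS audit log might export.

```python
from datetime import datetime, timedelta

# Constructed sample identity events (not from the CrowdStrike report): a help-desk
# MFA reset, a sign-in from an unseen device, then an inbox-rule creation. bob's sign-in is two days late.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:02:00", "user": "alice", "event": "MfaReset", "actor": "helpdesk"},
    {"ts": "2025-03-01T09:15:00", "user": "alice", "event": "SignIn", "new_device": True},
    {"ts": "2025-03-01T09:21:00", "user": "alice", "event": "InboxRuleCreated"},
    {"ts": "2025-03-01T10:00:00", "user": "bob", "event": "MfaReset", "actor": "helpdesk"},
    {"ts": "2025-03-03T10:00:00", "user": "bob", "event": "SignIn", "new_device": True},
]

# Ordered stages of the help-desk path and the TLCTC cluster each one evidences.
CHAIN = [("MfaReset", "#9"), ("SignIn", "#4"), ("InboxRuleCreated", "#1")]


def _matches(event, stage_name):
    """A SignIn only counts as #4 evidence when it comes from a new device."""
    if event["event"] != stage_name:
        return False
    return stage_name != "SignIn" or event.get("new_device", False)


def trace_helpdesk_chain(events, window_hours=24):
    """Return {user: [clusters reached]} for users with at least a #9 stage. Stages must
    occur in order and within window_hours of the reset; a late stage ends the trace."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    progress = {}
    for user, evs in by_user.items():
        stage, start, path = 0, None, []
        for e in evs:
            if stage == len(CHAIN) or not _matches(e, CHAIN[stage][0]):
                continue
            ts = datetime.fromisoformat(e["ts"])
            if start is None:
                start = ts
            elif ts - start > timedelta(hours=window_hours):
                break  # stale event: do not chain it to the old reset
            path.append(CHAIN[stage][1])
            stage += 1
        if path:
            progress[user] = path
    return progress


def complete_chains(events, window_hours=24):
    """Users whose events complete the full #9 -> #4 -> #1 sequence."""
    return [u for u, p in trace_helpdesk_chain(events, window_hours).items()
            if len(p) == len(CHAIN)]
```

Partial chains (a reset followed only by a new-device sign-in) are returned too, so an analyst can triage the #9 → #4 bridge before the #1 stage appears.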
4. Strategic Control Priorities
| Priority | Target | Control |
|---|---|---|
| P1 | Break the #9 → #4 Bridge | Stronger ID verification for resets (Video ID). Train specifically for vishing. |
| P2 | Harden #4 Identity Theft | Phishing-resistant MFA (FIDO2). Detect identity abuse across Endpoint+Cloud. |
| P3 | Constrain #1 Abuse | Reduce standing privileges. Lock down RMM usage. Monitor policy tampering. |
Conclusion
The 2025 landscape forces defenders to look beyond file-based malware detection. By understanding the "Identity Triangle" of Social Engineering (#9), Identity Theft (#4), and Abuse of Functions (#1), organizations can map controls to the actual paths adversaries are using today.
References
- CrowdStrike 2025 Global Threat Report
- Kreinz, B. Top Level Cyber Threat Clusters (TLCTC), White Paper V2.0