Top 5 TTPs Targeting Enterprise Cybersecurity

As enterprises continue to strengthen their security tactics, threat actors are continuously refining their methods to sidestep them. In 2024, advanced tactics, techniques, and procedures (TTPs) evolved significantly, shaping the threat landscape with greater efficiency and effectiveness. These advancements have intensified enterprise cybersecurity threats, making proactive defense strategies more critical than ever.

With the dust now settled, let’s look at the TTPs most frequently leveraged against enterprises, which proved most impactful, and how enterprises can detect these threats before it’s too late.

TTPs Targeting Enterprises Today

1. Exfiltration

The concept behind data extortion attacks is straightforward: steal sensitive data and use it as ransom leverage. Threat actors have evolved beyond traditional encryption-based attacks, finding new avenues for data access and leaking stolen information directly — often with devastating success. This shift explains why Exfiltration appeared in 79% of Coveware by Veeam’s incidents in 2024, either as part of an encryption attack or as the sole objective.

One of the most widely used techniques is Exfiltration Over Web Services (T1567), where attackers leverage legitimate cloud-based services to move stolen data. Tools such as MegaSync, RClone, Windows Secure Copy, and FileZilla facilitate data transfers to trusted cloud storage providers, often over outbound 443/HTTPS connections. By blending malicious activity with routine web traffic, adversaries bypass traditional perimeter defenses, making detection significantly more difficult. The abuse of legitimate cloud platforms allows attackers to exfiltrate data without triggering standard security alerts, making this method increasingly favored.
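One way to surface the pattern described above from endpoint network-connection telemetry, as an added example that is not part of the original post: the script below flags the named sync and transfer tools when they connect outbound on 443/HTTPS or move more than an assumed volume of data. The executable names, the event shape and the 500 MiB threshold are assumptions for illustration.

```python
"""Added example (not from the original post): flag Exfiltration Over Web
Services (T1567) candidates in constructed endpoint network-connection events.
The tool list and byte threshold below are assumptions, not Coveware data."""
from collections import defaultdict

# Executables for the tools the post names (names are assumptions).
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "winscp.exe", "filezilla.exe"}
BYTES_OUT_THRESHOLD = 500 * 1024 * 1024  # 500 MiB per host/tool (assumed)

# Constructed events: (host, process image, destination port, bytes sent)
EVENTS = [
    ("FS01", r"C:\Tools\rclone.exe", 443, 300 * 1024 * 1024),
    ("FS01", r"C:\Tools\rclone.exe", 443, 400 * 1024 * 1024),
    ("WS17", r"C:\Program Files\Google\Chrome\chrome.exe", 443, 900 * 1024 * 1024),
    ("WS22", r"C:\Users\j\AppData\Local\MEGAsync\megasync.exe", 443, 50 * 1024 * 1024),
    ("DB03", r"C:\Program Files\WinSCP\winscp.exe", 22, 700 * 1024 * 1024),
]

def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()

def find_exfil_candidates(events, threshold=BYTES_OUT_THRESHOLD):
    """Return (host, tool, bytes_out, reason) tuples, sorted by host and tool.

    Two signals are raised: any use of a known sync/transfer tool on 443
    (the blend-in-with-HTTPS pattern the post describes), and any such tool
    whose cumulative outbound volume exceeds the threshold on any port."""
    totals = defaultdict(int)
    seen_https = set()
    for host, image, port, bytes_out in events:
        tool = basename(image)
        if tool not in EXFIL_TOOLS:
            continue  # browsers etc. are ignored; volume alone is too noisy
        totals[(host, tool)] += bytes_out
        if port == 443:
            seen_https.add((host, tool))
    alerts = []
    for key, total in sorted(totals.items()):
        reasons = []
        if key in seen_https:
            reasons.append("transfer tool over 443/HTTPS")
        if total > threshold:
            reasons.append("outbound volume above threshold")
        if reasons:
            alerts.append((key[0], key[1], total, "; ".join(reasons)))
    return alerts
```

In a real deployment the same rule would be joined to destination-domain data (e.g. the cloud storage provider) and to a baseline of which hosts legitimately run these tools, so that a backup server's scheduled rclone job does not page the on-call analyst.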

Beyond direct data theft, attackers are increasingly targeting third- and fourth-party suppliers — such as managed service providers (MSPs), software vendors, and supply chain partners — to exploit weaker security controls in downstream ecosystems. By compromising a single cloud-based repository or trusted third-party service, attackers gain access to multiple organizations simultaneously, amplifying the scope, damage, and complexity of the breach. These indirect attack vectors enable threat actors to bypass hardened enterprise defenses by infiltrating less secure suppliers, making exfiltration attempts harder to detect and contain before critical data is exposed.

2. Lateral Movement

Lateral Movement, where threat actors stealthily navigate a compromised environment, played a role in 74% of incidents in 2024. Attackers exploit network security weaknesses, particularly inadequate segmentation and lax access controls, which are intended to prevent unauthorized movement but often fail against sophisticated intrusion tactics.

In 2024, Microsoft Remote Desktop Protocol (RDP) and Secure Shell (SSH) remained primary tools for lateral movement, allowing attackers to traverse networks undetected. The ongoing abuse of built-in administrative tools in Windows environments and VMware ESXi hosts enables adversaries to blend in with legitimate network activity, making detection significantly harder.
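A detection for the RDP-based movement described above, added here as an example and not taken from the original post: it looks for one account reaching an unusual number of distinct hosts over RDP (Windows Security event 4624, logon type 10) inside a short window. The window, the host threshold and the event format are assumptions; the same fan-out logic applies to SSH accept lines on Linux or ESXi hosts.

```python
"""Added example (not from the original post): detect RDP lateral-movement
fan-out in constructed Windows Security 4624 events. Window length and host
threshold are assumptions; tune them to your environment."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
MAX_HOSTS_PER_WINDOW = 3  # more distinct RDP targets than this per account alerts

# Constructed 4624 events: (time, account, destination host, logon type).
# Logon type 10 is RemoteInteractive, i.e. RDP; 3 is a plain network logon.
LOGONS = [
    ("2024-06-03 02:01:00", "svc_backup", "FS01", 10),
    ("2024-06-03 02:04:00", "svc_backup", "FS02", 10),
    ("2024-06-03 02:09:00", "svc_backup", "DC01", 10),
    ("2024-06-03 02:15:00", "svc_backup", "ESX-MGMT", 10),
    ("2024-06-03 08:30:00", "jsmith", "WS17", 10),
    ("2024-06-03 09:10:00", "jsmith", "WS17", 10),
    ("2024-06-03 09:40:00", "jsmith", "FS01", 3),
    ("2024-06-03 10:00:00", "jsmith", "FS02", 3),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def rdp_fanout(logons, window=WINDOW, max_hosts=MAX_HOSTS_PER_WINDOW):
    """Return {account: sorted distinct hosts} for every account whose RDP
    logons reach more than max_hosts distinct hosts inside any single window."""
    by_account = {}
    for ts, account, host, logon_type in logons:
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) logons count here
        by_account.setdefault(account, []).append((_parse(ts), host))
    alerts = {}
    for account, events in by_account.items():
        events.sort()
        # Slide a window starting at each logon and count distinct targets.
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts
```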

Beyond direct credential abuse, threat actors expand their foothold by exploiting remote services, launching internal phishing campaigns, and compromising privileged accounts. These tactics allow them to deepen their infiltration, escalate privileges, and increase the overall impact of an attack, often setting the stage for encryption, data exfiltration, and further persistence within the network.

3. Impact

Encryption-based Impact tactics were observed in 55% of Coveware by Veeam’s incidents in 2024. However, this figure is misleading, as confirmed data encryption occurred in 92% of cases quarter over quarter. The gap in forensic reporting is largely due to VMware ESXi encryption, which remains challenging to capture accurately due to credential tampering and system reinstallation wiping forensic artifacts.

Among impact tactics, ESXi encryption surged to 45% of cases in 2024, making it one of the most disruptive attack methods. ESXi ransomware not only halts operations but also erases critical forensic evidence. Attackers frequently change administrative credentials or corrupt system files, forcing victims to reinstall the hypervisor to regain access to datastores. This process eliminates valuable forensic artifacts, significantly complicating post-incident investigations.

While ESXi encryption dominated enterprise attacks, Microsoft environments remain a persistent target for ransomware operations. Attackers continue to exploit Windows-based infrastructures, including Active Directory and domain controllers, using living-off-the-land techniques and built-in administrative tools to encrypt systems at scale. These attacks disable security services, spread rapidly through networks, and severely disrupt business continuity, underscoring the continued prevalence of encryption-based impact tactics across both Windows and ESXi environments.

4. Discovery

Discovery tactics were observed in 41% of cases in 2024, making them a critical phase in cyber intrusions. These techniques enable attackers to map environments, identify vulnerabilities, and prepare for further exploitation, laying the groundwork for lateral movement, privilege escalation, and data exfiltration.

Network Service Discovery and Process Discovery were the most commonly observed techniques, as attackers sought to identify active services, running processes, and system architecture. These methods allow adversaries to pinpoint high-value targets, such as security tools, backup solutions, and administrative services, which can then be disabled or exploited to maximize impact.

Beyond this, Account Discovery and Application Window Discovery provided attackers with insights into user roles, privileges, and open applications, allowing them to refine attack strategies and target key systems more effectively. Cloud-Service Discovery was also widely used to catalog cloud assets and configurations, exposing misconfigurations and high-value data repositories for exfiltration.

5. Command and Control

At 40%, Command and Control (C2) remains a top five tactic in 2024, with adversaries increasingly favoring legitimate Remote Monitoring and Management (RMM) tools over traditional C2 frameworks like Cobalt Strike and Impacket. This shift allows attackers to seamlessly blend malicious activity into normal administrative traffic, making detection more challenging and prolonging intrusions.

Additionally, cloud-based tools — including cloud storage platforms, collaboration tools, and SaaS applications — are being leveraged to establish and maintain persistent access. These services offer global availability, built-in encryption, and routine business use cases, making them ideal for stealthy Command and Control operations while evading traditional security controls.

Honorable Mention: Credential Access

Credential Access remains a key focus of cyberattacks, appearing in 37% of reported incidents in 2024. Brute force attacks continue to be a widely used method, as attackers systematically attempt password combinations to breach accounts. Attackers continue to prioritize credential theft early in their campaigns to enable stealthier lateral movement and unauthorized access to sensitive systems.

Any credential present on a compromised host becomes a target of opportunity, whether stored within the operating system, cached in memory, or saved in a browser. Successfully harvested credentials allow attackers to bypass security controls, escalate privileges, and execute subsequent attack stages with minimal resistance, often extending their foothold across the network undetected.
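As an added example (not from the original post) of detecting the brute-force activity described in this section, the script below separates two shapes of failed-logon noise in constructed Windows 4625 events: many failures against one account from one source, and a password spray that touches many accounts a few times each. Thresholds and the event shape are assumptions; a production rule would also bound both counts by a time window.

```python
"""Added example (not from the original post): flag brute-force and
password-spray patterns in constructed Windows 4625 failed-logon events.
Thresholds are assumptions."""
from collections import defaultdict

FAIL_THRESHOLD = 5    # failures against one account from one source
SPRAY_THRESHOLD = 4   # distinct accounts tried from one source

# Constructed 4625 events: (source IP, target account).
FAILURES = [
    *[("10.0.5.23", "administrator")] * 8,   # brute force on one account
    ("10.0.9.41", "asmith"), ("10.0.9.41", "bjones"),
    ("10.0.9.41", "ckim"), ("10.0.9.41", "dlee"), ("10.0.9.41", "eortiz"),
    ("10.0.9.41", "ckim"),                   # spray: many accounts, few tries each
    ("10.0.2.7", "jsmith"), ("10.0.2.7", "jsmith"),  # a user mistyping, below thresholds
]

def classify_failed_logons(failures, fail_threshold=FAIL_THRESHOLD,
                           spray_threshold=SPRAY_THRESHOLD):
    """Return {source: [findings]}; a source can carry both findings."""
    per_pair = defaultdict(int)          # (source, account) -> failure count
    accounts_by_source = defaultdict(set)
    for src, account in failures:
        per_pair[(src, account)] += 1
        accounts_by_source[src].add(account)
    findings = defaultdict(list)
    for (src, account), n in sorted(per_pair.items()):
        if n >= fail_threshold:
            findings[src].append(f"brute force: {n} failures against {account}")
    for src, accounts in sorted(accounts_by_source.items()):
        if len(accounts) >= spray_threshold:
            findings[src].append(f"password spray: {len(accounts)} distinct accounts")
    return dict(findings)
```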

Strategic Implications

The evolving threat landscape demands proactive security strategies to mitigate risks and reduce operational impact.

  • Enhance monitoring and anomaly detection to identify lateral movement and reconnaissance before they escalate into encryption or data exfiltration.
  • Implement Zero Trust security models, enforce strict access controls, and deploy endpoint detection to minimize the risks of credential theft and unauthorized access.
  • Accelerate patching of internal and external vulnerabilities to prevent the exploitation of known security gaps.
  • Strengthen backup and incident response capabilities to reduce reliance on ransom payments during attacks.
  • Invest in employee training and enforce robust access controls to mitigate human risk.
  • Apply strict cybersecurity standards across vendor and third-party interactions to prevent supply chain threats.
  • Deploy Data Loss Prevention (DLP) tools and enhance network monitoring to prevent unauthorized data access and movement.

Conclusion

As threat actors refine their tactics, organizations must continuously strengthen their defenses to stay ahead of emerging cyber risks and rethink their approach to ransomware incident response. Learn how the experts are doing it.
