Finite State’s Take on CrowdStrike’s 2025 Global Threat Report

Every year, CrowdStrike’s Global Threat Report (GTR) distills where adversaries are winning and how defenders need to adapt. The 2025 edition is blunt: identity-driven, malware-free intrusions are faster, cloud-savvy, and increasingly fueled by access brokers and social engineering. Manufacturers, software producers, and supply-chain stakeholders should treat this as a clear mandate to harden both identity paths and the software supply chain embedded in connected products.

Below, our perspective on the most consequential trends and what to do next.

What Stood Out in This Year’s GTR

Hands-on-keyboard beats malware — CrowdStrike reports 79% of detections were malware-free in 2024, with average eCrime breakout time down to 48 minutes (fastest: 51 seconds)—a detection and response sprint, not a marathon.

Identity is the front door (and back door) — Valid account abuse drove 35% of cloud incidents; access-broker ads jumped ~50% YoY; and 52% of observed vulns tied to initial access, showing how creds and exposed services combine into reliable footholds.

Vishing & help-desk social engineering exploded — Telephone-oriented social engineering surged (+442% H2 vs H1 2024), with adversaries walking users into remote-access tooling and persistence.

Cloud control plane is target-rich — CrowdStrike observed +26% new/unattributed cloud intrusions, widespread CLI/IAM abuse, and persistence via alternate auth—now common across multiple actor sets.

Perimeter devices remain prime real estate — Threat actors repeatedly target network-periphery devices and reuse established vectors; exploit chaining and abusing legitimate features enable unauthenticated RCE and durable persistence.

Social engineering hits enterprises; CVEs pop edge devices — The GTR underscores the surge in phone-based social engineering (vishing, help-desk scams) as an enterprise initial-access method, and—separately—continued targeting of network-perimeter devices via disclosed CVEs and PoCs. This bifurcation matters: educate people and harden identity for the enterprise core, while aggressively managing vulnerabilities on the edge.

Exploit chains are the new norm — CrowdStrike documents multiple 2024 intrusions where individually “moderate” vulns were chained to reach pre-auth RCE, including Palo Alto Networks PAN-OS and Cisco IOS cases. Chaining also breaks severity-only patching, since post-auth bugs get deprioritized and later reused in chains.

Living off legitimate features for RCE — Beyond classic exploits, actors “finish the job” by abusing built-in features (e.g., integrated command shells / xp_cmdshell) to achieve RCE. Your device’s “helpful” features can be an attacker’s runtime.

Compromised devices fuel ORB infrastructure — CrowdStrike highlights operational relay box (ORB) networks—built from hundreds or thousands of compromised devices—used to proxy attacker traffic.

Other Observations Worth Your Attention

• Access brokers are scaling (nearly +50% YoY), making exposed services + stale components more monetizable than ever.
  
• Cloud IAM/CLI abuse and alternate MFA methods for persistence are now table stakes for threat actors—assume compromise and instrument for detection.

Why This Matters for the Future of Connected Products

The GTR makes it clear that risk isn’t just at the identity provider or the endpoint EDR sees; it’s baked into device firmware, third-party components, exposed services, and cloud/API integrations that products rely on.

If you build, ship, or operate connected products, your defensive posture must align to

1. adversary speed
2. identity-plus-vulnerability chaining
3. cloud control-plane abuse

all of which intersect your product’s software supply chain and device fleet.

How Finite State Helps Protect IoT Devices Against the GTR’s Key Threats

1) Initial-Access Vulns & Perimeter Device Exposure → SBOM-anchored visibility + binary analysis

• Generate, ingest, and continuously monitor SBOMs for firmware and software across your portfolio; correlate against 200+ vuln intel sources to surface exploited/zero-day exposure quickly.
  
• Binary SCA & Binary SAST go beyond source to uncover weaknesses and misconfigurations in monolithic, statically-linked firmware that traditional tools miss—critical for network appliances called out by CrowdStrike.
  
• Outcome: Shrink the window adversaries exploit on exposed devices and break exploit chains earlier.

2) “Prioritize what’s exploitable” vs. “patch everything” → Risk-based triage aligned to adversary tradecraft

• Our platform prioritizes & guides remediation with risk scores and exploit-availability context, integrating into CI/CD to move fixes quickly.
  
• Pair portfolio-level visibility with targeted pen testing to validate exploitability on web/VPN services, APIs, and cloud integrations used by your devices.
  
  

3) Cloud-Conscious Attack Paths from Device to Control Plane → Assess and harden product-to-cloud trust

• CrowdStrike shows valid account abuse = 35% of cloud incidents; we assess APIs, auth flows, and cloud configurations tied to device ecosystems, and validate controls around tokens, service identities, and tenant trust.
  
• Continuous SBOM monitoring plus policy & compliance workflows help document and enforce least-privilege changes across firmware, services, and cloud.
  
  

4) Regulatory Pressure Meets Real-World Threats → Prove due diligence across the product lifecycle

• From EU CRA/CE RED to the U.S. Cyber Trust Mark, we align findings to compliance reporting and provide expert services (virtual CPSO, managed security) to maintain posture over time.

The Bottom Line

CrowdStrike’s data underscores an uncomfortable truth: modern intrusions stitch together identity abuse, exploitable device/software components, and cloud control-plane gaps fast. If you secure your SBOMs, binaries, APIs, and cloud ties with the same rigor you apply to identity, you’ll cut off the most reliable attack paths.