惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

雷峰网
雷峰网
N
Netflix TechBlog - Medium
博客园_首页
J
Java Code Geeks
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Y
Y Combinator Blog
腾讯CDC
V
V2EX
Microsoft Security Blog
Microsoft Security Blog
大猫的无限游戏
大猫的无限游戏
Cyberwarzone
Cyberwarzone
N
News and Events Feed by Topic
L
LINUX DO - 最新话题
Schneier on Security
Schneier on Security
Microsoft Azure Blog
Microsoft Azure Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Hacker News: Ask HN
Hacker News: Ask HN
Martin Fowler
Martin Fowler
Google DeepMind News
Google DeepMind News
G
Google Developers Blog
U
Unit 42
WordPress大学
WordPress大学
N
News and Events Feed by Topic
S
Schneier on Security
T
The Blog of Author Tim Ferriss
B
Blog
博客园 - 叶小钗
Forbes - Security
Forbes - Security
F
Fortinet All Blogs
Project Zero
Project Zero
K
Kaspersky official blog
Apple Machine Learning Research
Apple Machine Learning Research
L
LINUX DO - 热门话题
The GitHub Blog
The GitHub Blog
H
Hacker News: Front Page
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
PCI Perspectives
PCI Perspectives
The Register - Security
The Register - Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
W
WeLiveSecurity
C
Cyber Attacks, Cyber Crime and Cyber Security
罗磊的独立博客
S
Security @ Cisco Blogs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Tailwind CSS Blog
P
Proofpoint News Feed
S
SegmentFault 最新的问题
D
Docker
量子位
M
MIT News - Artificial intelligence

Business Insights Cybersecurity Blog by Bitdefender

What’s New in GravityZone July 2026 (v 6.75) Bind Link Abuse: One Windows Feature, Many Ways to Blind Your EDR Bitdefender Threat Debrief | July 2026 Trust Under Attack: How Deepfakes Are Rewriting Cybercrime Your AI SOC Won’t Catch Ransomware by Itself 2026 Cybersecurity Assessment: The Gap Between Knowing and Doing MSP Strategic Defense: Why MDR Is the New Security Baseline for MSPs Technical Advisory: FortiBleed Credential Exposure Campaign Targeting Internet-Facing Fortinet Devices Bitdefender Recognized in the 2026 Gartner® Europe Context: Magic Quadrant™ for Endpoint Protection CISA Mandates Change for Structured, Prioritized Updates and Vulnerability Management Claimed Twice: Five Reasons the Same Ransomware Victim Shows Up Under Two Flags What’s New in GravityZone June 2026 (v 6.74) Bitdefender Threat Intelligence: Built for How Security Teams Work Bitdefender Threat Debrief | June 2026 Cut Complexity in Half While Reducing Risk Across Your Endpoint Environment Bitdefender Named a Visionary in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection How Leading Organizations Turn EDR Into Operational Resilience Bitdefender Supports Ferrari Through Cybersecurity Built on Trust Bitdefender at Infosecurity Europe 2026: Staying Ahead of Faster Threats Endpoint Detection & Response Is Table Stakes Security MSP Strategic Defense: Why Dual-Layer Email Security (SEG + API) Is Now Essential Bitdefender GravityZone: 100% Telemetry in AV-Comparatives 2026 EDR Test Bitdefender Threat Debrief | May 2026 Bitdefender Named an Omdia Champion: What It Means for MSPs Ready to Lead Technical Advisory: ShinyHunters Breach of Instructure Canvas LMS What’s New in GravityZone May 2026 (v 6.73) Endpoint Protection in Practice: How Customers Use Bitdefender to Reduce Risk Introducing Proactive Hardening and Attack Surface Reduction (PHASR) for Linux and macOS A Cybersecurity Lifeline for Lean IT Teams: Introducing C.R.E.W. Bitdefender at Black Hat Asia 2026: Disrupt Attacker Playbooks Introducing Extended Email Security What’s New in GravityZone April 2026 (v 6.72) What Mythos Reveals About Zero Trust’s Scope Problem Shut the Front Door on Email Attacks: How to Scale Security Services Without Increasing Workload Technical Advisory: Axios npm Supply Chain Attack - Cross-Platform RAT Deployed via Compromised Maintainer Account Your Biggest Cyber Risk Could Be What You Already Trust RSAC 2026: What to Expect from Bitdefender A Cyber Resilience Agenda: Inside the European Central Bank’s 2026–2028 Priorities AI in Cybersecurity: Is It Worth the Effort for Lean Security Teams? MSP Strategic Defense: Building Compliance on Dynamic Attack Surface Reduction Master XDR Investigations: A Deep Dive into the GravityZone XDR Demo Incident IDC Market Note: Surging Demand for EU Data Sovereignty Drives New Cybersecurity-Cloud Partnership
Your Last Red Team Tested the Wrong Attack
Nicholas Jackson · 2026-06-26 · via Business Insights Cybersecurity Blog by Bitdefender

If your most recent red team engagement focused on malware execution, lateral movement across endpoints, and noisy intrusion chains (and the report came back clean), it’s worth asking what wasn’t tested.

The traditional playbook still gets used, and defenders still have to catch it. But advanced attackers have added a second layer on top of it: identity-centric work, slow-and-quiet movement that fragments behavioral telemetry, and cloud governance abuse that does not generate the kind of telemetry your endpoint stack was built to detect. If the engagement only tested the first layer, a clean report only covers half the picture, and you have a gap. The next test needs to close it.

I run offensive engagements for Bitdefender. Allow me to explain what I see when an organization asks for a red team that looks like the last one they ran three years ago, and why that scope no longer covers the full threat.

image-png-Jun-25-2026-09-18-01-6553-PM

The Actual Offensive Playbook Today

Advanced attackers are less often “breaking in” and more often becoming you. Malware execution on endpoints still happens, but the high-value attack paths have widened to include session hijacking, token theft, and MFA bypass through OAuth abuse (attackers exploit application consent flows to inherit user permissions without triggering MFA challenges).

Threat actors also utilize SSO compromise via phishing or leaked credentials, and cloud identity takeover through excessive permissions or federated trust exploitation (attackers leverage external identity providers trusted by the target to inherit access without direct credential theft). The goal at this layer is to inherit legitimate access rather than force illegitimate access. As a result, an engagement that fails to probe identity compromise produces unrealistically easy results, because it tests only the layer that attackers expect to be hardened.

Findings from a Recent Red Team Engagement

During the initial access phase of a recent engagement, our traditional payload phishing attempts (modern delivery techniques like ClickFix and FileFix) were caught by the customer’s endpoint security stack. The endpoint defense worked as designed. But the same target’s conditional access policy was permissive enough that we abused the OAuth flow to hijack user sessions and reach one of their SaaS platforms without ever needing a payload to land. The endpoint test came back clean, unable to find this type of gap.

The identity test, had it been run, would have surfaced a real exposure and enabled the gap to be found and closed.

The attack shift is structural, not trendy. Defensive tooling has raised the cost of noisy endpoint intrusion: behavioral detection catches anomalous process trees, dynamic attack surface reduction blocks unapproved tools.

Attackers responded by adding paths that move away from the ground defenders hardened first. The identity and access layer is one of them, where behaviors look legitimate because the credentials are legitimate. A red team engagement that still centers on endpoint compromise is testing yesterday’s defensive posture against an offensive surface that has grown wider.

The Slowness Discipline

Identity-centric operations require being slow and human. Delayed actions across days or weeks. Staggered movement between sessions. Operational mimicry of working hours and keyboard rhythms. Throttled exfiltration bandwidth. Residential proxy infrastructure (connections routed through real home ISP addresses rather than datacenter IPs or cloud VPSs, making them indistinguishable from legitimate remote workers). Less automation, more hands-on keyboard work. What’s the result of all this? Telemetry fragments into user activity that defenders see every day, rather than clustering into the kind of timeline correlation that detection engines catch.

Here's a practical example: Lightweight Directory Access Protocol (LDAP) enumeration. The Bloodhound and SharpHound approach pulls a directory in one programmatic sweep. Fast, complete, and a telemetry spike that any tuned correlation engine will catch. Howerver, targeted manual queries against specific objects, spaced across days and folded into normal session activity will surface the same intelligence without the spike. Same operator goal. Same intelligence collected. Different telemetry footprint.and the slow path is far less likely to register as anomalous.

This is the current discipline sophisticated attackers bring, not a technique they have moved past. 

The AI Paradox

Defensive AI correlates behavior over a very long time frame, enabling it to connect actions across days or weeks that short-term anomaly detection would miss. This is making slow-and-quiet operations harder for attackers. You can be careful and still get caught, and AI has a better memory than a human. It correlates actions across weeks that a SOC analyst reviewing daily logs would never connect. That raises the difficulty bar for attackers who rely on temporal fragmentation and they are becoming more focused on staying below detection thresholds.

But this pressure does not make slowness obsolete. It forces attackers to get more sophisticated: better operational mimicry, tighter adherence to normal working patterns, even longer delays between stages. The AI escalation is real. The response is escalation in return, not retreat. Red teams that do not replicate this pressure produce unrealistic results. If your last red team operated at automation speed and your defenses passed, you should ask another question: Would our defenses pass against an attacker willing to spend weeks fragmenting their work, as they create patterns our AI treats as normal user behavior?

Cloud Governance as the New Frontier

Attackers are also probing places where defensive AI is structurally weakest: cloud governance gaps. This includes things like IAM persistence via native mechanisms, excessive permissions that grant more access than job function requires, and federated trust relationships that inherit external identity without verification.

These are governance problems, not technical problems. They do not generate the kind of endpoint telemetry that behavioral detection catches because they operate through legitimate cloud control planes using legitimate credentials.

Here’s a real-world instance: Authentication and Persistence. During a pre-Bitdefender engagement, a red team exercise focused on a “cloud-to-on-prem” pivot at a company using Google Cloud Platform (GCP). On a compromised user’s local system, we found a privileged GCP service account key. We used that key to authenticate as the service account directly from outside the customer’s premises. The telemetry in place at the time did not cover that authentication path, so it went undetected.

And once we held the key, we no longer needed an internal foothold at all. Persistence lived outside the perimeter, in a credential that could be reused from anywhere, indefinitely, by whoever held it. That is the shape of governance-gap persistence: not malware on a host, but a credential artifact that grants legitimate-looking access with no host activity to flag.

Modern red team engagements push into this layer. An endpoint-focused engagement misses it entirely. If your last engagement scoped around host-level intrusion and did not test whether an attacker with valid cloud credentials could create persistent access through IAM role modification, or federation abuse, you have not tested the path advanced attackers are walking today.

Where Red Teams Hand Off to Prevention

Some paths advanced attackers use are off-limits to red teams. An indirect compromise through a trusted supply chain is a clear example. It requires third-party authorization, timelines longer than most engagements allow, and political capital that few organizations are willing to spend on an offensive test. We do not realistically simulate this path, not because it is unimportant, but because the scoping constraints make it impractical.

This is a scoping reality, not a red team failure. It is the boundary where red teams hand off to a prevention-first defensive posture. The paths we cannot push into are exactly the paths prevention can close.

Defensive AI is better at detecting direct compromise than third-party-led intrusion because the telemetry profile for direct work is denser and more anomalous. An attacker who compromises a trusted supplier and operates through that supplier’s legitimate access generates telemetry that appears to be the supplier doing their job. No behavioral baseline detects it because the behavior is the baseline.

Prevention closes that gap by shrinking the attack surface, lowering the odds an intrusion will even start.One example is that prevention limits trusted third-party access to what a specific job function requires, it enforces least-privilege on federated identities. It also monitors supply chain risk as a distinct category rather than assuming third-party access is safe by default. Red teaming validates whether your defenses catch what they are designed to catch. Prevention validates whether the things they are not designed to catch are things an attacker can reach in the first place.

Modern Red Teaming: Expanded and Increasingly Critical

Modern red teaming is critical because it has evolved with the threat landscape. If your last engagement focused on endpoint paths and came back clean, run a current one. Test identity compromise, test slow-and-quiet fragmentation, test cloud governance abuse. Pair it with prevention-first thinking, because the paths red teams cannot push into are exactly the paths prevention has to close. Modern attackers operate at this seam.

This post is the offensive view of that seam: what attackers are doing now and where red teams can and cannot follow them. The traditional playbook still gets used, and defenders still have to catch it. But advanced attackers have added a second layer on top, and we must test against that layer, too.

For more on this topic, and around prevention, watch my on-demand panel discussion,
The Lab, the SOC, the Red Team: Why Prevention Still Wins


The conversation brought research, response, and offense to the same table.

You can also learn more about Bitdefender offensive services and speak with an advisor if you need assistance.