Threat actors exploit detection gaps by moving 4x faster to exfiltration across cloud, identity, and endpoint zones
Unit 42 analysis of 2026 incident response cases reveals attackers deliberately strike multiple IT surfaces simultaneously to evade endpoint-only monitoring; critical intrusion evidence exists in logs but remains operationally inaccessible in 75% of incidents.
Attack Brief
Target: Enterprise SOCs relying on endpoint-centric detection; cloud services, IAM, SaaS applications, and unmanaged assets
Vector: Multi-surface pivot attacks exploiting blind spots between isolated security tools: cloud-to-endpoint pivots via misconfigured access keys, DNS tunneling to cloud storage for C2, credential theft across SaaS platforms, and persistence via rogue/shadow IT devices
Technical Details
MITRE ATT&CK: T1078 (Valid Accounts), T1199 (Trusted Relationship), T1550 (Use Alternate Authentication Material), T1021 (Remote Services)
Impact
Confirmed Damage: Attackers reached exfiltration 4x faster than in 2025 cases; evidence of the initial intrusion was present in logs but went undetected in 75% of investigated incidents because the relevant telemetry sat in data silos
Mitigation
Detection: Alert stitching across IT zones; ML-based incident scoring prioritizing business impact and user risk; user and entity behavior analytics to detect anomalous credential usage; continuous network monitoring and external attack surface management for rogue asset detection; centralized log repository ingesting telemetry from IAM, cloud assets, OT, IoT, AI workloads, code, and communications zones
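The stitching and scoring the Detection entry calls for, as an added example that is not Unit 42's code: normalized events from the IAM, cloud and endpoint zones are reduced to alerts (an impossible-travel check on IAM logins, plus cloud and endpoint events that already arrive as alerts), then grouped into one incident per identity and scored so that a cross-zone chain on a risky user outranks single-zone noise. The event schema, the 900 km/h and 6-hour thresholds, the zone weights that stand in for ML scoring, the high-risk user list and every event record are assumptions constructed for the demonstration.

```python
"""Cross-zone alert stitching with an impossible-travel check on IAM logins.
Added example, not Unit 42 code: schema, thresholds, weights and events are assumed."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0           # assumption: roughly airliner speed
STITCH_WINDOW = timedelta(hours=6)  # assumption: same identity within 6 h = one incident
ZONE_WEIGHT = {"iam": 3, "cloud": 3, "endpoint": 2}  # assumption: per-zone severity weight
HIGH_RISK_USERS = {"a.ng"}          # assumption: users flagged by HR/IAM context

# Constructed telemetry from three zones, already normalized to one schema.
EVENTS = [
    {"ts": "2026-03-01T08:00:00", "zone": "iam", "user": "a.ng", "kind": "sso_login",
     "lat": 47.61, "lon": -122.33},  # Seattle
    {"ts": "2026-03-01T08:40:00", "zone": "iam", "user": "a.ng", "kind": "sso_login",
     "lat": 52.52, "lon": 13.40},    # Berlin, 40 minutes later
    {"ts": "2026-03-01T09:05:00", "zone": "cloud", "user": "a.ng", "kind": "access_key_use",
     "detail": "long-lived access key listed storage buckets from an unseen IP"},
    {"ts": "2026-03-01T09:30:00", "zone": "endpoint", "user": "a.ng", "kind": "edr_alert",
     "detail": "unsigned binary launched a sync tool against cloud storage"},
    {"ts": "2026-03-01T11:00:00", "zone": "iam", "user": "b.ruiz", "kind": "sso_login",
     "lat": 40.71, "lon": -74.01},   # New York
    {"ts": "2026-03-01T15:30:00", "zone": "iam", "user": "b.ruiz", "kind": "sso_login",
     "lat": 41.88, "lon": -87.63},   # Chicago, 4.5 hours later: plausible travel
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def parse(events):
    """Convert ISO timestamps to datetime and order events chronologically."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                  key=lambda e: e["ts"])

def impossible_travel_alerts(events):
    """Flag consecutive logins by one user whose implied speed exceeds MAX_PLAUSIBLE_KMH."""
    alerts, last_login = [], {}
    for e in events:
        if e["kind"] != "sso_login":
            continue
        prev = last_login.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append({"ts": e["ts"], "zone": "iam", "user": e["user"],
                               "kind": "impossible_travel",
                               "detail": f"{km:.0f} km in {hours:.1f} h"})
        last_login[e["user"]] = e
    return alerts

def score(incident):
    """Heuristic stand-in for ML scoring: cross-zone chains on risky users rank highest."""
    base = sum(ZONE_WEIGHT.get(z, 1) for z in incident["zones"])
    cross_zone = 2 if len(incident["zones"]) > 1 else 1
    user_risk = 2 if incident["user"] in HIGH_RISK_USERS else 1
    return base * cross_zone * user_risk

def stitch(alerts):
    """Group alerts sharing a user that fall within STITCH_WINDOW of the incident's first alert."""
    incidents, open_incident = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        inc = open_incident.get(a["user"])
        if inc is None or a["ts"] - inc["start"] > STITCH_WINDOW:
            inc = {"user": a["user"], "start": a["ts"], "alerts": []}
            incidents.append(inc)
            open_incident[a["user"]] = inc
        inc["alerts"].append(a)
    for inc in incidents:
        inc["zones"] = sorted({a["zone"] for a in inc["alerts"]})
        inc["score"] = score(inc)
    return incidents

def run(events=EVENTS):
    """Derive IAM alerts from raw logins, add cloud/endpoint events that are already alerts, stitch."""
    parsed = parse(events)
    alerts = impossible_travel_alerts(parsed)
    alerts += [e for e in parsed if e["kind"] in ("access_key_use", "edr_alert")]
    return stitch(alerts)

if __name__ == "__main__":
    for inc in run():
        print(f"{inc['user']} zones={inc['zones']} score={inc['score']}")
        for a in inc["alerts"]:
            print(f"  {a['ts'].isoformat()} {a['zone']:9} {a['kind']:18} {a.get('detail', '')}")
```

Run stand-alone, this yields a single incident for a.ng spanning the iam, cloud and endpoint zones; b.ruiz's New York to Chicago logins are about 1,140 km apart over 4.5 hours and raise nothing. The point the brief makes is visible in the grouping: each of the three alerts on its own is a low-value ticket in its own console, and only the stitched view across zones shows the access-key use and the endpoint sync tool as the continuation of the anomalous login.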
Context
Similar Attacks: Cloud-to-endpoint pivots via misconfigured service access keys; DNS tunneling for covert C2; impossible travel alerts across SaaS applications; shadow IT and unmanaged device persistence