Harden MFA and identity as automated attacks rise

Cisco Talos warns firms to strengthen MFA and identity after automated attacks and a 178% jump in device compromises, citing an Okta SSO breach that exposed about 5.5 million ADT customers.

Cisco Talos issued Year in Review guidance urging organizations to harden multifactor authentication and identity infrastructure after tracking a rise in automated attacks and a 178% increase in device compromises. The guidance identifies identity systems, exposed legacy assets and trust-brokering platforms as primary targets for automated campaigns.

Talos described a recent incident affecting ADT customers as an example of identity-targeted intrusion. Attackers used a voice phishing campaign to compromise an employee’s Okta single sign-on account, which allowed access to customer data and later led to extortion. Talos reported that roughly 5.5 million ADT customer records were exposed in the incident.

The threat intelligence group’s review cites multiple examples of rapid exploitation. A critical flaw in a popular Python package for lightweight large language models was actively exploited within 36 hours of disclosure. Talos also found that a widely downloaded open-source package and its container image had been altered to distribute an info-stealing payload.

Talos’ incident response data for the first quarter shows phishing returned as the top initial access vector in the health care and public administration sectors. The team credited early mitigation for preventing ransomware deployment in several cases. The 178% rise in device compromises was highlighted as evidence of how quickly automated tooling can expand successful operations once attackers gain a foothold.

The guidance lists operational priorities for security teams to reduce exposure. It recommends treating identity infrastructure as a top-tier critical asset and tightening MFA workflows with stricter verification checks to prevent session takeover. Teams should build baseline detections of normal post-login activity so anomalous behavior becomes apparent, and prioritize patches based on whether vulnerabilities are exposed to the internet rather than relying only on severity scores. Talos also advised actively hunting for legacy risks that can persist unnoticed, increasing telemetry on management-plane systems, and tuning detection to focus on unusual events to reduce alert fatigue.
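As an added illustration of the post-login baselining Talos recommends (this is example code written for this summary, not Talos code, and the SSO-style record layout, ASN values, device ids, action names and weights are all constructed assumptions rather than any vendor's real schema), the script below learns what each user normally does after signing in and scores new events by how far they deviate. A first-seen MFA enrollment from an unknown device and network, outside the user's usual hours, accumulates enough deviations to stand out, while an ordinary event from a known device scores zero.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simplified SSO-style schema (hypothetical
# field names, not any vendor's real log format):
#   user,timestamp,src_asn,device_id,action
BASELINE_LOG = [
    "alice,2024-03-04T09:12:00,AS64500,dev-a1,app_launch",
    "alice,2024-03-05T10:05:00,AS64500,dev-a1,app_launch",
    "alice,2024-03-06T08:55:00,AS64500,dev-a1,app_launch",
    "bob,2024-03-04T14:02:00,AS64501,dev-b1,app_launch",
    "bob,2024-03-05T13:30:00,AS64501,dev-b1,report_export",
    "bob,2024-03-06T15:10:00,AS64501,dev-b1,app_launch",
]

# New post-login events to score against that baseline (also constructed).
NEW_LOG = [
    "alice,2024-03-07T09:20:00,AS64500,dev-a1,app_launch",
    "alice,2024-03-07T02:45:00,AS64599,dev-zz9,mfa_factor_enroll",
    "bob,2024-03-07T14:15:00,AS64501,dev-b1,report_export",
    "bob,2024-03-07T14:16:00,AS64501,dev-b1,mfa_factor_enroll",
]

# Actions that change who can authenticate or keep a session alive; a first
# occurrence of these weighs more than an ordinary unseen action.
SENSITIVE_ACTIONS = {"mfa_factor_enroll", "mfa_factor_reset", "password_change"}

# Assumed weights; tune against your own false-positive rate.
WEIGHTS = {"no_baseline": 2, "new_asn": 2, "new_device": 2,
           "new_action": 1, "new_sensitive_action": 3, "off_hours": 1}


def parse_log(lines):
    """Turn the comma-separated records into dicts with a parsed hour of day."""
    events = []
    for line in lines:
        user, ts, asn, device, action = line.split(",")
        events.append({
            "user": user,
            "hour": datetime.fromisoformat(ts).hour,
            "asn": asn,
            "device": device,
            "action": action,
        })
    return events


def build_baseline(events):
    """Per-user sets of ASNs, devices, actions and login hours seen so far."""
    baseline = defaultdict(lambda: {"asns": set(), "devices": set(),
                                    "actions": set(), "hours": set()})
    for ev in events:
        b = baseline[ev["user"]]
        b["asns"].add(ev["asn"])
        b["devices"].add(ev["device"])
        b["actions"].add(ev["action"])
        b["hours"].add(ev["hour"])
    return dict(baseline)


def score_event(baseline, ev):
    """Return (score, reasons); each reason names one deviation from the baseline."""
    b = baseline.get(ev["user"])
    if b is None:
        return WEIGHTS["no_baseline"], ["no_baseline"]
    reasons = []
    if ev["asn"] not in b["asns"]:
        reasons.append("new_asn")
    if ev["device"] not in b["devices"]:
        reasons.append("new_device")
    if ev["action"] not in b["actions"]:
        reasons.append("new_sensitive_action" if ev["action"] in SENSITIVE_ACTIONS
                       else "new_action")
    # Allow one hour of slack either side of the user's observed activity window.
    if not (min(b["hours"]) - 1 <= ev["hour"] <= max(b["hours"]) + 1):
        reasons.append("off_hours")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(baseline_lines, new_lines, threshold=4):
    """Score every new event; 'flagged' marks the ones worth an analyst's time."""
    baseline = build_baseline(parse_log(baseline_lines))
    results = []
    for ev in parse_log(new_lines):
        score, reasons = score_event(baseline, ev)
        results.append({"user": ev["user"], "action": ev["action"],
                        "score": score, "reasons": reasons,
                        "flagged": score >= threshold})
    return results


if __name__ == "__main__":
    for r in triage(BASELINE_LOG, NEW_LOG):
        mark = "ALERT" if r["flagged"] else "ok   "
        print(f"{mark} {r['user']:6} {r['action']:18} score={r['score']} {r['reasons']}")
```

The threshold keeps a lone new-but-sensitive action from a known device below alerting level, which is the kind of tuning toward genuinely unusual events that the guidance describes for reducing alert fatigue; the same per-user sets can be extended with whatever fields your SSO provider actually emits.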

“Because adversaries inevitably reuse infrastructure and fail to mimic legitimate user behavior, defenders maintain a distinct advantage if they know exactly where to look,” Talos wrote, advising focused detection and response around identity and session management.

Talos also demonstrated defensive uses of generative AI, showing AI-powered honeypots that can adaptively interact with malicious agents to gather threat intelligence and slow automated attacks. The group urged organizations to apply the listed controls immediately to improve detection of automated campaigns that generate observable anomalies after login.
