New Security Operations Threat Report from DirectDefense Highlights Top Threats from 2023 and Emerging Trends for 2024

DENVER, April 24, 2024 – DirectDefense, Inc., an information security services company, today released its “2023 Security Operations Threat Report,” which identifies the top threats from 2023 and what is already trending for 2024. Using its proprietary ThreatAdvisor platform, DirectDefense gathered and analyzed intelligence from nearly 2 million hours of alert investigation across its client base.

Cyber attackers are using increasingly sophisticated techniques to breach organizations’ defenses. As new threats and tactics emerge, it becomes harder for organizations to keep up with them and implement effective defenses. DirectDefense’s ThreatAdvisor SOAR platform enabled its team to help clients launch key security initiatives and significantly improve their preparedness and overall security posture.

Primary threats from 2023

In 2023, DirectDefense helped its clients identify, respond to and remediate the following five primary threats:

Multi-factor authentication (MFA) abuse: Abusing and bypassing MFA became so prominent in 2023 that DirectDefense created custom alerts to catch more attacks. There has been a surge in identity-based attacks where attackers are being more interactive and using generative AI to be more targeted.

Social engineering: Social engineering attacks have become more impactful with AI. Attackers are using AI to localize their attacks and appear more familiar, so misspellings or language differences are no longer reliable ways to identify a social engineering attack. The combination of AI and the willingness of attackers to spend more money to commit a cybercrime makes these attacks more automated.

Single sign-on (SSO) attacks: SSO gives attackers a single entry point into multiple environments. They can steal the sign-on credentials once and reuse them many times, so organizations should be aware of the exposure that exists when multiple environments can be accessed with the same login information.

Multi-cloud attacks: As organizations continue to move to the cloud, there is growing concern about the visibility gaps that exist in cloud environments. In 2023, DirectDefense used newer technologies to observe attacks taking place in real time across multiple clouds, respond to them, and remediate using additional security solutions.

Living off the Land (LotL) abuse: Once threat actors are on a computer, they are able to use built-in admin tools and existing permissions to move around freely. Attackers use the same tools organizations rely on to manage and protect their network in order to stay inside the environment.

Emerging threats for 2024

Looking ahead to 2024, the DirectDefense team identified five emerging threats that top its list of security concerns:

SIM Swapping: SIM swapping sidesteps MFA measures by taking over the phone accounts of key personnel and porting their phone numbers to the attacker’s own SIM card on another device. The attacker then controls the victim’s phone number, can receive SMS-based MFA codes, and can use them to gain access to corporate networks and services.

Use of Generative AI: AI has made it harder than ever for organizations to protect against social engineering attacks, even with security awareness training. Threat actors are becoming far savvier about localizing attacks to fit the target region, and generative AI is making that tactic much more effective. Beyond localization, which includes using the right accents and terminology to appear safe and familiar, AI also allows attackers to impersonate identities and craft believable emails.

Compromising Corporate AI Tools: In addition to using AI as an attack vector, threat actors are also abusing an organization’s own AI platform to gain network access. Organizations will have to implement policies and procedures for safely deploying and using AI tools that account for the vulnerabilities these tools introduce.

Going Around Endpoints: Attackers are avoiding endpoints altogether and going straight into an organization’s network to attack on-premises and cloud environments. Endpoint avoidance works because there is little to no oversight of cloud product development; if an organization also has poor network segmentation, there are few if any barriers to keep an attacker from moving easily throughout a cloud-networked environment.

Infiltrating Incident Response Communications: Attackers are increasingly adding insult to injury by taking over incident response communication channels after their attack, making it harder for organizations to carry out disaster recovery. If the attacker infiltrates an organization’s communication systems, it drastically undermines disaster recovery and incident response procedures, delaying the organization’s ability to notify the right people, get systems back online, recover data, and return to business as usual.

ThreatAdvisor, a single-platform SOAR solution for continuous security monitoring and management, is a critical piece of DirectDefense’s managed services offerings, as it provides complete network visibility in a centralized location. It helped DirectDefense achieve an average time to respond to triaged critical security events of 8 minutes. Over 90% of standard managed detection and response (MDR) events were triaged by DirectDefense without engaging the client’s security team. Nearly one-third of events were promoted and triaged in collaboration with client security teams, and 80% of those were custom alerts that go beyond standard MDR monitoring.

“Cybercrime is big business, and it’s driving up the volume and sophistication of cyberattacks, making it impossible for organizations to stay on top of every threat,” said Jim Broome, President and Chief Technology Officer for DirectDefense. “Getting additional support from an MSSP can be invaluable to an organization’s security program by helping to ensure attackers can’t breach your network in the first place. Because once they’re in, they can do a significant amount of damage and cost your company millions.”

The full report can be found at:

About DirectDefense

DirectDefense provides enterprise risk assessments, penetration testing, ICS/SCADA security services, and 24/7 managed security services for companies of all sizes. Focused on building security resiliency, the firm offers comprehensive security testing services with specialization in application security, vulnerability assessments, penetration testing, and compliance assurance testing. Its team of highly talented consultants has worked with the majority of the Fortune 100 companies, in industries such as power and utility, gaming, retail, financial, media, travel, aerospace, healthcare, and technology. More information can be found at


Press contact:
Cathy Summers
Summers PR