What we learned mapping a year’s worth of AI-enabled cyber threats
As AI transforms the nature of and methods behind cyberattacks, how well do the techniques and frameworks used by the security community hold up?
In a new report, we seek to answer that question. We examine 832 accounts that were banned for malicious cyber activity between March 2025 and March 2026 and map them onto MITRE ATT&CK, a longstanding database of the tactics and techniques used by cyberattackers. We published some of these results in Verizon’s 2026 Data Breach Investigations Report (DBIR), and are sharing a more detailed analysis here. These 832 cases are just a subset of the total number of accounts banned during this period, but they represent those where we had enough detail to conduct a thorough assessment of the attackers’ techniques.
There were three main conclusions from our analysis:
- Malicious actors are using AI in ways that make them more dangerous. More specifically, threat actors are using AI in the later, more complex stages of their cyber operations.
- Cyberattacks are becoming more autonomous, and the fact that AI can be used to chain together many parts of the attack means that the old ways of differentiating high- from low-risk actors are no longer as effective.
- The MITRE ATT&CK framework does not fully capture the tools and activities that make AI-enabled attackers so dangerous.
Below we provide a summary of each of these conclusions. You can read a longer analysis on our Frontier Red Team blog.
How AI makes attackers more dangerous
The most common AI-enabled activities in our database related to preparing for a cyberattack, such as writing malware (560 of the 832 accounts we studied, or 67.3%, used AI for this purpose). A smaller number of actors use AI for more complex activities—for example, 54 of the 832 actors (6.5%) used AI to assist with “lateral movement,” which involves navigating deep inside a compromised network.
We found evidence consistent with AI being used to help increase the threat level of attackers. In the first six-month period of our analysis, 33% of actors were classified by our risk-scoring system as medium risk or higher. But by the second six-month period, that share had jumped to 56%—a roughly 1.7-fold increase.
Across the period we studied, attackers’ use of AI shifted from techniques to gain initial access to a system towards activity carried out once they were inside the system. For example, the use of AI for account discovery—identifying valid accounts inside a compromised environment—rose 8.9%, while AI-assisted phishing—a common technique to gain access to a system—fell 8.6%. This suggests that attackers are increasingly applying AI deeper in the attack life cycle.
These sorts of “post-compromise” techniques used to be restricted to actors with the technical knowledge to carry them out. Our investigation shows that AI can now be made to perform these activities on behalf of less sophisticated actors.
Why it’s harder to assess an actor’s threat level
How do security teams assess the risk level of a cyberattacker? Traditionally, they’ve used information like how many different techniques they employ and what tools or interfaces they use. But our analysis suggests that these signals no longer paint an accurate picture of the risk level of a given threat actor.
Now that AI can perform highly technical tasks on an actor’s behalf, there’s little correlation between the skill of a threat actor and how many techniques they use: the least-skilled actors in our dataset used about 16 distinct techniques on average, whereas the most skilled used about 20. Likewise, the specific platform used—Claude Code, an API, or a chat interface—also did not correlate with an actor’s risk level.
What often helps distinguish higher-risk actors is where in the attack life cycle they apply AI. For example, they concentrate their use of AI on more operationally demanding techniques—those that require significant time, oversight, or real-time decision making to carry out—like account discovery, lateral movement, and privilege escalation, rather than just on tasks that allow them to gain initial access to the system.
But even that signal is already eroding: as discussed in the previous section, those operational techniques are exactly where the broader population is heading as more actors get classified as higher risk. The more durable differentiator is the type of scaffolding attackers build around the model: higher-risk actors design architectures that allow models to chain together discrete stages of a cyberattack and carry them out with minimal human input.
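To make the count-versus-phase argument concrete, here is an added Python example (not the report's risk-scoring methodology, which the post does not describe): it scores two constructed actor profiles, expressed as real ATT&CK technique IDs, first by distinct technique count and then by the share of techniques that fall in post-compromise tactics, and measures a period-over-period shift in how many actors use a given technique. The actor profiles, the tactic grouping and the period data are assumptions built for the illustration.

```python
# Real ATT&CK technique IDs with their tactic (small subset used for illustration).
TECHNIQUE_TACTIC = {
    "T1587": "Resource Development",   # Develop Capabilities (e.g. writing malware)
    "T1566": "Initial Access",         # Phishing
    "T1190": "Initial Access",         # Exploit Public-Facing Application
    "T1059": "Execution",              # Command and Scripting Interpreter
    "T1087": "Discovery",              # Account Discovery
    "T1021": "Lateral Movement",       # Remote Services
    "T1068": "Privilege Escalation",   # Exploitation for Privilege Escalation
    "T1003": "Credential Access",      # OS Credential Dumping
}

# Tactics that only come into play once the attacker already has a foothold
# (the "post-compromise" stages the analysis above singles out). Grouping is an assumption.
POST_COMPROMISE_TACTICS = {
    "Discovery", "Lateral Movement", "Privilege Escalation", "Credential Access",
}

# Constructed actor profiles: AI-assisted techniques observed per actor (duplicates allowed).
LOW_RISK_ACTOR = ["T1587", "T1566", "T1190", "T1059", "T1566"]   # pre-compromise only
HIGH_RISK_ACTOR = ["T1059", "T1087", "T1021", "T1068"]            # mostly post-compromise


def technique_count(techniques):
    """The traditional signal: how many distinct techniques an actor used."""
    return len(set(techniques))


def post_compromise_share(techniques):
    """Phase-aware signal: fraction of distinct techniques that sit in post-compromise tactics."""
    distinct = set(techniques)
    if not distinct:
        return 0.0
    post = sum(1 for t in distinct if TECHNIQUE_TACTIC.get(t) in POST_COMPROMISE_TACTICS)
    return post / len(distinct)


def prevalence_shift(period_a, period_b, technique):
    """Percentage-point change between two periods in the share of actors using a technique."""
    def share(actors):
        return sum(1 for a in actors if technique in a) / len(actors)
    return (share(period_b) - share(period_a)) * 100


if __name__ == "__main__":
    # Both constructed actors use the same number of distinct techniques, yet only the
    # phase-aware share separates them, which is the point the section makes.
    for name, actor in (("low", LOW_RISK_ACTOR), ("high", HIGH_RISK_ACTOR)):
        print(name, technique_count(actor), post_compromise_share(actor))
```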
Why security frameworks need to change
Many of the behaviors that distinguish the highest-risk actors—such as the use of AI to orchestrate steps in the attack chain sequentially, make real-time decisions about what to do next, and execute without human intervention—are not yet included as attacker techniques in the MITRE ATT&CK framework.
Consider the state-sponsored cyber espionage operation we disrupted in November 2025. In that case, a malicious actor manipulated Claude Code into attempting to infiltrate targets around the world, with little human intervention. Mapping it against the MITRE ATT&CK framework shows that the actor used 30 techniques across 13 tactics, which was comparable to many medium-risk actors in our dataset. Clearly, focusing on the number of techniques this actor used underplays how dangerous they really were (by contrast, applying our risk-scoring methodology to this attack earns it the maximum risk score of 100).
In that attack, the model worked as an autonomous agent: it executed commands, exploited vulnerabilities, stole credentials, and made tactical decisions, only requiring human input at a few key moments. There is no ATT&CK ID for this type of agentic orchestration—yet these are precisely the behaviors we expect to see much more of as AI agents become more capable.