ASEAN’s expanding cyber risk landscape

Cybercriminals are no longer lone actors working in isolation. They are part of sophisticated, well-resourced operations that use automation and AI to execute attacks at both scale and speed. Over the past year, Palo Alto Networks’ threat intelligence team, Unit 42, has seen a sharp rise in how quickly and effectively these cyberattacks are being carried out across industries. For businesses in Southeast Asia, this shift has serious implications. As the region continues to embrace digital transformation through cloud adoption, growing cross-border data flows, and complex supply chains, the attack surface is expanding rapidly.

The 2025 Unit 42 Global Incident Response Report highlights some of these pressing threats observed over the past year, many of which point to deep, ongoing vulnerabilities that continue to affect organisations. For business leaders in the region, the findings offer four key lessons, each a chance to strengthen cybersecurity as a foundation for digital trust and long-term resilience.

Lesson 1: Fragmented defences are no match for coordinated attacks

Not long ago, to get into a system, an attacker might only exploit a single weak link, such as a misconfigured server or an easy-to-guess password. Today’s threats are more sophisticated, with attackers launching coordinated campaigns that hit multiple entry points at once, taking advantage of fragmented tools and inconsistent visibility.

Attackers are increasingly targeting web browsers, leveraging them as an initial entry point to breach enterprise environments. In 44% of cases, the browser was the first vector for attacks. This is largely because day-to-day work now heavily relies on browsers for collaboration, file sharing, and content creation, making them a prime target. These attacks often begin with phishing websites, malicious downloads, or redirects from compromised ads. These initial breaches rarely act alone: 70% of incidents involved three or more different attack vectors, spanning endpoints, networks, cloud services, and even human behaviour.

Organisations will need to move beyond disconnected point solutions. Security teams must be able to see and act across the full environment — cloud, endpoint, identity, and network — in real time. That means shifting towards integrated systems that work together, not in silos. Otherwise, defenders will remain reactive, always one step behind attackers who move fluidly across disconnected systems.

Lesson 2: AI-powered phishing demands AI-powered defences

Phishing has long been one of the most common ways attackers gain access, and it is only getting smarter. In 2024, it returned as the leading initial access method, responsible for 23% of incidents investigated by Unit 42.

What has changed is the level of sophistication. Attackers are now using generative AI to create phishing emails that are more polished, believable, and targeted. These messages can mimic the tone and style of internal communications and even reference real workflows. The result is a new generation of phishing campaigns that feel legitimate and are extremely difficult to detect.

To keep up, businesses will need more than just traditional email protection. They will have to adopt broader security approaches that emphasise behaviour-based detection, automated threat correlation, and real-time analysis. These practices can surface anomalies across email, messaging platforms, and user activity before they result in compromise. Automation also helps security teams respond faster and with greater consistency, reducing manual triage and speeding up containment.

Employees remain a critical line of defence, and their readiness is paramount. Traditional, annual security training is no longer enough to keep pace with the rapidly changing digital landscape. To be effective, training must be continuous, practical, and focused on building habits such as promptly reporting suspicious activity. This creates a human firewall that can actively improve an organisation’s security posture.

However, training alone isn’t a silver bullet. The speed at which threats evolve, particularly with attackers leveraging AI to create highly convincing phishing attempts, requires an equally advanced response. Automated detection and response systems can analyse vast amounts of data in real time, detecting and mitigating threats at a scale that humans cannot match. A combination of employee training and advanced AI security tools is critical for a complete defence strategy.

Lesson 3: Trust must be verified, especially internally

Some of the most damaging attacks investigated last year didn’t start at the firewall; they started with someone already inside. Insider threats tripled in 2024, and in many cases, these weren’t disgruntled employees or careless users. They were highly skilled operatives from nation-state groups, intentionally placed in technical roles within finance, media, tech, and defence companies.

One Unit 42 investigation found that North Korean operatives used deepfake video tools to impersonate job candidates during remote interviews. With little more than open-source software and readily available graphics units, they created convincing identities in under 70 minutes. Companies hired these fake candidates and granted them access to sensitive systems and data, all without triggering alerts. This highlights where traditional security models fall short: when attackers appear to be authorised users, traditional intrusion detection methods often fail.

The lesson is clear: trust can’t be granted once and left unchecked. Identity must be continuously verified, especially for contractors and third parties. Adopting a zero-trust model means applying least-privilege access, monitoring user behaviour, and treating every access request as potentially risky, no matter who it comes from. Attackers are getting better at blending in. Defenders must stop assuming trust and start validating it at every step.

Lesson 4: Speed is now a security imperative

Attackers are moving faster than ever before. According to findings from Unit 42, one in four incidents involved data exfiltration within five hours of initial access, down from 15 hours just four years ago. In nearly 20% of cases, that window shrank to just one hour.

This acceleration is driven by automation and AI, and the scale enabled by their combined use. Ransomware as a service and AI-powered techniques have lowered the barrier to entry for attackers, making it easier to launch high-impact campaigns quickly. For defenders, this means the window to detect and respond is now alarmingly short.

Unfortunately, many security operations centres still rely on manual processes, siloed telemetry, and time-consuming triage. These workflows make it difficult to keep pace with today’s attacks. In 86% of cases, individuals became less concerned about data loss, believing the information was already exposed. Meanwhile, businesses faced prolonged downtime, and by the time alerts were analysed, threat actors had often already escalated demands.

To stay ahead, organisations need to build speed into the DNA of their security operations. That means using AI to spot suspicious behaviour early, automating repetitive tasks, and giving analysts a unified view of threats across their environment. The goal is not to replace people, but to help them move faster. When every minute counts, automation is essential for resilience.

Turning risk into resilience

According to an investigation by our researchers, the most damaging breaches often stem from three systemic issues: too much complexity, too little visibility, and too much trust. These are strategic blind spots for organisations. For ASEAN enterprises navigating rapid digital growth, cybersecurity can no longer be treated as a side project; it must be part of the long game.

In the evolving threat landscape, a proactive, threat-led approach is essential. The path forward involves simplifying operations with automation and unified visibility, accelerating zero-trust adoption, and embedding security from code to cloud.

Looking ahead, the organisations best positioned to thrive will be those that treat security as an intelligence-led discipline. This means using real-world threat insights to guide strategy, test resilience, and respond at speed. For businesses in ASEAN, taking this proactive approach will be critical to sustaining digital trust and resilience as the region’s digital economy continues to expand.