Intelligent CISO Issue 91 | Page 38

feature

activity and delivers detection and response at machine speed.
Please can you share any examples of how adversaries have engaged in cross-domain attacks?
One case in the 2025 Threat Hunting Report highlights the eCrime group BLOCKADE SPIDER. They gained access through a VPN, conducted reconnaissance and privilege escalation, then pivoted to the endpoint to disrupt the Falcon sensor. When that failed, they moved laterally across identities and cloud environments to dump credentials and add compromised accounts to new Active Directory groups.
CrowdStrike OverWatch tracked this using Falcon Next-Gen Identity Security, correlating IAM logs through Falcon Next-Gen SIEM. This enabled constant monitoring and alerts as the adversary shifted across unmanaged on-premises systems and cloud environments. Despite BLOCKADE SPIDER embedding deeply, the Falcon Platform provided the unified visibility needed to disrupt and shut down their access.

Cross-domain attack techniques to watch
• Credential theft: adversaries stealing legitimate login details to bypass defences and access cloud services.
• Lateral movement: pivoting from one compromised endpoint or identity to others across domains.
• Cloud control manipulation: attackers changing or disabling policies and configurations to maintain persistence.
• Data exfiltration: adversaries blending with normal traffic to steal sensitive enterprise information undetected.
• Ransomware deployment: embedding into identities and systems before encrypting data to demand payment.
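As an added example (not from the article, and not CrowdStrike's or Falcon's own detection logic), the script below shows the kind of cross-domain correlation the answer describes. Constructed log events from four sources (VPN, endpoint, Active Directory, cloud IAM) are tied back to one actor; an account that the actor adds to an AD group is folded into that actor's chain so the detection survives the identity pivot; and the chain is flagged once it spans three or more source domains inside a two-hour window. The event field names, source labels, thresholds and every sample line are invented for illustration.

```python
"""Cross-domain identity correlation over constructed log events.

Added example: modelled on the VPN -> endpoint -> identity -> cloud chain
described in the article. Field names, sources and sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (key=value lines). One actor, jdoe, walks the chain:
# VPN login, sensor tampering, credential dump, AD group add of svc-backup,
# then svc-backup changes cloud IAM policy. asmith is benign background noise.
LOG_LINES = [
    'ts=2025-06-01T08:02:10 src=vpn event=vpn_login user=jdoe ip=203.0.113.5',
    'ts=2025-06-01T08:15:42 src=endpoint event=sensor_tamper user=jdoe host=ws-117 result=blocked',
    'ts=2025-06-01T08:31:07 src=endpoint event=credential_dump user=jdoe host=ws-117 tool=lsass_read',
    'ts=2025-06-01T08:47:55 src=identity event=ad_group_add user=jdoe target=svc-backup group="Domain Admins"',
    'ts=2025-06-01T09:05:19 src=cloud event=iam_policy_change user=svc-backup action=DisableMFA',
    'ts=2025-06-01T09:10:00 src=vpn event=vpn_login user=asmith ip=198.51.100.9',
    'ts=2025-06-01T09:40:00 src=cloud event=console_login user=asmith action=ReadOnly',
]

# key=value tokens; values may be double-quoted to allow spaces (e.g. group names)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed key=value log line into a dict with a datetime 'ts'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def correlate(lines, window=timedelta(hours=2), min_domains=3):
    """Return {actor: finding} for actors whose activity spans >= min_domains
    distinct sources within `window`. Accounts granted privilege by an actor
    (via ad_group_add) are attributed to that actor's chain."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])

    alias = {}                  # compromised account -> actor that granted it privilege
    chains = defaultdict(list)  # actor -> chronologically ordered events
    for e in events:
        actor = alias.get(e["user"], e["user"])
        chains[actor].append(e)
        if e["event"] == "ad_group_add":
            # Follow the pivot: later activity by the target counts as this actor's
            alias[e["target"]] = actor

    findings = {}
    for actor, evs in chains.items():
        # Sliding window anchored on each event; report the first qualifying span
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            domains = {x["src"] for x in in_window}
            if len(domains) >= min_domains:
                findings[actor] = {
                    "domains": sorted(domains),
                    "stages": [x["event"] for x in in_window],
                    "accounts": sorted({x["user"] for x in in_window}),
                    "start": first["ts"].isoformat(),
                }
                break
    return findings


if __name__ == "__main__":
    for actor, f in correlate(LOG_LINES).items():
        print(f"{actor}: {len(f['domains'])} domains {f['domains']} via {f['accounts']}")
        print("  stages:", " -> ".join(f["stages"]))
```

The aliasing step is the part that matters: without it, jdoe's chain stops at the AD group change and svc-backup's cloud activity looks like a fresh, low-severity event from a different identity. The three-domain and two-hour thresholds are arbitrary assumptions for the sample data; on real SIEM output they would need tuning against normal admin behaviour (a VPN login followed by a cloud console login, as with asmith above, is deliberately left below the bar).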
What role do SIEM and XDR capabilities play in helping protect against these types of attacks?
Adversaries increasingly use hands-on-keyboard techniques and legitimate tools to blend in with normal operations, evading traditional defences. Unlike malware-driven intrusions caught with
38 | www.intelligentciso.com