Analysis: AI-Powered Cyberattacks Are Here, But Real Threat Is Still Humans With A Keyboard
CrowdStrike’s Adam Meyers says manual attacks from hackers remain a massive problem for organizations—especially those primarily focused on protecting their endpoints.
We may be well into the era of AI-enhanced cyberattacks at this point, but one thing is clear heading into 2025: You still can’t top a hacker with a keyboard.
And crucially, threat actors are very aware of this fact, according to CrowdStrike’s Adam Meyers.
Manually executed attacks have actually been gaining in popularity lately, said Meyers, senior vice president of counter adversary operations at CrowdStrike, during a discussion with media this week.
“More adversaries are conducting hands-on-keyboard attacks,” he said, referring to attacks that do not rely on malware or another tool.
Instead, in hands-on-keyboard attacks, hackers are interacting directly with a compromised system the old-fashioned way. Who needs automation?
Organizations should take note because the manual approach remains “very difficult for security tools to detect,” Meyers said.
The reason is simple: It's behavioral.
“It’s not malware or [an] exploit,” he said. “It’s literally somebody using Microsoft Edge or PowerShell or Python or a Bash shell to interact with the system.”
Other factors are exacerbating the threat from rising hands-on-keyboard attacks. Paired with the continuing move to cross-domain attacks—cyberattacks that don’t just focus on one type of device or environment—manual hacking tactics become exceedingly tough to counter.
Meyers pointed to methods of Scattered Spider—a group of young hackers blamed for the hugely disruptive 2023 attacks against casino operators MGM and Caesars Entertainment—as a case in point.
Their tactics have included phishing to obtain credentials, leveraging the credentials to compromise cloud environments, establishing a foothold on a cloud-hosted virtual machine and establishing persistence on an endpoint by creating a new user.
In other words, these attackers don’t sit still for long.
And for organizations with a traditional security approach focused on protecting endpoints, that’s a huge risk.
“If you’re only looking at one of those things—if you're only looking at the endpoint—you’re not going to see the identity or the cloud activity,” Meyers said. “And that means that you’re missing an opportunity to stop that threat actor from becoming successful.”
Likewise, “if you’re only focused on identity or cloud, you’re not going to have that comprehensive visibility to understand what’s happening across the entire environment. And threat actors thrive on this.”
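The visibility gap described above, shown as an added example that is not from the article or from CrowdStrike: an endpoint-only view cannot tell two account creations apart, while joining identity, cloud and endpoint events per principal singles out the one that is part of a chain. The event fields, action names, user names and timestamps are constructed assumptions, not a real product schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); field names are assumptions.
EVENTS = [
    {"ts": "2024-11-05T09:02:00", "domain": "identity", "principal": "jdoe",   "action": "signin_new_device"},
    {"ts": "2024-11-05T09:10:00", "domain": "cloud",    "principal": "jdoe",   "action": "vm_created"},
    {"ts": "2024-11-05T09:31:00", "domain": "endpoint", "principal": "jdoe",   "action": "local_user_created"},
    {"ts": "2024-11-05T10:00:00", "domain": "endpoint", "principal": "asmith", "action": "local_user_created"},
    {"ts": "2024-11-05T08:00:00", "domain": "identity", "principal": "blee",   "action": "signin_new_device"},
    {"ts": "2024-11-05T15:30:00", "domain": "cloud",    "principal": "blee",   "action": "vm_created"},
]

def single_domain_view(events, domain):
    """What a tool watching only one domain sees: principals, in event order."""
    return [e["principal"] for e in events if e["domain"] == domain]

def cross_domain_chains(events, window=timedelta(hours=1), min_domains=3):
    """Flag principals whose activity touches min_domains distinct domains
    inside one sliding time window. Returns {principal: [(domain, action), ...]}."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append((datetime.fromisoformat(e["ts"]), e))

    flagged = {}
    for principal, items in by_principal.items():
        items.sort(key=lambda pair: pair[0])
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it fits the time limit.
            while items[end][0] - items[start][0] > window:
                start += 1
            span = [e for _, e in items[start:end + 1]]
            if len({e["domain"] for e in span}) >= min_domains:
                flagged[principal] = [(e["domain"], e["action"]) for e in span]
                break
    return flagged

if __name__ == "__main__":
    print("endpoint-only view:", single_domain_view(EVENTS, "endpoint"))
    for who, chain in cross_domain_chains(EVENTS).items():
        print("cross-domain chain:", who, chain)
```
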