Attackers bypass defenses via direct-to-IP communication

📊 Analytics, 2026-06-11, 09:44
Palo Alto Networks has published a report on how threat actors circumvent traditional network perimeter controls. Its key finding is that malicious activity is increasingly conducted over direct IP address connections rather than hostnames, which reduces the effectiveness of DNS- and URL-based filtering. The full report is available from Palo Alto Networks; here are the key points:
🔷 About 23% of malicious connections use direct-to-IP communication, leaving DNS- and URL-based controls with no hostname to evaluate. Of these, 37% route through trusted CDNs and cloud infrastructure, which makes inspection and attribution much harder: those IP ranges are shared with legitimate services, so blocking an IP can disrupt normal operations.
🔷 52% of the IP addresses used for such connections are absent from public threat-intelligence feeds, and the average lag between malicious activity being detected and the associated IPs appearing in open-source intelligence was 20 days.
The problem is compounded by attackers' use of AI services to spin up large numbers of short-lived IP addresses, while the deployment of AI agents in corporate environments widens the attack surface. Even with the most comprehensive threat data, a perimeter firewall's blocklist can cover only a small fraction of the millions of malicious IPs active at any given time.
The researchers conclude that risk assessment can no longer rely on static threat data. Against fast-evolving, AI-driven attacks, protection must shift to continuous, real-time behavioral validation of every connection, judged on its context and intent rather than on the IP address and its past reputation alone.
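One way to surface the pattern the report describes, as an added example that is not code from Palo Alto Networks or from the report itself: correlate resolver logs with egress connection logs and flag connections whose destination was never resolved by name and that carry no hostname in the TLS SNI. The check also notes whether the destination sits in a shared provider range (where an IP block would collateral-damage legitimate traffic) and whether a threat-intel feed would have known about it. The log formats, CIDR ranges, feed contents and function names such as `classify` are all constructed for this illustration.

```python
"""Detect direct-to-IP egress by correlating DNS answers with connection logs.

Added example (not from the Palo Alto Networks report). All log lines,
CIDR ranges and the threat-intel feed below are constructed for illustration.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed DNS resolver log: (timestamp, client, qname, answer_ip)
DNS_LOG = [
    ("2026-06-11T09:40:01", "10.0.0.5", "cdn.example.net", "203.0.113.10"),
    ("2026-06-11T09:40:05", "10.0.0.5", "updates.example.com", "198.51.100.20"),
]

# Constructed egress log: (timestamp, client, dst_ip, dst_port, sni)
# sni is the TLS ClientHello server_name; "" means none was sent.
CONN_LOG = [
    ("2026-06-11T09:40:02", "10.0.0.5", "203.0.113.10", 443, "cdn.example.net"),
    ("2026-06-11T09:40:06", "10.0.0.5", "198.51.100.20", 443, "updates.example.com"),
    # Direct-to-IP: no DNS lookup preceded it and no hostname in SNI.
    ("2026-06-11T09:41:30", "10.0.0.5", "192.0.2.77", 443, ""),
    # Direct-to-IP into a shared provider range: blocking the IP would hit legit traffic.
    ("2026-06-11T09:42:10", "10.0.0.5", "203.0.113.99", 443, ""),
]

# Constructed "trusted provider" ranges (stand-ins for real CDN/cloud prefixes).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed threat-intel feed; it knows only one of the two suspicious IPs.
TI_FEED = {"192.0.2.77"}

DNS_WINDOW = timedelta(minutes=5)


def _ts(s):
    return datetime.fromisoformat(s)


def _looks_like_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def resolved_before(client, dst_ip, when, dns_log=DNS_LOG, window=DNS_WINDOW):
    """True if this client received dst_ip as a DNS answer within `window` before `when`."""
    for t, c, _qname, answer in dns_log:
        if c == client and answer == dst_ip and when - window <= _ts(t) <= when:
            return True
    return False


def classify(conn, dns_log=DNS_LOG, trusted=TRUSTED_RANGES, ti_feed=TI_FEED):
    """Classify one egress connection.

    direct_to_ip: no hostname in SNI (empty or an IP literal) and no matching
                  DNS answer seen for this client in the window.
    shared_infra: destination lies in a trusted CDN/cloud prefix.
    in_ti_feed:   destination is listed in the (constructed) TI feed.
    verdict:      'allow', 'alert', or 'alert-shared-range'.
    A hostname in SNI with no resolver log entry is a different signal
    (resolution outside the logged resolver) and is not flagged here.
    """
    t, client, dst_ip, _port, sni = conn
    addr = ipaddress.ip_address(dst_ip)
    sni_is_hostname = bool(sni) and not _looks_like_ip(sni)
    direct = not sni_is_hostname and not resolved_before(client, dst_ip, _ts(t), dns_log)
    shared = any(addr in net for net in trusted)
    known_bad = dst_ip in ti_feed
    if not direct:
        verdict = "allow"
    elif shared:
        # Act on the connection, not the IP: the prefix is shared with legitimate services.
        verdict = "alert-shared-range"
    else:
        verdict = "alert"
    return {"dst_ip": dst_ip, "direct_to_ip": direct, "shared_infra": shared,
            "in_ti_feed": known_bad, "verdict": verdict}


def run(conn_log=CONN_LOG):
    return [classify(c) for c in conn_log]


if __name__ == "__main__":
    for r in run():
        print(r)
```

The last connection is the case the report's numbers point at: the IP is not in the feed, so a reputation lookup would pass it, and it sits in a shared prefix, so a blanket IP block would be the wrong response; only the per-connection behavioral check (no name resolution, no SNI) raises it.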