Palo Alto Networks Inc.

11/05/2024 | News release | Distributed by Public on 11/05/2024 08:17

Top Three Ways Organizations Were Unprepared for Cyberattacks in 2023

With attackers moving at greater speed and scale than ever before, the fundamentals of cybersecurity have become even more important. Unit 42 has gathered data from hundreds of incidents across the globe to identify the soft spots in security postures that made cyberattacks in 2023 more risky and painful than they needed to be.

Effective patch and vulnerability management, complete visibility and comprehensive identity management practices often feel out of reach. Our 2024 Incident Response report reveals the need for defenders to prioritize these security fundamentals more than ever.

Ineffective Patch and Vulnerability Management

Software and API vulnerabilities are a prime target for bad actors. According to the Unit 42 Incident Response Report, 38% of breaches exploited these flaws last year, displacing phishing and social engineering, which had been the top initial access vector for the previous two years.

Vulnerabilities in software, like the MOVEit file transfer service, allowed attackers to mount large-scale intrusion campaigns. We found that over 85% of organizations had Remote Desktop Protocol (RDP) exposed to the internet for at least 25% of a month, significantly increasing the risk of a ransomware attack.

Organizations must get their arms around their internet-facing attack surface, which is more easily said than done.

  • Zero-day vulnerabilities kick off a race between the threat actors and the defenders (including developers, vendors and customers) to exploit or remediate the impacted systems. Unfortunately, attackers have speed on their side. Defenders must wait for developers to release a patch, then test that patch before applying it to live systems, making sure the patch won't break anything mission-critical.
  • Vulnerabilities are discovered at a far greater rate than even the most efficient team's ability to patch them. According to NIST, over 28,000 vulnerabilities were reported in 2023. When a major vulnerability is announced, attackers can scan the entire internet for exposed instances and exploit them within hours. Meanwhile, it takes enterprises an average of three weeks to fix them.
  • Missing patches aren't the only weaknesses affording attackers an entry point. Insecure configurations in cloud services, infrastructure and other resources can provide a foothold. They can't be patched in the conventional sense, but they deserve equal priority.

While vulnerabilities themselves are inevitable, your organization's response is not. Establishing a system for vulnerability awareness and remediation is critical for good security hygiene. This system starts with a complete and maintained inventory of assets, coupled with ongoing monitoring of CVE databases.

However, discovering all the vulnerabilities in your purview isn't enough. Teams need processes and tools that allow them to score and prioritize the vulnerabilities that present the most risk. Other controls that hinder attackers, like segmenting systems and subnets, can make some vulnerabilities less critical by imposing speed bumps and dead ends on attackers' progress.
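The following is an added example, not code from Palo Alto Networks or Unit 42, showing what "score and prioritize" can look like once the asset inventory and CVE feed exist. It joins a constructed inventory against constructed CVE records (the CVE-0000-* identifiers, product names, host names and weights are all placeholders) and ranks each affected asset by base CVSS adjusted for internet exposure, known exploitation, data sensitivity and the segmentation controls the paragraph mentions as speed bumps.

```python
"""Risk-based prioritization over a constructed asset inventory and CVE feed.

Added example; not Palo Alto Networks or Unit 42 code. Asset names, product
names, the CVE-0000-* placeholder identifiers and the scoring weights are all
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    internet_facing: bool           # reachable from the internet (e.g. exposed RDP)
    segmented: bool                 # in a restricted subnet with filtered ingress/egress
    privileged_data: bool           # holds credentials, PII or other sensitive data
    software: dict = field(default_factory=dict)   # product -> installed version


@dataclass
class Cve:
    cve_id: str
    product: str
    fixed_version: str              # first version containing the fix
    cvss: float
    known_exploited: bool           # seen exploited in the wild (e.g. a KEV listing)


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def affected(asset, cve):
    """True when the asset runs the product at a version older than the fix."""
    installed = asset.software.get(cve.product)
    return installed is not None and version_tuple(installed) < version_tuple(cve.fixed_version)


def risk_score(asset, cve):
    """Base CVSS adjusted for exposure and compensating controls (weights are assumptions)."""
    score = cve.cvss
    if cve.known_exploited:
        score += 3.0   # active exploitation outranks theoretical severity
    if asset.internet_facing:
        score += 2.0   # mass scanning finds it within hours of disclosure
    if asset.privileged_data:
        score += 1.0
    if asset.segmented:
        score -= 2.0   # segmentation imposes speed bumps on lateral movement
    return round(max(score, 0.0), 1)


def prioritize(assets, cves):
    """Return (score, asset, cve_id) for every affected pair, highest risk first."""
    findings = [(risk_score(a, c), a.name, c.cve_id)
                for a in assets for c in cves if affected(a, c)]
    return sorted(findings, reverse=True)


# Constructed inventory and CVE feed.
ASSETS = [
    Asset("transfer-srv-01", internet_facing=True, segmented=False, privileged_data=True,
          software={"transfer-app": "2.0.1", "ssh-daemon": "9.0"}),
    Asset("build-agent-07", internet_facing=False, segmented=True, privileged_data=False,
          software={"transfer-app": "2.0.1"}),
    Asset("hr-db-02", internet_facing=False, segmented=True, privileged_data=True,
          software={"db-engine": "11.2"}),
]
CVES = [
    Cve("CVE-0000-0001", "transfer-app", "2.0.2", cvss=9.8, known_exploited=True),
    Cve("CVE-0000-0002", "db-engine", "11.3", cvss=7.5, known_exploited=False),
    Cve("CVE-0000-0003", "ssh-daemon", "9.1", cvss=5.3, known_exploited=False),
]

if __name__ == "__main__":
    for score, asset, cve_id in prioritize(ASSETS, CVES):
        print(f"{score:5.1f}  {asset:16}  {cve_id}")
```

The point of the ranking is that the same CVE on the internet-facing transfer server outranks it on the segmented build agent, and a medium-severity flaw on an exposed host can outrank a higher-CVSS flaw behind segmentation. In practice the weights would be tuned to the organization and the known-exploited flag fed from a curated catalog rather than hard-coded.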

Gaps in Monitoring and Coverage

Organizations with partial or incomplete deployment of security controls allowed attackers to operate from parts of the network that weren't defended. Imagine a fortified castle with shadowy corners that are never patrolled; that's the risk of partial security control deployment.

The modern IT landscape is only growing in complexity. Organizations juggle a mix of on-premises infrastructure, cloud deployments, hybrid environments and even multicloud architectures. This diversity makes consistent eXtended detection and response (XDR) deployment across all endpoints a challenge. This challenge is compounded by the sheer variety of devices (desktops, laptops, mobile devices and even IoT products) connecting to the network.

This complexity is further amplified in bring-your-own-device (BYOD) situations, where endpoints regularly move inside and outside the corporate network. Additionally, integrating XDR tools with existing security infrastructure (e.g., firewalls, security information and event management (SIEM) systems, and other endpoint solutions) can be difficult, creating gaps in overall coverage. Achieving full coverage often requires a complex tool stack, leading to increased costs, redundancy and a greater maintenance burden.

Fortunately, organizations can consolidate tools into unified security platforms, like extended security intelligence and automation management (XSIAM) solutions. These platforms offer a centralized view of security events across the entire network, simplifying management and reducing tool sprawl.

Leveraging strong relationships with those who can help you defend is vital to success. These partners can identify coverage gaps through tailor-made strategies and services, like vulnerability scanning, to ensure comprehensive security coverage across the entire IT environment. By adopting these strategies, organizations can move from a partially secured castle to a fully fortified stronghold.

Overprivileged Identity and Access Management

Credential theft is still rising, accounting for 20% of attacks last year, which is up 4% from 2021 and 13% from 2022. With privileged credentials in hand, attackers can penetrate systems, move laterally and escalate privileges to reach more sensitive assets.

Identity is a fundamental of strong security - knowing who's doing what, and whether they should be doing it.

Fortifying defenses against credential-based attacks goes beyond implementing multifactor authentication (MFA) and other table-stakes controls. Teams must cultivate the ability to stitch together data points from disparate sources, painting a bigger picture of behavior that may indicate an attack pattern. As it stands, security teams commonly struggle with the sheer volume of data generated by their tools, and they lack the capacity to analyze audit logs and maintain correlation rules.

In hindsight, forensics following a breach may make these patterns look obvious; in real time, they are not.

A tension between security and productivity prevents security teams from effectively leveraging this data. Personnel are commonly granted excessive privileges for the sake of convenience and productivity. However, they don't always have the security training needed to safeguard those privileges, which creates low-hanging fruit for attackers.

To effectively combat these challenges, organizations can deploy a streamlined detection strategy focused on identifying unusual activity within their systems:

  • Unusual Tool Usage: Monitor the environment for unfamiliar tools or unexpected versions of familiar tools. Investigate when personnel outside of IT are suddenly using remote access tools.
  • Account Management: Establish and audit protocols for account creation and implement alerts for new accounts that deviate from established naming conventions. Scrutinize the reactivation of disabled privileged accounts and mandate escalation procedures, like live verification when needed.
  • Virtual Desktop Monitoring: Monitor the behavior of virtual desktop systems to detect abnormal process trees or unusual storage usage patterns, which could be indicative of attempts to stage data exfiltration.
  • Scrutinize Outbound Traffic: Look for network connections that resemble encrypted tunnels, particularly those originating from new or unmanaged systems, and for uploads to familiar file-hosting providers, which attackers commonly use to stage exfiltration.
  • MFA and Beyond: Enable MFA wherever possible and train employees to reject unsolicited MFA requests. Implement an extra layer of verification for changes to high-privilege accounts.
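As an added example (not Palo Alto Networks or Unit 42 code), the detections below implement the tool-usage, account-management and privileged-change checks from the list above over a constructed JSON-lines audit trail. The event schema, the user directory, the remote access tool list and the first.last / svc-<name> naming convention are all assumptions for the example, not any product's real format.

```python
"""Identity-focused detections over constructed JSON-lines audit events.

Added example; not Palo Alto Networks or Unit 42 code. The event schema,
user directory, tool list and naming convention are assumptions for the
example, not a product's format.
"""
import json
import re

# Assumed convention: people are first.last, service accounts are svc-<name>.
NAMING_CONVENTION = re.compile(r"^(?:[a-z]{2,}\.[a-z]{2,}|svc-[a-z0-9]{3,})$")

# Executable names of common remote access tools (assumed list).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.exe", "ngrok.exe"}

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}

# Constructed user directory: department, privilege level and enabled state.
DIRECTORY = {
    "ana.ruiz": {"dept": "it", "privileged": True, "enabled": True},
    "li.wei": {"dept": "finance", "privileged": False, "enabled": True},
    "svc-legacyadm": {"dept": "it", "privileged": True, "enabled": False},
}

# Constructed audit trail, one JSON object per line.
EVENTS_JSONL = """\
{"ts": "2023-09-04T08:02:11Z", "event": "process_start", "user": "li.wei", "host": "FIN-LT-07", "image": "AnyDesk.exe"}
{"ts": "2023-09-04T08:05:40Z", "event": "process_start", "user": "ana.ruiz", "host": "IT-WS-02", "image": "AnyDesk.exe"}
{"ts": "2023-09-04T08:31:02Z", "event": "account_created", "user": "ana.ruiz", "target": "maria.santos"}
{"ts": "2023-09-04T08:33:19Z", "event": "account_created", "user": "ana.ruiz", "target": "sqladmin2"}
{"ts": "2023-09-04T08:34:05Z", "event": "account_enabled", "user": "ana.ruiz", "target": "svc-legacyadm"}
{"ts": "2023-09-04T08:35:50Z", "event": "group_member_added", "user": "ana.ruiz", "target": "sqladmin2", "group": "Domain Admins"}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, directory):
    """Return alerts as (rule, subject, actor) tuples; state tracks disabled accounts."""
    alerts = []
    disabled = {u for u, p in directory.items() if not p["enabled"]}
    for e in events:
        kind, actor = e["event"], e.get("user")
        profile = directory.get(actor, {"dept": "unknown", "privileged": False})
        if kind == "process_start":
            # Remote access tools are routine for IT staff; anywhere else they need a look.
            if e["image"].lower() in REMOTE_ACCESS_TOOLS and profile["dept"] != "it":
                alerts.append(("remote_tool_outside_it", e["image"], actor))
        elif kind == "account_created":
            if not NAMING_CONVENTION.match(e["target"]):
                alerts.append(("nonstandard_account_name", e["target"], actor))
        elif kind == "account_disabled":
            disabled.add(e["target"])
        elif kind == "account_enabled":
            target = directory.get(e["target"], {"privileged": False})
            if e["target"] in disabled and target["privileged"]:
                alerts.append(("privileged_account_reactivated", e["target"], actor))
            disabled.discard(e["target"])
        elif kind == "group_member_added" and e["group"] in PRIVILEGED_GROUPS:
            # Change to a high-privilege group: route for out-of-band (live) verification.
            alerts.append(("privileged_group_change", e["target"], actor))
    return alerts


if __name__ == "__main__":
    for rule, subject, actor in detect(parse_events(EVENTS_JSONL), DIRECTORY):
        print(f"{rule:32} subject={subject:16} actor={actor}")
```

Two design points carry over to a real deployment: the reactivation rule is stateful (it needs to know which privileged accounts were disabled before the log window starts, which is why the directory seeds that set), and the privileged-group rule fires on every change by design so that a human verification step, not the detection, decides whether the change was legitimate.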

Organizations can significantly bolster their defenses against credential theft and social engineering attacks by implementing vigilant detection strategies, strong authentication protocols and robust identity and access management (IAM) practices.

Get the Right Tools for the Job

Palo Alto Networks offerings can empower your organization to address key security challenges and bad security hygiene:

Patch and Vulnerability Management:

  • The Cortex Xpanse and Cortex XDR-integrated solution goes beyond traditional vulnerability management. Cortex Xpanse actively discovers and eliminates risks across all internet-connected systems and services, including unmanaged IT infrastructure. It leverages machine learning models to map your attack surface, prioritize remediation efforts and automatically resolve vulnerabilities through built-in playbooks, reducing both your attack surface and the burden on your IT team.
  • The Unit 42 Attack Surface Assessment helps you gain comprehensive visibility into your internet-connected assets and provides prioritized recommendations to strengthen your organization's defenses.

Consistent Security Coverage:

  • Cortex XDR extends your reach beyond traditional endpoints by incorporating additional security data from diverse sources, including network traffic, cloud environments and other endpoints. This holistic approach leads to a more streamlined and effective method for threat detection and response.
  • With the Unit 42 SOC Assessment, you can take your security operations center (SOC) to the next level. We'll help you gain the insights to refine your playbooks and processes, creating a roadmap to SOC excellence.

Identity and Access Management:

  • Leverage the power of AI to enhance your incident response capabilities with Cortex XSIAM. Out of the box AI models help you uncover the complete picture of an incident, enabling teams to rapidly detect and respond to suspicious behavior with greater precision. These models continuously learn and adapt, further reducing manual effort and accelerating remediation times.
  • Implement a robust Zero Trust security model with the help of Unit 42 Zero Trust consulting. Their expertise encompasses defining your security perimeter, mapping transaction flows, architecting a Zero Trust network and policies, and ensuring ongoing monitoring and maintenance.

Attackers are moving with greater speed, scale and sophistication than ever. Modern tools can only help you so much without progressive security mindsets and frameworks that are built and maintained to guard you against today's attacks. A Unit 42 Retainer gives your team access to the elite backup they need to stay vigilant and work smarter.

To get a full picture of what our incident response team has observed while responding to real attacks on organizations last year, access the Unit 42 Incident Response Report.