In the past year, we’ve seen threat actors making bigger moves faster to mount more sophisticated attacks against their targets.
As we helped hundreds of clients assess, respond to and recover from attacks, we collected data about those attacks and compiled it into our 2024 Incident Response (IR) Report.
Here are the data points that tell the story of last year's attacks and the steps defenders can take to protect their organizations.
Attack vectors are the avenues by which attackers penetrate your organization’s defenses. Understanding how attackers get in can show you where to place controls to stop them.
The three most popular initial attack vectors we identified:
Shoring up these weak points is no easy task, and it requires a combination of tools, expertise and routine processes.
Last year, software and API vulnerabilities provided the initial access vectors for 38.6% of attacks we investigated – more than any other vector.
These attacks result from large-scale, automated intrusion campaigns. Often, attacks targeted key parts of the software supply chain, like Apache’s Log4j logging framework and Oracle’s WebLogic server, affecting governments, banks, shipping companies, airlines and others.
The IR Report demonstrates that these types of exploits are not anomalies. Instead, they represent an attack trend. A proactive patch management program is key to addressing known vulnerabilities promptly and anticipating future vulnerabilities based on trends and threat intelligence.
The challenge lies in an uncomfortable truth – vulnerabilities are discovered at a far greater rate than teams’ ability to patch them. Thousands of vulnerabilities are reported each year, and each patch should be tested before being deployed in your environment.
Two of the top five Common Vulnerabilities and Exposures (CVEs) exploited in 2023 were identified years before that (2020 and 2021), which illustrates a significant lag in patching known vulnerabilities.
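The patching lag described above is easiest to reason about when prioritization is explicit. The following is an added example, not code from the Unit 42 report or from any Palo Alto Networks product: a small prioritization routine that ranks constructed vulnerability findings by whether the CVE is known to be exploited in the wild, whether the affected asset is internet-facing, and how long the fix has been available. The CVE identifiers, asset names, dates and the scoring weights are all constructed placeholders, and the "exploited in the wild" flag stands in for whatever threat-intelligence feed a team actually uses.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: placeholder CVE ids and asset names, not real identifiers.
@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str               # placeholder id, e.g. "CVE-0000-0001"
    published: date        # date the advisory (and fix) became public
    exploited_in_wild: bool  # assumed to come from a threat-intel feed
    internet_facing: bool    # assumed to come from attack-surface inventory

def patch_lag_days(finding: Finding, today: date) -> int:
    """Days between public disclosure and today: how long the fix has been waiting."""
    return (today - finding.published).days

def priority_score(finding: Finding, today: date) -> int:
    """Higher is more urgent. Weights are illustrative assumptions, not a standard."""
    score = 0
    if finding.exploited_in_wild:
        score += 100          # active exploitation dominates everything else
    if finding.internet_facing:
        score += 50           # reachable by automated intrusion campaigns
    # One point per month of lag, capped at three years so very old CVEs
    # do not outrank actively exploited, exposed ones.
    score += min(patch_lag_days(finding, today) // 30, 36)
    return score

def prioritize(findings: list[Finding], today: date) -> list[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: priority_score(f, today), reverse=True)

def stale_exploited(findings: list[Finding], today: date, max_age_days: int = 365) -> list[Finding]:
    """Known-exploited CVEs whose fix has been public longer than max_age_days:
    the multi-year lag the report describes, surfaced as an explicit list."""
    return [f for f in findings
            if f.exploited_in_wild and patch_lag_days(f, today) > max_age_days]

# Constructed sample findings used by the usage below.
TODAY = date(2024, 1, 15)
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", date(2021, 12, 10), True, True),
    Finding("db-02",  "CVE-0000-0002", date(2023, 11, 20), False, False),
    Finding("vpn-01", "CVE-0000-0003", date(2020, 10, 1), True, False),
    Finding("app-03", "CVE-0000-0004", date(2024, 1, 2), False, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE, TODAY):
        print(f"{priority_score(f, TODAY):4d}  {f.asset:8s} {f.cve}  "
              f"lag={patch_lag_days(f, TODAY)}d")
    print("stale exploited:", [f.cve for f in stale_exploited(SAMPLE, TODAY)])
```

The cap on the age term is the design choice worth noting: without it, an unexploited, internal, years-old finding would eventually outscore a freshly published CVE that is already being exploited against internet-facing systems, which is the opposite of what the report's data argues for.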
Previously compromised credentials provided the initial access vector in 20.5% of cases we investigated – a 5x rise over the past two years.
Compromised credentials overtook phishing and social engineering as an attack vector, and there is a persistent and active black market for them.
Good hygiene can limit the damage potential of stolen credentials, but controls must go beyond strong passwords and multifactor authentication (MFA).
As cybercriminal tactics evolve, teams must implement more dynamic and responsive security controls and policies. These include regular security audits, real-time threat detection and training programs aimed at credential-threat risk recognition and mitigation.
As attackers act with greater sophistication and subtlety, AI and machine learning are becoming vital to detect attack patterns early and position defenders to respond with precision.
Social engineering and phishing, previously the top attack vectors, accounted for 17% of the attacks we investigated last year.
Our experience shows that social engineering and phishing attacks are increasingly aimed at the IT help desk rather than employees themselves. Attackers will call the target’s help desk and impersonate a real employee, asking for help with resetting their password or with changing the phone number associated with an account.
Defending against human nature is still the hardest task. Often, admins prove just as susceptible to phishing attacks as other team members. That’s because high-performing organizations are built on people helping one another. We go against our own goals and self-interest when we ask people not to trust or help each other.
In 2023, malware was implicated in 56% of all documented security incidents, with ransomware accounting for 33% of these cases.
We found a few noteworthy shifts in the details:
Comprehensive monitoring includes advanced threat detection technologies that analyze behaviors and patterns, integrate endpoint protection, and employ decryption capabilities to identify hidden exploits.
One of the biggest takeaways from our report is the speed at which attacks take place. Data breaches can now occur within days or even hours of an initial compromise.
In 2022, the median time between compromise and exfiltration was nine days. By 2024, it was two days. In almost 45% of cases, attackers exfiltrated data less than a day after compromise. Nearly half the time, organizations must now respond within hours because reacting more slowly means reacting too late.
But, the capabilities of defenders can get a boost from advanced analytics and real-time monitoring. AI and machine learning can help filter out the noise and empower teams to detect and respond with lightning speed.
Gaining visibility across your external and internal attack surfaces is step 1:
The Palo Alto Networks Cortex XDR platform enables you to identify and quantify security vulnerabilities on any endpoint and application. It also evaluates the endpoints and applications impacted by a particular CVE, giving you the information you need to prioritize the most important vulnerabilities.
Mixing weak authentication controls, overprivileged accounts and improperly secured applications and information assets leads to critical breaches. This dangerous combination gives attackers an easy route in, unfettered access to sensitive data and an unobstructed path for data exfiltration or other disruptive impacts.
Zero Trust principles involve implementing stringent authentication protocols, such as MFA and single sign-on (SSO), and applying network segmentation to prevent unauthorized lateral movements within the network.
Manual processes become less effective by the day. Many teams are still stuck in the mode of managing alerts because they do not have intelligent tools at their disposal.
Extended detection and response (XDR) with extended security intelligence and automation management provides a unified platform that captures and contextualizes security telemetry from endpoints, networks and cloud environments. These tools harness the power of AI, machine learning and analytics to act as a force multiplier for the SOC analyst.
With our new security co-pilots, you can reduce SOC complexity by receiving instant solutions to complex problems and actionable insights that guide you through recommendations step by step.
There is no one solution. Almost any security control can be overcome by a sufficiently motivated, skilled and resourced attacker. However, a perfectly executed intrusion is just as rare as a perfect defense.
A Unit 42 Retainer can give you the expertise and backup you need. Through Attack Surface and SOC Assessments, the Unit 42 team can assess and test your current playbooks and processes to create a roadmap for SOC excellence that empowers your business to thrive. Our Zero Trust Advisory Services will help you create and execute a roadmap for your Zero Trust journey.
Practice makes perfect. We’ll help your team prepare through exercises and simulations that keep them sharp. Why defend your organization alone? See how Unit 42 and the AI-powered Cortex security suite can help your team cultivate security excellence.