Palo Alto Networks recently published its 2023 Unit 42 Attack Surface Threat Report. The report illuminates some of the riskiest security observations around attack surface management (ASM) and contrasts the dynamic nature of cloud environments with the speed at which threat actors are exploiting new vulnerabilities. It found that cybercriminals are exploiting new vulnerabilities within hours of public disclosure. The findings also show that organisations are finding it difficult to manage their attack surfaces at a speed and scale necessary to combat threat actor automation.
The report highlights that most organisations have an attack surface management problem without knowing it, because they lack full visibility of their IT assets and of who owns them. Among the findings, the report found that one of the biggest culprits of these unknown risks is remote access service exposures, which made up nearly one in five of the issues the report found on the internet. This means defenders need to be vigilant, because every configuration change, new cloud instance or newly disclosed vulnerability begins a new race against attackers.
The notable findings from the report include:
Attackers Move at Machine Speed
- Today’s attackers can scan the entire IPv4 address space for vulnerable targets in minutes.
- Of the 30 Common Vulnerabilities and Exposures (CVEs) analysed, three were exploited within hours of public disclosure and 63% were exploited within 12 weeks of the public disclosure.
- Of the 15 remote code execution (RCE) vulnerabilities analysed by Unit 42, 20% were targeted by ransomware gangs within hours of disclosure, and 40% of the vulnerabilities were exploited within 8 weeks of publication.
Cloud Is the Dominant Attack Surface
- 80% of security exposures are present in cloud environments compared to on-premises at 19%.
- Cloud-based IT infrastructure is always in a state of flux, changing by more than 20% across every industry every month.
- Nearly 50% of high-risk, cloud-hosted exposures each month were a result of the constant change in cloud-hosted new services going online and/or old ones being replaced.
- Over 75% of publicly accessible software development infrastructure exposures were found in the cloud, making them attractive targets for attackers.
Remote Access Exposures Are Widespread
- Over 85% of organisations analysed had Remote Desktop Protocol (RDP) internet-accessible for at least 25% of the month, leaving them open to ransomware attacks or unauthorised login attempts.
- Eight of the nine industries that Unit 42 studied had internet-accessible RDP vulnerable to brute-force attacks for at least 25% of the month.
- The median financial services and state or local government organisations had RDP exposures for the entire month.
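The RDP findings above are expressed as a fraction of the month an organisation was observed with RDP reachable from the internet, and as a median per industry. The following is an added example (not code from the report or from Cortex Xpanse) of how a defender could compute those same two metrics from their own daily external-scan data; the organisation names, sectors and scan records are constructed, and the 30-day window and 25% threshold are assumptions taken from the wording of the findings.

```python
"""Fraction of the month each organisation had RDP reachable from the internet,
computed from daily external-scan observations (constructed sample data)."""
from collections import defaultdict
from statistics import median

MONTH_DAYS = 30          # length of the observation window (assumed)
RDP_PORT = 3389
THRESHOLD = 0.25         # the report's "at least 25% of the month" bar

# Sector of each organisation (hypothetical names and sectors).
SECTOR = {
    "bank-a": "financial", "bank-b": "financial",
    "city-c": "government", "county-d": "government",
    "shop-e": "retail", "shop-f": "retail",
}


def _span(org, first, last, port=RDP_PORT):
    """One scan record per day in [first, last] on which `port` answered."""
    return [(day, org, port) for day in range(first, last + 1)]


# Constructed daily observations: (day_of_month, org, open_port).
SCANS = (
    _span("bank-a", 1, 30)              # exposed all month
    + _span("bank-b", 1, 30)
    + _span("city-c", 1, 30)
    + _span("county-d", 10, 18)         # 9 days
    + _span("shop-e", 1, 3)             # 3 days, below threshold
    + _span("shop-f", 1, 30, port=443)  # only HTTPS seen, no RDP
)


def exposed_days(scans, port=RDP_PORT):
    """Map org -> set of days on which `port` was seen open."""
    days = defaultdict(set)
    for day, org, open_port in scans:
        if open_port == port:
            days[org].add(day)
    return days


def exposure_fraction(scans, orgs, port=RDP_PORT, month_days=MONTH_DAYS):
    """Fraction of the month each org in `orgs` had `port` exposed (0.0 if never seen)."""
    days = exposed_days(scans, port)
    return {org: len(days.get(org, ())) / month_days for org in orgs}


def over_threshold(fractions, threshold=THRESHOLD):
    """Orgs whose exposure fraction meets the threshold, highest fraction first."""
    return sorted((o for o, f in fractions.items() if f >= threshold),
                  key=lambda o: (-fractions[o], o))


def median_by_sector(fractions, sector_of):
    """Median exposure fraction per sector, the statistic the report quotes."""
    by_sector = defaultdict(list)
    for org, f in fractions.items():
        by_sector[sector_of[org]].append(f)
    return {s: median(v) for s, v in by_sector.items()}


if __name__ == "__main__":
    fr = exposure_fraction(SCANS, SECTOR)
    for org in over_threshold(fr):
        print(f"{org:10s} RDP exposed {fr[org]:.0%} of the month")
    for sector, m in sorted(median_by_sector(fr, SECTOR).items()):
        print(f"sector {sector:10s} median exposure {m:.0%}")
```

An organisation that never appears in the RDP scan records still gets a 0.0 entry, so the per-sector median is not biased upwards by silently dropping unexposed assets; in practice the scan records would come from the team's own external scanner rather than the constructed list here.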
Enabling SecOps teams to reduce mean time to respond (MTTR) in a meaningful way requires accurate visibility into all organisational assets and the ability to automatically detect the exposure of those assets. Attack surface management solutions, like Palo Alto Networks' industry-leading Cortex Xpanse, give SecOps teams a complete and accurate understanding of their global internet-facing assets and potential misconfigurations, so they can continuously discover, evaluate and mitigate the risks on an attack surface.
Cortex Xpanse is agentless and automatic, and it routinely discovers assets that IT staff are unaware of and are not monitoring. Each day, it conducts over 500 billion scans of internet-facing assets. This helps organisations actively discover, learn about and, most importantly, respond to unknown risks in all connected systems and exposed services. Cortex Xpanse is one of the only products that not only gives businesses the ability to see their exposures, but also to automatically remediate them. Cortex Xpanse also recently introduced new capabilities to help organisations better prioritise and remediate attack surface risks by utilising real-world intelligence and AI-assisted workflows.
The report has made clear that the legacy technologies powering today’s security operations center (SOC) are no longer working and that customers require a massive reduction in their mean time to respond and remediate. The Cortex portfolio of products, such as XSIAM, incorporates AI and automation to revolutionise security operations and help customers be more agile and secure.
Additional detail on Unit 42’s findings, C-level recommendations and more can be found in the 2023 Unit 42 Attack Surface Threat Report, which can be downloaded from the Palo Alto Networks website. An in-depth article on the report is available on the Unit 42 blog. You can also register for the Attack Surface Threat Report Webinar on October 5 on the Palo Alto Networks website.
Regarding today’s article on what essentially is hacking (Saturday), is it possible to minimize damage by partly reverting to pen, paper and telephone or face-to-face transfer of sensitive material so it does not hit the public realm, a bit like the blank sections of your podcasts? Any comment, Kym?
I assume that already happens. There are plenty of private conversations that are never minuted.
Thanks Kym; that is a heartening scenario to say the least. Ivan
The 2023 Unit 42 Attack Surface Threat Report by Palo Alto Networks is a wake-up call for organizations. It underscores the pressing need for robust attack surface management (ASM) capabilities in an era where threat actors move at machine speed. Cloud environments, which now dominate the attack surface, are in constant flux, making it challenging for defenders. Remote access exposures, such as RDP, are widespread, leaving organizations vulnerable. Palo Alto Networks’ Cortex Xpanse, an agentless solution, offers real-time visibility and automatic risk mitigation, helping organizations adapt to this evolving threat landscape. The report signals a call for modern, AI-driven security solutions like Cortex to combat cyber threats effectively.
This comment sounds more like a commercial, but I’ll let it through.