The third consecutive installment of Cymulate’s annual report summarizes and analyzes the findings from all our customers’ security assessments in 2022, shedding light on the effectiveness of security programs.
The Cymulate Cybersecurity Effectiveness report is unique as it outlines security gaps and events that were NOT detected by security controls. Moreover, it also covers the attack surface exposures, vulnerabilities, and attack paths – all in one study. Throughout the year, Cymulate customers performed the equivalent of over 197 years of offensive cybersecurity testing within their production environments. The review of the anonymized aggregated data provides visibility into the state of overall cybersecurity resilience across the globe, company sizes, and industry sectors. It shows where gaps are, and where businesses struggle, as well as comprehensive insights into the most significant cybersecurity threats, vulnerabilities, and trends of the year.
Cybersecurity Effectiveness Report Key Findings
- Known and cataloged industry-wide security issues remain unaddressed:
For example, 40% of organizations have vulnerabilities that have had available patches for more than two years. Despite being well documented, vulnerabilities such as unpatched CVEs and inadequately configured Identity and Access Management (IAM) and Privileged Access Management (PAM) continue to pose a significant risk to organizations.
- Headlines dictate remediation prioritization:
Organizations tend to prioritize immediate threats based on media coverage rather than actual risk level, leading to a misallocation of resources and a lack of focus on more pressing but less widely covered threats.
- The effectiveness of data protection measures is declining:
The average data exfiltration risk score worsened considerably in 2022, with cloud service-related assessments scoring a dangerous 70 on average, followed by network protocols with a medium-risk score of 43.
- 92% of the top 10 exposures are related to domain and email security:
The vast majority of detected exposures fall into two main topics: domain security (59.3%) and email security (32.8%). This highlights the importance of tightening domain and email security to reduce the attack surface.
- Breach and Attack Simulation has a significant positive impact on cyber resiliency:
The report highlights the importance of running continuous assessments and investing in remediation efforts where their impact is optimized. Implementing the recommended mitigation guidance lowered EDR risk scores from high to low in less than a year.
Security Controls Efficacy – DLP Scores the lowest
Successful attack simulation rates for data and application protection show that these are still areas of concern for organizations. As far as Data Leakage Prevention (DLP) is concerned, heavily used exfiltration methods (such as exfiltration of text via email and uploads to cloud systems that cannot be blocked outright, such as AWS S3) remain a challenge.
Common reasons for this phenomenon include:
- Reliance on access to certain cloud storage platforms for the proper functioning of business operations, notably AWS S3 and Azure Websites.
- The complexity of Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) solution sets, and the expense of implementing them.
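Because S3 cannot simply be blocked when the business depends on it, a practical DLP control is to distinguish uploads to the buckets the organization actually uses from uploads to anything else. The following is an added example, not code from the report or from Cymulate: it parses constructed web-proxy log lines, recognizes both virtual-hosted-style and path-style S3 request hosts, and totals upload bytes per client for buckets outside a hypothetical allow-list (`APPROVED_BUCKETS`, the bucket names and IP addresses are all made up).

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log (not from the report). Space-separated fields:
# timestamp client method host path bytes_sent
SAMPLE_PROXY_LOG = """\
2022-11-03T09:12:44Z 10.20.1.15 PUT corp-invoices-prod.s3.amazonaws.com /2022/11/inv-1182.pdf 184320
2022-11-03T09:13:02Z 10.20.1.15 GET corp-invoices-prod.s3.amazonaws.com /2022/11/inv-1181.pdf 0
2022-11-03T09:40:19Z 10.20.3.77 PUT s3.amazonaws.com /random-bucket-8813/export.csv 5242880
2022-11-03T09:41:05Z 10.20.3.77 PUT random-bucket-8813.s3.eu-west-1.amazonaws.com /export2.csv 7340032
2022-11-03T10:02:51Z 10.20.1.15 POST corp-invoices-prod.s3.amazonaws.com /2022/11/ 2048
2022-11-03T10:15:00Z 10.20.5.9 PUT www.example.org /upload 1024
"""

# Hypothetical allow-list of buckets the business legitimately depends on.
APPROVED_BUCKETS = {"corp-invoices-prod", "corp-backups"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# Virtual-hosted style: <bucket>.s3[.<region> | -<region>].amazonaws.com
VHOST_RE = re.compile(r"^([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Path style: s3[.<region> | -<region>].amazonaws.com/<bucket>/<key>
PATH_HOST_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

UPLOAD_METHODS = {"PUT", "POST"}


@dataclass
class Upload:
    ts: str
    client: str
    bucket: str
    nbytes: int


def s3_bucket(host, path):
    """Return the S3 bucket name addressed by this request, or None if it is not S3."""
    m = VHOST_RE.match(host)
    if m:
        return m.group(1)
    if PATH_HOST_RE.match(host):
        first = path.lstrip("/").split("/", 1)[0]
        return first or None
    return None


def parse_uploads(log_text):
    """Extract S3 upload (PUT/POST) events from proxy log text."""
    uploads = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        ts, client, method, host, path, nbytes = m.groups()
        if method not in UPLOAD_METHODS:
            continue
        bucket = s3_bucket(host.lower(), path)
        if bucket is None:
            continue
        uploads.append(Upload(ts, client, bucket, int(nbytes)))
    return uploads


def flag_unapproved(uploads, approved=APPROVED_BUCKETS):
    """Per-client byte totals for uploads to buckets outside the allow-list."""
    totals = {}
    for u in uploads:
        if u.bucket in approved:
            continue
        totals[u.client] = totals.get(u.client, 0) + u.nbytes
    return totals


if __name__ == "__main__":
    for client, total in flag_unapproved(parse_uploads(SAMPLE_PROXY_LOG)).items():
        print(f"{client}: {total} bytes uploaded to non-approved S3 buckets")
```

On the constructed log, the two uploads from 10.20.3.77 to `random-bucket-8813` (one path-style, one virtual-hosted) are aggregated, while the approved invoice bucket traffic is ignored. Thresholding the per-client total, rather than alerting on every PUT, is what keeps this usable alongside a business that lives on S3.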
Data exfiltration concerns are being addressed in one notable area: email restrictions. While the increased use of email encryption has posed challenges, more organizations are taking advantage of native and third-party tools to restrict what data can be sent out of the organization via email.
However, many of the issues are related to Business Email Compromise (BEC) attacks, usually launched through:
- CEO Fraud: Impersonating a company’s CEO or executive and sending an email requesting a transfer of funds to an employee authorized to make payments.
- Account Compromise: Usurping an employee’s email account and sending requests for payments to vendors.
- False Invoice Scheme: Impersonating a supplier and asking for payment.
- Attorney Impersonation: Impersonating a lawyer to obtain protected information.
- PII misappropriation: Impersonating relevant employees from relevant departments to obtain access to protected data. These can even be two-tiered attacks, such as targeting HR employees to obtain personal or sensitive information about people in the company, information that can then be used in spear phishing.
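Every BEC variant listed above shares the same shape: a trusted identity is borrowed and a payment or data request follows. That is something a mail gateway can score for. The example below is added here and is not code from the report or from Cymulate; it uses only the Python standard library to parse constructed messages and raises three defensive indicators: an executive's display name paired with a sender address that is not the one in the (hypothetical) directory, a Reply-To domain that differs from the From domain, and payment-related language. All names, domains and addresses are made up.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory: executive display name -> the only address they send from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_WORDS = ("wire", "transfer", "invoice", "payment", "bank")

# Constructed sample messages (not from the report).
LOOKALIKE_CEO = """\
From: Jane Doe <jane.doe@exarnple-mail.net>
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached invoice today, I am in a meeting.
"""

GENUINE_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch

Are we still on for noon?
"""

REPLYTO_SWAP = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@freemail-example.org
To: accounts@example.com
Subject: Vendor payment update

Please update the bank details for our supplier before the next payment run.
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw, executives=EXECUTIVES):
    """Return the list of BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    indicators = []

    # 1. CEO fraud pattern: known executive name, but not their directory address.
    key = name.strip().lower()
    if key in executives and addr.lower() != executives[key].lower():
        indicators.append("display-name impersonation")

    # 2. Account-compromise / reply hijack pattern: replies are steered elsewhere.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        indicators.append("reply-to domain mismatch")

    # 3. Request content: payment or invoice wording in subject or body.
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if any(word in text for word in PAYMENT_WORDS):
        indicators.append("payment language")

    return indicators


def triage(raw):
    """Map indicators to a verdict: identity trick plus money talk is the BEC signature."""
    ind = bec_indicators(raw)
    identity = any(i in ("display-name impersonation", "reply-to domain mismatch") for i in ind)
    if identity and "payment language" in ind:
        return "high"
    if identity:
        return "medium"
    if ind:
        return "low"
    return "none"


if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE_CEO), ("genuine", GENUINE_INTERNAL),
                       ("reply-to swap", REPLYTO_SWAP)):
        print(f"{label}: {triage(raw)} {bec_indicators(raw)}")
```

The verdict deliberately requires both an identity anomaly and payment language before it goes high: an executive mailing from a personal address about lunch is worth a look, not a block, while a payment request whose replies are routed to an unrelated domain is exactly the false-invoice and account-compromise pattern described above.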
Common characteristics of the Top 10 Tested Immediate Threats
The Cymulate research team operationalizes safe testing of new threats as they emerge daily. This way, organizations can test their resilience immediately, with no need to research the threat, write code, prepare, or even be aware of it beforehand. These are the most concerning new threats that were tested for in 2022.
- Most are state-sponsored or attributed to known hacking groups.
- Phishing, watering holes, and supply-chain attacks are the primary compromise methods.
- Some use known tools (Cobalt Strike, Sliver framework, APT41, Nmap, SQLmap, and Acunetix).
- All attacks have a clear motive, such as financial gain or espionage.
- The attacks are specifically designed to evade detection and remain persistent.
Most Common Exposure Types
The Cymulate External Attack Surface Management (EASM) module discovered a variety of exposed digital assets that a potential adversary can take advantage of.
Read the full report to learn about the top vulnerabilities, the MITRE ATT&CK framework, and the business implications of the various levels of cybersecurity effectiveness.