The age-old adage of ‘prevention is better than cure’ has never been more relevant in cybersecurity. Last week, Cymulate released its annual research report that analyzes the proactive approaches cyber teams are taking to seek out and address their weaknesses and gaps before attackers find and exploit them.
Based on the anonymized data from attack surface assessments, simulated attack scenarios and campaigns, and automated red teaming activities across more than 500 Cymulate customers, the Cymulate research highlights the evolution of security operations teams toward security validation and exposure management. The report focuses on the correlation of threat exposures from vulnerabilities, misconfigurations, and other weaknesses with both threat activity and the security controls designed to mitigate the threats.
Old Vulnerabilities, New Threats: An Ongoing Cyber Battle
In this correlated analysis of exposures, threats, and controls, the Cymulate research noted that the infamous Log4Shell vulnerability (CVE-2021-44228) from late 2021 remains one of the most frequently targeted vulnerabilities. Threat actors such as Lazarus, MuddyWater, and groups associated with North Korea and Iran targeted the vulnerability in their 2023 campaigns. On average, 75% of web application firewalls demonstrated their ability to block exploits of the Log4Shell vulnerability. In comparison, endpoint security and web gateway protections showed 62% to 89% effectiveness against post-exploit threat activity in these campaigns.
Pikabot: Most Frequently Assessed Threat of 2023
Just as Pikachu is known for its electrifying power, Pikabot malware seems to have a ‘shocking’ ability to bypass security controls. Pikabot emerged in 2023 as a malicious backdoor associated with ransomware distribution, crypto mining, data theft, and remote control. In its validation of the threat, Cymulate research shows that, on average, security controls were only 47% effective, meaning 53% of the Pikabot assessments could penetrate defenses.
The Exposed Flanks: Management Services
A striking 63% of organizations report having at least one instance of publicly exposed management services, inadvertently rolling out a welcome mat for malicious actors. A security weakness not associated with vulnerabilities, these publicly exposed management services greatly expand the attack surface by creating initial access points for malicious actors. The Cymulate research noted that 47% of organizations have at least one instance of publicly exposed email services, and 10% publicly expose database services.
Declining Control Effectiveness: A Call for Robust Security Validation
The Cymulate research showed a 5% decrease in control effectiveness based on the average Cymulate score of controls and vectors. While a reduction in effectiveness is concerning, it also underscores the importance of security validation practices, which allow organizations to identify coverage gaps and implement mitigation tactics or compensating controls.
Closing Thoughts
Cyber resilience is not just about deploying the latest technology. It’s about understanding and anticipating potential attackers’ moves and ensuring your defenses are ready for what’s coming next. As threats evolve, let’s make sure our security postures evolve with them.
To delve deeper into the insights offered by the 2024 State of Exposure Management & Security Validation report, download the full report.
Register for the webinar Exposure Validation 2024: Cymulate Research on the Correlation of Vulnerabilities, Threats & Controls.