Palo Alto Networks Blog, 3 October 2024
Incident Response by the Numbers
Unit 42's 2024 Incident Response Report shows that over the past year threat actors' attacks have become more sophisticated and faster. Drawing on data from hundreds of cases, the report describes last year's attacks and the defensive measures against them, covering attack vectors, exploitation of software vulnerabilities, credential problems, social engineering and phishing, malware capabilities, and response speed.

Attack vectors are the routes by which attackers penetrate an organization's defenses. They include software and API vulnerabilities (38.6% of cases), previously compromised credentials (20.5% of cases), and social engineering and phishing (17% of cases). Understanding them makes clear where to focus defenses.

Software and API vulnerabilities were the initial vector for many of last year's attacks. Organizations need a proactive patch management program that addresses discovered vulnerabilities promptly and anticipates future ones, while also being able to prioritize critical vulnerabilities and put mitigating defenses in place.

Previously compromised credentials are increasingly used as an attack vector, which calls for multiple security controls and policies such as secure storage, regular rotation, least-privilege access, and audit logging.

Social engineering and phishing attacks persist. IT and administrative staff need training, authentication and monitoring should be continuous, and employees should be encouraged to report unusual behavior.

Malware accounts for a high proportion of security incidents, and attackers use many techniques. Organizations need more comprehensive monitoring systems to detect and counter stealthy infiltration.

Key Insights from Unit 42’s 2024 Incident Response Report

In the past year, we’ve seen threat actors making bigger moves faster to mount more sophisticated attacks against their targets.

As we helped hundreds of clients assess, respond and recover from attacks, we collected data about those attacks and compiled them into our 2024 Incident Response (IR) Report.

Here are the data points that tell the story of last year's attacks and the steps defenders can take to protect their organizations.

To Block Attacks, Lock Down the Vectors

Attack vectors are the avenues by which attackers penetrate your organization’s defenses. Understanding how attackers get in can show you where to place controls to stop them.

The three most popular initial attack vectors we identified:

    Software and API vulnerabilities: 38.6% of cases
    Previously compromised credentials: 20.5% of cases
    Social engineering and phishing: 17% of cases

Shoring up these weak points is no easy task, and it requires a combination of tools, expertise and routine processes.

Exploiting Software and API Vulnerabilities

Last year, software and API vulnerabilities provided the initial access vectors for 38.6% of attacks we investigated – more than any other vector.

These attacks result from large-scale, automated intrusion campaigns. Often, attacks targeted key parts of the software supply chain, like Apache’s Log4j logging framework and Oracle’s WebLogic server, affecting governments, banks, shipping companies, airlines and others.

The IR Report demonstrates that these types of exploits are not anomalies. Instead, they represent an attack trend. A proactive patch management program is key to addressing realized vulnerabilities promptly and anticipating future vulnerabilities based on trends and threat intelligence.

The challenge lies in an uncomfortable truth – vulnerabilities are discovered at a far greater rate than teams’ ability to patch them. Thousands of vulnerabilities are reported each year, and each patch should be tested before being deployed in your environment.

Two of the top five Common Vulnerabilities and Exposures (CVEs) exploited in 2023 were identified years before that (2020 and 2021), which illustrates a significant lag in patching known vulnerabilities.

Detecting vulnerabilities isn’t enough. Teams must be able to prioritize the most critical vulnerabilities and implement defenses to mitigate lower-priority vulnerabilities.

Continued Use of Previously Compromised Credentials

Previously compromised credentials provided the initial access vector in 20.5% of cases we investigated – a 5x rise over the past two years.

Compromised credentials overtook phishing and social engineering as an attack vector, and there is a persistent and active black market for them.

Good hygiene can limit the damage potential of stolen credentials, but controls must go beyond strong passwords and multifactor authentication (MFA).

As cybercriminal tactics evolve, teams must implement more dynamic and responsive security controls and policies. These include regular security audits, real-time threat detection and training programs aimed at credential-threat risk recognition and mitigation.

It’s equally important to recognize the anomalous and suspicious behavior that follows the use of compromised credentials.

As attackers act with greater sophistication and subtlety, AI and machine learning are becoming vital to detect attack patterns early and position defenders to respond with precision.

Targeted Social Engineering and Phishing

Social engineering and phishing, previously the top attack vectors, accounted for 17% of the attacks we investigated last year.

Our experience shows that social engineering and phishing attacks are increasingly aimed at the IT help desk rather than employees themselves. Attackers will call the target’s help desk and impersonate a real employee, asking for help with resetting their password or with changing the phone number associated with an account.

Defending against human nature is still the hardest task. Often, admins prove just as susceptible to phishing attacks as other team members. That’s because high-performing organizations are built on people helping one another. We go against our own goals and self-interest when we ask people not to trust or help each other.

A multilayered defense slows attackers down, creates more opportunities for them to make mistakes, and gives your team the upper hand.

Evolving Malware Capabilities

In 2023, malware was implicated in 56% of all documented security incidents, with ransomware accounting for 33% of these cases.

We found a few noteworthy shifts in the details:

Organizations need more comprehensive monitoring systems that detect and counteract stealthy infiltrations through backdoors and encrypted channels.

Comprehensive monitoring includes advanced threat detection technologies that analyze behaviors and patterns, integrate endpoint protection, and employ decryption capabilities to identify hidden exploits.

Speed Matters

One of the biggest takeaways from our report is the speed at which attacks take place. Data breaches can now occur within days or even hours of an initial compromise.

In 2022, the median time between compromise and exfiltration was nine days. By 2024, it was two days. In almost 45% of cases, attackers exfiltrated data less than a day after compromise. Nearly half the time, organizations must now respond within hours because reacting more slowly means reacting too late.

But the capabilities of defenders can get a boost from advanced analytics and real-time monitoring. AI and machine learning can help filter out the noise and empower teams to detect and respond with lightning speed.

How Defenders Can Get up to Speed

Enhance Visibility

Gaining visibility across your external and internal attack surfaces is step 1:

The Palo Alto Networks Cortex XDR platform enables you to identify and quantify security vulnerabilities on any endpoint and application. It also evaluates the endpoints and applications impacted by a particular CVE, giving you the information you need to prioritize the most important vulnerabilities.

Adopt Zero Trust Principles

Mixing weak authentication controls, overprivileged accounts and improperly secured applications and information assets leads to critical breaches. This dangerous combination gives attackers an easy route in, unfettered access to sensitive data, and an unobstructed route for data exfiltration or other disruptive impacts.

Zero Trust architecture minimizes the attack surface and reduces breach impact by assuming that both internal and external traffic could be a threat.

Zero Trust principles involve implementing stringent authentication protocols, such as MFA and single sign-on (SSO), and applying network segmentation to prevent unauthorized lateral movements within the network.

Reduce Detection and Response Times

Over 90% of SOCs still rely on manual processes to manage threats.

Manual processes become less effective by the day. Many teams are still stuck in the mode of managing alerts because they do not have intelligent tools at their disposal.

Extended detection and response (XDR) with extended security intelligence and automation management provide a unified platform that captures and contextualizes security telemetry from endpoints, networks and cloud environments. These tools harness the power of AI, machine learning and analytics to act as a force multiplier for the SOC analyst.

With our new security co-pilots, you can reduce SOC complexity by receiving instant solutions to complex problems and actionable insights that guide you through recommendations step by step.

Get the Backup Your Team Needs

There is no one solution. Almost any security control can be overcome by a sufficiently motivated, skilled and resourced attacker. However, a perfectly executed intrusion is just as rare as a perfect defense.

A Unit 42 Retainer can give you the expertise and backup you need. Through Attack Surface and SOC Assessments, the Unit 42 team can assess and test your current playbooks and processes to create a roadmap for SOC excellence that empowers your business to thrive. Our Zero Trust Advisory Services will help you create and execute a roadmap for your Zero Trust journey.

Practice makes perfect. We’ll help your team prepare through exercises and simulations that keep them sharp. Why defend your organization alone? See how Unit 42 and the AI-powered Cortex security suite can help your team cultivate security excellence.
