WAFs can’t give organizations the security they need

Cymulate reveals that web application firewalls are the least effective security solutions, making them prime target for adversaries and high risk points for organizations.

Consequences of the ineffectiveness of web application firewalls

• Overall unique threats in the wild increased to 819 in 2021, up 36.5% from 2020
• Phishing attacks rose by 161% during 2021
• User accounts that lack any form of multi-factor authentication are extensively abused
• In 2021, post-exploit activity quickly escalated into enterprises infrastructure – expanding extent of initial compromise and complicating remediation
• The number of security teams running assessment campaigns and scenarios grew by 66% in 2021 compared to 2020, with many enterprises choosing to run at least one assessment per day, taking corrective actions immediately.

Top threats that most companies were at risk from in 2021 include LockBit, Conti and Dharma ransomwares, HAFNIUM, TeamTNT, and APT29 with Log4j abuse, Reg XX and escalation of privileges via Active Directory flaws expected to continue in 2022.

Most vulnerable sectors

While the majority of companies are at medium risk of attacks, the technology sector is the most vulnerable followed by critical infrastructure and manufacturing. Risks to the technology industry increased dramatically in 2021 from 2020 with a rise in spear phishing attacks attempting to gain a foothold. The weakest link however remained Web Application Firewall and phishing awareness. While the critical infrastructure sector’s most problematic area is data exfiltration, i.e. the unauthorized movement of data or data theft.

“Every industry today depends on IT for business success and this is driven by digital innovation through applications,” said Eyal Wachsman, CEO at Cymulate. “Attackers however have become very adept at taking advantage of existing gaps left by the rush towards productivity and adapting progressing information architectures. And when organizations fail to put metrics in place for their security programs, these gaps remain open and can lead to devastating consequences from immediate threats and data theft.”

Additional key findings

• The Americas are the most vulnerable region, with the most immediate threats from Data Exfiltration and WAF, while APAC had the most phishing attempts.
• Attackers took full advantage of overly permissive accounts without multi-factor authentication (MFA), malicious Microsoft Macros and Adobe PDF extensions as well as benign decoy files and Windows API functions resolved at run-time, to launch successful attacks.