How new and old security threats keep persisting

Security leaders recognize that the pattern of buying new tech and the frantic state of find-fix vulnerability management is not working, according to Cymulate.

Security leaders take proactive approach to cybersecurity

Rather than waiting for the next big cyberattack and hoping they have the right defenses in place, security leaders are now more than ever implementing a proactive approach to cybersecurity by taking action to identify and address security gaps before attackers find and exploit them.

The research highlights the correlation of threat exposures from vulnerabilities, misconfigurations and other weaknesses with both threat activity and the security controls designed to mitigate the threats.

In this correlated analysis of exposures, threats and controls, the research noted that the infamous Log4Shell vulnerability (CVE: 2021-44228) from late 2021 remains one of the most frequently targeted vulnerabilities. Threat actors, such as Lazarus, MuddyWater and groups associated with North Korea and Iran, targeted the vulnerability in their 2023 campaigns.

On average, 75% of web application firewalls demonstrated their ability to block exploits of the Log4Shell vulnerability, while endpoint security and web gateway protection showed security effectiveness from 62% to 89% to protect against post-exploit threat activity in these campaigns.

The report identified the Pikabot malware family as the most frequently assessed threat among Cymulate customers. Pikabot emerged in 2023 as a malicious backdoor exploit associated with ransomware distribution, crypto mining, data theft and remote control. In their validation of the threat, research shows that, on average, security controls were only 47% effective, which means 53% of the Pikabot assessments were able to penetrate defenses.

Among the other key findings was the exposure risk created by 63% of organizations reporting at least one instance of publicly exposed management services. A security weakness not associated with vulnerabilities, these publicly exposed management services greatly expand the attack surface by creating initial access points to malicious actors. 47% of organizations have at least one instance of publicly exposed email services and 10% exposed database services publicly.

Data exfiltration risk grows

Organizations face an increasing risk of data exfiltration with decreasing control effectiveness of their data loss prevention (DLP) controls.

The research showed an overall 5% decrease in control effectiveness based on the average Cymulate score of controls and vectors. While a decrease in effectiveness is obviously concerning, it also underscores the importance of security validation practices, which can allow organizations to identify where coverage gaps exist and implement mitigation tactics or compensating controls.

“This new research underscores the critical insights that exposure management and security validation solutions can provide for today’s businesses,” said Avihai Ben Yossef, Cymulate CTO. “As new attack tactics emerge and adversaries continue to make use of existing vulnerabilities, businesses cannot afford to be reactive. They need to proactively gauge the effectiveness of their security solutions, identify where gaps exist and take the necessary action to limit their risk and mitigate their exposure. We are encouraged to see a growing number of organizations adopting the exposure management and security validation tools needed to improve their security posture.”

One of the report’s most consistent themes was the continued exploitation of older, known vulnerabilities rather than new or innovative techniques. Misconfigurations leading to weakened encryption and increased susceptibility to attack remain common—particularly within older web applications using legacy code that cannot be updated.

30% of scans identified vulnerable cipher suites for HTTPS, which remains an actively exploited area of an older flaw. These findings serve as an important reminder that today’s organizations must ensure they have strong security fundamentals in addition to preparing for new and emerging threats.

Exposure management should drive tangible improvements to cyber resilience – not lists and inventories for the sake of documentation.