Americas

  • United States
michael_cooney
Senior Editor

Your attack surface is showing, Unit 42 warns enterprises

Analysis
Aug 14, 20245 mins
Cloud SecurityNetwork Security

Palo Alto Networks’ Unit 42 security research group studied changes in enterprise attack surfaces and how those changes lead to increased vulnerabilities in network and IT infrastructure.

A man holding out his hand, with an icon of a padlock in a shield floating above it.
Credit: SomYuZu / Shutterstock

The average organization adds or updates some 300 services every month, creating a significant challenge for security teams charged with protecting enterprise cloud-based resources, notes Unit 42. Companies in the telecommunications, insurance, pharma and life sciences industries can add over 1,000 new services every month, while those in financial services, healthcare and manufacturing industries often add over 200 new services monthly, says the security research group, which is part of Palo Alto Networks.

This rapid growth of new services often occurs without central IT security oversight, which inevitably leads to misconfigurations and exposures, and those risks mean a higher chance of a breach, Unit 42 stated in its newly released Attack Surface Threat Report. For the report, Unit 42 researchers measured attack surface threats across 265 organizations worldwide, collecting data on exposures and vulnerabilities over a one-year period.

According to its data, new and updated services are responsible for nearly 32% of organizations’ high or critical cloud exposures. In addition, IT and networking infrastructure, business operations applications, and remote access services account for 73% of high-risk exposures that could be exploited for lateral movement and data exfiltration, researchers stated. 

“The 2024 Unit 42 Incident Response analysis revealed that organizations with partial or incomplete deployment of security controls, particularly endpoint detection and response tools, enabled attackers to operate unhindered in undefended network areas,” researchers stated.

Security risks are often exacerbated by vulnerabilities in internet-accessible administrative login pages of core networking and security appliances, including routers, firewalls and VPNs, Unit 42 stated. Application layer protocols such as SNMP, NetBIOS and PPTP are most often susceptible.

Perhaps not surprisingly, Internet-facing resources are targeted most often by attackers, according to Unit 42. 

“Each vulnerable, internet-facing asset represents a potential entry point for attackers, and the severity of each vulnerability also increases the risk,” researchers stated. “The longer these vulnerabilities remain unaddressed, the higher the chance that they’ll be discovered and exploited by malicious actors. This is particularly critical given that sophisticated attackers are constantly scanning for new opportunities and can often weaponize new vulnerabilities within hours or days of their discovery.”

In addition, attackers speed up their activity both before launching an attack and after successfully infiltrating a target network. “According to prior research, attackers can scan the entire IPv4 address space, all 4.3 billion IPv4 addresses in minutes, looking for opportunities. Additionally, once attackers are in, they move faster to steal data, sometimes getting in and out in less than one day,” Unit 42 stated.

The report notes a number of common exposure points, including:

  • Remote access services: Exposures involving remote access services comprise almost 24% of observed exposures. These services, such as remote desktop protocol (RDP), secure shell (SSH), and virtual network computing (VNC), are critical for enabling remote connectivity to organizational networks and systems. However, when left exposed or improperly configured, they present substantial security risks.
  • Unpatched, misconfigured, and end-of-life systems: Attackers exploit vulnerabilities in these systems to gain unauthorized access or disrupt operations. For example, an attacker could exploit an unpatched critical router to intercept or modify network traffic, compromising data integrity or confidentiality. Misconfigured firewalls might inadvertently allow unauthorized access to internal networks, facilitating data exfiltration or malware propagation.
  • Weak or insecure cryptography: This exposes sensitive communications and data to interception or decryption by malicious actors. This could result in unauthorized access to confidential information or intellectual property theft, impacting competitive advantage and regulatory compliance.
  • Operational technologies (OT), embedded devices, and the Internet of Things (IoT) devices: Such devices often operate with limited security controls, making them vulnerable to exploitation. A malicious actor could use a compromised IoT device, such as a smart camera or sensor, as a foothold for attacking internal networks or as part of a botnet for launching distributed denial-of-service (DDoS) attacks.

To improve protection, organizations should identify attack surface risks with continuous, comprehensive scans of their ports, services and devices.

“Once you have a continuously updated inventory of internet-connected assets, the next step is to ensure all exposures and vulnerabilities are identified and routed to the appropriate stakeholders for swift remediation,” Unit 42 stated. “Focus on addressing the most critical vulnerabilities and exposures, such as those with a high Common Vulnerability Scoring System (CVSS), which indicates severity, and Exploit Prediction Scoring System (EPSS), which indicates the likelihood of exploitation, to reduce the risk of successful cyberattacks.”

Other protection suggestions include:

  • Regularly check perimeter resources to distinguish between expected assets and unknown or out-of-scope ones. Deviations from these baselines are often the most vulnerable to compromise, making them prime targets for attackers. “An accurate view of your attack surface and its vulnerabilities is a necessity and no longer a ‘nice-to-have,’ especially when new services can be provisioned without the IT team’s purview,” unit 42 stated.
  • Utilize automation capabilities. Triaging and remediating findings is oftentimes a very manual process for defenders. In large organizations, seemingly simple tasks like finding an owner can take days or weeks, Unit 42 stated.

Read the latest network security stories: