{"id":315104,"date":"2024-02-28T06:00:53","date_gmt":"2024-02-28T14:00:53","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=315104"},"modified":"2024-02-27T12:38:41","modified_gmt":"2024-02-27T20:38:41","slug":"unit-42-incident-response-report","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2024\/02\/unit-42-incident-response-report\/","title":{"rendered":"Today\u2019s Attack Trends \u2014 Unit 42 Incident Response Report"},"content":{"rendered":"<p><span style=\"font-family: georgia, palatino, serif;\">Each year, Unit 42 Incident Response and Threat Intelligence teams help hundreds of organizations assess, respond and recover from cyberattacks. Along the way, we collect data about these incidents.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif;\">Our <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/research\/unit-42-incident-response-report\">2024 Unit 42 Incident Response Report<\/a> will help you understand the threats that matter. 
It's based on real incident data and our security consultants' experience.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif;\">Read the report to learn how to safeguard your organization's assets and operations:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: georgia, palatino, serif;\">Threat actors, their methods and their targets.<\/span><\/li>\n<li><span style=\"font-family: georgia, palatino, serif;\">Statistics and data about the incidents our team worked on.<\/span><\/li>\n<li><span style=\"font-family: georgia, palatino, serif;\">A spotlight on the Muddled Libra threat group \u2013 one of the most damaging ransomware groups today.<\/span><\/li>\n<li><span style=\"font-family: georgia, palatino, serif;\">How artificial intelligence affects cybersecurity now and in the future.<\/span><\/li>\n<li><span style=\"font-family: georgia, palatino, serif;\">In-depth recommendations for leaders and defenders.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: georgia, palatino, serif;\">As an executive responsible for safeguarding your organization, you'll find analysis and recommendations to help you make strategic decisions about where to invest your time, resources and budget.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif;\">Use the following takeaways to start a conversation with your leadership team and encourage them to download the <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/research\/unit-42-incident-response-report\">2024 Unit 42 Incident Response Report<\/a> to review the expert analysis in full.<\/span><\/p>\n<h2><a id=\"post-315104-_xhvg38nm8hvf\"><\/a><span style=\"font-family: georgia, palatino, serif;\">Key Takeaway \u2014 Speed Is Critical<\/span><\/h2>\n<p><span style=\"font-family: georgia, palatino, serif;\">Speed matters. 
Attackers are acting faster, not only at identifying vulnerabilities to exploit, but also at stealing data after they do.<\/span><\/p>\n<ul>\n<li><span style=\"font-family: georgia, palatino, serif;\">In 2023, the median time from compromise to data exfiltration fell to just two days, which is much faster than the nine days we observed in 2021.<\/span><\/li>\n<li><span style=\"font-family: georgia, palatino, serif;\">In approximately 45% of cases this year, attackers exfiltrated data <em>within a day<\/em> of compromise.<\/span><\/li>\n<li><span style=\"font-family: georgia, palatino, serif;\">For non-extortion-related incidents in 2022 and 2023, the median time to data exfiltration has consistently remained under one day, meaning defenders must react to a ransom attack in less than 24 hours.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: georgia, palatino, serif;\">Attacker \"dwell time\" (the duration between when an attacker was detected and the earliest evidence of their presence) has also shortened. The median dwell time was just 13 days in 2023 \u2013 half of what it was in 2021.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif;\">But that's not necessarily a bad thing. Other data in our report indicates it may be that <em>defenders<\/em> are improving.<\/span><\/p>\n<h2><a id=\"post-315104-_thv196r8mf7b\"><\/a><span style=\"font-family: georgia, palatino, serif;\">Key Takeaway \u2013 Software Vulnerabilities Remain Important<\/span><\/h2>\n<p><span style=\"font-family: georgia, palatino, serif;\">In 2023, attackers used internet-facing vulnerabilities to get into systems more often. 
This tactic occurred in 38.6% of our IR cases, making it the leading method of initial access.<\/span><\/p>\n<figure id=\"attachment_315105\" aria-describedby=\"caption-attachment-315105\" style=\"width: 891px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"891\"><span class=\"ar-custom\" style=\"padding-bottom:62.96%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-315105 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2024\/02\/word-image-315104-1.png\" alt=\"Graph of software\/API vulnerabilities, previously compromised credentials, social engineering - phishing, brute force, other. \" width=\"891\" height=\"561\" \/><\/span><\/div><figcaption id=\"caption-attachment-315105\" class=\"wp-caption-text\"><span style=\"font-family: georgia, palatino, serif;\">Figure 1. Initial access vectors per year, from 2021 through 2023.<\/span><\/figcaption><\/figure>\n<p><span style=\"font-family: georgia, palatino, serif;\">Vulnerability exploitation surpassed phishing as the leading initial access method. Exploiting weaknesses in web applications and internet-facing software played a significant role in some of the largest and most automated cyberattacks.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif;\">This change emphasizes the importance of good patching practices and attack surface reduction. While that work can be challenging for large organizations to implement comprehensively, organizations must act swiftly and use multiple layers of defense to protect themselves. 
If you don't find and fix the exposure, attackers will.<\/span><\/p>\n<h2><a id=\"post-315104-_futtva4xlmkc\"><\/a><span style=\"font-family: georgia, palatino, serif;\">Key Takeaway \u2013 Threat Actors Continue to Use Sophisticated Approaches<\/span><\/h2>\n<p><span style=\"font-family: georgia, palatino, serif;\">Cyberthreat actors are adopting sophisticated strategies, organizing into specialized teams and effectively leveraging IT, cloud and security tools. They've become more efficient, defining and repeating processes for quicker results.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif;\">Attackers are now using defenders' own security tools against them, compromising highly privileged accounts and infrastructure to access tools and move within their target network. Vigilance and proactive defense are crucial as threat actors adapt and innovate.<\/span><\/p>\n<h2><a id=\"post-315104-_wrzzebxzwllx\"><\/a><span style=\"font-family: georgia, palatino, serif;\">Five Recommendations to Better Protect Your Organization from Cyberthreats in 2024<\/span><\/h2>\n<p><span style=\"font-family: georgia, palatino, serif;\">Here are five key recommendations from our cybersecurity consultants to enhance your cybersecurity posture based on our insights from 2023's cyber incidents:<\/span><\/p>\n<ol>\n<li><span style=\"font-family: georgia, palatino, serif;\"><strong>Improve Organizational Visibility:<\/strong> Prioritize comprehensive visibility across your network, cloud and endpoints. Actively monitor unmonitored areas, manage vulnerabilities effectively with robust patch management and secure internet-exposed resources such as remote desktops and cloud workloads. Insufficient and incomprehensive visibility makes incidents more frequent and more severe.<\/span><\/li>\n<li><span style=\"font-family: georgia, palatino, serif;\"><strong>Simplify:<\/strong> Streamline the complexity of cybersecurity operations by consolidating point products. 
Centralize and correlate security telemetry data from various sources into an analytics platform. The best strategy enhances threat detection and response efficiency with machine learning (ML) and analytics.<\/span><\/li>\n<li><span style=\"font-family: georgia, palatino, serif;\"><strong>Enforce Zero Trust Principles: <\/strong>Implement a Zero Trust security strategy. Deploy robust authentication methods, network segmentation, lateral movement prevention, Layer 7 threat prevention and the principle of least privilege. Prioritize comprehensive multifactor authentication (MFA), passwordless solutions and single sign-on (SSO). Regularly audit and update authentication systems.<\/span><\/li>\n<li><span style=\"font-family: georgia, palatino, serif;\"><strong>Control Application Access:<\/strong> Control application usage and eliminate implicit trust between application components. Restrict access to specific applications, especially those exploited by threat actors. Emphasize monitoring and alerting on remote management applications and unsanctioned file-hosting services.<\/span><\/li>\n<li><span style=\"font-family: georgia, palatino, serif;\"><strong>Segment Networks:<\/strong> Employ network segmentation to reduce the attack surface and confine breaches to isolated zones. 
Implement Zero Trust network access (ZTNA) to verify users and grant access based on identity and context policies to ensure users or devices are <em>not<\/em> trusted until continuously verified.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-family: georgia, palatino, serif;\">In addition to the findings outlined here, the report spotlights current threats as well as the impact of emerging technologies, including artificial intelligence (AI) Social Engineering, Large Language Models (LLMs), DevSec and DevSecOps, as well as the continued use of cloud-based technologies.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif;\">Download the complete <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/research\/unit-42-incident-response-report\">2024 Unit 42 Incident Response Report<\/a> to learn more in-depth recommendations for improving your security posture and focus on the risks you need to mitigate.<\/span><\/p>\n<h2><a id=\"post-315104-_utxmgh41j43n\"><\/a><span style=\"font-family: georgia, palatino, serif;\">Get in Touch<\/span><\/h2>\n<p><span style=\"font-family: georgia, palatino, serif;\">Want help preparing for or responding to a cyber incident? Call in the experts.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif;\">If you think you may have been impacted by a cyber incident or have specific concerns about any incident types discussed here, please <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\">contact Unit 42<\/a>. The <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/respond\/incident-response\">Unit 42 Incident Response team<\/a> is available 24\/7\/365. If you have cyber insurance, you can request Unit 42 by name. 
You can also take preventative action by requesting our <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/assess\">cyber risk management services<\/a>.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The 2024 Unit 42 Incident Response Report offers insights into attacker tactics and actionable recommendations to help you defend your organization.<\/p>\n","protected":false},"author":723,"featured_media":315118,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[308,6717],"tags":[8854,586],"coauthors":[7527],"class_list":["post-315104","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcement","category-products-and-services","tag-incident-response-report","tag-unit-42"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2024\/02\/GettyImages-1073786122-edit.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/315104","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/723"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=315104"}],"version-history":[{"count":4,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/315104\/revisions"}],"predecessor-version":[{"id":315134,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/315104\/revisions\/315134"}],"
wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/315118"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=315104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=315104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=315104"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=315104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}