{"id":327482,"date":"2024-08-22T09:30:35","date_gmt":"2024-08-22T16:30:35","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=327482"},"modified":"2024-08-22T09:29:21","modified_gmt":"2024-08-22T16:29:21","slug":"incident-response-by-the-numbers","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2024\/08\/incident-response-by-the-numbers\/","title":{"rendered":"Incident Response by the Numbers"},"content":{"rendered":"<h2><a id=\"post-327482-_hq0vsv9lk31n\"><\/a>Key Insights from Unit 42\u2019s 2024 Incident Response Report<\/h2>\n<p>In the past year, we\u2019ve seen threat actors making bigger moves faster to mount more sophisticated attacks against their targets.<\/p>\n<p>As we helped hundreds of clients assess, respond and recover from attacks, we collected data about those attacks and compiled them into our <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/research\/unit-42-incident-response-report\">2024 Incident Response (IR) Report<\/a>.<\/p>\n<p>Here are the data points that tell the story of last year's attacks and the steps defenders can take to protect their organizations.<\/p>\n<h2><a id=\"post-327482-_e76ma6lcwo41\"><\/a>To Block Attacks, Lock Down the Vectors<\/h2>\n<p>Attack vectors are the avenues by which attackers penetrate your organization\u2019s defenses. 
Understanding how attackers get in can show you where to place controls to stop them.<\/p>\n<p>The three most popular initial attack vectors we identified:<\/p>\n<ol>\n<li>Software and API vulnerabilities: 38.6% of cases<\/li>\n<li>Previously compromised credentials: 20.5% of cases<\/li>\n<li>Social engineering and phishing: 17% of cases<\/li>\n<\/ol>\n<p>Shoring up these weak points is no easy task, and it requires a combination of tools, expertise and routine processes.<\/p>\n<h3><a id=\"post-327482-_wdxdcfwb3y4q\"><\/a>Exploiting Software and API Vulnerabilities<\/h3>\n<p>Last year, software and API vulnerabilities provided the initial access vectors for 38.6% of attacks we investigated \u2013 more than any other vector.<\/p>\n<p>These attacks result from large-scale, automated intrusion campaigns. Often, attacks targeted key parts of the software supply chain, like Apache\u2019s Log4j logging framework and Oracle\u2019s WebLogic server, affecting governments, banks, shipping companies, airlines and others.<\/p>\n<p>The IR Report demonstrates that these types of exploits are not anomalies. Instead, they represent an attack trend. <a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/vulnerability-management\">A proactive patch management program<\/a> is key to addressing realized vulnerabilities promptly and anticipating future vulnerabilities based on trends and threat intelligence.<\/p>\n<p>The challenge lies in an uncomfortable truth \u2013 vulnerabilities are discovered at a far greater rate than teams\u2019 ability to patch them. 
<a href=\"https:\/\/www.ncsc.gov.uk\/collection\/vulnerability-management\/understanding-vulnerabilities\" rel=\"nofollow,noopener\" >Thousands of vulnerabilities are reported each year<\/a>, and each patch should be tested before being deployed in your environment.<\/p>\n<p>Two of the top five <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/security-operations\/playbook-of-the-week-using-cves-in-incident-investigation\/\">Common Vulnerabilities and Exposures (CVEs)<\/a> exploited in 2023 were identified years before that (2020 and 2021), which illustrates a significant lag in patching known vulnerabilities.<\/p>\n<h5><a id=\"post-327482-_xw8r7wuxzdao\"><\/a><strong>Detecting vulnerabilities isn\u2019t enough. Teams must be able to prioritize the most critical vulnerabilities and implement defenses to mitigate lower-priority vulnerabilities. <\/strong><\/h5>\n<h3><a id=\"post-327482-_h942nezgq8nd\"><\/a>Continued Use of Previously Compromised Credentials<\/h3>\n<p>Previously compromised credentials provided the initial access vector in 20.5% of cases we investigated \u2013 a 5x rise over the past two years.<\/p>\n<p>Compromised credentials overtook phishing and social engineering as an attack vector, and there is a persistent and active black market for them.<\/p>\n<p>Good hygiene can limit the damage potential of stolen credentials, but controls must go beyond strong passwords and multifactor authentication (MFA).<\/p>\n<ul>\n<li><strong>Secure Credential Storage<\/strong>: Teams should store credentials using encryption and secret management solutions.<\/li>\n<li><strong>Credential Rotation<\/strong>: Rotating credentials can help minimize the likelihood of an attacker having success using previously compromised ones.<\/li>\n<li><strong>Least-Privileged Access<\/strong>: <a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-least-privilege-access\">The principle of least privilege<\/a> limits the damage incurred from compromised credentials by 
ensuring each staff member doesn\u2019t have excessive access beyond what they need to do their jobs.<\/li>\n<li><strong>Audit Logging<\/strong>: Audits of credential use can uncover potentially compromising activities and help comply with reporting standards.<\/li>\n<\/ul>\n<p>As cybercriminal tactics evolve, teams must implement more dynamic and responsive security controls and policies. These include regular security audits, real-time threat detection and training programs aimed at credential-threat risk recognition and mitigation.<\/p>\n<h5><a id=\"post-327482-_9i26u8kbv104\"><\/a><strong>It\u2019s equally important to recognize the anomalous and suspicious behavior that follows the use of compromised credentials.<\/strong><\/h5>\n<p>As attackers act with greater sophistication and subtlety, AI and machine learning are becoming vital to detect attack patterns early and position defenders to respond with precision.<\/p>\n<h3><a id=\"post-327482-_vugu1t351nq5\"><\/a>Targeted Social Engineering and Phishing<\/h3>\n<p>Previously, social engineering and phishing were the top attack vectors, accounting for 17% of the attacks we investigated last year.<\/p>\n<p>Our experience shows that <a href=\"https:\/\/www.paloaltonetworks.com\/cybersecurity-perspectives\/social-engineering-and-the-art-of-fishing\">social engineering and phishing<\/a> attacks are increasingly aimed at the IT help desk rather than employees themselves. Attackers will call the target\u2019s help desk and impersonate a real employee, asking for help with resetting their password or with changing the phone number associated with an account.<\/p>\n<p>Defending against human nature is still the hardest task. Often, admins prove just as susceptible to phishing attacks as other team members. That\u2019s because high-performing organizations are built on people helping one another. 
We go against our own goals and self-interest when we ask people not to trust or help each other.<\/p>\n<h5><a id=\"post-327482-_ok015jd3oob8\"><\/a>A multilayered defense slows attackers down, creates more opportunities for them to make mistakes, and gives your team the upper hand.<\/h5>\n<ul>\n<li>Train IT and admin staff to recognize and respond to phishing attempts.<\/li>\n<li>Perform continuous authentication and monitoring of communication channels.<\/li>\n<li>Encourage employees to question anomalies and report suspicious behavior.<\/li>\n<\/ul>\n<h2><a id=\"post-327482-_9mq4cg4bl98i\"><\/a>Evolving Malware Capabilities<\/h2>\n<p>In 2023, malware was implicated in 56% of all documented security incidents, with ransomware accounting for 33% of these cases.<\/p>\n<p>We found a few noteworthy shifts in the details:<\/p>\n<ul>\n<li>Attackers are more frequently using data destruction tactics with wipers and other tools and techniques.<\/li>\n<li>About 42% of our investigations involved a backdoor, while 32% of malware-related matters had some kind of interactive C2 software. In 12% of cases, attackers used web shells to use a compromised server as a beachhead into an environment. These tactics afford intruders a foothold from which they can covertly conduct a wide range of malicious activity.<\/li>\n<li>Reverse tunnels are a favored technique among attackers. These connections lead out of the target environment and terminate on a system under the attacker\u2019s control. This allows attackers more freedom without needing to install malware on the target system.<\/li>\n<li>Many operating systems have built-in support for encrypted tunnels that hackers can exploit. 
For example, the vast majority (85%) of organizations still leave Microsoft Remote Desktop exposed to the internet for <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/research\/2023-unit-42-attack-surface-threat-report\">at least 25% of the month<\/a>.<\/li>\n<\/ul>\n<h5><a id=\"post-327482-_21uemtn51jp\"><\/a><strong>Organizations need more <\/strong><a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/siem-solutions-in-soc\"><strong>comprehensive monitoring systems<\/strong><\/a><strong> that detect and counteract stealthy infiltrations through backdoors and encrypted channels.<\/strong><\/h5>\n<p>Comprehensive monitoring includes advanced threat detection technologies that analyze behaviors and patterns, integrate endpoint protection, and employ decryption capabilities to identify hidden exploits.<\/p>\n<h2><a id=\"post-327482-_6j3umzsjppgy\"><\/a>Speed Matters<\/h2>\n<p>One of the biggest takeaways from our report is the speed at which attacks take place. Data breaches can now occur within days or even hours of an initial compromise.<\/p>\n<p>In 2022, the median time between compromise and exfiltration was nine days. By 2024, it was two days. In almost 45% of cases, attackers exfiltrated data less than a day after compromise. Nearly half the time, organizations must now respond within hours because reacting more slowly means reacting too late.<\/p>\n<p>But, the capabilities of defenders can get a boost from advanced analytics and <a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-digital-experience-monitoring\">real-time monitoring<\/a>. 
AI and machine learning can help filter out the noise and empower teams to detect and respond with lightning speed.<\/p>\n<h2><a id=\"post-327482-_59aqqx52i062\"><\/a>How Defenders Can Get up to Speed<\/h2>\n<h3><a id=\"post-327482-_5bllal8djbvj\"><\/a>Enhance Visibility<\/h3>\n<p>Gaining visibility across your external and internal attack surfaces is step 1:<\/p>\n<ul>\n<li>Catalog external-facing assets and protect them all with MFA. Disallow remote access using only a username and password.<\/li>\n<li>Catalog internal network assets and endpoints, then implement <a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-endpoint-detection-and-response-edr\">EDR<\/a> or <a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xdr\">XDR<\/a> solutions to monitor and analyze endpoint activity.<\/li>\n<li>Conduct regular vulnerability assessments and scan for unpatched software, insecure network configurations and unnecessary open ports and services.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xdr\">Palo Alto Networks Cortex XDR platform<\/a> enables you to identify and quantify security vulnerabilities on any endpoint and application. It also evaluates the endpoints and applications impacted by a particular CVE, giving you the information you need to prioritize the most important vulnerabilities.<\/p>\n<h3><a id=\"post-327482-_qkc30a8aze6r\"><\/a>Adopt Zero Trust Principles<\/h3>\n<p>Mixing weak authentication controls, overprivileged accounts and improperly secured applications and information assets leads to critical breaches. 
This dangerous combination creates a straightforward pathway for attackers with an easy route in, as well as unfettered access to sensitive data and an unobstructed route for data exfiltration or other disruptive impacts.<\/p>\n<h5><a id=\"post-327482-_mdx71asmutus\"><\/a><strong>Zero Trust architecture<\/strong> <strong>minimizes the attack surface and reduces breach impact by assuming that both internal and external traffic could be a threat.<\/strong><\/h5>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-a-zero-trust-architecture\">Zero Trust principles<\/a> involve implementing stringent authentication protocols, such as MFA and single sign-on (SSO), and applying network segmentation to prevent unauthorized lateral movements within the network.<\/p>\n<h3><a id=\"post-327482-_v4ejdmpaty9j\"><\/a>Reduce Detection and Response Times<\/h3>\n<h5><a id=\"post-327482-_percxqyot6sr\"><\/a>Over 90% of SOCs still rely on manual processes to manage threats.<\/h5>\n<p>Manual processes become less effective by the day. Many teams are still stuck in the mode of managing alerts because they do not have intelligent tools at their disposal.<\/p>\n<p>Extended detection and response (XDR) with extended security intelligence and automation management provide a unified platform that captures and contextualizes security telemetry from endpoints, networks and cloud environments. These tools harness the power of AI, machine learning and analytics to act as a force multiplier for the SOC analyst.<\/p>\n<p>With <a href=\"https:\/\/www.paloaltonetworks.com\/precision-ai-security\">our new security co-pilots<\/a>, you can reduce SOC complexity by receiving instant solutions to complex problems and actionable insights that guide you through recommendations step by step.<\/p>\n<h2><a id=\"post-327482-_s707spqplu7p\"><\/a>Get the Backup Your Team Needs<\/h2>\n<p>There is no one solution. 
Almost any security control can be overcome by a sufficiently motivated, skilled and resourced attacker. However, a perfectly executed intrusion is just as rare as a perfect defense.<\/p>\n<p>A Unit 42 Retainer can give you the expertise and backup you need. Through <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/assess\/attack-surface-assessment\">Attack Surface<\/a> and <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/assess\/soc-assessment\">SOC Assessments<\/a>, the Unit 42 team can assess and test your current playbooks and processes to create a roadmap for SOC excellence that empowers your business to thrive. <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/datasheets\/zero-trust-advisory-service\">Our Zero Trust Advisory Services<\/a> will help you create and execute a roadmap for your Zero Trust journey.<\/p>\n<p>Practice makes perfect. We\u2019ll help your team prepare through exercises and simulations that keep them sharp. Why defend your organization alone? 
See how Unit 42 and the AI-powered Cortex security suite can <a href=\"https:\/\/www.paloaltonetworks.com\/get-started\">help your team cultivate security excellence<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unit 42 helped hundreds of clients assess, respond and recover from attacks, collecting data and compiling our 2024 Incident Response Report.<\/p>\n","protected":false},"author":723,"featured_media":327483,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[308,483],"tags":[8854],"coauthors":[9611],"class_list":["post-327482","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcement","category-unit42","tag-incident-response-report"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2024\/08\/GettyImages-508484039-edit.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/327482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/723"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=327482"}],"version-history":[{"count":1,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/327482\/revisions"}],"predecessor-version":[{"id":327496,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/327482\/revisions\/327496"}],"wp:featuredmedia":[{"embeddable":t
rue,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/327483"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=327482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=327482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=327482"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=327482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}