2022 ASM Threat Report

The Unmanaged Attack Surface Continues to Be Persistent and Complex

Seasoned security professionals know that while zero-days get the headlines, the real problems always come from the dozens of small decisions every day inside of an organization. Just one accidental misconfiguration could create a crack in defenses. So the Cortex® Xpanse™ research team looked at 2021 data (from the beginning of March to the end of September) from 100+ organizations spanning multiple industries to map their unmanaged attack surfaces to develop the 2022 ASM Threat Report.

Opportunistic attackers have begun to rely on these accidents and misconfigurations as it has become easy and inexpensive to find any vulnerabilities, exposures or other unknown open doors. Even lower-skilled attackers can put together a scanning infrastructure to perform a rough scan of the internet to uncover assets ripe for compromise.

Some may even take a shot at breaching that exposure, but far more enterprising attackers sell this scan data on the dark web to bidders who can then launch more sophisticated attacks. Defenders can gain a great advantage from having an attacker’s view of their attack surface.

To perform a deeper analysis, the researchers considered a sample of critical vulnerabilities and exposure (CVE) data from January to February 2022 that had known active exploits in the wild and were highlighted in key federal cybersecurity advisory notes.

These are some of the key findings from the 2022 ASM Threat Report, based on observable data from 100+ organizations and not self-reported surveys:

  1. Cloud Continues to Be a Security Nightmare
    Nearly 80% of all issues observed on the global attack surface were in the cloud. Cloud deployments, while easy, are creating several accidental exposures on account of misconfigurations and shadow IT.
  2. Low-Hanging Fruit Continues to Hang
    Non-zero day exposures are everywhere. Nearly one out of every four issues we found on the attack surface was related to an exposed RDP server, which is now the preferred gateway for ransomware. Xpanse research also uncovered over 700 unencrypted login pages for several IT services that were unencrypted and publicly exposed. Close to 3,000 database storage and analytics systems and over 2,500 critical building control systems (BCS) were also accessible from the public internet.
  3. End-of-Life Software = End-of-Life for Your Security
    During the course of our research, around 30% of organizations were running end-of-life (EOL) software versions that were affected by CVEs that had known active exploits in the wild and were featured in cybersecurity advisories from the U.S. government.
  4. The Unmanaged Attack Surface Is Growing
    We observed that while several organizations had large numbers of active issues that they were combating within a month, they were never truly secure. These organizations remained vulnerable throughout the month because their unmanaged attack surface continued to grow while other security issues were being remediated.
  5. Persistent, Complex, but Unique
    Xpanse's research found that while every industry sector’s attack surface is unique, the exposures are persistent. For example, nearly 23% of all issues in the Utilities and Energy sector were on account of exposed building control systems. Nearly 50% of all issues associated with Professional and Legal Services were around data storage systems and unencrypted logins exposed to the public internet, potentially putting their intellectual property, critical customer information and other highly-sensitive information at risk.

If you don’t know where exposures live, it’s impossible to ensure issues are remediated. For many organizations, the cloud and RDP are going to be persistent issues to target, but the constellation of exposures and vulnerabilities on your attack surface will only continue to grow as attack surfaces get more complex.

Attackers thrive on the complexity and ever-changing nature of attack surfaces because they can scan the entire internet looking for those weak points. With an attacker’s point of view, organizations can identify and prioritize issues for remediation. This also means focusing on metrics, like mean time to detect (MTTD) and mean time to respond (MTTR) is inherently flawed.

In the case of a breach, MTTD and MTTR are acceptable, but security should be focused on doing all they can to prevent breaches before they happen. That means putting more stake in the mean time to inventory (MTTI), because it is impossible to secure unknown assets and unknown exposures.

Modern attack surfaces are dynamic. Without clear visibility that is constantly updated, it is all too easy to have persistent exposures and unmanaged assets. Security practitioners can only be as good as the data they have, so having a strong foundation of continuous discovery and monitoring ensures you can keep up with modern, dynamic attack surfaces in order to find, prioritize and mitigate exposures as they arise.

To learn more about other critical findings on the unmanaged attack surface, based on observable data from 100+ companies, read the 2022 Cortex Xpanse Attack Surface Threat Report.