The XM Cyber research analyzed over 60 million exposures across more than 10 million entities. It found that an average organization has approximately 11,000 exploitable security exposures per month, affecting both on-prem and cloud infrastructure, with up to 250,000 exposures in larger enterprises.
Critical assets are “one hop away”
More surprising is how easy it was to access critical assets on-premises and in the cloud.
According to the state of security exposure report, attackers could access on-premises critical assets in three steps and cloud assets in one step from the initial entry point.
“Attackers can access 70% of critical assets in on-prem networks in just 3 steps,” the research stated. “It’s even worse in the cloud, where 90% of critical assets are just one hop away from initial compromise.”
Additionally, nearly three-quarters (71%) of attacks pivot from on-premises infrastructure to cloud environments. “Once there, 92% of critical assets lie just one hop away,” the researchers noted.
Despite the interconnectedness, organizations were struggling to manage mixed on-prem and cloud environments.
“Part of that struggle stems from failing to consider the big picture and only focusing on each piece in isolation.”
This tunnel vision usually causes organizations to lose sight of critical attack paths that attackers can exploit.
Credentials and permissions ignored, and misconceptions about zero-trust
The research found that organizations were not addressing all of the exposure methods that put them at risk. For example, attack techniques targeting credentials and permissions affect 82% of organizations, yet many still ignore these paths.
“Many continue to overlook attack paths that leverage credentials and permissions; however, these results make it clear that attackers prey upon trusted administrative services and identities to execute attacks,” the report noted.
Additionally, the study found that zero trust was insufficient in protecting organizations against security exposure methods exploiting trust.
“It’s also a common misconception that implementing a zero-trust architecture is sufficient to protect against all techniques that exploit forms of trust.”
Mike Parkin, Senior Technical Engineer at Vulcan Cyber, concurred with XM’s findings on zero-trust’s shortcomings.
“A threat actor in the environment can still do considerable damage, even if they don’t have immediate access,” he said. “If they can gain persistence on a low-value target, they have a chance down the line to escalate when a better opportunity presents itself.”
He also noted that compromised credentials and misconfigured permissions were common security exposure methods: “The second significant finding reinforces something we, in the cybersecurity community, have been saying for a while. Namely, that misconfigurations and compromised credentials are still a major risk.”
Parkin advised vendors to distribute their products with “security by default” configurations to reduce human error.
“That at least would make it take some effort to configure it poorly. For the users, even the growing usage of multi-factor authentication (MFA) has only helped where it was deployed correctly,” suggested Parkin.
Security professionals are overwhelmed by dead-end security exposure alerts
The study found that sifting through a haystack of dead-end security exposure alerts overwhelmed security teams and gave attackers an easier time.
“With advanced tooling, modern security teams are faced with an overwhelming volume of exposures to validate and analyze, despite the fact that most exposures uncovered do not lead to critical assets.”
In the cloud, 95.9% of attack paths were dead ends, while on-prem 60.7% led nowhere. However, a small fraction of exposures created paths that converge at “choke points” leading to critical assets.
According to the report, focusing on these high-risk zones could remediate critical exposures and reduce security teams’ work.
Zur Ulianitzky, Vice President of Research at XM Cyber, noted that threat actors took advantage of the noise by exploiting “attack paths which are simple, short and lead straight to fruitful returns.”
“By diligently focusing remediation efforts on first and foremost eliminating the 2% of exposures which provide attackers with seamless access to critical assets, organizations can significantly reduce their risk without adding any additional strain to security teams,” he said.
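The triage the report describes, separating dead-end exposures from the few that sit on every route to a critical asset, is easy to see on a small graph. The following is an added example written for this article, not code from XM Cyber or the report: the asset names, the exposures between them, the entry point and the critical assets are all constructed, and the "attack path" here is simply a path in a directed graph from an entry point to a critical asset. It enumerates those paths, counts how many each exposure lies on (zero means a dead end), reports the minimum number of hops to each critical asset, and ranks exposures by how many paths fixing them would cut, which is the "choke point" idea.

```python
from collections import defaultdict, deque

# Constructed sample environment (hypothetical asset names, not from the report).
# Each edge is one exposure: an attacker who controls the first node can reach the second.
EXPOSURES = [
    ("phish-workstation", "file-server"),    # cached credentials for a share host
    ("phish-workstation", "print-server"),
    ("phish-workstation", "guest-wifi"),
    ("print-server", "dev-laptop"),
    ("file-server", "svc-account"),          # service account password in a script
    ("dev-laptop", "svc-account"),
    ("svc-account", "domain-admin"),         # over-privileged service account
    ("domain-admin", "cloud-iam-role"),      # on-prem to cloud pivot via a federated role
    ("cloud-iam-role", "prod-db"),
    ("guest-wifi", "iot-camera"),            # reachable, but leads nowhere critical
]
ENTRY_POINTS = {"phish-workstation"}
CRITICAL_ASSETS = {"domain-admin", "prod-db"}


def build_graph(exposures):
    """Adjacency sets: node -> nodes reachable through one exposure."""
    graph = defaultdict(set)
    for src, dst in exposures:
        graph[src].add(dst)
    return graph


def hop_counts(graph, entry_points):
    """BFS distance (exposures traversed) from the nearest entry point."""
    dist = {node: 0 for node in entry_points}
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def attack_paths(graph, node, critical, path=None):
    """Yield simple paths from `node` that end on a critical asset.

    A path is reported when it reaches a critical asset, and exploration then
    continues, so a critical asset on the way to another one does not hide the
    longer path behind it.
    """
    path = [node] if path is None else path
    if node in critical and len(path) > 1:
        yield list(path)
    for nxt in graph.get(node, ()):
        if nxt not in path:  # simple paths only: never revisit a node
            path.append(nxt)
            yield from attack_paths(graph, nxt, critical, path)
            path.pop()


def triage(exposures, entry_points, critical):
    """Classify exposures as dead ends or path members and rank the latter."""
    graph = build_graph(exposures)
    paths = [p for e in sorted(entry_points) for p in attack_paths(graph, e, critical)]

    # Number of attack paths each exposure sits on; 0 means it is a dead end.
    paths_per_exposure = {edge: 0 for edge in exposures}
    for p in paths:
        for edge in zip(p, p[1:]):
            paths_per_exposure[edge] += 1
    dead_ends = [e for e, n in paths_per_exposure.items() if n == 0]

    # Exposures on the most paths are the choke points: fix those first.
    ranked = sorted(paths_per_exposure.items(), key=lambda kv: (-kv[1], kv[0]))
    dist = hop_counts(graph, entry_points)
    return {
        "path_count": len(paths),
        "dead_end_exposures": dead_ends,
        "dead_end_share": len(dead_ends) / len(exposures),
        "hops_to_critical": {c: dist.get(c) for c in sorted(critical)},
        "exposure_rank": ranked,
    }


if __name__ == "__main__":
    result = triage(EXPOSURES, ENTRY_POINTS, CRITICAL_ASSETS)
    print(f"attack paths to critical assets: {result['path_count']}")
    print(f"hops from entry to each critical asset: {result['hops_to_critical']}")
    print(f"dead-end exposures ({result['dead_end_share']:.0%}): {result['dead_end_exposures']}")
    print("exposures ranked by paths they sit on:")
    for (src, dst), n in result["exposure_rank"]:
        print(f"  {n} path(s): {src} -> {dst}")
```

On this constructed graph the single exposure from the service account to domain admin lies on every path, so remediating it alone severs all routes to both critical assets, while the two guest-wifi exposures are the dead ends that would only add noise to an alert queue. The hop count to `domain-admin` is three, which matches the report's on-prem figure by construction, not by measurement.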
Similarly, Wade Baker, PhD, Partner at Cyentia Institute, noted that attackers continued to target the low-hanging fruit to infiltrate cloud environments.
“Through attack path analysis, we see what the attacker sees and identify their least costly (quickest, easiest) routes to whatever it is they value.”
Baker believes that organizations could study attackers’ behavior and use that knowledge to their advantage: “If we operationalize that knowledge, I have hope that we can finally shift the cost of attack in our favor.”
Accordingly, the report called for more efficient security exposure management tools to uncover the real threats that put organizations’ critical assets at risk.