Threat actors are evolving, yet Cyber Threat Intelligence (CTI) remains confined to isolated point solutions. Organizations need a holistic analysis spanning external data, inbound and outbound threats, and network activity in order to evaluate the true state of cybersecurity in the enterprise.
Cato’s Cyber Threat Research Lab (Cato CTRL, see more details below) has recently released its first SASE threat report, offering a comprehensive view of and insights into enterprise and network threats. This is based on Cato’s capabilities to analyze networks extensively and granularly (see report sources below).
About the Report
The SASE Threat Report covers threats across a strategic, tactical and operational standpoint, utilizing the MITRE ATT&CK framework. It includes malicious and suspicious activities, as well as the applications, protocols and tools running on the networks.
The report is based on:
- Granular data on every traffic flow from every endpoint communicating across the Cato SASE Cloud Platform
- Hundreds of security feeds
- Proprietary ML/AI algorithms analysis
- Human intelligence
Cato’s data was gathered from:
- 2200+ customers
- 1.26 trillion network flows
- 21.45 billion blocked attacks
The depth and breadth of these resources provide Cato with a view into enterprise security activity like no other.
What is Cato CTRL?
Cato CTRL (Cyber Threats Research Lab) is the world’s first unique combination of top human intelligence and comprehensive network and security insights, made possible by Cato’s AI-enhanced, global SASE platform. Dozens of former military intelligence analysts, researchers, data scientists, academics, and industry-recognized security professionals analyze granular network and security insights. The result is a comprehensive and one of a kind view of the latest cyber threats and threat actors.
Cato CTRL provides the SOC with tactical data, managers with operational threat intelligence and the management and board with strategic briefings. This includes monitoring and reporting on security industry trends and events, which have also supported the analysis and creation of the SASE Threat Report.
Now let’s dive into the report itself.
Top 8 Findings and Insights from the Cato CTRL SASE Threat Report
The comprehensive report offers a wealth of insights and information valuable for any security or IT professional. The top findings are:
1. Enterprises are widely embracing AI
Enterprises are adopting AI tools across the board. Unsurprisingly, the most common were Microsoft Copilot and OpenAI ChatGPT. They were also adopting Emol, an application for recording emotions and talking with AI robots.
2. Read the report to see what hackers are talking about
Hacker forums are a valuable source of intelligence information, but monitoring them is a challenge. Cato CTRL monitors such discussions, with some interesting findings:
- LLMs are being used to enhance existing tools like SQLMap, enabling them to find and exploit vulnerabilities more efficiently.
- Generating fake credentials and creating deep fakes are being offered as a service.
- A malicious ChatGPT “startup” is recruiting professionals for development.
3. Well-known brands are being spoofed
Brands like Booking, Amazon and eBay are being spoofed for fraud and other exploitation purposes. Buyers beware.
4. Enterprise networks allow lateral movement
In many enterprise networks, attackers can move laterally with ease, because unsecured protocols are still in use across the WAN:
- 62% of all web traffic is HTTP
- 54% of all traffic is telnet
- 46% of all traffic is SMB v1 or v2
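The finding above is something a defender can measure on their own network from flow records. The following is an added example (not Cato's code and not taken from the report) that classifies constructed flow records by application label, computes the byte share carried over cleartext or legacy protocols, and lists which hosts are reachable over them. The record layout and the application labels (`http`, `telnet`, `smb1`, `smb2`, and so on) are assumptions about what a flow collector would emit.

```python
"""Flag cleartext and legacy protocols in network flow records.

Added example, not Cato's code. Flow records are constructed inline;
the field layout (src, dst, dport, app, bytes) and the app labels are
assumptions about what a flow collector would emit.
"""
from collections import defaultdict

# Protocols the report calls out as enabling lateral movement, keyed by the
# application label a flow collector would assign (assumed labels).
INSECURE_APPS = {
    "http": "cleartext web traffic; credentials and session tokens readable on the wire",
    "telnet": "cleartext remote shell; replace with SSH",
    "smb1": "SMBv1: no encryption and widely exploited; disable it",
    "smb2": "SMBv2: lacks SMB 3.x encryption; upgrade and require signing",
}

# Constructed sample flows (not real data): (src, dst, dport, app, bytes)
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 80, "http", 120_000),
    ("10.1.1.10", "10.1.2.20", 443, "https", 500_000),
    ("10.1.1.11", "10.1.3.5", 23, "telnet", 8_000),
    ("10.1.1.12", "10.1.3.9", 445, "smb1", 300_000),
    ("10.1.1.12", "10.1.3.9", 445, "smb2", 200_000),
    ("10.1.1.13", "10.1.3.9", 445, "smb3", 400_000),
    ("10.1.1.14", "10.1.4.1", 22, "ssh", 50_000),
]


def summarize(flows):
    """Return per-app byte share (percent) and the flows using insecure protocols."""
    bytes_by_app = defaultdict(int)
    total = 0
    for _, _, _, app, nbytes in flows:
        bytes_by_app[app] += nbytes
        total += nbytes
    share = {app: round(100 * b / total, 1) for app, b in bytes_by_app.items()}
    findings = [
        {"src": s, "dst": d, "dport": p, "app": a, "why": INSECURE_APPS[a]}
        for s, d, p, a, _ in flows
        if a in INSECURE_APPS
    ]
    return share, findings


def insecure_share(flows):
    """Percent of all bytes carried over the insecure protocols, from raw byte counts."""
    total = sum(n for *_, n in flows)
    insecure = sum(n for _, _, _, a, n in flows if a in INSECURE_APPS)
    return round(100 * insecure / total, 1)


def lateral_movement_paths(flows):
    """Sources that reach each destination over an insecure protocol."""
    paths = defaultdict(set)
    for s, d, _, a, _ in flows:
        if a in INSECURE_APPS:
            paths[d].add(s)
    return {d: sorted(srcs) for d, srcs in paths.items()}


if __name__ == "__main__":
    share, findings = summarize(SAMPLE_FLOWS)
    print("byte share by app:", share)
    print(f"insecure share: {insecure_share(SAMPLE_FLOWS)}%")
    for f in findings:
        print(f"{f['src']} -> {f['dst']}:{f['dport']} [{f['app']}] {f['why']}")
    print("reachable over insecure protocols:", lateral_movement_paths(SAMPLE_FLOWS))
```

On real flow data the useful output is the destination list: every host that accepts telnet or SMBv1 from elsewhere on the WAN is a candidate hop for lateral movement, and the remediation (disable the listener, enforce SMB signing, move to SSH/HTTPS) can be prioritized by the byte share each protocol still carries.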
5. The real threat is not zero-day
Rather, it’s unpatched systems and the latest vulnerabilities. Log4J (CVE-2021-44228), for example, is still one of the most used exploits.
6. Security exploitations differ across industries
Industries are being targeted differently. For example:
- Entertainment, Telecommunication, and Mining & Metals are being targeted with T1499, Endpoint Denial of Service
- Services and Hospitality sectors are being targeted with the T1212, Exploitation for Credential Access
Practices differ as well. For example:
- 50% of media and entertainment organizations don’t use information security tools
7. Context matters
Attackers’ actions and methods might seem benign at first, but a closer look shows they are actually malicious. It takes a contextual understanding of network patterns, combined with AI/ML algorithms, to monitor and detect suspicious activity.
8. 1% Adoption of DNSSEC
DNS is a critical component of enterprise operations, yet Secure DNS isn’t being adopted. Why? The Cato CTRL team has some hypotheses.
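To see how an adoption figure like the one above can be measured from observed traffic, here is an added example (not from the report or from Cato) that parses DNS responses in wire format and reports whether each one carries DNSSEC material: the AD ("Authenticated Data") flag in the header and RRSIG records in the answer. The two responses are constructed by hand so the code runs offline; the RRSIG rdata is a zero-filled placeholder, since only the record type is inspected.

```python
"""Check whether DNS responses carry DNSSEC material.

Added example, not Cato's code. The wire-format messages are constructed
inline (no network access); RRSIG rdata is a zero-filled placeholder.
"""
import struct

TYPE_A, TYPE_RRSIG = 1, 46
FLAG_AD = 0x0020  # "Authenticated Data" bit in the DNS header flags (RFC 4035)


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length


def parse_response(data):
    """Return the AD flag, the RR types in all sections, and whether RRSIGs are present."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                # skip the question section (name + type + class)
        off = _skip_name(data, off) + 4
    types = []
    for _ in range(an + ns + ar):      # walk answer, authority and additional RRs
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {
        "ad": bool(flags & FLAG_AD),
        "rr_types": types,
        "dnssec_signed": TYPE_RRSIG in types,
    }


def _name(s):
    """Encode a dotted name as DNS labels."""
    return b"".join(bytes([len(label)]) + label.encode() for label in s.split(".")) + b"\x00"


def build_response(qname, answers, ad):
    """Build a minimal DNS response; answers is a list of (type, rdata) tuples."""
    flags = 0x8180 | (FLAG_AD if ad else 0)   # QR, RD, RA (+ AD when requested)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = _name(qname) + struct.pack("!HH", TYPE_A, 1)
    body = b""
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + question + body


# Constructed responses: one unsigned, one carrying an RRSIG with the AD bit set.
UNSIGNED = build_response("example.test", [(TYPE_A, bytes([192, 0, 2, 1]))], ad=False)
SIGNED = build_response(
    "example.test",
    [(TYPE_A, bytes([192, 0, 2, 1])), (TYPE_RRSIG, b"\x00" * 20)],  # placeholder RRSIG
    ad=True,
)


def adoption_rate(responses):
    """Percent of responses that carry DNSSEC signatures."""
    signed = sum(parse_response(r)["dnssec_signed"] for r in responses)
    return round(100 * signed / len(responses), 1)


if __name__ == "__main__":
    for label, msg in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, parse_response(msg))
    print("adoption:", adoption_rate([UNSIGNED, SIGNED, UNSIGNED, UNSIGNED]), "%")
```

Two caveats apply when running this against real captures: the AD bit is only meaningful when the resolver is validating and the client asked for it (DO/AD bits in the query), and a signed zone will only show RRSIGs in responses when the DO bit was set, so measuring adoption from passively observed traffic understates it unless queries are also inspected.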
To read more insights and dive deep into the existing threats, vulnerabilities, hacking communities, enterprise behavior, and more, read the entire report.