Eighty-two percent of attacks on organizations in Q1 2022 were caused by the external exposure of a known vulnerability in the victim's internet-facing perimeter or attack surface. Those unpatched bugs overshadowed incidents tied to human error, which accounted for the remaining 18 percent.
The numbers come from Tetra Defense's quarterly report, which sheds light on a notable uptick in cyberattacks against United States organizations between January and March 2022.
The report did not let employee security hygiene, or a lack thereof, off the hook. Tetra revealed that the absence of multi-factor authentication (MFA) at many firms and the use of compromised credentials are still major factors in attacks against organizations.
External Exposures: A Major Path of Compromise
The study looks at the Root Point of Compromise (RPOC) in attacks. The RPOC is the initial entry point through which a threat actor infiltrates a victim organization, and it is categorized as external exposure of a known vulnerability, an action performed by a user, or a system misconfiguration.
“Incidents caused by unpatched systems cost organizations 54 percent more than those caused by employee error,” according to the report.
The researchers draw a line of distinction between "External Vulnerabilities" and "Risky External Exposures".
External Vulnerabilities, as defined by Tetra Defense, refers to incidents where an attacker leverages a publicly available exploit to attack the victim's network. Risky External Exposures, on the other hand, include IT practices such as leaving an internet-facing port open that an adversary can use to target the system.
“These behaviors are considered ‘risky’ because the mitigation relies on an organization’s continued security vigilance and willingness to enforce consistent standards over long periods of time,” said Tetra Defense in the report.
Risky External Exposures, the study found, account for 57 percent of organizations' losses.
Learning Lessons the Hard Way
According to Tetra Defense, widespread awareness of the Log4Shell vulnerability limited its active exploitation; it was only the third most exploited external exposure, accounting for 22 percent of total incident response cases. The Microsoft Exchange vulnerability ProxyShell outpaced Log4Shell and led the way, accounting for 33 percent of cases.
Tetra Defense revealed that nearly 18 percent of the events were caused by an unintentional action by an individual employee in the organization.
“Over half (54 percent) of the incidents where ‘User Action’ was the RPOC were caused by an employee opening a malicious document,” Tetra Defense noted. The researchers found that most of these incidents involved malicious email campaigns targeting individuals and organizations at random.
The other major cause is the abuse of compromised credentials, which accounts for 23 percent of incidents where user action was the RPOC. The report indicates that reuse of the same password across multiple sites is one of the main factors leading to credential leaks and account takeover.
“If one of the sites experiences a breach and the credentials are leaked to the dark web, those credentials can be used to compromise other systems where the same pair of username and password is used,” said Tetra Defense.
In Tetra Defense's findings, the healthcare industry leads with approximately 20 percent of the total incidents reported in the first quarter of 2022. Apart from healthcare, Tetra Defense collected insights from twelve other verticals, including finance, education, manufacturing and construction.
The Patching Imperative
According to the report, the median cost of an incident response engagement where an external vulnerability was the RPOC is 54 percent higher than for events where “User Action” was the RPOC.
“Advocating for better patching practices has almost become a cliché at this point as it’s common knowledge that it plays a major role in reducing cyber risk,” Tetra Defense noted.
“To best prevent exploitation of external vulnerabilities, organizations need to understand their attack surface and prioritize patching based on risk, all while ensuring they have the defenses in place to protect their systems knowing that they will have obstacles that will prevent them from immediately patching vulnerable systems,” Tetra Defense added.
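As an added illustration of the two categories the report distinguishes above (External Vulnerabilities versus Risky External Exposures) and of the risk-based patch prioritization it calls for, the following Python script triages a constructed inventory of internet-facing listeners. It is example code written for this page, not tooling from Tetra Defense or from the report. The inventory format, the host names, the "never external" port policy and the two-level priority scheme are assumptions made for illustration; the CVE identifiers are the real ones for ProxyShell and Log4Shell, which the report names, attached here to made-up hosts.

```python
"""Triage an internet-facing service inventory into External Vulnerabilities
(known, exploitable bug on an exposed service) and Risky External Exposures
(a service that should never face the internet), then order by priority.
Example code for this page; inventory format and policy are assumptions."""
from dataclasses import dataclass

# Hypothetical policy: TCP services that should not listen on a public address.
NEVER_EXTERNAL = {
    21: "FTP", 23: "Telnet", 135: "MS-RPC", 445: "SMB", 1433: "MSSQL",
    3306: "MySQL", 3389: "RDP", 5900: "VNC", 5985: "WinRM", 6379: "Redis",
}


@dataclass(frozen=True)
class Listener:
    host: str
    port: int
    service: str
    known_vulns: tuple  # CVE IDs a scanner already matched; () if none


@dataclass(frozen=True)
class Finding:
    listener: Listener
    category: str  # "external_vulnerability" or "risky_exposure"
    priority: int  # 1 = patch or close first
    reason: str


def parse_inventory(text):
    """Parse constructed 'host,port,service,cve1;cve2' lines; '#' starts a comment."""
    listeners = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port, service, vulns = line.split(",")
        listeners.append(Listener(host, int(port), service,
                                  tuple(v for v in vulns.split(";") if v)))
    return listeners


def triage(listeners):
    """Return findings ordered by priority, then host and port.

    A single listener can yield both kinds of finding (e.g. RDP with a known bug)."""
    findings = []
    for l in listeners:
        if l.known_vulns:
            findings.append(Finding(l, "external_vulnerability", 1,
                                    "exploitable bug on exposed service: "
                                    + ", ".join(l.known_vulns)))
        if l.port in NEVER_EXTERNAL:
            findings.append(Finding(l, "risky_exposure", 2,
                                    f"{NEVER_EXTERNAL[l.port]} reachable from the internet"))
    return sorted(findings, key=lambda f: (f.priority, f.listener.host, f.listener.port))


# Constructed sample inventory (hosts are fictitious; CVEs are the real
# ProxyShell and Log4Shell identifiers named in the report).
SAMPLE = """
# host,port,service,cves
mail.example.com,443,exchange-owa,CVE-2021-34473;CVE-2021-34523;CVE-2021-31207
app.example.com,8080,java-app,CVE-2021-44228
jump.example.com,3389,rdp,
files.example.com,445,smb,
www.example.com,443,nginx,
"""

if __name__ == "__main__":
    for f in triage(parse_inventory(SAMPLE)):
        print(f"P{f.priority} {f.listener.host}:{f.listener.port} "
              f"[{f.category}] {f.reason}")
```

Run stand-alone, the script lists the two hosts with known exploitable bugs first (the External Vulnerabilities) and the RDP and SMB listeners second (the Risky External Exposures); the plain nginx host produces no finding. In practice the `known_vulns` column would be populated from a vulnerability scanner and the port policy from the organization's own standard, which is exactly the "continued security vigilance" the report says risky exposures depend on.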
The researchers also observed multiple cybercriminal groups active on the dark web. “With such a large number of groups being actively observed it highlights the constant challenges organizations have in protecting themselves, because if even one group becomes inactive or is taken down by law enforcement, there remain dozens of other groups actively trying to compromise them,” Tetra Defense concluded.