The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
In an ideal world, you would invest in defending against all types of attacker tactics and techniques. The reality is that you must prioritize your efforts based on the likelihood and impact of different types of attacks.
Unfortunately, prioritizing the prevention of one type of attack over another – whether it is general attack vectors or attacker tactics outlined in the MITRE ATT&CK framework – can leave gaps in your organization’s defenses.
In the Blue Report 2023, our analysis of 14 million attack simulations found that organizations are making four “impossible” tradeoffs when it comes to managing their threat exposure. One trade-off is choosing which types of attacks to prevent.
Specifically, we found that as organizations invest in one area, they appear to be trading-off investing in others, creating gaps in their security.
Attackers only need to find one gap in organizations’ defenses to succeed. It is therefore not surprising then that the Blue Report 2023 also found that organizations are the least successful at preventing malware varieties that include multiple malicious actions across the kill chain.
Similarly, cyber threat groups posing the most significant challenge are those whose attacks combine multiple techniques. These tend to be state-linked and financially motivated attack groups.
Performance by Attack Vector
Organizations’ ability to prevent attacks varies depending on the type of cyber attack being used. For example, organizations demonstrate a high level of preparedness for malware download attacks.
Prevention effectiveness score by attack vector
On the other hand, security teams significantly lag in their ability to prevent data exfiltration in the face of attacks on their network. Their 18% effectiveness rate against data exfiltration is alarmingly low and suggests that their cybersecurity controls are largely ineffective at preventing the unauthorized export of sensitive data. Given the significant financial, legal and reputational implications of data breaches, the prevention of data exfiltration attacks requires urgent attention and resources.
When it comes to attack scenarios – complex, multi-stage attacks – our findings indicate a prevention effectiveness score of only 46%. These types of attacks are increasingly common. Over a third of malware samples exhibit 20 or more attacker tactics, techniques and procedures (TTPs) according to analysis compiled in The Picus Red Report 2023.
Web application attacks are another type of attack that security teams should pay attention to since an overwhelming majority of modern businesses use web platforms as a core part of their business. Unfortunately, organizations’ prevention effectiveness against web application attacks stands at a moderate 55%, which could expose them to significant risk, especially given the rise of such attacks in recent years.
Overall, these figures suggest that organizations’ cybersecurity postures, while robust against some types of threats, have significant gaps.
Performance by MITRE ATT&CK Tactic
Many security organizations today use the MITRE ATT&CK framework to understand attack behavior and evaluate their own threat readiness. We analyzed organizations' ability to defend against the 14 attacker tactics in the MITRE ATT&CK enterprise matrix.
Organizations were least able to defend against the discovery tactic, preventing this tactic only 31% of the time. As a result, adversaries may be successful in gathering information about organizations’ networks and systems to further their attack. For example, once inside a network attackers can identify critical systems, understand configuration details and learn about the privileges of compromised credentials. Organizations with a weak performance in this area should undertake an urgent review of their security controls, given that successful discovery is usually a key step for attackers to perpetuate a successful breach.
Organizations also had inadequate or basic efficacy defending against persistence (35%), execution (40%), impact (42%) and command and control (45%) tactics. Organizations can improve their defense against persistence techniques by improving their detection capabilities and thereby disrupt long-term intrusions. To better defend against the execution tactic, organizations should strengthen security controls that prevent malicious software write, modify, or execute processes in their systems.
Organizations inability to defend themselves against the impact and command and control tactics means that organizations could be vulnerable to detrimental impacts of a cyber attack. Essentially, these weaknesses could allow cybercriminals to cause significant disruption, including but not limited to data destruction, encryption, and manipulation, system downtime, financial loss, and tarnished reputation. To mitigate against this threat, organizations should both improve their ability to prevent initial system intrusion as well as tighten controls that prevent an intruder from executing actions that could directly impact their business. Organizations need to preclude malicious actors from communicating with compromised systems to extract data, command malicious software, or control system functions.
The 5 least prevented MITRE ATT&CK tactics
Overall, organizations’ performance against attacker tactics as defined in the MITRE ATT&CK framework differs by tactic. This finding is similar to the varying performance we found organizations have when it comes to preventing different attack vectors.
Performance by Ransomware Group
Cyber threat groups posing the most significant challenge tend to be state-linked and financially motivated. The majority of these groups use sophisticated TTPs including defense evasion techniques, vulnerability exploitation, spear-phishing, and living-off-the-land (LOTL) to thwart defensive measures. As these groups evolve and refine their TTPs, organizations must continually validate and strengthen their security controls.
The 10 least prevented ransomware groups
In our analysis, we found that organizations are least successful (13%) at preventing attacks by OilRig (a.k.a. APT34), which has suspected links to the Iranian government. This group has made headlines for its high-tech cyber-espionage campaigns primarily targeting Middle Eastern and other entities linked to the finance, energy, telecommunications, and chemical industries.
Organizations don’t do much better (17%) against APT37, also known as Reaper, a group backed by North Korea. APT37 primarily targets South Korean public and private entities, but has expanded the scope of its attacks to include Japan, Vietnam, and the Middle East. With a keen interest in industries like chemicals, electronics, manufacturing, aerospace, automotive, and healthcare, the group has undertaken campaigns involving espionage, data theft, and even sabotage.
Organizations also struggle to prevent attacks (21%) against the Lazarus Group, another North Korea-backed group, known for the infamous Sony Pictures hack and WannaCry ransomware attack. Their victims span the finance, manufacturing, media, aerospace, and critical infrastructure industries in nations worldwide.
Other groups whose attacks organizations are least successful at preventing include MuddyWater (associated with Iran), APT41 (China-backed and known for both cyber-espionage and cybercrime operations), BlueNoroff (part of the Lazarus Group, focused on financial gain), the Russian-aligned Gamaredon group, the financially motivated TA505 group, Silence and Sandworm (a group linked to the Russian government and known for its destructive attacks against Ukrainian infrastructure).
Performance by Ransomware
Ransomware poses an increasingly prevalent and severe threat to organizations across industries, and around the world. The disruptive impact, adaptability, and constant evolution of ransomware makes it a significant challenge for organizations to protect themselves. Even well-equipped organizations are not impervious, underlining the need for all organizations to take a proactive defensive posture.
The 10 least prevented ransomware attacks
In our analysis, we identified the 10 ransomware attacks that organizations were least able to prevent. All of the least prevented malware varieties include multiple malicious actions across the kill chain.
Mount Locker and Hive top the list. These malware varieties have proven to be extremely successful due to their rapid evolution and their advanced capabilities. Ragnar Locker, known for its sophisticated encryption techniques and the sizable ransom demands of its users, was also rarely prevented: less than one out of four times.
Other ransomware like the notorious NetWalker, Maze, and Darkside varieties, are infamous for their high-profile attacks. Despite the international attention they've drawn, organizations’ relatively low prevention efficiency scores indicate that most of them remain exposed to these malware varieties. The same can be said for other malware strains like BlackByte, Cuba, BianLian, and Black Basta which, despite being less prominent in media headlines, pose equally severe threats.
Overcoming the Trade-off
Organizations should continuously improve their cyber resilience in the face of these highly adaptable and destructive threats. It's equally crucial for them to stay up to date in the face of the evolving ransomware landscape.
Picus Security can help you validate the performance of your security controls against the latest threats so you know where trade-offs have been made and where investing additional resources can have the greatest impact.
Picus Security Control Validation (SCV) is a Breach and Attack Simulation (BAS) solution that helps you to measure and strengthen cyber resilience by automatically and continuously testing the effectiveness of your security tools.
With Picus SCV you can simulate real-world cyber threats to identify prevention and detection gaps, and obtain actionable mitigation recommendations to address them swiftly and effectively.
To learn more about other trade-offs organizations face managing their threat exposure, download the Blue Report 2023, or read our other blogs in this series.