
Cyber Threat: Insights From Cato’s SASE Threat Report

Enterprise Security: 8 Key Findings From The SASE Threat Report

Published on June 10th, 2024

Threat actors are continually evolving, yet Cyber Threat Intelligence (CTI) often remains siloed within individual point solutions.

To truly understand the cybersecurity landscape, organizations must adopt a holistic approach, integrating external data, inbound and outbound threats, and network activity analysis.

Cato’s Cyber Threat Research Lab (Cato CTRL) has unveiled its inaugural SASE threat report, providing a comprehensive perspective on enterprise and network threats.

Leveraging Cato’s robust network analysis capabilities, this report offers valuable insights derived from extensive data sources.

Understanding The Report

The SASE Threat Report offers insights across strategic, tactical, and operational dimensions, utilizing the MITRE ATT&CK framework.

It encompasses analysis of malicious and suspicious activities, along with examination of applications, protocols, and tools operating within networks.

Data Sources

Drawing from a wealth of resources, including granular traffic flow data from every endpoint within the Cato SASE Cloud Platform, hundreds of security feeds, proprietary ML/AI algorithms, and human intelligence, the report presents a comprehensive view of enterprise security activity.

Key Statistics

Cato’s data pool comprises information gathered from over 2200 customers, encompassing 1.26 trillion network flows and thwarting 21.45 billion attacks.

This extensive dataset provides unparalleled insights into cybersecurity trends and threats.

Unveiling Cato CTRL

Cato CTRL, the Cyber Threat Research Lab, represents a pioneering blend of human intelligence and advanced network analysis capabilities.

With a team comprising former military intelligence analysts, researchers, data scientists, and industry professionals, Cato CTRL delivers unparalleled threat insights.

Role Of Cato CTRL

Cato CTRL serves various stakeholders within organizations, providing tactical data for Security Operations Centers (SOCs), operational threat intelligence for managers, and strategic briefings for management and board members.

Moreover, it monitors security industry trends, informing the creation of the SASE Threat Report.

The Cato CTRL SASE Threat Report’s Top 8 Findings

1. Enterprises’ AI Adoption Trends

Enterprises are increasingly integrating AI tools into their operations, with notable mentions including Microsoft Copilot and OpenAI ChatGPT.

Additionally, applications like Emol, designed for emotion recording and AI interaction, are gaining traction among businesses.

2. Insights From Hacker Forums

Hacker forums serve as a rich source of intelligence, though monitoring them poses challenges.

Cato CTRL’s monitoring efforts have unveiled noteworthy trends:

  • Leveraging LLMs to enhance tools like SQLMap for more efficient vulnerability exploitation.
  • Services offering fake credentials generation and deep fake creation.
  • Emergence of a malicious ChatGPT “startup,” recruiting professionals for development.

3. Brand Spoofing Risks

Well-established brands such as Booking, Amazon, and eBay are increasingly spoofed in phishing and fraud campaigns, underscoring the need for vigilance among consumers and among the enterprises whose users receive these lures.

4. Network Vulnerabilities

Many enterprise networks still carry cleartext and legacy protocols that make lateral movement easier once an attacker has a foothold, because credentials and data can be read or replayed off the wire. Key findings include:

  • 62% of web traffic is unencrypted HTTP rather than HTTPS.
  • Telnet, which sends logins in cleartext, constitutes 54% of all traffic.
  • SMB v1 or v2, which lack the transport encryption SMB 3 adds, account for 46% of traffic.

5. Focus On Known Vulnerabilities

Rather than zero-day exploits, the bigger risk is unpatched systems: attackers keep exploiting known, sometimes years-old, vulnerabilities because they still work.

Notably, exploitation attempts against Log4Shell (CVE-2021-44228) in Apache Log4j remain prevalent.

6. Industry-Specific Security Challenges

Different industries face distinct security challenges and exploitation patterns. For instance:

  • Entertainment, Telecommunication, and Mining & Metals sectors are targeted with T1499, Endpoint Denial of Service.
  • Services and Hospitality sectors face T1212, Exploitation for Credential Access.

Practices also vary, with 50% of media and entertainment organizations lacking information security tools.

7. Importance Of Context In Threat Detection

Understanding the contextual nuances of attackers’ actions is crucial. What may appear benign initially could indeed be malicious.

Combining network pattern analysis with AI/ML algorithms enhances the detection of suspicious activities.

8. Limited Adoption Of DNSSEC

Despite the critical role of DNS in enterprise operations, adoption of DNSSEC (Secure DNS) remains at only 1% of organizations. The Cato CTRL team offers hypotheses for this underutilization.

Conclusion: Diving Into The Report

With its unique blend of human expertise and advanced analytics, the SASE Threat Report by Cato CTRL offers a deep dive into the evolving cybersecurity landscape.

Key Terms Explained

MITRE ATT&CK Framework for Threat Detection

What it is: A globally recognized knowledge base that categorizes cyber adversary tactics, techniques, and procedures (TTPs).

How it helps:

  • Provides a common language for describing threats.
  • Helps organizations understand what attackers are trying to achieve and how they do it.
  • Enables security teams to map their defenses to known TTPs.
  • The SASE Threat Report uses this framework to tag the techniques it observed, for example T1499 (Endpoint Denial of Service) and T1212 (Exploitation for Credential Access) in the industry findings above.

Securing Legacy Protocols

What are legacy protocols?

Communication protocols that have been around for a long time and were designed without encryption or modern authentication (e.g., cleartext HTTP, Telnet, SMB v1 and v2).

Why are they a challenge?

These protocols were often designed before cybersecurity was a major concern. They may have vulnerabilities that attackers can exploit.

Securing them:

  • Patching regularly for known vulnerabilities.
  • Disabling them if they are not essential (SMBv1 in particular should be turned off, since Microsoft has retired it).
  • Replacing them with encrypted equivalents where they are still needed: HTTPS for HTTP, SSH for Telnet, SMB 3 with signing and encryption for SMB v1/v2.
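The report's network findings above and the legacy-protocol checklist both come down to one question: how much of a network's traffic is HTTP, Telnet or SMB v1/v2, and which hosts are responsible. The script below is an added example (it is not Cato CTRL's code or the report's method) that answers that question over a constructed flow export. The CSV layout, the app_dialect column and the remediation text are assumptions; a real SASE or NetFlow export will have different field names, but the classification and percentage logic carries over.

```python
"""Flow-log audit for cleartext and legacy protocols.

Added example (not Cato CTRL code). The CSV layout, the app_dialect column
and the port numbers are assumptions; real SASE or NetFlow exports differ.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. app_dialect is what a traffic-inspection engine
# would label the flow after parsing the application layer (assumption).
SAMPLE_FLOWS = """\
src,dst,dst_port,transport,bytes,app_dialect
10.0.1.10,10.0.2.5,80,tcp,120000,http
10.0.1.11,203.0.113.20,443,tcp,900000,tls
10.0.1.12,10.0.2.7,23,tcp,4000,telnet
10.0.1.13,10.0.2.8,445,tcp,300000,smb1
10.0.1.14,10.0.2.8,445,tcp,500000,smb3
10.0.1.15,10.0.2.9,22,tcp,20000,ssh
10.0.1.16,10.0.2.5,8080,tcp,60000,http
"""

# Dialects the audit treats as a finding, paired with the control that removes
# the exposure. smb2 is included because it lacks the per-session encryption
# that SMB 3 adds; smb3 and tls are not findings.
LEGACY = {
    "http":   ("HTTP (cleartext web)",            "redirect to HTTPS / enforce TLS"),
    "telnet": ("Telnet (cleartext remote shell)", "replace with SSH, block TCP/23"),
    "smb1":   ("SMBv1 (retired by Microsoft)",    "disable SMBv1, require SMB 3"),
    "smb2":   ("SMBv2 (no transport encryption)", "require SMB 3 with signing and encryption"),
}
WEB_DIALECTS = {"http", "tls"}


def parse_flows(text):
    """Parse the CSV export into dicts with numeric port and byte counts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        row["app_dialect"] = row["app_dialect"].lower()
        flows.append(row)
    return flows


def share(part, whole):
    """Percentage rounded to one decimal, 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def audit(flows):
    """Compute report-style shares (by bytes) and list the flows to remediate."""
    total = sum(f["bytes"] for f in flows)
    web = sum(f["bytes"] for f in flows if f["app_dialect"] in WEB_DIALECTS)
    http = sum(f["bytes"] for f in flows if f["app_dialect"] == "http")
    by_finding = defaultdict(int)
    offenders = []
    for f in flows:
        hit = LEGACY.get(f["app_dialect"])
        if hit:
            label, fix = hit
            by_finding[label] += f["bytes"]
            offenders.append((f["src"], f["dst"], f["dst_port"], label, fix))
    return {
        "http_share_of_web": share(http, web),                      # like the report's 62%
        "legacy_share_of_total": share(sum(by_finding.values()), total),
        "bytes_by_finding": dict(by_finding),
        "offenders": offenders,
    }


if __name__ == "__main__":
    result = audit(parse_flows(SAMPLE_FLOWS))
    print(f"cleartext HTTP: {result['http_share_of_web']}% of web bytes")
    print(f"legacy/cleartext protocols: {result['legacy_share_of_total']}% of all bytes")
    for src, dst, port, label, fix in result["offenders"]:
        print(f"  {src} -> {dst}:{port}  {label}  => {fix}")
```

Shares are computed by bytes; a flow-count version is a one-line change, and the two can differ sharply (one bulk SMBv1 backup dominates bytes, a thousand Telnet logins dominate counts), so an audit worth acting on reports both.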

AI-Powered Threat Hunting

What it is: The use of Artificial Intelligence and Machine Learning algorithms to proactively search for signs of malicious activity within a network.

How it works:

  • Analyzes large amounts of data from various sources (logs, network traffic, etc.)
  • Identifies patterns and anomalies that might indicate a potential threat.
  • Helps security analysts focus their efforts on investigating suspicious activity.

Secure DNS Implementation

What is DNS?

The Domain Name System translates human-readable domain names into the IP addresses machines connect to.

What is DNSSEC?

An extension to the DNS protocol that adds digital signatures (RRSIG records, verified against published DNSKEY records) so a validating resolver can confirm that an answer is authentic and unmodified. It does not encrypt queries; that is what DNS over TLS or HTTPS does, and the two are complementary.

Benefits of Secure DNS:

  • Protects against cache poisoning and DNS hijacking that work by forging answers.
  • Gives every control that relies on name resolution (web access, mail delivery, certificate issuance) a trustworthy base.
  • Cato CTRL's report puts adoption at only 1% despite these benefits.
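The first thing a practitioner checks when finding 8 comes up is whether their own resolvers actually validate and whether their zones are signed with a current, non-deprecated algorithm. The script below is an added example, not part of the report or Cato CTRL's tooling: it reads a `dig +dnssec`-style response and reports the validation state, the RRSIG validity window and the signing algorithm. The response text is constructed and abridged, the signature field is a placeholder rather than a real signature, and the reference time is fixed so the checks are repeatable; those are assumptions, as is the whitespace-separated record layout.

```python
"""Classify a DNS response's DNSSEC state from dig-style text output.

Added example; not the report's or Cato CTRL's code. Parses the flags line and
RRSIG records of a constructed response and reports validation state,
signature validity window and algorithm strength (RFC 8624 guidance).
"""
import re
from datetime import datetime, timezone

# Constructed, abridged `dig +dnssec` output. The RRSIG signature field is a
# placeholder, not a real signature (assumption).
SAMPLE_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test. 3600 IN A 192.0.2.10
example.test. 3600 IN RRSIG A 13 2 3600 20240701000000 20240601000000 12345 example.test. c29tZXNpZ25hdHVyZQ==
"""

# Fixed reference time so the window check is repeatable (assumption).
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)

# Algorithm numbers RFC 8624 lists as MUST NOT or NOT RECOMMENDED for signing.
WEAK_ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
                   7: "RSASHA1-NSEC3-SHA1", 12: "ECC-GOST"}


def parse_timestamp(s):
    """RRSIG times are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_flags(text):
    """Header flags, e.g. {'qr','rd','ra','ad'}; 'ad' means the resolver validated."""
    m = re.search(r";; flags:([^;]*);", text)
    return set(m.group(1).split()) if m else set()


def parse_rrsigs(text):
    """RRSIG RDATA: type covered, alg, labels, orig TTL, expiration, inception, key tag, signer, sig."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 13 and f[3] == "RRSIG":
            sigs.append({
                "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
                "expiration": parse_timestamp(f[8]), "inception": parse_timestamp(f[9]),
                "key_tag": int(f[10]), "signer": f[11],
            })
    return sigs


def assess(text, now=NOW):
    """Return the DNSSEC state of a response plus a list of human-readable findings."""
    flags = parse_flags(text)
    sigs = parse_rrsigs(text)
    findings = []
    if not sigs:
        state = "unsigned"
        findings.append("no RRSIG in answer: zone is unsigned, or the query was sent without the DO bit")
    elif "ad" in flags:
        state = "validated"
    else:
        state = "signed_not_validated"
        findings.append("RRSIG present but AD flag clear: resolver did not validate (non-validating resolver, or CD set)")
    for s in sigs:
        if not (s["inception"] <= now <= s["expiration"]):
            findings.append(f"RRSIG over {s['type_covered']} is outside its validity window "
                            f"({s['inception']:%Y-%m-%d} to {s['expiration']:%Y-%m-%d})")
        if s["algorithm"] in WEAK_ALGORITHMS:
            findings.append(f"RRSIG over {s['type_covered']} uses algorithm {s['algorithm']} "
                            f"({WEAK_ALGORITHMS[s['algorithm']]}), not recommended for signing")
    return {"state": state, "flags": flags, "rrsigs": sigs, "findings": findings}


if __name__ == "__main__":
    report = assess(SAMPLE_RESPONSE)
    print("state:", report["state"])
    for finding in report["findings"]:
        print("  -", finding)
```

Two of the three states are worth alarming on: "unsigned" for a zone you own means finding 8 applies to you, and "signed_not_validated" means the resolver your users depend on would accept a forged answer even though the zone owner did the work of signing.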