As many businesses make knee-jerk reactions to assessing their risk and exposure from emerging threats, many aren’t paying close enough attention to threats that are most likely to target their organizations, according to a new report from Cymulate.
Kill-Chain Testing Validated
Indeed, businesses that used scheduled and full kill-chain testing demonstrated the broadest testing coverage and the most in-depth validation when they added advanced scenario testing to their programs, said Cymulate, a risk validation and exposure management specialist, in a study of cybersecurity effectiveness.
Cymulate analyzed the results of more than one million security posture validation assessments, including 1.7 million hours of offensive cybersecurity testing within Cymulate’s production environments.
Commenting on the report, Carolyn Crandall, Cymulate chief security advocate, said:
“It’s understandable that organizations want to protect themselves against the major threats making headlines today. But the findings of the Cybersecurity Effectiveness Report underscore the fact that many attackers aren’t using advanced new strategies — they’re continuing to find success using known tactics. Organizations need to shift their vulnerability management strategies to address these gaps by implementing attack surface management tools for exposure assessment, breach and attack simulation for security control efficacy validation, and continuous automated red teaming for more frequent penetration testing.”
What Cymulate Found
Key findings from the report include:
- 40% of the top 10 CVEs (common vulnerabilities and exposures) identified most by vulnerability management platforms were more than two years old yet remain unpatched. A significant number of organizations are not testing against more widely recognized threats such as ProxyNotShell and Emotet.
- Network and group policies have had a positive impact on prevention of data exfiltration, which has driven attackers to resort to alternative exfiltration methods.
- 92% of the top 10 exposures are related to domain and email security. In 2022, the top 10 exposures detected by Cymulate’s External Attack Surface Management (EASM) module showed most detected exposures were spread across domain security (59.3%) and email security (32.8%).
- When comparing the anonymized data between the first endpoint security assessment completed and the most recent assessments completed, significant improvements in risk reduction were seen when BAS (breach and attack simulation) testing was regularly performed.