Examining the Risk Environment
XM’s researchers found that 75% of exposures along attack paths lead to "dead ends" that cannot impact critical assets and therefore represent minimal risk. Only 2% of security exposures are actually located on "choke points," the entities through which multiple attack paths converge en route to critical assets.

By focusing efforts on remediating exposures on these choke points, organizations can maximize risk reduction while minimizing the remediation workload for security and IT teams, the hybrid cloud security provider’s researchers said.

As Zur Ulianitzky, XM Cyber researcher vice president, explained:

"Security teams are inundated with increasing volumes of alerts and attackers are actively exploiting this. Threat actors are not working any harder than they have to, and most find success with attack paths which are simple, short and lead straight to fruitful returns. By diligently focusing remediation efforts on first and foremost eliminating the 2% of exposures which provide attackers with seamless access to critical assets, organizations can significantly reduce their risk without adding any additional strain to security teams."
Credentials and Permissions a Favored Attack Vector
The research also reveals that attack techniques targeting credentials and permissions affect 82% of organizations. Still, many continue to overlook attack paths that leverage credentials and permissions, XM said.

The research also shows that attackers easily pivot from on-premises to cloud networks, underscoring the importance of having strong security controls in both environments. Roughly seven in 10 organizations have exposures in their on-premises networks that put their critical assets in the cloud at risk.

Ulianitzky explained how organizations face tough challenges in managing their diverse on-premises and cloud environments, often failing to consider the bigger picture and only focusing on each piece in isolation:

"Once attackers infiltrate cloud environments, it's easy for them to compromise assets. Cloud security is not yet mature, and many security teams don't fully understand what security issues they need to look for."