2022 ASM Threat Report v2.1: Tending to Your Attack Surface Garden

Attack surfaces are living things – they grow and change. And, much like any living thing, they need constant care. To see how those efforts are going, the Cortex® Xpanse™ research team studied the global attack surface and discovered that, as a whole, security teams are having trouble keeping up with needed risk remediation.

We monitored scans of 50 million IP addresses (over 1% of the entire internet) associated with 100+ global enterprises to understand how attack surfaces change, what exposures plague various industries, how long some exposures remain active, and to uncover the realities of attack surface management (ASM).

Looking at the data, we can see evidence of a vicious cycle. Organizations face a continuous stream of new attack surface issues, those issues are not all remediated, and those exposures become the low-hanging fruit sought out by threat actors as easy targets.

While zero-day vulnerabilities and sophisticated attacks get fancy nicknames and lots of media coverage, the majority of risks on the global attack surface are in more common software and services, like Remote Desktop Protocol (RDP) or exposed admin login portals.

The 2022 ASM Threat Report v2.1 features the breakdown of attack surface exposures by industry, based on data gathered between March 2021 and June 2022. The key findings are based on observable data and not self-reported surveys:

1. Cloud Continues To Be a Big Target
   90% of all issues observed on the global attack surface were in the cloud. This is certainly due to an increased reliance on the cloud, but it also highlights that the speed at which cloud assets are deployed can cause headaches for security teams. It is so easy to deploy to the cloud, and it is just as easy to accidentally expose or misconfigure assets, or even deploy new cloud assets completely outside of security procedures.
2. Low-Hanging Fruit Continues to Hang
   Non-zero day exposures dominate the global attack surface. Nearly one out of every four issues we found was related to an exposed RDP server, a major gateway for ransomware. Additionally, the top four exposure types – RDP, networking and security infrastructure, data storage and analysis, and building control systems – make up nearly 72% of all issues seen on the global attack surface.
3. End-of-Life Software = End-of-Life for Your Security
   By definition, end-of-life (EOL) software is insecure because it is no longer being actively supported. Unfortunately, we found around 30% of organizations running EOL software affected by Common Vulnerabilities and Exposures (CVEs) with known active exploits.
4. Issues Are Complex and Unique Across Industries
   Just like your personal garden will be unique to your wants and needs, each organization has a unique attack surface. However, zooming out a bit can show some similarities among different industries, and the types of issues faced can be far more dangerous in one industry compared to another. For example, our data showed that wholesale and retail had a similar amount of RDP exposure (~65%) compared to healthcare (~67%). But, while personal data would be at risk in the former, human lives are at risk if a hospital is attacked.
5. What Is New Becomes Old on Attack Surfaces
   Xpanse data showed that regardless of the industry, new issues are constant; not one industry we studied showed success in reducing its attack surface. Some industries observed had slower rates of increased attack surface issues (rated high or critical), like transportation and logistics or utilities and energy, with median rates of 3.67% and 6.36%, respectively. Others, like healthcare, insurance, pharma and life sciences, had far higher rates of new attack surface issues at 24%, 26.2% and 24%, respectively.
6. RDP and Cloud Exposures Are Persistent
   These new attack surface issues are not being remediated quickly enough, so exposures become persistent risks. Seven of the 12 industries observed by Xpanse averaged more than seven days per-month with an active RDP exposure. Additionally, five of the 12 industries had more than 400 median active cloud issues per-month.

All of this data uncovers fundamental truths about attack surface management. First, visibility is paramount. If you don’t know where exposures live, it’s impossible to even know the full scope of your exposures and risks, let alone be able to remediate them all.

But, having a clear view of your attack surface is only as valuable as your ability to act upon the information you find, and far too many security teams throughout the world lack the needed resources, staff and/or expertise.

A comprehensive and continuously updated inventory of all internet-connected assets is the foundation of security work, but security teams need to ensure they implement resilient processes to help handle common issues like isolating or decommissioning assets running EOL software, mitigating RDP exposures or tracking new cloud deployments for misconfigurations.

Attackers scan the entire internet looking for weak points, so defenders should be doing the exact same. Armed with an attacker’s point of view, organizations can have a clear view of their attack surface gardens and ensure any issues are tended to. Without continuous care, it is all too easy to have new issues become persistent exposures and unmanaged assets.

To learn more about other critical findings on the unmanaged attack surface, based on observable data from 100+ companies, read the 2022 Cortex Xpanse Attack Surface Threat Report.