Today’s Attack Trends — Unit 42 Incident Response Report

Palo Alto Networks

By Wendi Whitmore, SVP Unit 42


Each year, Unit 42 Incident Response and Threat Intelligence teams help hundreds of organizations assess, respond to and recover from cyberattacks.

Our 2024 Unit 42 Incident Response Report will help you understand the threats that matter. It's based on real incident data and our security consultants' experience.

Read the report to learn how to safeguard your organization's assets and operations. It covers:

  • Threat actors, their methods and their targets.
  • Statistics and data about the incidents our team worked on.
  • A spotlight on the Muddled Libra threat group – one of the most damaging ransomware groups today.
  • How artificial intelligence affects cybersecurity now and in the future.
  • In-depth recommendations for leaders and defenders.

Key Takeaway — Speed Is Critical
Speed matters. Attackers are acting faster, not only at identifying vulnerabilities to exploit, but also at stealing data once they have done so.

  • In 2023, the median time from compromise to data exfiltration fell to just two days, which is much faster than the nine days we observed in 2021.
  • In approximately 45% of cases this year, attackers exfiltrated data within a day of compromise.
  • For non-extortion-related incidents in 2022 and 2023, the median time to data exfiltration has consistently remained under one day, meaning defenders must react to a ransom attack in less than 24 hours.

Attacker "dwell time" (the interval between the earliest evidence of an attacker's presence and the point at which they were detected) has also shortened. The median dwell time was just 13 days in 2023 – half of what it was in 2021.

Key Takeaway – Software Vulnerabilities Remain Important
In 2023, attackers exploited vulnerabilities in internet-facing systems to gain entry more often than in previous years. This tactic occurred in 38.6% of our IR cases, making it the leading method of initial access. This change emphasizes the importance of good patching practices and attack surface reduction. While that work can be challenging for large organizations to implement comprehensively, organizations must act swiftly and use multiple layers of defense to protect themselves.

Key Takeaway – Threat Actors Continue to Use Sophisticated Approaches
Cyberthreat actors are adopting sophisticated strategies, organizing into specialized teams and effectively leveraging IT, cloud and security tools. Attackers are now using defenders' own security tools against them, compromising highly privileged accounts and infrastructure to access tools and move within their target network.

Five Recommendations to Better Protect Your Organization from Cyberthreats in 2024

  1. Improve Organizational Visibility: Prioritize comprehensive visibility across your network, cloud and endpoints.
  2. Simplify: Streamline the complexity of cybersecurity operations by consolidating point products.
  3. Enforce Zero Trust Principles: Implement a Zero Trust security strategy. Deploy robust authentication methods, network segmentation, lateral movement prevention, Layer 7 threat prevention and the principle of least privilege.
  4. Control Application Access: Control application usage and eliminate implicit trust between application components. Restrict access to specific applications, especially those exploited by threat actors.
  5. Segment Networks: Employ network segmentation to reduce the attack surface and confine breaches to isolated zones. Implement Zero Trust network access (ZTNA) to verify users and grant access based on identity and context policies.
