Palo Alto Networks – Unit 42 Attack Surface Threat Report Lessons in Attack Surface Risk

By : Basel Khaled

Organizations are accelerating the modernization of their network architectures, driven by the adoption of new security models, cloud computing, SaaS, and the need to support distributed workforces. This rapid evolution has introduced complexity into security efforts that were already stretched thin by significantly expanding known and unknown IT infrastructure. Assets made public-facing, intentionally or not, stand out to malicious actors like prey in the open desert.

A critical challenge remains: keeping track of and protecting all assets, as many companies and government agencies struggle to inventory their holdings and identify the most vulnerable services. According to the 2024 Unit 42 Incident Response Report, in the past year, attackers’ initial access most often started with a software vulnerability. The largest attack campaigns began with the successful exploitation of internet-facing systems. So, to better understand these challenges, Unit 42^® conducted a comprehensive analysis of public internet data, leveraging Palo Alto Networks Cortex Xpanse^®. This report distills insights from several petabytes of data collected in 2023 to provide security leaders with a clear picture of the evolving global attack surface and what risks to look for in their environment.

Attack surface change inevitably leads to exposures. Across industries, attack surfaces are always in a state of flux. Our research indicates that, on average, an organization’s attack surface has over 300 new services every month. These additions account for nearly 32% of new high or critical cloud exposures for organizations.

Opportunities for lateral movement and data exfiltration are abundant. Just three categories of exposures—IT and Networking Infrastructure, Business Operations Applications, and Remote Access Services—account for 73% of high-risk exposures across the organizations we studied and can be exploited for lateral movement and data exfiltration.

Critical IT and security services are dangerously exposed to the internet. Over 23% of exposures involve critical IT and security infrastructure, opening doors to opportunistic attacks. These include vulnerabilities in application-layer protocols like SNMP, NetBIOS, PPTP, and internet-accessible administrative login pages of routers, firewalls, VPNs, and other core networking and security appliances.

While this exposure data may seem overwhelming, it shouldn’t instill panic or fear. Fear is the mind-killer. Face these risks head-on.

Maintain persistent, comprehensive visibility

The key to being able to discern and respond to attack surface risks (such as new, high-profile vulnerabilities) begins with having comprehensive attribution of your organization’s attack surface. This can be accomplished with continuous scanning of both standard and nonstandard ports, as well as accurate fingerprints of services and devices in your environment and assessments of risks. Your organization can use our Cortex Xpanse platform to proactively find and fix exposures on your internet-connected assets before attackers can exploit them.

Monitor for unsanctioned services or shadow IT

Checking known perimeter resources can help you tell the difference between expected assets and unknown or out-of-scope ones. No matter the industry you're protecting, it's important to use common configuration baselines for security. Deviations from these baselines or policies are usually the most vulnerable to compromise.

Focus on high-priority vulnerabilities

Concentrate remediation efforts on the most critical security issues, particularly those that are internet-exposed, which would lead to high-severity and likelihood scores. Consider leveraging external expertise to identify the most impactful starting points for improvement.

Remediate critical exposure risks in real time

Detecting internet-exposed risks, whether they’re due to misconfigurations or vulnerabilities, is only half of the battle. Organizations should have processes, and ideally technology, to aid security operation teams in identifying service owners, communicating risk details, and tracking remediation.

Seek expert guidance

If your organization is new to attack surface management or looking to enhance existing practices, consider a Unit 42 Attack Surface Assessment.

Strengthen remote access security

Implement robust authentication protocols, such as multifactor authentication, for all remote access services. Establish monitoring systems to detect and respond to potential unauthorized access attempts or brute-force attacks.

Optimize cloud configurations

Establish a regular schedule for reviewing and updating cloud settings to align with industry best practices and mitigate potential security risks. Foster collaboration between security and development teams to promote secure cloud-native application development.

Enforce secure data handling practices

Implement and maintain stringent access controls and secure file sharing protocols for all databases and shared resources to prevent unauthorized access and data breaches and ensure regulatory compliance.

Stay informed about emerging threats

Develop a system for keeping abreast of new vulnerabilities, exploits, and threat actors. Regularly reassess your organization's attack surface in light of this evolving threat landscape. Follow the Unit 42 blog for our insights, and if you’d like a consulting relationship, consider a services retainer for threat landscape briefings and Incident Response services.