November 19, 2024 3m read

Highlights from Q3 2024 Cato CTRL SASE Threat Report 

Etay Maor
Vitaly Simonovich
Etay Maor , Vitaly Simonovich
Cato CTRL SASE Threat Report-blog

Table of Contents

Wondering where to begin your SASE journey?

We've got you covered!
Listen to post:
Getting your Trinity Audio player ready...

Introduction  

Today, we published the Q3 2024 Cato CTRL SASE Threat Report, which summarizes findings from Cato CTRL’s analysis of 1.46 trillion network flows across more than 2,500 customers globally between July and September 2024.  

Key Findings 

Threat actors recruiting pen testers for ransomware affiliate programs  

In closely monitoring discussions on the RAMP forum, Cato CTRL has observed threat actors seeking pen testers to join various ransomware affiliate programs including Apos, Lynx and Rabbit Hole.   

Any good developer knows that software needs to be tested before deploying in production environments. This is also true for ransomware gangs. They want to ensure that their ransomware can be deployed successfully against organizations.   

Shadow AI lurks in the background for organizations  

Shadow AI refers to the unauthorized or unsanctioned use of AI applications and tools within an organization without the knowledge or approval of IT departments or security teams. This phenomenon typically involves employees or departments adopting AI solutions independently and bypassing formal vetting processes and governance controls.  

Out of the hundreds of AI applications that Cato CTRL monitors, Cato CTRL tracked 10 AI applications used by organizations (Bodygram, Craiyon, Otter.ai, Writesonic, Poe, HIX.AI, Fireflies.ai, PeekYou, Character.AI and Luma AI) and observed various security risks. The top concern is data privacy.   

Q3 2024 Cato CTRL SASE Threat Report | Download the report

TLS attack attempts reveal TLS inspection not utilized enough 

TLS inspection allows organizations to decrypt, inspect and re-encrypt traffic. However, TLS inspection can break applications and access to some domains. As such, many organizations choose to forgo TLS inspection entirely or bypass inspection for a large portion of their traffic.   

Cato CTRL found that only 45% of participating organizations enable TLS inspection. Even then, only 3% of organizations inspected all relevant TLS-encrypted sessions. This leaves the door open for threat actors to utilize TLS traffic and remain undetected. Organizations must inspect TLS sessions to protect themselves. In Q3 2024, Cato CTRL found that 60% of attempts to exploit CVEs were blocked in TLS traffic. CVEs included Log4j, SolarWinds and ConnectWise.    

When TLS inspection is enabled, organizations are better protected. In Q3 2024, Cato CTRL found that organizations who enabled TLS inspection blocked 52% more malicious traffic than organizations without TLS inspection. 

Security Best Practices 

Based on our key findings, Cato CTRL recommends that organizations take the following actions: 

  • Ransomware: Organizations should engage in red team exercises and pen testing to identify vulnerabilities in their infrastructure before ransomware gangs exploit them. 
  • Shadow AI: Visibility into which AI tools and applications are being used, by whom and for what purposes is important for organizations to effectively manage data privacy risks. 
  • TLS Inspection: Threat actors often use encrypted communication channels to evade detection and exploit vulnerabilities in applications that utilize TLS. Enabling TLS inspection is crucial for effectively monitoring this traffic. 

Resources 

Related Topics

Wondering where to begin your SASE journey?

We've got you covered!
Etay Maor

Etay Maor

Etay Maor is the Chief Security Strategist at Cato Networks, a founding member of Cato CTRL, and an industry-recognized cybersecurity researcher. Prior to joining Cato in 2021, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Etay has also held senior security positions at IBM, where he created and led breach response training and security research, and RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams. Etay is an adjunct professor at Boston College and is part of the Call for Paper (CFP) committees for the RSA Conference and QuBits Conference. He holds a BA in Computer Science and an MA in Counter-Terrorism and Cyber-Terrorism.

Read More
Vitaly Simonovich

Vitaly Simonovich

Vitaly Simonovich, Threat Intelligence Researcher, Cato Networks. Member of Cato Ctrl. He is based in Israel and has more than eight years of experience in the field of cybersecurity, with a focus on application and data security. Previously, Vitaly worked at Incapsula and Imperva, where he led teams of security analysts and researchers. Apart from his work, Vitaly is an active contributor to the cybersecurity community. He regularly publishes research blogs and webinars, and also presents at various security conferences. He is passionate about teaching cybersecurity to others and is teaching at local colleges. In his free time, he enjoys solving Capture The Flag (CTF) challenges, which helps him to enhance his skills.

Read More