March 09, 2023 4m read

Cato Analyzes the Dominant Sources of Threats in 2H2022 Research Report

Etay Maor
Etay Maor

Table of Contents

Wondering where to begin your SASE journey?

We've got you covered!
Listen to post:
Getting your Trinity Audio player ready...

We recently issued the Cato Networks SASE Threat Research Report, which highlights cyber threats and trends based on more than 1.3 trillion flows that passed through the Cato SASE Cloud network during the second half of 2022. The report highlights the most popular vulnerabilities that threat actors attempted to exploit, and the growing use of consumer applications that may present a risk to the enterprise.

Cato Scans a Vast Trove of Data to Hunt for Threats 

One of the first observations in the report was the sheer scale of our data repository. Cato’s convergence of networking and security provides unique visibility on a global scale into both legitimate enterprise network usage and the malicious activity aimed at enterprise networks. This includes hostile network scans, exploitation attempts, and malware communication to C&C servers. 

Like many security vendors, we collect information from threat intelligence feeds and other security resources.  But as a networking provider, we’re also able enrich our understanding of security events with network flow data often unavailable to security professionals. During 2022, Cato’s data repository was fed by more than 2.1 trillion network flows traversing or our global private backbone or about a 20% growth in flows each quarter.  

Security events, threats, and incidents also grew in proportion to the number of network flows. In the second half of 2022, the Cato Threat Hunting System (CTHS) detected 87 billion security events across the entire Cato Cloud. A security event is any network flow that triggers one of Cato’s many security controls. 

Eliminate Threat Intelligence False Positives with SASE | Download the eBook

CTHS is a natural extension of Cato Cloud security services. It is comprised of a set of algorithms and procedures developed by Cato Research Labs that dramatically reduces the time to detect threats across enterprise networks. CTHS is not only incredibly accurate but also requires no additional infrastructure on a customer’s network. 

CTHS concluded there were 600,000 threats, or high-risk flows, based on machine learning and data correlation. Of these, 71,000 were actual incidents, or verified security threats.   

Cato Identifies the Top Threats and Exploit Attempts on the Network 

Over the years, Cato has been tracking the top threats on the network and the trends haven’t changed much. The top five threat types in the current research report are (1) Network Scan, at 31.2 billion events, (2) Reputation, at 4.7 billion events, (3) Policy Violation, at 1.3 billion events, (4) Web Application Attack, at 623 million events, and (5) Vulnerability Scan, with 482 million events.  

Other types of threats worth noting include Remote Code Execution (92 million), Crypto Mining (56 million), and Malware (55 million). Remote Code Execution events and Malware events both increased over the previous reporting period, but Crypto Mining events decreased. This latter fact may be due to the recent decline in the cryptocurrency business itself following the collapse of the FTX exchange. 

The most-used cloud apps in the reporting period were from Microsoft, Google, Apple, Amazon (AWS), and Meta (Facebook). Many consumer-oriented applications were also in use, including YouTube, TikTok, Spotify, Tor, Mega, and BitTorrent. The latter three apps are known to be used frequently for malicious activities and pose a potential risk to enterprise networks. 

The Log4j vulnerability (CVE-2022-44228) is a relatively recent discovery that is estimated to have affected nearly a third of all web servers in the world. Thus, it’s no surprise that it continues to dominate exploitation attempts with 65 million events across the Cato Cloud network. What is surprising is that two older vulnerabilities continue to make the top five list for exploit attempts. One is CVE-2017-9841, a remote code execution bug from 2017, and the other is CVE-2009-2445, a 14-year old vulnerability affecting certain popular web servers.  

Cato also tracks network flows associated with MITRE ATT&CK techniques. Network based scanning and remote system discovery lead the list with 22.6 billion flows and 17 billion flows, respectively. The top five most-used techniques targeting enterprises are Phishing, Phishing for Information, Scanning, Remote System Discovery, and Exploit Public-facing Application. Knowing which attack techniques are most often seen on the network can help organizations tighten their defenses where it is most needed. 

For more detailed information, read the Cato Networks SASE Threat Research Report for the second half of 2022. 

Related Topics

Wondering where to begin your SASE journey?

We've got you covered!
Etay Maor

Etay Maor

Etay Maor is the Chief Security Strategist at Cato Networks, a founding member of Cato CTRL, and an industry-recognized cybersecurity researcher. Prior to joining Cato in 2021, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Etay has also held senior security positions at IBM, where he created and led breach response training and security research, and RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams. Etay is an adjunct professor at Boston College and is part of the Call for Paper (CFP) committees for the RSA Conference and QuBits Conference. He holds a BA in Computer Science and an MA in Counter-Terrorism and Cyber-Terrorism.

Read More