Cato CTRL Issues New SASE Threat Report

Threat actors are always evolving. Whether it is nation-state actors, cybercrime groups, ransomware gangs, or niche teams targeting specific systems – new tools, techniques, and procedures are constantly introduced by attackers. Stopping those threats is challenging in large part because Cyber Threat Intelligence (CTI) remains fragmented. Telltale threat indicators are often available but spread across the threat information and network activity of inbound (and outbound) internet traffic, WAN traffic, cloud traffic, and remote user traffic.

Until the Cato SASE Cloud Platform, gaining 360-degree visibility was difficult, if not impossible, for most enterprises. This is why Cato has started Cato CTRL, Cato’s CTI group. By tapping the full power of Cato, Cato CTRL helps organizations with tactical data for the SOC, operational threat intelligence for managers, and strategic briefings for management and the board.

As part of that work, Cato CTRL routinely reports trends and significant events shaping the security industry. To those ends, Cato CTRL is excited to introduce the first of its revamped Cato CTRL SASE Threat Reports. The report summarizes the findings Cato CTRL gathered from Cato traffic flows across more than 2,200 customers, 1.26 trillion network flows, and 21.45 billion blocked attacks during the first quarter of 2024. (To put that in context, that’s nearly four times more flows than the 350 billion flows we analyzed for Q1 2022.) 

What Makes Cato SASE Cloud Excellent for CTI?

Sharp-eyed readers will note that we said revamped report. Cato has long collected and reported on threat trends in the industry. However, we wanted to expand our scope of research and tap the full power of the Cato SASE Cloud.

As the global network to over 2200 enterprises, the Cato SASE Cloud Platform gathers insight into what’s happening on enterprise networks across multiple industries and countries. Cato stores the metadata of every traffic flow from every endpoint communicating across the Cato SASE Cloud platform in a massive data lake, which is further enriched with hundreds of security feeds and analyzed by proprietary ML/AI algorithms and human intelligence.

The result is a unique data repository providing Cato CTRL insights into security threats and their identifying network characteristics for all traffic, regardless of whether it emanates from or is destined for the Internet or the WAN, for all endpoints—sites, remote users, and cloud resources. Even where Cato’s multitiered defense strategy has blocked the attack, the threats are logged and identified, enabling this kind of analysis.  

The new report contains trends and insights into how enterprises and associated industries are faring with mitigated CVEs, suspicious events to be aware of, and common enterprise security behaviors. We’ve also gathered insights from the dark web and hacking communities, particularly around the use of AI tools by threat actors. Finally, we provide practical advice on how to mitigate the threats and address the limitations discussed in the report.

The Key Findings

Some of the key findings from this 30+ page report include:

AI takes the enterprise by storm. The most common AI tools used among enterprises were Microsoft Copilot, OpenAI ChatGPT, of course, and one other that we think you likely want to know about.

Get a peek into the hacker underground. As part of its research, Cato CTRL monitors fascinating discussions from various hacker forums. The report found attackers are using LLM to enhance existing tools like SQLMap to be more efficient in finding and exploiting vulnerabilities. We spotted advertisements for services for generating fake credentials and creating deep fakes. We also continued to monitor recruitment to create a malicious ChatGPT.  

Beware of where you shop. Threat actors are setting up domains that mimic well-known brands. We identified the most spoofed brands so you can configure the right filters to protect your users.

Enterprises are too trusting within their networks. Many enterprises continue to run unsecured protocols across their WAN—62% of all web traffic is HTTP, 54% of all traffic is telnet, and 46% of all traffic is SMB v1 or v2. As such, once threat actors penetrate a network, they will have less of a problem snooping critical data in transit across the network. Lateral movement—where attackers will move across networks—was identified particularly in the agriculture, real estate, and travel and tourism industries. 

Zero-day is the least of your problems. While we in the industry pay a lot of attention to zero-day threats the reality is threat actors are often trying to exploit unpatched systems, eschewing using the latest vulnerabilities. Three years after its discovery, there’s one CVE that remains one of the most used exploits. Check out the report to see which one it is.  

The “Un”adoption of DNSSEC. Our data indicates that only 1% of DNS traffic utilizes Secure DNS. We believe this is primarily due to DNS being a critical component of both the internet and organizational operations. Organizations fear that implementation complexities might result in misconfigurations, potentially disrupting their applications and services.   

Grab the Report to Learn More

There’s a lot more to read and analyze. But don’t take our word for it, read the report yourself. You can grab your copy for free here. To learn more about Cato CTRL, visit us here: https://www.catonetworks.com/cato-ctrl/