Takeaways from Palo Alto Unit 42's Incident Response Report 2024
Palo Alto’s annual incident response report offers useful insights based on real-world data about the evolving landscape of cybersecurity threats. Whether you’re involved with incident response, taking the lead on higher-level security decision-making, or a general cybersecurity practitioner, the research compiled by Palo Alto’s Unit 42 team helps inform and protect against current and potential threats.
Here are some noteworthy takeaways from Palo Alto’s 2024 Incident Response Report.
Notable Incident Response Trends
While the full 66-page report might be worth reading if you have the time to comb through it, many of the data points depend on the terminology and definitions specific to how Unit 42 analyzes incidents. Still, there are several general higher-level insights worth looking at and learning from.
Better Detection Rates
It’s good to start with a positive finding, which comes in the form of a couple of metrics that indicate improved incident discovery. One metric is that organizations on average discovered four out of five incidents internally rather than only finding out about an incident from a partner (like a managed services provider) or externally (like when hackers boast about and post samples of exfiltrated data on dark web forums).
The second finding indicative of better detection rates is a reduction in threat actor dwell time to 13 days (it was 26 days in 2021).
While these improvements are commendable, they shouldn’t lead to complacency. After all, regulatory changes in the US and Europe call for companies to not only detect but also evaluate and disclose these incidents more quickly than ever. New SEC rules in the US require public companies to disclose material cybersecurity incidents within 4 days, while the EU’s NIS 2 directive has a 72-hour window for official incident notification.
You need to invest not just in detection technologies but also in analytics and decision-making frameworks that can accelerate the process from detection to disclosure.
Internet-Facing Vulnerabilities Increase
Initial access vectors are always worth serious scrutiny for any emerging trends. Unit 42’s 2024 Incident Response Report found exploitation of internet-facing vulnerabilities hit the top spot, replacing phishing as the most common vector for initial compromise.
At almost 40% of the initial access vectors, these exploits included weaknesses in underlying code and API security flaws.
The top exploited vulnerabilities included MOVEit, Log4j, and Citrix NetScaler ADC/Gateway.
The nature of these vulnerabilities coupled with their large-scale impacts highlights the need for a robust approach to secure software development practices that includes regular code audits, updates, and adopting secure coding standards to address common web app flaws. Aside from secure development, visibility over the attack surface for web apps is a problem that needs addressing.
The report found that 11.5% of analyzed incidents involved insufficient patch management leading to uncontrolled and unmanaged vulnerabilities.
Living Off the Land
In terms of how threat actors operate after compromising initial defenses, an interesting finding was an increase in living off the land tactics. This involves misusing the tools you already have in your environment, rather than relying just on malware to achieve aims.
The report references techniques such as abusing common Windows utilities, compromising privileged accounts, hijacking security tools, and using the Server Message Block (SMB) protocol to blend in with normal user traffic.
A smart approach to detecting living off the land activity involves looking for footprints that deviate from normal user activity. This might include detecting internal port scans, unusual patterns in access logs, and using dedicated user and entity behavior analytics.
Monitoring and investigating anomalies can reap dividends with faster incident response and damage mitigation.
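As an added example (not code from the Unit 42 report, Palo Alto, or Cloud Range), the following Python script applies two of the footprints the passage names to constructed log lines: an internal port sweep (one internal source touching many host:port targets within a short window) and logons that fall outside a per-user baseline of hosts and hours, which is the simplest form of the user behavior analytics mentioned above. The log formats, thresholds, and the baseline-then-evaluate split are assumptions made for this example.

```python
"""Flag living-off-the-land footprints in connection and logon logs.

Both checks run over constructed sample data embedded below; the log
formats, thresholds and baseline window are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
CONN_LOGS = [
    "2024-03-04T09:00:01 10.0.1.30 10.0.2.5 445",   # routine file share use
    "2024-03-04T09:05:11 10.0.1.30 10.0.2.5 445",
    "2024-03-04T09:12:40 10.0.1.30 10.0.2.5 445",
    # 10.0.1.20 touches several hosts and ports within a few seconds
    "2024-03-04T10:15:00 10.0.1.20 10.0.2.5 445",
    "2024-03-04T10:15:00 10.0.1.20 10.0.2.5 139",
    "2024-03-04T10:15:01 10.0.1.20 10.0.2.5 3389",
    "2024-03-04T10:15:01 10.0.1.20 10.0.2.6 445",
    "2024-03-04T10:15:02 10.0.1.20 10.0.2.6 22",
    "2024-03-04T10:15:02 10.0.1.20 10.0.2.6 3389",
    "2024-03-04T10:15:03 10.0.1.20 10.0.2.7 445",
    "2024-03-04T10:15:03 10.0.1.20 10.0.2.7 135",
    "2024-03-04T10:15:04 10.0.1.20 10.0.2.8 445",
    "2024-03-04T10:15:04 10.0.1.20 10.0.2.8 5985",
]

# Constructed logon log: "<ISO timestamp> <user> <host>". The baseline lines
# represent a quiet week; the new lines are the period being reviewed.
BASELINE_LOGONS = [
    "2024-02-26T08:55:10 alice WS-ALICE",
    "2024-02-27T09:02:33 alice WS-ALICE",
    "2024-02-28T08:47:01 alice WS-ALICE",
    "2024-02-29T17:10:45 alice WS-ALICE",
    "2024-02-26T09:15:00 bob WS-BOB",
    "2024-02-27T09:20:12 bob WS-BOB",
    "2024-02-28T13:05:50 bob WS-BOB",
]
NEW_LOGONS = [
    "2024-03-04T09:01:00 alice WS-ALICE",
    "2024-03-04T02:13:27 alice FILESRV01",  # new host and off-hours
    "2024-03-04T09:10:00 bob WS-BOB",
    "2024-03-04T12:30:00 bob DC01",         # new host during normal hours
]


def parse_conn(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_internal_scans(lines, window=timedelta(seconds=60),
                          min_targets=8, min_ports=4):
    """Return {src_ip: (distinct host:port targets, distinct ports)} for
    sources whose activity inside any sliding window looks like a sweep."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_conn(line)
        by_src[src].append((ts, dst, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            targets, ports = set(), set()
            for ts, dst, port in events[i:]:
                if ts - start > window:
                    break
                targets.add((dst, port))
                ports.add(port)
            if len(targets) >= min_targets and len(ports) >= min_ports:
                flagged[src] = (len(targets), len(ports))
                break
    return flagged


def parse_logon(line):
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user, host


def build_baseline(lines):
    """Per-user sets of hosts and logon hours seen during the baseline."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for line in lines:
        ts, user, host = parse_logon(line)
        hosts[user].add(host)
        hours[user].add(ts.hour)
    return hosts, hours


def detect_logon_anomalies(baseline_lines, new_lines, hour_slack=1):
    """Return [(user, host, reasons)] for logons outside the user's baseline.
    A logon hour within hour_slack of any baseline hour counts as normal;
    a user absent from the baseline is anomalous on both counts."""
    hosts, hours = build_baseline(baseline_lines)
    findings = []
    for line in new_lines:
        ts, user, host = parse_logon(line)
        reasons = []
        if host not in hosts[user]:
            reasons.append("new-host")
        if not any(abs(ts.hour - h) <= hour_slack for h in hours[user]):
            reasons.append("off-hours")
        if reasons:
            findings.append((user, host, reasons))
    return findings


if __name__ == "__main__":
    for src, (targets, ports) in detect_internal_scans(CONN_LOGS).items():
        print(f"possible internal sweep from {src}: "
              f"{targets} host:port targets across {ports} ports")
    for user, host, reasons in detect_logon_anomalies(BASELINE_LOGONS, NEW_LOGONS):
        print(f"unusual logon: {user} from {host} ({', '.join(reasons)})")
```

On the sample data the sweep check flags 10.0.1.20 (ten host:port targets across six ports in a few seconds) while the repeated 10.0.1.30 to 10.0.2.5:445 traffic stays quiet, and the logon check raises alice's 02:13 logon from FILESRV01 on both counts and bob's DC01 logon for the new host only. Real deployments would derive the hour window from a longer baseline and feed the findings into a triage queue rather than printing them, but the shape of the logic is the same: define normal per source or per user, then alert on deviation.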
Varied Extortion Tactics
It’s no secret that threat actors continue to try and extort large sums of money when they breach companies. Sometimes dedicated ransomware gangs don’t even bother installing ransomware on systems; sensitive data is the coveted prize.
Unit 42 regards a successful extortion case (from the hackers’ standpoint) as one in which they received payment from the company they threatened.
Delving deep into the findings on extortion activity reveals a large increase in successful extortion cases involving data theft—from 40% in 2021 to 82% in 2023.
Similarly, successful extortion cases involving harassment increased from less than 1% to 27% within just two years.
Bearing in mind that incident response also includes dealing with the fallout from incidents, the increase in harassment-related extortion cases indicates that your response strategies must also evolve to consider the human element more deeply. Prepare for incidents not only technically but also in terms of crisis communication and legal readiness.
Update your incident response plan to specifically detail actions for multi-extortion tactics. Viable backups can buy more time to deal with these varied extortion tactics.
Preparing Better with Simulated Cyber Incidents
Many of the recommendations from the report center on the value of preventative controls like attack surface management, strengthening user authentication, and using zero trust principles. While these strategies are helpful, sophisticated actors might still find a way in through some obscure flaw.
So how do incident response teams better prepare?
A proactive approach to incident response ensures that when a real incident happens, your team’s response is swift, efficient, and minimizes damage.
Cyber range platforms provide advanced simulation environments that allow you to easily train and test response teams under realistic, controlled conditions by mimicking everything from data breaches to full-scale ransomware attacks and APTs.
Engaging in these simulated scenarios helps your IR team identify weaknesses in their response protocols, improve communication and decision-making under pressure, and fine-tune technical skills without the risk of real-world damage.
Cloud Range’s industry-leading cyber range platform gives you real-world, dynamic cyber attack simulations for IR teams to practice in. FlexRange programs let you tailor exercises to specific skills and needs. Plus, teams can use the same tools they use in their day-to-day scenarios.