Cato Networks reveals insecure protocols widespread in inaugural SASE report
Cato Networks, a specialist in Secure Access Service Edge (SASE), has released its inaugural Cato CTRL SASE Threat Report for Q1 2024. The report highlights that all the examined organisations continue to run insecure protocols across their wide area networks (WAN), making it easier for cybercriminals to move within those networks.
The report was developed by Cato CTRL, Cato Networks' cyber threat intelligence (CTI) research team. The team provides insight into security threats and their identifying network characteristics for all traffic - regardless of its source or destination - and for all endpoints across websites, remote users, and cloud resources.
Etay Maor, Chief Security Strategist at Cato Networks and a founding member of Cato CTRL, said, "As threat actors constantly introduce new tools, techniques, and procedures targeting organisations across all industries, cyber threat intelligence remains fragmented and isolated to point solutions. Cato CTRL is filling this gap to provide a holistic view of enterprise threats. As the global network, Cato has granular data on every traffic flow from every endpoint communicating across the Cato SASE Cloud Platform, and we're excited to share what we've learned with the broader industry to spark a more secure future."
The report draws on 1.26 trillion analysed network flows and 21.45 billion blocked attacks. A critical finding was that enterprises are too trusting within their networks. All examined enterprises continued to run insecure protocols across their WAN, with 62% of all web application traffic being HTTP. Lateral movement, in which attackers move across a network after gaining access, was most commonly identified in the agriculture, real estate, and travel and tourism industries.
The report also detailed the AI tools most commonly used among enterprises in the first three months of 2024. Microsoft Copilot, OpenAI ChatGPT, and Emol, an application that records emotions for AI robots, were the most frequently employed. The highest adoption of these was seen in the travel and tourism industry, where 79% of organisations used them.
The report also found that newly discovered vulnerabilities are not necessarily the ones most commonly exploited. Threat actors often pass over the latest vulnerabilities and instead exploit unpatched systems. A seven-year-old attack targeting the PHPUnit testing framework was the most commonly found vulnerability, occurring across 33% of the inbound Common Vulnerabilities and Exposures (CVE) exploitations observed. Similarly, Log4j remained one of the most used exploits, found across 30% of the outbound CVE exploitations observed, even three years after its discovery.
Finally, the report indicated that many cyber threats remain industry-specific. Among media and entertainment organisations, 48% did not use any one of the more than 200 applications identified by Cato CTRL as information security tools. The entertainment, telecommunication, and mining & metals industries were the most targeted with T1499 Endpoint Denial of Service techniques. In the services and hospitality sectors, threat actors use the T1212 Exploitation for Credential Access technique three times or more as often as in other sectors.