Zero Networks warns that business risk comes from everyday usage

Zero Networks is warning that organisations need to focus more on the daily mundane than on exotic or zero-day malware. This is due to attackers abusing the same trusted internal pathways that businesses rely on. It means there is no obvious trigger to warn of an attack or of something going wrong. For defenders, it makes it much harder to differentiate between good and bad traffic.

The warning is based on a blog the company has just released titled, “One Compromised System and BOOM, Meet Your Blast Radius.” The company analysed 3.4 trillion activities across 400 enterprise environments for 12 months.

Its biggest finding was “the most dangerous activity often looks legitimate, blends into everyday operations, and occurs after initial access – when attackers are expanding impact rather than breaking in.”

While the researchers see AI as improving access for malicious actors, it is not the only risk. Breaches are more about what attackers can reach once they are in. It means that defenders need to focus on stopping lateral movement and deploy segmentation.

Once attackers are in, they quickly compromise the network

Most reports on compromise focus on dwell time as giving the attacker time to spread across the network. Zero Networks is taking a different approach with two hard-hitting statistics. It says that attackers “compromise at least 60% of the environment in less than an hour, once initial access is gained.”

If 60% in the first hour isn’t bad enough, the blog goes on to say, “A single compromised host could reach a median of 85% of internal systems in the first hop and effectively 100% in the second hop.”

Both of those statistics should act as a major wake-up call. Dwell time should not lead you to believe you have time to find attackers, because they are effective from the first minute.

What allows the attackers to hide in plain sight and move through systems is how they exploit key Windows protocols. The blog explicitly calls out SMB, RDP, WinRM, and RPC as accounting for 71% of the 3.4 million detected threat activities. While RDP can be turned off, doing that for the others is not possible without significant problems.

It means that security teams need to find a way to cut through the noise of legitimate traffic on those protocols to identify threats.

Resilience depends on your cybersecurity planning

The solution to containing these threats and making a network more resilient depends on how you architect the network. Techniques such as segmentation will limit the spread of attackers. But it has to be done without impacting user performance. That requires careful planning and an understanding of what users need access to on a daily basis.
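One way a defender can measure the per-hop reach described above and see what segmentation changes, as an added example that is not code from Zero Networks or from this article. The host names and allowed-flow lists are constructed sample data, and the port numbers are the standard listening ports for the four protocols the blog names.

```python
from collections import deque

# Standard ports for the protocols named above: RPC endpoint mapper, SMB, RDP, WinRM.
# Simplification: RPC dynamic ports are not modelled.
LATERAL_PORTS = {135, 445, 3389, 5985, 5986}

def build_graph(flows):
    """Adjacency map src -> {dst} for allowed flows on lateral-movement ports."""
    graph = {}
    for src, dst, port in flows:
        graph.setdefault(src, set())
        graph.setdefault(dst, set())  # hosts count even if no lateral flow reaches them
        if port in LATERAL_PORTS and src != dst:
            graph[src].add(dst)
    return graph

def blast_radius(graph, start, max_hops=2):
    """Cumulative fraction of other hosts reachable from start within 1..max_hops hops."""
    dist = {start: 0}
    queue = deque([start])
    while queue:  # breadth-first search, so dist holds the minimum hop count
        node = queue.popleft()
        if dist[node] == max_hops:
            continue
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    others = len(graph) - 1
    return [sum(1 for d in dist.values() if 0 < d <= hop) / others
            for hop in range(1, max_hops + 1)]

# Constructed sample data (hypothetical hosts), not figures from the research.
WORKSTATIONS = ["ws1", "ws2", "ws3", "ws4"]
HOSTS = WORKSTATIONS + ["file1", "jump1", "dc1"]
# Flat: workstations reach everything except the DC over SMB; servers reach the DC.
FLAT = [(s, d, 445) for s in WORKSTATIONS for d in HOSTS if s != d and d != "dc1"]
FLAT += [("file1", "dc1", 135), ("jump1", "dc1", 3389), ("ws1", "dc1", 53)]
# Segmented: workstations reach only the file server; WinRM only from the jump host.
SEGMENTED = [(w, "file1", 445) for w in WORKSTATIONS]
SEGMENTED += [("jump1", "file1", 5986), ("jump1", "dc1", 5986), ("file1", "dc1", 135)]

def compare(start="ws1"):
    """Blast radius from one compromised workstation under each rule set."""
    return {name: blast_radius(build_graph(flows), start)
            for name, flows in (("flat", FLAT), ("segmented", SEGMENTED))}

if __name__ == "__main__":
    for name, reach in compare().items():
        print(name, [f"{r:.0%}" for r in reach])
```

In practice the flow list would come from exported firewall rules or observed connection logs rather than hand-written tuples.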

Albert Estevez Polo, Field CTO, EMEA at Zero Networks, said, “What our data analysis confirms in theory – and what recent successful attacks such as those on Jaguar Land Rover, Marks & Spencer and multiple London councils confirm in practice – is that resilience is key. And AI-enabled attacks are only going to accelerate the scale of the issue.

“Modern cyber resilience depends on limiting lateral movement: containing threats at their point of entry and preventing them from spreading across the environment. By reducing the blast radius of a breach, organizations protect critical assets, maintain operational continuity, and remain resilient even when defenses are bypassed. Simply put, if you don’t know your blast radius, you don’t have a cyber resilience plan.”

Resilience is also a major focus of the National Cyber Security Centre. It has been pushing businesses to be more resilient in their cybersecurity planning, especially those operating in Critical National Infrastructure (CNI).

It also announced its Cyber Resilience Test Facilities (CRTF) last year. Since then, the first set of products has had its reports issued. They show that organisations are working on being more resilient.

Enterprise Times: What does this mean?

The challenge for cybersecurity teams is where to invest their time. They are overwhelmed by advice, tools and attacks. That often leads them to jump from one focus to another with no guarantee that things will get better.

This blog calls out the danger of ignoring the mundane and the speed with which attackers spread across the network. It shows the danger of getting distracted with dwell time and drawing a false correlation between that and the effectiveness of an attack.

Many teams will be surprised, if not shocked, at the speed at which attacks can spread. Two hops is all it can take for an attacker to own their network. While they are aware of the risk of living-off-the-land attacks, few realise how effective and fast this is.

It will be interesting to see the next version of this research. Will we see increased segmentation and awareness of the speed with which attackers move? Will defenders be paying more attention to common protocols?

Whatever happens, defenders need to reset their focus to make sure they are not ignoring their biggest risk.

The post Zero Networks warns that business risk comes from everyday usage appeared first on Enterprise Times.
