Security Threat Research Highlights #1

In Q1 2021, 190 billion traffic flows passed through Cato’s SASE Network. Leveraging deep network visibility and proprietary machine learning algorithms, our MDR team set out to analyze and identify new cyber threats and critical security trends, and has recently published its findings in the SASE Threat Research Report. Below, we provide you with 5 key insights from this report.

Key Highlights from Cato Networks’ SASE Threat Research Report

#1. Top 5 Threat Types in 2021

By using machine learning to identify high-risk threats and verified security incidents, Cato was able to identify the most common types of attacks in Q1 2021. The top five observed threat types are:

  • Network Scanning: The attacker is detected testing different ports to see which services are running and potentially exploitable.
  • Reputation: Inbound or outbound communications are detected that point to known-bad domains or IP addresses.
  • Vulnerability Scan: A vulnerability scanner (like Nessus, OpenVAS, etc.) is detected running against a company’s systems.
  • Malware: Malware is detected within network traffic.
  • Web Application Attack: Attempted exploitation of a web application vulnerability, such as cross-site scripting (XSS) or SQL injection, is detected.

The top three threat types demonstrate that cybercriminals are committed to performing reconnaissance of enterprise systems (using both port and vulnerability scans) and are successfully gaining initial access (as demonstrated by the large number of inbound and outbound suspicious traffic flows).
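The first two threat types above are the easiest to reproduce from raw flow data. The following is an added example (not code from the report or from Cato) that applies two simple detections to constructed flow records: a network scan is flagged when one source touches many distinct ports on one destination, and a reputation hit is flagged when either endpoint appears on a known-bad list. The flow records, the threshold, and the known-bad IP are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, direction).
# 198.51.100.7 probes 15 ports on one internal host (a scan pattern);
# 10.0.0.8 talks outbound to 203.0.113.9, which we place on a known-bad list.
FLOWS = [("198.51.100.7", "10.0.0.5", port, "inbound") for port in range(20, 35)] + [
    ("10.0.0.8", "203.0.113.9", 443, "outbound"),
    ("10.0.0.9", "10.0.0.5", 443, "inbound"),
    ("10.0.0.9", "10.0.0.5", 80, "inbound"),
]

# Constructed reputation list; a real deployment would load a threat-intel feed.
KNOWN_BAD_IPS = {"203.0.113.9"}

# Distinct ports one source must touch on one destination to count as a scan.
SCAN_PORT_THRESHOLD = 10


def detect_scans(flows, threshold=SCAN_PORT_THRESHOLD):
    """Return the set of source IPs that hit >= threshold distinct ports on a single host."""
    ports_by_pair = defaultdict(set)
    for src, dst, port, _direction in flows:
        ports_by_pair[(src, dst)].add(port)
    return {src for (src, _dst), ports in ports_by_pair.items() if len(ports) >= threshold}


def detect_reputation_hits(flows, bad_ips=KNOWN_BAD_IPS):
    """Return flows whose source or destination is on the known-bad list, in either direction."""
    return [(src, dst, direction) for src, dst, _port, direction in flows
            if src in bad_ips or dst in bad_ips]


def classify(flows):
    """Group findings by the report's threat-type names so they can be counted per period."""
    return {
        "Network Scanning": sorted(detect_scans(flows)),
        "Reputation": detect_reputation_hits(flows),
    }


if __name__ == "__main__":
    for threat_type, findings in classify(FLOWS).items():
        print(f"{threat_type}: {findings}")
```

The distinct-port count is kept per (source, destination) pair rather than per source alone, so a host legitimately talking to many services on many servers is not mistaken for a scanner; the threshold and window are the tuning knobs a SOC would adjust against its own baseline.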


#2. Regional Bans Create False Sense of Security

In the news, most cybercrime and other online malicious activity are attributed to a small set of countries. As a result, it seems logical that creating firewall rules blocking traffic to and from these countries would dramatically improve a company’s security posture.

However, these regional bans actually create a false sense of security. The vast majority of malicious activity originates in the US, which accounts for more malicious traffic than the next four largest sources (Venezuela, China, Germany, and Japan) put together. Regional bans have little or no impact because most malware sources and command & control servers are in the US.

#3. Cybercriminals Exploit Remote Administration Tools

Remote access and administration tools like RDP and TeamViewer became significantly more popular during the pandemic. These tools enabled businesses to continue functioning despite a sudden and forced transition to remote work.

However, these tools are popular with cybercriminals as well. Attackers will try to brute-force credentials for these services and use them to gain direct access to a company’s environment and resources. RDP is now a common delivery vector for ransomware, and a poorly-secured TeamViewer made the Oldsmar water treatment hack possible.
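Credential brute-forcing against RDP leaves a recognizable trace: a burst of failed logons from one source address. As an added example (not from the report), the code below scans constructed Windows Security event records and flags any source IP with a threshold number of failed RDP logons inside a sliding time window. Event ID 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the event records, threshold, and window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event records modelled on Windows Security log fields.
# 198.51.100.23 fails six RDP logons in under two minutes; 203.0.113.4 fails twice;
# 10.0.0.12 has one failure and one success (4624), which should not be flagged.
EVENTS = [
    {"time": "2021-03-01T09:00:05", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "administrator"},
    {"time": "2021-03-01T09:00:17", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "admin"},
    {"time": "2021-03-01T09:00:31", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "backup"},
    {"time": "2021-03-01T09:00:48", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "test"},
    {"time": "2021-03-01T09:01:02", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "guest"},
    {"time": "2021-03-01T09:01:40", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "svc_sql"},
    {"time": "2021-03-01T09:05:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.4", "user": "jsmith"},
    {"time": "2021-03-01T09:45:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.4", "user": "jsmith"},
    {"time": "2021-03-01T09:10:00", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.0.12", "user": "mlee"},
    {"time": "2021-03-01T09:10:20", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.0.12", "user": "mlee"},
]

FAILED_LOGON = 4625          # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = 10          # RemoteInteractive (Terminal Services / RDP)


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return source IPs with >= threshold failed RDP logons inside any window-long span."""
    failures = defaultdict(list)
    for event in events:
        if event["event_id"] == FAILED_LOGON and event["logon_type"] == RDP_LOGON_TYPE:
            failures[event["src_ip"]].append(datetime.fromisoformat(event["time"]))

    flagged = set()
    for src_ip, times in failures.items():
        times.sort()
        start = 0
        # Slide a window over the sorted timestamps; flag on the first dense span.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src_ip)
                break
    return flagged


def failed_usernames(events, src_ip):
    """List the distinct account names a source tried, useful for triage of a flagged IP."""
    return sorted({e["user"] for e in events
                   if e["src_ip"] == src_ip and e["event_id"] == FAILED_LOGON})


if __name__ == "__main__":
    for ip in rdp_bruteforce_sources(EVENTS):
        print(f"possible RDP brute force from {ip}: tried {failed_usernames(EVENTS, ip)}")
```

The sliding window avoids the classic fixed-bucket blind spot where attempts straddling a bucket boundary never reach the threshold, and counting only logon type 10 keeps failed console or network logons from inflating the RDP figure. A flagged source with many distinct usernames, as in the constructed data, is the spray pattern to prioritise.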

#4. Legacy Software and PHP are Common Targets

An analysis of the Common Vulnerabilities and Exposures (CVEs) most targeted by cybercriminals reveals some interesting trends. The first is that PHP-related vulnerabilities are extremely popular, making up three of the top five vulnerabilities and potentially allowing an attacker to gain remote code execution (RCE).

Another important takeaway is that cybercriminals are targeting age-old threats lurking on enterprise networks. Cybercriminals are commonly scanning for end-of-life, unsupported systems and vulnerabilities that are over 20 years old.

#5. Enterprise Traffic Flows Aren’t What You Expect

The analysis of business network traffic flows shows that Microsoft Office and Google applications are the two most commonly used cloud apps in enterprise networks.

However, that is not to say that they are the most common network flows on enterprise networks. In fact, the average enterprise has more traffic to TikTok than Gmail, LinkedIn, or Spotify. These TikTok flows threaten enterprise security. Consumer applications can be used to deliver malware or phishing content, and the use of unsanctioned apps creates new vulnerabilities and potential attack vectors within a company’s network.

Improve Your Network Visibility and Security with Cato

Cato’s quarterly SASE Threat Research Report demonstrates the importance of deep network visibility and understanding for enterprise security. While some of the trends (such as the exploitation of remote access solutions) may have been predictable, others were less so. To learn more about the evolving threat landscape, read the full report, and stay tuned for the next one.

Cato was able to generate this report based on the deep visibility provided by its SASE network. Achieving this level of visibility is essential for enterprises looking to identify the top trends and security threats within their networks.