Cyber Threat Research: Poor Patching Practices and Unencrypted Protocols Continue to Haunt Enterprises

May 7th, 2024

Inaugural Cato Cyber Threat Research Labs (CTRL) Report Analyzes 1.26 Trillion Network Flows to Identify Today’s Enterprise Security Risks

RSA CONFERENCE, SAN FRANCISCO, May 7, 2024Cato Networks, the SASE leader, today unveiled the findings of its inaugural Cato CTRL SASE Threat Report for Q1 2024. The report shows all organizations surveyed continue to run insecure protocols across their wide access networks (WAN), making it easier for cybercriminals to move across networks.

Developed by Cato CTRL, the SASE leader’s cyber threat intelligence (CTI) research team, the Cato CTRL SASE Threat Report Q1 2024 provides insight into the security threats and their identifying network characteristics for all aggregate traffic—regardless of whether they emanate from or are destined for the internet or the WAN—and for all endpoints across sites, remote users, and cloud resources.

“As threat actors constantly introduce new tools, techniques, and procedures targeting organizations across all industries, cyber threat intelligence remains fragmented and isolated to point solutions,” said Etay Maor, Chief Security Strategist at Cato Networks and a founding member of Cato CTRL. “Cato CTRL is filling this gap to provide a holistic view of enterprise threats. As the global network, Cato has granular data on every traffic flow from every endpoint communicating across the Cato SASE Cloud Platform, and we’re excited to share what we’ve learned with the broader industry to spark a more secure future.”

The Cato CTRL SASE Threat Report Q1 2024 summarizes findings gathered from Cato SASE Cloud Platform traffic flows across Cato customers between January and March 2024. Cato CTRL analyzed 1.26 trillion network flows and blocked 21.45 billion attacks. Key findings include:

Enterprises are too trusting within their networks:

  • Once threat actors penetrate a network, they usually have less of a problem snooping critical data in transit across the network.
  • All enterprises continue to run insecure protocols across their WAN, with 62% of all web application traffic being HTTP, 54% of all traffic being telnet, and 46% of all traffic being SMB v1 or v2 instead of SMBv3.
  • Lateral movement—where attackers will move across networks—was identified most frequently in the agriculture, real estate, and travel and tourism industries.

AI takes the enterprise by storm:

  • The most common AI tools used among enterprises during the first three months of 2024 were Microsoft Copilot, OpenAI ChatGPT, and Emol, an application that records emotions and talks with AI robots.
  • The strongest adoption of these tools was seen in the travel and tourism industry (used by 79% of organizations), and the lowest adoption among entertainment organizations (44%).

Zero-day is the least of your problems:

  • Newly discovered vulnerabilities do not necessarily mean that the threats exploiting them are the most common. While zero-day threats earn much attention in the industry, threat actors often eschew the use of the latest vulnerabilities and instead exploit unpatched systems.
  • When evaluating the top ten inbound common vulnerabilities and exposures (CVEs), the seven-year-old attack targeting the PHPUnit testing framework (CVE-2017-9841) was the most common found and it was found across 33% of the inbound CVE exploitations observed.
  • Furthermore, three years after its discovery, Log4J (CVE-2021-44228) remains one of the most used exploits and it was found across 30% of the outbound CVE exploitations observed.

Many cyber threats are industry specific:

  • Of the observed media and entertainment organizations, 48% did not use one of 200+ applications identified by Cato CTRL as information security tools.
  • The top three industries targeted with T1499 Endpoint Denial of Service techniques are entertainment, telecommunication, and mining & metals.
  • In the services and hospitality sectors, threat actors utilize the T1212 Exploitation for Credential Access three times or more often than in other sectors.

To read the full Cato CTRL SASE Threat Report Q1 2024 report, visit:

Meet Cato Networks at RSA Conference 2024

Cato Networks invites RSA Conference attendees to visit the SASE leader’s booth #4401 in Moscone North Expo. Cato CTRL is also hosting two sessions at the conference this week. Yesterday, Maor delivered a presentation titled “The Price is WRONG – An Analysis of Security Complexity,” in which he dissected examples of attacks where security complexity was the overarching cause of the attack.

Today, May 7, 2024 at 8:30 a.m. PDT, Maor will be joined by Tal Darsan, manager of managed cybersecurity services at Cato Networks, to reveal the current evasion techniques used by attackers and describe mitigation strategies in “Flying Under the Radar – New Security Evasion Techniques.”

About Cato CTRL

Cato CTRL (Cyber Threats Research Lab) is the world’s first CTI group to fuse threat intelligence with granular network insight made possible by Cato’s global SASE platform. By bringing together dozens of former military intelligence analysts, researchers, data scientists, academics and industry-recognized security professionals, Cato CTRL utilizes network data, security stack data, hundreds of security feeds, human intelligence operations, AI (Artificial Intelligence), and ML (Machine Learning) to shed light on the latest cyber threats and threat actors.   

About Cato Networks

Cato Networks is the leader in SASE, delivering enterprise security and networking in a single cloud platform. With Cato, organizations replace costly and rigid legacy infrastructure with an open and modular SASE architecture based on SD-WAN, a purpose-built global cloud network, and an embedded cloud-native security stack.

Want to learn why thousands of organizations secure their future with Cato? Visit us at

# # #