XM Cyber: The State of Exposure Management in 2024 (English edition, 35 pages).pdf


Navigating the Paths of Risk: The State of Exposure Management in 2024

Table of Contents
Executive Summary
Key Findings
Measuring Security Posture
A Primer on Attack Paths
Enumerating Exposures
Points of Convergence
Organizational Comparisons
Finding & Categorizing Exposures
Exposures in IT/Network Devices
Exposures in Cloud Environments
Exposures in Active Directory
Conclusion
Appendix A: Security Posture Scores by Sector
Appendix B: Top Cloud Techniques
Appendix C: Top Attack Techniques

Executive Summary

What if you could identify all the ways in which your organization is exposed to cyber attacks, understand how adversaries will exploit those exposures, and prioritize remediation efforts to reduce risk most effectively? Well, that is exactly what this report is all about.

This report presents key insights drawn from hundreds of thousands of attack path assessments conducted through the XM Cyber Continuous Exposure Management (CEM) platform during 2023. These assessments uncovered over 40 million exposures affecting 11.5 million entities deemed critical to business operations. Data gathered from the XM Cyber platform were anonymized and provided to Cyentia Institute for independent analysis to generate the insights that fill the pages to follow.

Everyone's talking about exposure management

Exposure Management seems to be the hot topic on everyone's lips right now, but defining what this means and how best to implement a Continuous Threat Exposure Management (CTEM) framework is still causing some confusion. Aiming to move away from the pain point of endless lists of vulnerabilities, organizations are embracing technologies that claim to provide greater coverage of exposure types, and additional context to aid the prioritization and risk analysis of these different exposure types. However, the context is still often limited to each individual asset or focused solely on the intrusion risk, as in which asset is the most likely breach point.

At XM Cyber, we've been providing holistic Exposure Management powered by our XM Attack Graph Analysis for over 8 years. We're proud to once again distill those findings into this third edition of our annual State of Exposure Management report. We hope these insights will bolster your security team's important mission over the next year. We present some highlights of this year's analysis on the next page.

Key Findings

- Exposure Management is much more than just CVEs. Organizations typically have about 15,000 exposures across their environments that attackers could exploit.

  Traditional CVE-based vulnerabilities account for less than 1% of those and just 11% of all exposures to critical assets.
- Effective Exposure Management needs to integrate attack path modeling. XM Attack Graph Analysis identifies that 2% of exposures reside on "choke points" of converging attack paths that adversaries can use to reach critical assets. There's a 20x difference in choke point ratio between organizations with the worst vs. best security posture.
- Identity and credential issues represent a huge exposed attack surface. Active Directory typically accounts for 80% of all security exposures identified in organizations as well as one-third of their issues that put critical assets at risk.
- Poor cyber hygiene plagues the security of endpoints. 79% of organizations have problems with cached domain credentials or local credentials that are present on multiple machines across the network. While most organizations use EDR (91%), over a quarter of devices aren't typically covered.
- Cloud environments are not exempted from the risk of exposure. Over half (56%) of critical asset exposures are in cloud platforms. Furthermore, attackers can traverse from on-premises to cloud environments in 70% of organizations and then compromise 93% of critical assets in the cloud in just two hops.
- One size doesn't fit all for managing exposures. On average, financial firms manage 5x more digital assets than the energy sector, but the proportion of exposures affecting critical assets is 21x higher in the latter.
- Exposure Management can't be a one-time or annual project. It's an ever-changing, continuous process to drive improvements. Organizations with poor posture scores have six times the number of security exposures (30k) compared to high scorers (5k). What's worse is that the gap between those groups widened over time.

Measuring Security Posture

We'll soon dig into our detailed analysis of attack paths, but let's first set the stage with an overall assessment of organizational risk exposure.

The XM Posture Score provides such a view. XM Cyber evaluates the risk to critical assets for various attack scenarios, each of which receives a score from 0 to 100. This score is based on the number and complexity of paths leading to critical assets in that scenario. A lower score indicates higher risk due to numerous shorter, simpler attack paths. Higher scores signify the opposite; critical assets are less susceptible to compromise. Scores for all scenarios are averaged to derive the overall security score for the organization.

Figure 1: Organizations with the highest (blue) and lowest (red) security scores (average XM Posture Score per grouping)

Organizations still struggle to get a holistic view of risk posture

Figure 1 shows the distribution of security posture scores for individual organizations as of their latest assessment in 2023. Those earning the highest 25% of scores are indicated in blue and can be considered top performers. Organizations in red ranked in the lower 25th percentile of scores. The middle half of organizations is faded out to draw more contrast between the top and bottom performers. The median score across all organizations is 79.

The "as of their latest assessment" caveat brings up an important point: security scores are not static over time. Per the faded lines in the background of Figure 2, they shift up and down as changes in the environment and evolving attack scenarios alter risk to critical assets. The moving average among both high- and low-scoring organizations is fairly steady but grows apart over time. The high scorers show steady improvement during the year, while low-scoring organizations trend down.

Cyber risk can't be a one-time or annual project. It's an ever-changing, continuous process to drive improvements.

The final chart in the section serves as a very visual reminder that managing cyber risk can't be a one-time or annual project. It's an ever-changing, continuous process to drive improvements. In the next section we will dig into those attack path details we promised.

Figure 2: Daily security scores with moving averages (sliding 4-week average) for high- and low-scoring organizations, February through December 2023

XM Cyber Takeaways & Recommendations

From the results, it's clear that security is never done. However, when operationalized effectively, a Continuous Threat Exposure Management (CTEM) methodology can have a positive impact on the overall security posture. Throughout 2023 we have seen positive improvements to the XM Posture Score in our more mature and established customer base. As you read through the following sections of the report you will see some common trends in security improvements that go hand in hand with these posture improvements, such as a reduction in exposures and a 20x decrease in the number of choke points, resulting in the successful closing of attack paths to critical assets. All of these are key drivers and objectives for security professionals and CISOs across the globe, as outlined in our survey report: The State of Security Posture 2024.

A Primer on Attack Paths

Organizations face a constant threat of cyber-attacks that can jeopardize critical assets, exfiltrate data or disrupt business operations. Although these cyber attacks are ever-evolving, they typically follow a logical set of steps referred to as the Cyber Kill Chain, which provides an effective structure for an adversary or attacker to breach an organization's defenses. Whereas the Kill Chain represents the individual stages of an attack, the term Attack Path refers to the logical path across your network and around your different security defenses that the attacker takes in order to execute their Kill Chain and reach the end goal of your business-critical assets and systems.

The attack path is formed of individual hops between many different entity types, across all parts of your enterprise infrastructure. They stretch from edge-of-network devices and perimeter defenses, spreading laterally through laptops, desktops and workstations in the campus. They can traverse vertical network layers from physical, to virtual and cloud entities, and can even traverse the vertical layers from the data plane, to the control plane, to the management plane and back again. Attack paths aren't just formed from different device types, but can leverage extended entity types, like software applications, Kubernetes clusters, user credentials, API tokens, and other identity types.

Due to this expansive array of entity types and infrastructure layers, it's difficult to truly understand the risk varying attack paths present. Considering only one type of exposure, such as vulnerabilities (CVEs), or one infrastructure layer, such as cloud, severely limits your ability to see the full extent of the exploitability of your attack surface and the potential attack paths towards your critical assets.

To help address this challenge, Attack Path Modeling is a foundational methodology needed for Exposure Management. It helps cyber defenders and security stakeholders identify and map potential routes that threat actors could take to exploit vulnerabilities, misconfigurations and weak security posture in order to compromise critical assets. But why limit this model to only a single Attack Path? XM Cyber has pioneered the use of Attack Path Modeling for Exposure Management since its inception. However, to truly see all ways an attacker could breach your organization, you need to see all attack paths from a holistic viewpoint and in a comprehensive state.

Introducing XM Attack Graph Analysis

XM Attack Graph Analysis gives you clear and concise exposure intelligence, built from context-based insights across all exposures from Cloud to Core, by pinpointing key intersections where attack paths converge and present the most critical risk to business operations. This helps Security and IT teams prioritize remediation efforts, and work collaboratively to have a positive impact on security posture and a reduction in cyber risk.

Understanding the relationship and context of attack paths toward critical assets is essential to mitigating risk. By visualizing all possible attack paths through the XM Attack Graph Analysis, the platform can correlate all validated attack paths to uniquely identify the key intersections where attack paths converge, and highlight them as Choke Points that present the most impactful risk to your critical assets. By identifying entities with the weakest and most exploitable security posture, we can assess the intrusion risk and most likely breach points to your organization. Our attack scenarios continuously calculate all potential attack paths from the breach point through to the critical assets. This, in turn, allows for a more validated approach to risk prioritization that reports all attack tactics, techniques, and procedures (TTPs) that the attacker could utilize in order to exploit the specific exposures of each entity along the attack path.

The analysis and statistics shown in this report are all taken from the XM Attack Graph Analysis, leveraging the key metric of critical assets at risk, presented by a particular exposure type or attack TTP. Our advanced approach to Attack Path Modeling gives you the context you need to make faster, more confident decisions about your exposure risk profile, and where to focus your remediation efforts. Continue reading this report for unique insights taken from the XM Attack Graph Analysis.

Figure 3: Example attack graph identifying entities (Active Directory, cloud, data center, SAP), dead ends, choke points, and critical assets

Enumerating Exposures

Lessons learned from another year of attack graph analysis

Data collected from XM Attack Graph Analysis continually points to a core cybersecurity challenge facing every organization: there are just too many issues for defenders to realistically fix and too many ways for attackers to exploit them. Even the best teams become overwhelmed. "Overwhelmed" is rather vague, so let's put some numbers around that in Figure 4. We typically identify 15,000 security exposures that attackers could exploit in each organization on a monthly basis (that's the overall median). The median among organizations with high overall security posture scores is just 5,100, while low scorers contend with six times that amount!

Figure 4: Distribution of attack path exposures identified across organizations (monthly exposures per organization, log scale from 10 to 100k). High scorers have a median of 5.1k exposures; low scorers have a median of 30k exposures; the overall median is 15k exposures.

Entities: Any endpoint, workstation, server, identity, access token, cloud resource, etc. in an environment that an attacker can use to advance an attack path toward critical assets.

Exposures: Exposures are combinations of techniques and entities susceptible to those techniques. They essentially enumerate the many options attackers have at their disposal.

We typically identify 15,000 exposures attackers could exploit in each organization. Some have over 100,000!

Points of Convergence

Rather than treating all exposures equally, a far more manageable approach is to identify the subset of issues that represent the highest risk and prioritize those for remediation. The majority (74%) of security exposures afflicting organizations are on "dead ends" that limit attackers' lateral movement toward critical assets. A small subset of exposures, however, affect critical assets and/or represent "choke points" of converging attack paths that adversaries can leverage to escalate and broaden their access through the target environment. Defenders can also target those same choke points to reduce risk more efficiently and effectively.

This concept is depicted in Figure 5, which represents the typical enterprise attack surface. Choke points and directly-exposed critical assets are highlighted in yellow and red, amid the sea of all exposures. We distinguish the red ones because about 1 in 5 choke points exposes 10% or more of the critical assets in the organization. Compromising those opens the door for attackers to cause severe impact. Addressing these should be at the absolute top of your security remediation to-do list.

Figure 5: A depiction of the typical attack surface, showing the ratio of "choke points" (yellow and red squares) among all identified exposures (gray squares): exposures on severe choke points, each affecting 10% or more of critical assets (red); exposures on choke points, pathways to critical assets (yellow); and the 98% of exposures that don't lead to critical assets (gray). The majority (74%) of exposures lead to dead ends.

In addition to updating the choke point stat based on the latest and greatest data, we thought it would be instructive to explore how much variation exists among firms. Each dot in Figure 6 plots an organization's entities (x-axis) and choke points (y-axis) in a given month. The overall trend remains fairly steady regardless of how many entities are present, but the choke point ratio does vary substantially among organizations. Our last report placed the typical ratio of choke points to exposures within organizations at about 2%. In the interim year, we conducted tens of thousands of additional assessments of a significantly larger population of organizations, which reestablished a similar ratio (1.5%).

We feel obligated to stress that this doesn't mean the remaining supermajority of exposures don't matter or shouldn't be fixed. They are security issues and they do enable attackers to persist in the environment. That said, remediation has to start somewhere. And we suggest focusing first on the exposures that matter most, and that's clearly the choke points towards critical assets.

This is the power of the XM Cyber approach to exposure management: 98% reduction in effort for maximum risk reduction efficacy!

Figure 6: Variation in the ratio of choke points to entities among organizations (entities on the x-axis, choke points on the y-axis)

2% of exposures affect critical assets and/or represent choke points of converging attack paths that adversaries can leverage to escalate and broaden their access.
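The attack-path, choke-point and dead-end concepts from the primer, the XM Attack Graph Analysis section and the Points of Convergence discussion above, worked through on a small constructed graph. This is an added example, not XM Cyber's code or data: the entity names, the techniques on the edges, the breach points, the "at least two converging predecessors" rule used to call an entity a choke point, and the 10% severity threshold applied to a toy graph are all assumptions made here. The last function also rescopes the same exposures by entity category, the view the report uses later in Figure 9.

```python
"""Attack-graph walk-through (added example; not XM Cyber code or data).

Entities are graph nodes. Each outgoing edge is an attack technique an adversary
could use to hop to the next entity, so an edge is one exposure (technique x
susceptible entity). Breach points start a scenario, critical assets end it.
All entity names, techniques and the choke-point rule are illustrative assumptions.
"""
from collections import Counter, defaultdict

# Constructed inventory: entity -> (category, {next_hop: technique})
GRAPH = {
    "laptop-01":      ("IT/Network",       {"fileserver": "writable SMB share",
                                            "dc-01": "cached domain admin credentials"}),
    "laptop-02":      ("IT/Network",       {"printer": "default device credentials"}),
    "laptop-03":      ("IT/Network",       {"jumphost": "reused local admin password"}),
    "workstation-hr": ("IT/Network",       {"fileserver": "writable SMB share"}),
    "printer":        ("IT/Network",       {}),
    "jumphost":       ("IT/Network",       {"sap-prod": "stored RDP credentials"}),
    "fileserver":     ("IT/Network",       {"svc-backup": "service account token on disk"}),
    "svc-backup":     ("Active Directory", {"dc-01": "over-privileged service account"}),
    "dc-01":          ("Active Directory", {"sap-prod": "domain admin reuse",
                                            "iam-role-admin": "federated SSO trust"}),
    "iam-role-admin": ("Cloud",            {"s3-backups": "S3 bucket read",
                                            "rds-customers": "over-privileged IAM role"}),
    "sap-prod":       ("IT/Network",       {}),
    "s3-backups":     ("Cloud",            {}),
    "rds-customers":  ("Cloud",            {}),
}
BREACH_POINTS = {"laptop-01", "laptop-02", "laptop-03"}
CRITICAL_ASSETS = {"sap-prod", "s3-backups", "rds-customers"}
SEVERE_SHARE = 0.10  # report: ~1 in 5 choke points exposes >= 10% of critical assets


def attack_paths(graph, breach_points, critical_assets):
    """Every simple path from a breach point to a critical asset (depth-first)."""
    paths = []

    def walk(node, path):
        if node in critical_assets:
            paths.append(tuple(path))
        for nxt in sorted(graph[node][1]):
            if nxt not in path:  # simple paths only: never revisit an entity
                walk(nxt, path + [nxt])

    for start in sorted(breach_points):
        walk(start, [start])
    return paths


def path_edges(paths):
    """The set of (entity, next_entity) hops used by any attack path."""
    return {(p[i], p[i + 1]) for p in paths for i in range(len(p) - 1)}


def analyze(graph, breach_points, critical_assets, severe_share=SEVERE_SHARE):
    """Classify entities and exposures the way Figures 3 and 5 describe them."""
    paths = attack_paths(graph, breach_points, critical_assets)
    on_path = path_edges(paths)
    exposes = defaultdict(set)  # entity -> critical assets reachable through it
    preds = defaultdict(set)    # entity -> distinct predecessors on attack paths
    for p in paths:
        for node in p[:-1]:
            exposes[node].add(p[-1])
        for a, b in zip(p, p[1:]):
            preds[b].add(a)
    # Modeling assumption: a choke point is an intermediate entity into which
    # attack paths converge from at least two different predecessors.
    choke = {n for n, ps in preds.items() if len(ps) >= 2
             and n not in breach_points and n not in critical_assets}
    severe = {n for n in choke
              if len(exposes[n]) / len(critical_assets) >= severe_share}
    all_edges = {(src, dst) for src, (_, hops) in graph.items() for dst in hops}
    return {
        "paths": paths,
        "choke_points": choke,
        "severe_choke_points": severe,
        "critical_assets_at_risk": {n: len(s) for n, s in exposes.items()},
        "exposures": len(all_edges),
        "dead_end_exposures": len(all_edges - on_path),  # hops on no path to a critical asset
        "choke_point_exposures": sum(1 for src, _ in on_path if src in choke),
        "choke_point_ratio": len(choke) / len(graph),
    }


def category_breakdown(graph, breach_points, critical_assets):
    """Share per category of entities, exposures and critical exposures (Figure 9 view)."""
    on_path = path_edges(attack_paths(graph, breach_points, critical_assets))
    entities = Counter(cat for cat, _ in graph.values())
    exposures = Counter(graph[src][0] for src, (_, hops) in graph.items() for _ in hops)
    critical = Counter(graph[src][0] for src, _ in on_path)

    def pct(counter):
        total = sum(counter.values())
        return {k: round(100 * v / total, 1) for k, v in counter.items()}

    return {"entities": pct(entities), "exposures": pct(exposures),
            "critical_exposures": pct(critical)}


if __name__ == "__main__":
    for key, value in analyze(GRAPH, BREACH_POINTS, CRITICAL_ASSETS).items():
        print(f"{key}: {value}")
    print(category_breakdown(GRAPH, BREACH_POINTS, CRITICAL_ASSETS))
```

On this toy graph every path from laptop-01 funnels through dc-01, so it is the one choke point, and because it sits on paths to all three critical assets it is also a severe one; the hops from laptop-02 and workstation-hr are dead ends, and the category view shows the share held by cloud entities changing once the scope narrows from all entities to critical exposures.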

Practically speaking, that means some organizations will find it significantly harder (or easier) to efficiently stop attack propagation than others. This should not be surprising, since all environments contain a different mix of assets, data, configurations, controls, etc. It reinforces the importance of knowing your environment and understanding its strengths and weaknesses relative to attackers' ability to cause harm.

XM Cyber Takeaways & Recommendations

It's clear that organizations are still overwhelmed by the sheer volume of security exposures reported across their diverse attack surface. Organizations have an average of over 15,000 security exposures identified on a monthly basis, which if left unchecked can grow exponentially to well over 100,000. To tackle this, it's clear that effective Exposure Management needs to integrate Attack Path Modeling, to identify choke points and offer clear remediation guidance as to how to address the exposures that present the highest impact-risk to business-critical assets and systems. For guidance on how to achieve this for your own organization, check out our Operationalizing CTEM guide. It's still advisable to aspire to fixing all your exposures through automation and a CTEM-like operational cadence, but to drive the most positive improvements, your teams should focus on what matters most, by first validating the exploitability of exposures and the business risk they pose.

This is the power of the XM Cyber approach to exposure management: 98%+ reduction in effort for the same level of risk reduction!

XM Cyber on Operationalizing the Framework by Gartner: Continuous Threat Exposure Management (CTEM). To learn more about how the 5-stage CTEM framework can help your organization monitor, evaluate, and reduce your risk of exploitability through the validation of exposures, check out our comprehensive guide.

Organizational Comparisons

When it comes to security, one size never fits all!

Figure 7 demonstrates the effect that your environment has on attack paths. It compares key exposure statistics between organizations with the highest and lowest security posture scores. Low scorers typically have 6X more exposures and a 23X higher ratio of choke points. That doesn't mean their risk fate is sealed, but it does suggest the starting point and the effective mobilization of Exposure Management matters quite a bit.

Figure 7: Comparison of exposure statistics for organizations with high vs. low security scores
  High scores: 5.1K exposures, 0.46% critical exposures, 0.33% choke point ratio
  Low scores: 30K exposures, 0.47% critical exposures, 7.7% choke point ratio

Critical Exposures: Exposures that have been validated to be exploitable and present an onward attack path towards critical assets using the XM Attack Graph Analysis.

We offer a similar comparison among industries in Figure 8. Let's start with the number of digital entities detected in the first column. From this, we see that the Healthcare & Pharmaceuticals, Financial Services, Manufacturing & Technology, and Retail sectors tend to manage environments that are larger and more complex than many other types of organizations. These industries traditionally have many digital assets to track and protect. In general, industries that have a lot of entities also have a lot of exposures. This makes sense because entities vulnerable to attack are, by definition, exposures. The fact that the median number of exposures affecting healthcare providers is 5X that of the Energy and Utilities sector points to the inherent challenges of minimizing risk in those environments.

Speaking of minimizing risk, the third column offers a more risk-centric perspective. It shows the proportion of all exposures that put critical assets at risk. The tables are turned here, and we see unusually high ratios of critical exposures for the transportation and energy sectors. A similar pattern applies to the choke point ratio. The lower exposure count in the denominator contributes to that calculation, but the basic fact remains. Managing high concentrations of critical assets and choke points requires a different approach than risk-sparse environments.

Figure 8: Comparison of exposure statistics by sector (columns: Entities, Exposures, Critical Exposures, Choke point ratio; sectors: Telecommunication & Media, Energy & Utilities, Transportation & Automotive, Education & Government, Agriculture & Food, Manufacturing & Technology, Business Services & Consulting, Retail, Financial Services, Healthcare & Pharmaceuticals)

XM Cyber Takeaways & Recommendations

Every environment is unique and presents its own level of exposure risk, with individual nuances and challenges. As such, security tools and the approach to security strategy need to be flexible and adapt to dynamic changes in the attack surface. As an example, from the charts above, you will see that although on average financial firms manage 5X more digital assets than the energy sector, the proportion of exposures affecting critical assets is 21X higher in the latter. Why is this? Well, it's likely down to two factors, the first being the tendency to use relatively flat networks, combined with the number of critical assets across the network for an energy or utility company. It may also be down to the use of legacy operating systems and hardware. Understanding the threats that exist and the risk they present to your unique attack surface is an essential first step to success with the cybersecurity strategy. Hopefully this report, combined with our Most Potent Attack Paths series, is starting to frame the picture for where you need to focus.

Finding & Categorizing Exposures

The challenge with identification and classification of critical assets

We've explored challenges associated with the high volume of security exposures across enterprise environments, but important questions remain. Where do all these exposures exist? How do attackers exploit them? What attack techniques can cause the most harm? In this section, we'll seek those answers and more.

To a certain extent, answers to these questions are a matter of perspective. Many view their attack surface as consisting of everything in their environment. And there's truth to that; organizations should protect all their assets. But to do that effectively, they need to know where those assets are located and how they're exposed to attack. The left-most chart in Figure 9 represents the attack surface based on broad categories of digital entities discovered during XM Cyber's attack path assessments. Active Directory constitutes just over half of entities identified across all environments. On-premises IT and network devices account for another 31% of entities and cloud environments house the remaining 17%.

Not all entities, however, are exposed via attack paths. If we change the scope of the attack surface to include only vetted exposures (entities susceptible to attack techniques), things look different. The middle chart captures this perspective and Active Directory exposures dominate the attack surface.

Where/What are our biggest exposures? Well, the answer depends on how you define "biggest".

But not all of those exposures affect critical assets. To be truly effective, Exposure Management must encompass all environments and account for where critical assets are most at risk. If we once again rescope the attack surface to focus on exposures to critical assets, a very different picture emerges, which is captured in the rightmost chart of Figure 9. Cloud environments now encompass over half of all critical asset exposures, followed by AD at 33% and IT/Network devices at 11%.

Figure 9: Categorical breakdown of entities, exposures, and critical exposures
  Category            Entities   Exposures   Critical Exposures
  Active Directory    51%        80%         33%
  IT/Network Devices  31%        13%         11%
  Cloud               18%        7%          56%

Given that defenders often specialize along lines which are not too different from these high-level categories, an organization could find itself adequately staffed and skilled to manage entities based on their overall counts, but coming up short when managing the outsized impact presented by riskier, albeit less numerous, ones. With too many entities and too little time, weeding out benign exposures is crucial to matching effort to risk.

We compare the relative distribution of exposures to critical assets across industries in Figure 10. About half follow the overall pattern of Cloud > Active Directory > IT/Network devices. But there's quite a bit of variation and some sectors buck that trend entirely. For example, very few of the critical asset exposures affecting the Energy, Transportation, and Healthcare sectors are in the cloud. On the other hand, the share of critical exposures in cloud environments is much higher than average in the Agriculture and Manufacturing industries.

Figure 10: Categorical breakdown of entities, exposures, and critical exposures by sector (IT/Network devices, Active Directory, Cloud), for Agriculture & Food (3.7K), Manufacturing & Technology (768), Telecommunication & Media (1.1K), Retail (3.3K), Financial Services (1.6K), Education & Government (1K), Business Services & Consulting (819), Healthcare & Pharmaceuticals (2K), Transportation & Automotive, and Energy & Utilities (832)

Active Directory is the largest attack surface, but the largest share of exposures to critical assets is in the cloud.

Where are the critical exposures?

Figure 11: Categorical breakdown of entities, exposures, and critical exposures by organization size (>100K, 10,001-100K, 1,001-10K, 101-1K, and up to 100 entities)

XM Cyber Takeaways & Recommendations

Our takeaway from this is that cybersecurity challenges scale with the organization. Things won't get inherently easier or harder as your firm grows. Measuring risk to critical assets wherever you're at now and managing that reality to minimize exposure is imperative for organizations of all sizes.

Figure A2: Comparison of overall security scores by organization size (>100K entities: 74.4; 10,001-100K: 64.9)

Appendix B: Top Cloud Techniques

The figures that follow list the top techniques observed by XM Cyber during attack path analyses conducted in 2023.

We use the same measures used throughout this report:
- Organizations: Percent of organizations susceptible to each technique
- Exposures: Percent of all platform-specific exposures identified by XM Cyber
- Critical Exposures: Percent of all platform-specific exposures to critical assets

Figure B1: Top techniques in AWS environments (Organizations, Exposures, Critical Exposures)
- AWS AssumeRole Compromise (Cross Account)
- AWS EC2 SSM StartSession Takeover
- AWS EC2 SSM SendCommand Takeover
- AWS Over-privileged AWS Lambda Function Creation
- AWS Update Lambda Code
- AWS AssumeRole Compromise
- AWS Add User To Group
- AWS Over-privileged AWS EC2 Instance Creation
- AWS EC2 (AttachVolume, DetachVolume) Take Over
- AWS Modify EC2 Instance User Data
- AWS EBS Share Volume Snapshot
- AWS S3 Bucket Write Data
- AWS S3 Bucket Read Data
- AWS Update Login Profile
- AWS Create User Access Key
- AWS Update Role Impersonation Policy
- AWS IAM Add Policy Privilege Escalation
- AWS Access Keys Stealer

Figure B2: Top techniques in Azure environments (Organizations, Exposures, Critical Exposures)
- Azure Certificate Stealer from Disk
- Azure Group Member of Group
- Microsoft Intune - Execute Script
- Azure Queues Compromise
- Azure Applications Can Add Passwords to Other Applications
- Azure Upload Blobs
- Azure Read Blobs
- Azure Tables Compromise
- Azure Member Of Group
- Modify OneDrive Files using Azure Applications
- Read OneDrive Files using Azure Applications
- Azure Key Vaults Compromise
- Azure Run Command On VM
- Azure Run Command On VM Using VM Extensions
- Azure Access Token Stealer
- Azure Add Role Assignment
- Azure Graph Role Compromise
- Azure Application Owner Can Compromise the Application Service Principals

Figure B3: Top techniques in GCP environments (Organizations, Exposures, Critical Exposures)
- GCP Member Of Group
- GCP Set a Folder IAM Policy
- GCP Write BigQuery
- GCP Read BigQuery
- GCP Set Service Account IAM Policy
- GCP Set a Project IAM Policy
- GCP Signing Well-Formed JWT
- GCP Request Service Account Token By Implicit Delegation
- GCP Allows Signing of Arbitrary Payloads
- GCP Request Service Account Token
- GCP Read Firestore
- GCP Compromised Service Account Key
- GCP Service Account From Resource
- GCP Create Function with Specified Service Account
- GCP Create VM with Specified Service Account
- GCP Set Storage IAM Policy
- GCP Read Secret
- GCP Read Data From Bucket
- GCP Write Data To Bucket
- GCP Create Service Account Key
- GCP Compromise Linux VM
- GCP Access Token Stealer

Appendix C: Top Attack Techniques

MITRE ATT&CK is a popular knowledge base of adversary tactics, techniques, and procedures (TTPs) used across the cybersecurity industry. Because of this popularity, we maintain a mapping between our attack path techniques and ATT&CK. Based on that mapping, Figure C1 lists the top ATT&CK techniques identified by XM Cyber in 2023. Figure C2 compares techniques that expose critical assets in on-prem networks, cloud platforms, and Active Directory. Overall, there's surprisingly little overlap between the columns. That suggests prioritization of TTPs and defenses should be done specific to the environment in view. It also reiterates the importance of context in threat and risk assessment.

Figure C1: Top ATT&CK techniques identified by XM Cyber attack path analysis during 2023 (Organizations, Exposures, Critical Exposures)
- Exploitation for Privilege Escalation (T1068)
- Exploitation of Remote Services (T1210)
- Adversary-in-the-Middle (T1557)
- Taint Shared Content (T1080)
- Windows Management Instrumentation (T1047)
- Scheduled Task/Job (T1053)
- Boot or Logon Initialization Scripts (T1037)
- OS Credential Dumping (T1003)
- Remote Services (T1021)
- Permission Groups Discovery (T1069)
- Account Manipulation (T1098)
- Use Alternate Authentication Material (T1550)
- Valid Accounts (T1078)

Figure C2: Comparison of critical ATT&CK techniques identified by XM Cyber in different scenarios (Active Directory, Cloud, IT/Network devices): Windows Management Instrumentation (T1047), Valid Accounts (T1078), Use Alternate Authentication Material (T1550), Taint Shared Content (T1080), Scheduled Task/Job (T1053), Remote Services (T1021), Account Manipulation (T1098)
