Traces of known APT groups found in half of all organizations
Positive Technologies identifies key weaknesses in corporate cybersecurity defenses
The Positive Technologies Expert Security Center Incident Response team has released its findings[1] from the past year's cyberattack investigations and retrospective analysis. Experts note that demand for these services remains strong, with requests for retrospective analysis doubling over the past year. Exploiting web application vulnerabilities and abusing trusted third-party relationships were identified as the primary initial access vectors for breaching corporate infrastructure. The share of attacks that successfully disrupted business continuity reached 55%.
According to the Positive Technologies Expert Security Center Incident Response (PT ESC IR) team, the victim profile has changed significantly. While manufacturing companies were the most frequent targets in the previous reporting period, IT companies have now taken the lead (24%). Such growth is attributed to the fact that compromising a single IT provider can serve as a gateway into the internal networks of multiple client organizations. Government agencies currently share the top spot, also accounting for 24% of investigation requests.
The share of supply chain attacks — breaches via third-party contractors — nearly doubled compared to last year, jumping from 15% to 28%. The report highlights that in these scenarios, two-factor authentication (2FA) would have significantly hindered the attackers' progress and increased the likelihood of early detection. The most common method for infiltrating corporate infrastructure remains the exploitation of vulnerabilities in perimeter web applications (36%).
The report also indicates a rise in incidents involving compromised network devices. In one investigated case, cybercriminals exploited misconfigured network routers to intercept traffic over an extended period.
In over a quarter of the incidents (26%), attackers were able to move from the compromised perimeter into internal networks because of poor network segmentation. Another critical security flaw was the use of outdated operating systems and software, particularly on the network perimeter, which accounted for 25% of cases. In 23% of the investigated projects, attackers capitalized on the absence of 2FA on hosts. In 21% of cases, the success of the cyberattack was facilitated by either a lack of antivirus solutions or their improper configuration.
[1] Over the reporting period from Q4 2024 to Q3 2025, the team conducted over 100 incident response and compromise assessments, primarily in the CIS countries.
"We discovered traces of known APT groups in the infrastructure of nearly half (43%) of the organizations, up from 39% in the previous period. The share of attacks resulting in business disruption has also surged — from 32% in the 2021–2023 report to 55% today. Organizations that engaged our experts early on managed to avoid irreparable damage. For the rest, we assisted in investigating the root causes of the successful breaches and restoring business operations. To prevent massive financial and reputational losses in the future, companies must move beyond piecemeal improvements. They need to critically review their cybersecurity strategies, with a strong focus on measurable results."
Experts also point out that organizations are now detecting security incidents faster. On average, it takes nine days from the beginning of malicious activity to its discovery — an eight-day improvement compared to the previous year. However, in some cases, attackers manage to compromise critical infrastructure hosts and trigger non-tolerable events in just 24 hours. Conversely, some attacks can span years: during one investigation, PT ESC IR specialists found that hackers had remained undetected for nearly three and a half years.
To prevent cyberattacks, specialists recommend adhering to current cybersecurity best practices. Effective defense can be achieved by deploying robust security solutions, including: security information and event management solutions (MaxPatrol SIEM), vulnerability management systems (MaxPatrol VM), network traffic behavioral analysis (PT NAD), next-generation firewalls for deep traffic filtering (PT NGFW), web application firewalls (PT Application Firewall), sandboxes for detecting complex and unknown malware (PT Sandbox), and comprehensive endpoint protection against sophisticated APTs and mass attacks (MaxPatrol Endpoint Security). Organizations can use the PT X cloud solution to detect indicators of compromise and rapidly monitor and respond to threats. The PT Fusion portal enables efficient security monitoring and rapid response to modern threats that exploit vulnerabilities. It provides insights into current tactics, techniques, and indicators of compromise (IoCs), helping organizations map out the latest cyberthreat landscape.