Threat actors are continuously evolving, yet Cyber Threat Intelligence (CTI) remains fragmented across isolated point solutions. Organizations need a holistic analysis that spans external data, inbound and outbound threats, and network activity to accurately assess their cybersecurity posture.

Cato's Cyber Threat Research Lab (Cato CTRL) has published its inaugural SASE threat report, providing in-depth insights into enterprise and network threats. This report leverages Cato's extensive and detailed network analysis capabilities.

The SASE Threat Report examines threats from strategic, tactical, and operational perspectives using the MITRE ATT&CK framework. It covers malicious and suspicious activities, as well as the applications, protocols, and tools active on networks.

The report is based on:

- Detailed data from every traffic flow across the Cato SASE Cloud Platform

- Hundreds of security feeds

- Analysis through proprietary ML/AI algorithms

- Human intelligence

Cato's data encompasses:

- Over 2200 customers

- 1.26 trillion network flows

- 21.45 billion blocked attacks

These comprehensive resources give Cato unparalleled insights into enterprise security activities.

Cato CTRL (Cyber Threats Research Lab) combines top-tier human intelligence with comprehensive network and security insights, enabled by Cato's AI-enhanced global SASE platform. Experts, including former military intelligence analysts, researchers, data scientists, academics, and security professionals, provide a unique view of the latest cyber threats and actors.

Cato CTRL offers tactical data for SOC teams, operational threat intelligence for managers, and strategic briefings for executives and boards. This includes monitoring and reporting on security industry trends, which informed the SASE Threat Report.

The report provides valuable insights for security and IT professionals, highlighting the following key findings:

1. Widespread AI Adoption in Enterprises: Enterprises are increasingly adopting AI tools, with Microsoft Copilot and OpenAI ChatGPT being the most common. Emol, an application for recording emotions and interacting with AI robots, is also gaining traction.

   - LLMs are enhancing tools like SQLMap for more efficient vulnerability exploitation.

   - Services for generating fake credentials and creating deep fakes are available.

   - A malicious ChatGPT startup is recruiting developers.

3. Spoofing of Well-Known Brands: Brands such as Booking, Amazon, and eBay are frequently spoofed for fraudulent activities, posing risks to consumers.

4. Lateral Movement in Enterprise Networks: Attackers can easily move laterally within enterprise networks due to unsecured protocols:

   - 62% of web traffic is HTTP

   - 54% of traffic is Telnet

   - 46% of traffic is SMB v1 or v2

5. Prevalence of Unpatched Systems Over Zero-Day Exploits: Unpatched systems and recent vulnerabilities, such as Log4J (CVE-2021-44228), are more frequently exploited than zero-day vulnerabilities.

   - Entertainment, Telecommunications, and Mining & Metals sectors are targeted with T1499 (Endpoint Denial of Service).

   - Services and Hospitality sectors face T1212 (Exploitation for Credential Access).

   Practices also vary, with 50% of media and entertainment organizations not using information security tools.

7. Importance of Contextual Understanding: Seemingly benign actions can be malicious when viewed in context. AI/ML algorithms, combined with network pattern analysis, are essential for detecting suspicious activity.

8. Low Adoption of DNSSE: Despite its importance, DNSSEC adoption is only at 1%. The Cato CTRL team is investigating the reasons behind this low adoption rate.

The full report can be viewed here .