Attackers can compromise 94% of critical assets within four steps, according to XM Cyber research. Pictured: A symbolic data cloud is seen at the 2014 CeBIT technology trade fair on March 10, 2014, in Hanover, Germany. (Photo by Nigel Treblin/Getty Images)

Research on Thursday from XM Cyber found that attackers can compromise 94% of critical assets within four steps of the initial breach point.

The company’s first annual survey also reported that attackers can compromise 75% of an organization's critical assets in the company’s existing security status, and 73% of the top attack techniques involve mismanaged or stolen credentials.

Shay Siksik, vice president customer experience at XM Cyber, said by knowing where to disrupt attack paths, companies can reduce 80% of issues that would otherwise have taken up security resources.  

 "We often think of cybersecurity as protecting against zero-day, APT-style attacks, but in fact attackers are able to pivot throughout the network as a result of known vulnerabilities, strong credentials on a machine, misconfigurations, and sometimes even legitimate configurations that allow them to move around," Siksik said. “Understanding the combinations that create attack paths and where to best disrupt them means the difference between improving your security posture or leaving your organization at risk of attack."

This research comes across as very believable because many organizations have yet to define their crown jewels, said North American Steering Committee Chair Nasser Fattah of Shared Assessments. Fattah said knowing well that it’s impossible to protect all assets equally the same, there’s a strong likelihood that critical assets are not adequately protected from cyberattacks.

“Also, many organizations have yet to leverage threat intelligence to not only learn of threats that are out there lurking in the dark targeting them, but also to know of leaked credentials that may still have valid access to IT assets,” Fattah said. “And yes, expect cloud misconfiguration to continue to be an Achilles heel for any organization because of the need to quickly introduce or reconfigure technology to keep up with business demands. Hence, the importance of security by design and continuous security compliance monitoring."

Darren Williams, founder and CEO at BlackFog, said the important point here is that for attacks to be effective threat actors need to compromise the device through network access. Williams said if corporations have adequate protection from both defensive and preventative tools such as anti-data exfiltration products, then attackers will not gain a foothold onto the device.

“This report highlights the lack of controls within most networks and the difficulty organizations are having in adopting more modern security protocols and technologies,” Williams said.

George McGregor, vice president at Approov, added that the XM Cyber report confirms that access methods depending purely on use of secrets are insecure, since secrets and credentials are not adequately protected and are stolen all the time.

“One common attack vector that can be disrupted by organizations is where stolen API keys are used in scripts or tools to mimic genuine API requests from mobile apps to APIs," McGregor said. “App attestation approaches can ensure that only genuine apps can access APIs, providing an additional layer of run-time protection and mitigation against any attempt to exploit stolen secrets.”

Sounil Yu, chief information security officer at JupiterOne, said security teams need a layered defense model to ensure that attackers must bypass multiple controls before they can harm a critical asset. With that in mind, Yu said the suggestion that four or fewer hops are needed from the initial breach point to access 94% of critical assets could actually be good news, suggesting that some of our critical assets have up to four layers of controls. 

“However, according to the report, 63% of those critical assets only require one hop, meaning that only 31% of critical assets are protected with two or more layers of controls,” Yu said. “If you have a critical asset with only one layer of controls, it's like having a body with a brain that’s protected only by the skin and not further encased in a skull.”