Three Misconceptions in Security Operations Revealed by Key Data

Working closely with numerous frontline security teams, we keep encountering the same sentiment: the team is exceptionally busy every day, yet where its effort goes often does not match where the actual risk lies.

Today, let’s move beyond abstract theory and share several data points we have observed and summarized. These figures may differ from what intuition or experience would lead us to assume.

The First Data Point: 60%

In the significant data breach incidents we analyzed last year, over 60% of the attacks had a dwell time exceeding 100 days.

What does this mean?

What we tend to worry about most are conspicuous ransomware attacks, because they make noise and have an immediate impact. Consequently, we invest most of our energy in real-time alerting and incident response.

However, this data shows that the more dangerous adversaries are the quiet ones. After gaining entry they do not aim for a spectacle; they silently carry out lateral movement, privilege escalation and data exfiltration, and the whole process can run for months. By the time we discover them, critical data may have been gone for a long time.

Our existing defenses, built mainly around real-time alerts, are poorly suited to these ‘slow-cooker’ attacks. Over a long dwell time, no single action by the attacker need trigger a high-severity alert; taken on its own, each step looks like routine administration.
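One way to make that concrete, as an added example that is not code from the original post or from the ATLAS platform: score low-severity host events over a long sliding window instead of judging each one in isolation. The log lines, event names, weights, window length and threshold below are all constructed assumptions.

```python
"""Long-dwell correlation: score low-severity events per host over months.

Added example; not code from the original post or from the ATLAS platform.
Log lines, event names, weights, window and threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per event, "timestamp host event_name".
# ws-17 shows a quiet four-month intrusion; ws-22 is ordinary noise.
SAMPLE_LOG = """\
2024-01-03T09:12:00 ws-17 new_scheduled_task
2024-01-03T09:40:00 ws-22 new_scheduled_task
2024-01-20T22:05:00 ws-17 local_admin_added
2024-02-11T23:30:00 ws-17 smb_logon_fanout
2024-02-11T23:31:00 ws-17 ldap_enumeration
2024-03-02T01:10:00 ws-17 rdp_to_server
2024-03-29T02:45:00 ws-17 archive_created
2024-04-14T03:15:00 ws-17 large_outbound_transfer
2024-04-14T10:00:00 ws-22 large_outbound_transfer
"""

# Assumed weights: every single event here is "low" and would not page anyone.
WEIGHTS = {
    "new_scheduled_task": 1,
    "local_admin_added": 2,
    "smb_logon_fanout": 2,
    "ldap_enumeration": 1,
    "rdp_to_server": 1,
    "archive_created": 1,
    "large_outbound_transfer": 2,
}
WINDOW_DAYS = 120   # assumed: longer than the 100-day dwell time in the article
THRESHOLD = 6       # assumed: unreachable by any one event, reachable by a chain


def parse_log(log):
    """Parse lines into (timestamp, host, event) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        ts, host, name = line.split()
        events.append((datetime.fromisoformat(ts), host, name))
    return sorted(events)


def score_hosts(log, window_days=WINDOW_DAYS, threshold=THRESHOLD):
    """Return {host: (score, sorted distinct events)} for hosts whose
    weighted count of DISTINCT techniques in any sliding window reaches
    the threshold. Counting distinct techniques rather than raw volume
    keeps a chatty but benign host from scoring on repetition alone."""
    window = timedelta(days=window_days)
    by_host = defaultdict(list)
    for ts, host, name in parse_log(log):
        by_host[host].append((ts, name))

    flagged = {}
    for host, evs in by_host.items():
        for i, (start, _) in enumerate(evs):
            seen = {}
            for ts, name in evs[i:]:
                if ts - start > window:
                    break
                seen.setdefault(name, WEIGHTS.get(name, 0))
            score = sum(seen.values())
            if score >= threshold and score > flagged.get(host, (0,))[0]:
                flagged[host] = (score, sorted(seen))
    return flagged


if __name__ == "__main__":
    for host, (score, chain) in score_hosts(SAMPLE_LOG).items():
        print(f"{host}: score {score} over {WINDOW_DAYS} days -> {', '.join(chain)}")
```

With a 120-day window the compromised host scores 10 and is flagged while the noisy one scores 3; shrink the window to a week, which is what a real-time rule effectively does, and nothing is flagged at all. The window length has to be chosen against the dwell times actually observed, not against what is convenient for the alert pipeline.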

Put yourself in the attacker’s shoes: what would you do? After breaching the environment, an attacker’s first objective is persistence, which means operating in a way that none of the existing detection and defensive measures fires. That is exactly how they remain undetected for months. So the absence of alerts from your security products and detection methods is not evidence that you are clean; it should prompt the question of what you would actually see if a quiet attacker were already inside.

What should we do?

Since we cannot guarantee that attackers never get in, we must make sure we detect them early and then make it impossible for them to advance. That means regularly running automated attack playbooks that simulate the techniques (TTPs) attackers use in the persistence phase, and simulating every plausible lateral movement path from the initial foothold.

We must continuously validate every potential pathway, from the office network to critical zones and from web servers to databases, so that these paths are discovered and blocked before they are genuinely exploited. And where validation reveals a missing capability, a remediation plan must be made urgently. For example: what if there are no operating-system-level audit logs? What if there is no network traffic logging? Without them, an attacker’s lateral movement is invisible in hindsight as well as in real time.

The Second Data Point: 70%

In the cloud attack and defense exercises we ran with our clients, nearly 70% of the successful entry points were not zero-day exploits but basic, common misconfigurations.

What does this mean?

We’ve allocated significant budgets to acquire the most advanced CWPP and CNAPP solutions, trusting these sophisticated tools to protect our cloud assets.

However, the data shows that what undermines us is usually not advanced hacker technique but basic mistakes: a storage bucket or file share inadvertently left open to the public internet, an ‘any-any’ security group rule added for convenient debugging and never removed, or an access key hardcoded by a developer.

These issues are not solved merely by buying new tools. However powerful a tool’s capabilities, it cannot compensate for a misconfiguration that leaves the front door wide open; at best it reports the finding, and the finding still has to be acted on.

What should we do?

Transform configuration checks into dynamic, continuous validation through simulated attacks.

Stop relying solely on static configuration scan reports. Use an automated platform to continuously simulate questions such as: “If an AK/SK pair (access key ID and secret key) is leaked, what could an attacker do with it?” or “If this security group rule is permissive, which internal services can an attacker reach from it?”

Use the results of these simulated attacks to drive the immediate discovery, correction, and hardening of misconfigurations. We can no longer afford to wait for the next monthly or quarterly audit, or discover the root cause only after a security incident occurs.
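The security group question, and the office-to-database path from the first section, can both be answered by graph search over the rules rather than by reading them. The following is an added example, not code from the original post or from the ATLAS platform; the hosts, security groups, rules and ports are constructed, and treating a 0.0.0.0/0 source as matching internal hosts too is a modeling assumption.

```python
"""Attack-path enumeration over security-group rules.

Added example; not code from the original post or from the ATLAS platform.
Hosts, groups and rules are constructed; they are not a real environment.
"""

# Constructed inventory: host -> security group ("internet" has no group).
HOSTS = {
    "internet": None,
    "office-laptop": "sg-office",
    "web-01": "sg-web",
    "app-01": "sg-app",
    "db-01": "sg-db",
}

# Rule = (destination group, allowed source, allowed port).
# Source is a group name or "0.0.0.0/0"; port "any" is the debugging leftover.
RULES_BEFORE = [
    ("sg-web", "0.0.0.0/0", 443),
    ("sg-app", "sg-web", 8080),
    ("sg-app", "sg-office", "any"),   # 'any-any' added for debugging, never removed
    ("sg-db", "sg-app", "any"),       # same
]

RULES_AFTER = [
    ("sg-web", "0.0.0.0/0", 443),
    ("sg-app", "sg-web", 8080),
    ("sg-db", "sg-app", 5432),        # only the DB port, only from the app tier
]


def adjacent(rules, src_host):
    """(dst_host, port) pairs that src_host may open under the rules.
    Assumption: a 0.0.0.0/0 source matches internal hosts as well."""
    src_group = HOSTS[src_host]
    out = []
    for dst_host, dst_group in HOSTS.items():
        if dst_host == src_host or dst_group is None:
            continue
        for group, source, port in rules:
            if group == dst_group and (source == "0.0.0.0/0" or source == src_group):
                out.append((dst_host, port))
    return out


def attack_paths(rules, start, target):
    """Every simple path from start to target as a list of (host, port) hops.
    This is the 'if this rule is permissive, what can an attacker reach?'
    question answered by search rather than by reading the rule."""
    paths = []

    def walk(host, path, visited):
        if host == target:
            paths.append(path)
            return
        for nxt, port in adjacent(rules, host):
            if nxt not in visited:
                walk(nxt, path + [(nxt, port)], visited | {nxt})

    walk(start, [], {start})
    return paths


def any_port_hops(paths):
    """Hops that rely on an 'any' port rule: the first things to fix."""
    return [(host, port) for path in paths for host, port in path if port == "any"]


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for start in ("internet", "office-laptop"):
            for path in attack_paths(rules, start, "db-01"):
                hops = " -> ".join(f"{h}:{p}" for h, p in path)
                print(f"[{label}] {start} -> {hops}")
```

Before the fix an office laptop has two routes to the database, one of them skipping the web tier entirely and both ending on an ‘any’ port; after the fix only the intended path through the web application remains, on the database port alone. Running this on every rule change is the continuous validation the section asks for; the output is a list of paths to close, not a list of rules to read.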

The Third Data Point: 40%

In the client security incidents we reviewed, nearly 40% of successful intrusions exploited vulnerabilities that had already been marked as patched.

What does this mean?

We hold weekly vulnerability review meetings, push operations and development teams to apply patches, and consider the issue resolved once the vulnerability list is cleared.

But the data tells us that applying a patch does not always equate to eliminating the risk. Many times:

  • The patch might not have been applied correctly to all relevant assets.
  • The patch itself might have issues or be incompatible with business operations, leading to a silent rollback.
  • Attackers might use a new technique to bypass the patch.

We become satisfied seeing the vulnerability disappear from the scan report, but we fail to validate whether the attack vector exploiting that vulnerability has actually been neutralized.

What should we do?

Incorporate a mandatory security validation step into the vulnerability remediation process. When operations or development teams report a vulnerability as fixed, the work is not over: the security team must immediately re-run the attack playbook for that specific vulnerability on the ATLAS Security Validation Platform. Only when the simulation shows ‘no longer successfully exploitable’ on every affected asset can the remediation ticket be truly closed.
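The closure gate described above, as an added example that is not code from the original post or from the ATLAS platform. It contrasts the patch system’s view (every host it knows about reports the fixed version) with an audit that checks inventory coverage, the live running version and a re-run of the attack check, so that each of the three failure modes listed earlier shows up as its own finding. The ticket, the placeholder component name ‘webfw’, the versions and the playbook result are constructed, and still_exploitable() stands in for the real validation run.

```python
"""Remediation-ticket gate: a patch ticket closes only on validated evidence.

Added example; not code from the original post or from the ATLAS platform.
Ticket, component name, versions and playbook results are constructed.
"""
import re


def parse_version(text):
    """Naive numeric version compare: '2.4.51' -> (2, 4, 51)."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


# Constructed ticket: 'webfw' is a placeholder component, not a real product.
TICKET = {"id": "VULN-1042", "component": "webfw", "fixed_in": "2.4.51"}

# Constructed inventory: reported_version is what the patch system recorded
# (None = it has no record of this host), running_version is a live check.
INVENTORY = [
    {"host": "web-01", "component": "webfw", "reported_version": "2.4.51", "running_version": "2.4.51"},
    {"host": "web-02", "component": "webfw", "reported_version": "2.4.51", "running_version": "2.4.49"},
    {"host": "web-03", "component": "webfw", "reported_version": None,     "running_version": "2.4.49"},
    {"host": "api-01", "component": "webfw", "reported_version": "2.4.51", "running_version": "2.4.51"},
    {"host": "db-01",  "component": "pgdb",  "reported_version": "15.4",   "running_version": "15.4"},
]

# Constructed playbook result: api-01 runs the fixed version but a bypass works.
PLAYBOOK_STILL_EXPLOITABLE = {"api-01"}


def patch_system_says_fixed(ticket, inventory):
    """The view that clears the ticket in the weekly meeting: every host the
    patch system has a record for reports the fixed version. Hosts with no
    record are simply absent, which is how coverage gaps stay hidden."""
    fixed_in = parse_version(ticket["fixed_in"])
    return all(parse_version(a["reported_version"]) >= fixed_in
               for a in inventory
               if a["component"] == ticket["component"] and a["reported_version"] is not None)


def audit_ticket(ticket, inventory, still_exploitable):
    """Return (can_close, findings); findings is a list of (host, reason):
      not_applied - no patch record, or the record shows an old version
      rolled_back - patch system says fixed, but the live asset runs the old version
      bypassed    - fixed version in place, yet the attack playbook still succeeds
    still_exploitable(host) stands in for re-running the playbook."""
    fixed_in = parse_version(ticket["fixed_in"])
    findings = []
    for asset in inventory:
        if asset["component"] != ticket["component"]:
            continue
        reported = asset["reported_version"]
        running = parse_version(asset["running_version"])
        if reported is None or parse_version(reported) < fixed_in:
            findings.append((asset["host"], "not_applied"))
        elif running < fixed_in:
            findings.append((asset["host"], "rolled_back"))
        elif still_exploitable(asset["host"]):
            findings.append((asset["host"], "bypassed"))
    return (not findings, findings)


if __name__ == "__main__":
    print("patch system view: fixed =", patch_system_says_fixed(TICKET, INVENTORY))
    ok, findings = audit_ticket(TICKET, INVENTORY, lambda h: h in PLAYBOOK_STILL_EXPLOITABLE)
    print("validated view: can close =", ok)
    for host, reason in findings:
        print(f"  {host}: {reason}")
```

On the constructed data the patch system reports the ticket as done, while the audit refuses to close it for three different reasons on three different hosts. The version comparison is deliberately naive; a real gate would use the package manager’s own comparison, and the exploit check would be the validation platform rather than a set lookup.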

These three data points converge on the same conclusion: the focus of security work is shifting from assumption to proof.

We can no longer assume that a lack of alerts means security; we can no longer assume that deploying tools equates to effectiveness; we can no longer assume that applying patches resolves risks.

The core value of the ATLAS Security Validation Platform is to help our clients achieve this transformation from “I think so” to “I am certain”. By using continuous, automated security validation data, we can guide our limited resources to be invested in mitigating the most real and urgent risk impacts.
