It is a well-known fact that today’s attackers rarely need to break in to infiltrate IT environments; deception is the cyber attacker’s trump card. Research shows once again that organizations’ cyber hygiene is substandard and is the leading cause of attacks. It leads to unnecessary compromises that are also difficult to identify afterwards.
Hunt & Hackett analyzed 54,400 incidents to reach this conclusion. Poor cyber hygiene does not necessarily lead to problems immediately, but its structural nature makes compromise inevitable in the long run. According to the Trend Report, overdue IT maintenance, weak identity security, and incomplete logging are the main areas of concern.
Well-known techniques dominate
Of all the incident response cases handled by Hunt & Hackett, 71 percent were financially motivated. Ransomware was the most common, at 43 percent, followed by email fraud at 29 percent.
CEO Jurjen Harskamp is concerned about the situation. “Our trend report shows that organizations are already struggling to ward off relatively simple, well-known attack techniques, while threats are rapidly increasing. Without a serious catch-up in resilience, there is a good chance that we will see more incidents in the coming years, not fewer.”
Attackers mainly exploit weaknesses in identity security. Stolen login details, unpatched vulnerabilities in internet-facing systems, and long-overdue IT maintenance are the main points of attack. Access was often gained via vulnerable remote services, edge devices, or the use of stolen credentials.
In most cases, the techniques used were already well known, extensively documented, and detectable with the right controls. However, in complex IT environments, it is difficult for organizations to implement these controls structurally and at scale. Furthermore, the playing field for attackers is expanding, with identities being the target for most malicious actors. As a result, the dashboards that previously identified the relevant threats may no longer do so.
Logging as a crucial weak spot
In 86 percent of incident response cases, incomplete logging and monitoring hindered detection. Missing audit logs, limited log retention, or systems that fell outside the security scope gave attackers room to enter unnoticed. Cloud environments, devices with direct internet access, and dependencies on suppliers further increase the attack surface.
Successful attacks are mainly made possible by a lack of prevention, visibility, and control. Truly innovative techniques play a smaller role for now. In the majority of incidents, basic conditions for effective detection and investigation were lacking, such as sufficient log retention, consistent monitoring, and tested response plans. Without this data, IT defenses are immediately at a disadvantage, and forensic investigations are often unable to determine exactly what went wrong beyond the fact that logging was inadequate.
Ronald Prins, co-founder of Hunt & Hackett, sees a fundamental problem. “We have been talking about solving ‘low-hanging fruit’ for years. The problem is not a lack of awareness, but a lack of execution. Many organizations implement security tools and assume that they will catch everything, but effective protection requires visibility across the entire attack path.”
Digital sovereignty and control
The report identifies four priorities that directly reduce risk: strengthen identity security by limiting excessive access rights, limit exposure by quickly patching internet-facing systems, increase visibility by having critical systems generate security logs, and test response scenarios so that forensic evidence can be quickly secured.