The Benefits of Red Zone Threat Intelligence

Incorporating Red Zone threat intelligence into your security strategy will help you stay on top of the latest threats and better protect your organization.

Exploit trends help reveal the areas that cybercriminals are actively investigating for potential attacks and what they’re currently targeting. New intelligence allows CISOs to prioritize risk mitigation and reduce the active attack surface with an expanded “Red Zone” approach.

Entering the Red Zone

When FortiGuard Labs researchers looked at data from the second half of 2022, they found that less than 1 percent of the total observed vulnerabilities discovered in an enterprise-size organization were on endpoints. Why is this important? It is key to helping defenders zero in on what is actively under attack – in other words, the red zone where they need to focus most.

Mapping CVEs reveals vulnerability “Red Zone” to help CISOs prioritize

Our analysis (PDF) found that the majority of CVEs were not found on endpoints, and of those that were, even fewer were also being exploited. The Red Zone is computed by comparing the open attack surface of endpoints (open CVEs) to the active attack surface (the CVEs attackers are exploiting). The resulting Red Zone is 8.9% for the second half of 2022.

One might expect attackers to prioritize CVEs based on their presence on endpoints. Instead, we observed a large number of CVEs that are prevalent on endpoints but rare among attacks. Why? Attackers choose their targets based on a variety of factors, but a multitude of exploitable CVEs doesn't seem to be one of them.

Examining prevalent vulnerabilities

When examining the most prevalent vulnerabilities, we saw that Log4j continued to reign supreme. Log4j-based attacks overwhelmingly focused on the technology sector, irrespective of region. That is mainly because Apache Log4j is such a popular open-source program. Many businesses might not even know that they have built their existing systems on top of a Log4j component, as it can be so deeply integrated into a variety of applications.

It is used even in unexpected places, such as Ghidra (a debugger), into which it has been fully incorporated. Its wide use suggests its popularity won't die off any time soon.

Old-timers like Log4j were joined by some newcomers, including those we have designated the “rookies of the half”: vulnerabilities that were only recently discovered but appeared with high frequency among companies during the six-month period. The latest recipient of this designation is the Workspace ONE Access Catalog vulnerability in VMware, a server-side injection problem that first came to light in mid-2022. It is a significant remote code execution vulnerability that was discovered in July 2022. The nodes seen using this flaw appear comparable to those of generic botnets.

Three of the top six “rookies of the half” were connected to Spring, the open-source Java framework. If the word “Spring” seems familiar, it’s because two zero-day vulnerabilities in the Spring framework were revealed in 2022. Although they aren’t very common, it’s a good idea to keep them in mind as we proceed in 2023.

Prioritizing patching

These insights into the active attack surface give CISOs a clear view of the Red Zone and where to focus patching efforts. Of course, most software providers offer patches as soon as vulnerabilities are found. But those patches are useless if you don't apply them. Indeed, the most damaging malware attacks of the last 10 years have focused on software flaws for which updates were readily available. CISOs and IT executives need to prioritize effective patch management and regularly upgrade or replace software.
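As an added illustration (not code from the report or from FortiGuard Labs), the following computes the Red Zone ratio described above and turns it into a patch-priority list. It assumes that the "open attack surface" is the set of CVEs a scanner finds on endpoints and the "active attack surface" is the set of CVEs with observed exploit attempts; the host names, CVE ids and attempt counts are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample inventory (placeholder CVE ids): host -> open CVEs found on it.
ENDPOINT_INVENTORY = {
    "ws-001": {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"},
    "ws-002": {"CVE-0000-0001", "CVE-0000-0004"},
    "srv-010": {"CVE-0000-0002", "CVE-0000-0005", "CVE-0000-0006"},
    "srv-011": {"CVE-0000-0001", "CVE-0000-0007"},
}

# Constructed exploitation telemetry: CVE id -> exploit attempts seen by sensors.
# CVE-0000-0099 is heavily attacked but absent from every endpoint, so it is in the
# active attack surface yet outside the Red Zone; CVE-0000-0002 is the opposite case
# (present on two hosts, no attacks seen), the pattern the article describes.
EXPLOIT_TELEMETRY = {
    "CVE-0000-0001": 1200,
    "CVE-0000-0006": 35,
    "CVE-0000-0099": 5000,
}


def red_zone(inventory, telemetry):
    """Return (open_cves, active_cves, red_zone_cves, red_zone_percent)."""
    open_cves = set().union(*inventory.values())          # open attack surface
    active_cves = {cve for cve, hits in telemetry.items() if hits > 0}
    red = open_cves & active_cves                         # open AND actively exploited
    pct = 100.0 * len(red) / len(open_cves) if open_cves else 0.0
    return open_cves, active_cves, red, pct


def patch_priority(inventory, telemetry):
    """Rank open CVEs: Red Zone CVEs first (by attack volume), then by host count,
    then by CVE id so the order is deterministic."""
    hosts_per_cve = defaultdict(set)
    for host, cves in inventory.items():
        for cve in cves:
            hosts_per_cve[cve].add(host)
    return sorted(
        hosts_per_cve,
        key=lambda c: (-telemetry.get(c, 0), -len(hosts_per_cve[c]), c),
    )


if __name__ == "__main__":
    opened, active, red, pct = red_zone(ENDPOINT_INVENTORY, EXPLOIT_TELEMETRY)
    print(f"open={len(opened)} active={len(active)} red_zone={len(red)} ({pct:.1f}%)")
    for cve in patch_priority(ENDPOINT_INVENTORY, EXPLOIT_TELEMETRY):
        print(cve, "RED ZONE" if cve in red else "")
```

With the constructed data the Red Zone is 2 of 7 open CVEs (28.6%), and the two exploited CVEs are ranked ahead of the one that is widespread on endpoints but not under attack.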

The first step in defending against zero-day vulnerabilities is determining what needs to be secured. There will always be a mix of network- and endpoint-based detection and security measures. To provide total visibility across all areas and industries, both kinds of measures should incorporate the most recent security updates and threat data offered by a global threat research team.

Intelligence is power

Because the threat landscape and organizations’ attack surfaces are continually changing, the ability of bad actors to create and adapt their tactics to this changing environment continues to pose a serious risk to enterprises of all sizes, regardless of sector or location.

In the second half of 2022, criminals continued to exploit known and new vulnerabilities – but not necessarily on endpoints. Information like this helps organizations prioritize their security teams’ time and plug the leakiest holes. Incorporating Red Zone threat intelligence into your security strategy will help you stay on top of the latest threats and better protect your organization.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
