Sponsored by Cloudflare

The state of cybersecurity in the Middle East

The skyline of Dubai in the United Arab Emirates, with the Burj Khalifa in the center
(Image credit: Getty Images)

Cloudflare’s report Shielding the Future: Middle East Cyber Threat Landscape takes a close look at the state of cybersecurity in the Middle East, gauging both the offensive pressure from threat actors and businesses’ resilience to attacks.

The survey was conducted with 991 leaders responsible for cybersecurity in their organizations across three major countries in the region: Turkey, Saudi Arabia, and the UAE.

Most (52%) of the respondents Cloudflare spoke to were cyber leaders from large enterprises with more than 2,500 employees. A further 27% came from medium-sized businesses (1,000 – 2,499 staff), while 21% worked at smaller organizations with a workforce of between 150 and 999 people.

More than four in five (82%) of these leaders reported experiencing some form of cybersecurity incident in the past 24 months, with more than half (53%) suffering an incident in the last year.

Medium-sized enterprises were found to be the most vulnerable to cyber attacks, with 58% reporting an incident over the previous 12 months, closely followed by larger organizations (56%). Smaller firms in the Middle East have been less affected by cyber incidents according to the research, with just 39% reporting a cybersecurity incident in the same period.

Financial services was the worst affected industry in the region, with 63% of leaders from businesses in the finance vertical reporting at least one incident in the previous year.

In July 2024, a hacktivist group under the name SN_DARKMETA launched a series of DDoS attacks on banks in the UAE, generating an astonishing peak of 14.7 million requests per second. The group has also claimed to have targeted financial institutions in Israel such as the Israeli International Bank and the Meitav Investment House.

Web attacks plague businesses as dwell times increase

Overall, DDoS attacks like the one launched by SN_DARKMETA were the joint third most common attack vector in the Middle East, experienced by 41% of respondents, alongside stolen credentials or insider threats.

The most prevalent attack vector, cited by 69% of cyber leaders, was web attacks. This includes techniques such as cross-site scripting, session hijacking, or path traversal attacks, where hackers exploit a vulnerability to read and write arbitrary files anywhere on the target’s system.
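Path traversal is usually a failure to canonicalize a client-supplied file path before joining it to a fixed base directory. The example below is added here for illustration and is not code from the article or from Cloudflare's report: it contrasts a naive join with a check that resolves the path and rejects anything that lands outside the base directory. The base directory `/srv/app/uploads` and the sample request paths are constructed for the example.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed example directory for the demonstration; not from the article.
BASE_DIR = "/srv/app/uploads"

# Constructed sample request paths, including the traversal forms the check must block.
SAMPLE_REQUESTS = [
    "reports/q3.pdf",              # legitimate file under the base directory
    "../../etc/passwd",            # classic dot-dot traversal
    "/etc/passwd",                 # absolute path: join() would discard the base entirely
    "..%2F..%2Fetc%2Fpasswd",      # URL-encoded traversal, decoded once before the check
    "reports/../../secrets.env",   # climbs one level above the base directory
]


def vulnerable_path(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Naive join shown for contrast: the client controls where the path ends up."""
    # normpath only tidies the string; it does nothing to keep the result under base_dir.
    return posixpath.normpath(posixpath.join(base_dir, user_path))


def safe_path(user_path: str, base_dir: str = BASE_DIR):
    """Return the canonical path if it stays under base_dir, otherwise None."""
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks in existing components,
    # so the containment test runs on what the filesystem would actually open.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath avoids the prefix bug of startswith(): '/srv/app/uploads2' must not pass.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def triage(requests, base_dir: str = BASE_DIR):
    """Decode each request once, as a web server would, and split into allowed and blocked."""
    allowed, blocked = [], []
    for raw in requests:
        resolved = safe_path(unquote(raw), base_dir)
        (blocked if resolved is None else allowed).append(raw)
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = triage(SAMPLE_REQUESTS)
    for raw in allowed:
        print(f"ALLOW {raw!r} -> {safe_path(unquote(raw))}")
    for raw in blocked:
        print(f"BLOCK {raw!r} (naive join would give {vulnerable_path(unquote(raw))})")
```

The containment test is done after canonicalization rather than by filtering `..` substrings, because encoded or mixed separators defeat string filters while `realpath` reduces every variant to the same absolute path. Decoding exactly once mirrors what the web server has already done; decoding again would reintroduce double-encoding confusion.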

A considerable number (55%) of respondents also cited phishing attacks as a commonly experienced attack vector.

Once attackers have gained a foothold in a system, 62% of security leaders named malware, such as trojans, worms, or viruses, as the attackers’ next weapon of choice. In October 2024, researchers warned the community about a threat campaign being perpetrated by the OilRig group using the infostealer malware STEALHOOK to exfiltrate data from businesses in the Middle East.

The majority of targets were critical national infrastructure organizations in the energy sector, with the group thought to be affiliated with the FOX Kitten threat collective, which is responsible for a number of state-sponsored ransomware attacks.

Ransomware and spyware were the second most common risk to Middle Eastern businesses, listed by 38% of respondents among the top three threats facing their organization, followed by business email compromise (BEC) attacks (36%), API attacks (32%), and data breaches (31%).

The report noted that 80% of leaders said they felt attacker dwell time, the period during which cyber intruders are able to persist on victim networks undetected, has increased over the last 12 months, with 32% stating it had increased significantly.

The majority (58%) said the average dwell time is up to 24 hours, whereas a fifth of respondents said it had jumped to anywhere from one to three days. Cloudflare noted that 6% of respondents, equivalent to 60 organizations in the Middle East, said on average cyber intruders were able to remain undetected in their environment for more than a week.

Speaking to ITPro, Matt Aldridge, principal solutions consultant at OpenText Cybersecurity, highlighted two key factors he believes are driving this trend. Aldridge said the cyber crime industry is evolving, with hackers specializing as initial access brokers (IABs) who look to sell access to networks, holding on to the breached credentials for significant periods.

“One key factor is the nature of the threat actor ecosystem itself. With Initial Access Brokers (IABs) often waiting patiently for a long time until the right buyer pays the right price for their access – breached systems and compromised credentials can lie dormant for considerable amounts of time before a final attack is instigated by a threat actor,” he explained.

“This can often cause problems with forensic analysis, as in many cases log retention periods are not long enough for the initial source of breach to be isolated.”

Aldridge added that attackers are using more sophisticated persistence strategies, which make it even more difficult for defenders to detect and remediate unauthorized access.

“Dwell times have also been able to increase due to increasing volume and sophistication of Living-off-the-Land (LoL) and fileless malware approaches by threat actors. These techniques make it harder to detect an attack, which can often hide amongst the expected daily administrative traffic within an environment. It is crucial to have anomaly detection capabilities in critical environments in order to spot when something out of the ordinary is in need of investigation.”

Zero trust will be central to cyber resilience in the Middle East

Key to limiting the disruption of attackers once they have compromised a corporate network is adopting mature network segmentation defense strategies, but respondents told Cloudflare they weren’t confident in business leaders' understanding of the zero trust security model.

Danny Jenkins, CEO and co-founder at ThreatLocker, told ITPro why zero trust is integral to any modern defense strategy.

“Zero Trust has emerged as the sole viable solution to guard against the dynamic and ever-growing landscape of cyber threats, particularly as hackers can now leverage AI to code malware at an unprecedented rate,” he explained.

“Operating cybersecurity by simply identifying threats is no longer sufficient, however, the knowledge gap in business leaders has prevented Zero Trust frameworks from widespread implementation.”

Despite the importance of this technique, 79% of respondents reported that leadership teams at Middle Eastern organizations still do not have a firm grasp on zero trust security.

Trevor Dearing, director of critical infrastructure at Illumio, said he was not surprised by this knowledge gap, suggesting outdated security attitudes are to blame.

“The lack of understanding of Zero Trust among leadership is not surprising. Cybersecurity has traditionally been seen as an IT issue, but with more and more attacks now geared around inflicting operational disruption, it’s an area business leaders cannot afford to ignore,” he noted.

“IT leaders must take steps to educate everyone in the organization about Zero Trust, especially leadership. And leadership needs to take accountability for operational resilience and advocate any changes to strategy from the top-down.”

ITPro

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.