For years, organizations have relied on firewalls as the primary line of defense against cyber threats. Firewalls were designed to block malicious traffic and prevent unauthorized access to internal systems.
But recent research shows that attackers have learned how to turn this traditional security control into an advantage.
A recent report from Barracuda Networks, discussed in the article "Cyber attackers hide their tracks by exploiting firewalls", reveals a troubling trend. In 90 percent of the ransomware incidents analyzed in 2025, attackers gained access through firewalls by exploiting vulnerabilities, weak credentials, or misconfigured systems.
Even more alarming, the fastest ransomware attack in the dataset went from initial intrusion to full encryption in just three hours.
For many organizations relying on traditional security approaches, that timeline leaves almost no opportunity to detect the attack and respond before damage occurs.
Firewalls are supposed to keep attackers out. Yet in many modern breaches, they have become the very point of entry.
The research found that attackers commonly exploit:
Many of these weaknesses exist because organizations are running older systems or security appliances that were never designed to face today’s threat landscape.
One example highlighted in the report is the continued exploitation of CVE-2013-2566, a vulnerability tied to the outdated RC4 encryption algorithm used in older SSL/TLS implementations. Despite being more than a decade old, it is still actively exploited in attacks today.
This demonstrates a harsh reality of cybersecurity: attackers do not need cutting-edge techniques if organizations leave known vulnerabilities exposed.
Modern attackers rarely rely on obvious malware that triggers alarms.
Instead, they use a tactic known as Living Off the Land (LOTL). This approach involves using legitimate administrative tools and system utilities that already exist within the environment.
By doing this, attackers can:
According to the research, 96 percent of incidents involving lateral movement ultimately resulted in ransomware deployment.
Once attackers gain a foothold through a firewall vulnerability or compromised account, they often move through the network quietly, escalating privileges and positioning themselves to deploy ransomware.
Because they are using legitimate tools and processes, traditional security tools frequently fail to recognize the activity as malicious.
Another growing concern highlighted in the research is the role of third-party software and supply chains.
The report found that 66 percent of incidents involved a supply chain or third-party component, a sharp increase from the previous year.
Attackers frequently target:
If attackers compromise a trusted tool or supplier, they can gain access to multiple organizations at once.
In many cases, the malicious activity appears to come from legitimate systems, which makes detection even more difficult.
Traditional cybersecurity strategies rely heavily on Detect and Respond.
This model assumes that security tools will detect malicious activity early enough for teams to investigate and stop the attack before damage occurs.
But the reality of modern attacks is very different.
When ransomware can move from intrusion to encryption in just a few hours, detection-based security approaches often fail for several reasons:
The problem is not simply detection accuracy.
It is the fundamental speed of modern attacks.
To stop today’s threats, organizations must shift away from purely detection-driven security models.
Instead of relying on identifying malicious activity after it starts, security strategies must prevent attackers from executing and spreading inside the environment.
This is where the concept of Isolation and Containment becomes critical.
Rather than attempting to detect every possible threat, isolation-based protection limits what applications and processes are allowed to do.
Even if attackers exploit a firewall vulnerability or compromise a legitimate account, their ability to execute malicious actions is contained.
This dramatically reduces the impact of:
This is exactly where AppGuard stands apart from traditional endpoint protection solutions.
AppGuard is a proven endpoint protection platform with more than 10 years of real-world success defending organizations against advanced threats.
Instead of relying on signature detection or behavioral analysis, AppGuard focuses on:
Even if an attacker enters the environment through a compromised firewall, phishing email, or vulnerable application, AppGuard prevents them from executing malicious code or moving laterally through the network.
This makes it highly effective against the exact tactics highlighted in the Barracuda research.
The latest research makes one thing clear:
Firewalls alone are no longer enough to protect modern organizations.
Attackers are increasingly exploiting firewall vulnerabilities, legitimate administrative tools, and trusted systems to hide their activity and launch ransomware attacks.
When 90 percent of ransomware incidents exploit firewalls, organizations must rethink how they defend their environments.
The cybersecurity industry must move beyond a strategy that simply tries to Detect and Respond.
The future of cybersecurity lies in Isolation and Containment.
If your organization is still relying primarily on detection-based security tools, it may already be vulnerable to the types of attacks described above.
At CHIPS, we help businesses implement modern endpoint protection strategies using AppGuard to stop ransomware and advanced attacks before they can execute.
If you would like to learn how AppGuard can prevent incidents like the firewall-based attacks described in this report, we invite you to talk with our team.
Contact CHIPS today to learn how moving from Detect and Respond to Isolation and Containment can dramatically improve your organization’s cybersecurity posture.