Attacks aimed at impersonation and account takeover have become increasingly sophisticated over time, giving cybercriminals an easy gateway into a company's network to access sensitive data or carry out further attacks. Now account takeover, BEC and similar attacks are meant to become a thing of the past.
In the first half of 2023, Barracuda collected nearly a trillion IT events, with the most frequently detected high-risk incidents requiring immediate mitigation involving some type of impersonation.
However, with the help of AI-based account profiling, these attacks can be detected and blocked. In the work context, every person has a distinct digital profile in terms of how, where and when they work. If an IT event falls outside this pattern, the system raises an alarm. Even when an attack is so subtle and sophisticated that human expertise is needed to investigate it, AI-based detection surfaces it so that an experienced SOC analyst can confirm its malicious intent.
The most frequently discovered high-risk attacks: results in detail
Between January and July 2023, Barracuda's Managed XDR platform collected 950 billion IT events from its customer companies' integrated network, cloud, email, endpoint and server security tools. These nearly one trillion events include everything from logins (successful and unsuccessful), network connections, and traffic flows to email messages and attachments, files created and saved, application and device processes, configuration and registry changes, and specific security alerts.
0.1 percent of these events (985,000) were classified as alarms: activities that could be malicious and require further investigation. Of these, 1 in 10 (9.7 percent) were reported to the customer for review, while another 2.7 percent were identified as high risk and forwarded to a SOC analyst for further analysis. 6,000 attacks required immediate defensive measures to contain and neutralize the threat.
The top three high-risk attacks detected and studied by SOC analysts in the first six months of 2023 were:
1. “Impossible Travel” login event
These events occur when a detection shows that a user is attempting to log in to a cloud account from two geographically distant locations in quick succession, where the distance between the two locations cannot be covered in the time between the logins. While this may mean that the user is using a VPN for one of the sessions, it is often a sign that an attacker has gained access to the user account. Therefore, “Impossible Travel” alerts should always be investigated. Barracuda XDR Impossible Travel detection for Microsoft 365 accounts detected and blocked hundreds of attempted Business Email Compromise (BEC) attacks between January and July 2023 alone.
A real-world example: In an incident investigated by the Barracuda SOC team, a user logged in to their Microsoft 365 account from California and just 13 minutes later from Virginia. The IP address used to log in from Virginia was not associated with a known VPN address and the user did not typically log in from that location. The SOC team notified the customer company, which confirmed that it was an unauthorized login, immediately reset the passwords, and logged the user out of all active accounts.
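The core of an impossible-travel check is simple: geolocate consecutive logins for the same user, compute the great-circle distance between them, and alert when the speed needed to cover it exceeds what a traveller could plausibly achieve. The following is an added illustration, not Barracuda's detection code; the login events, coordinates and the VPN egress allowlist are constructed for the example, and the 900 km/h ceiling (roughly airliner speed) is an assumed threshold.

```python
import math
from datetime import datetime

# Constructed sample login events: (user, UTC timestamp, source IP, lat, lon).
# Coordinates are approximate city centres; timings are invented to show the check.
LOGINS = [
    ("alice", "2023-03-14T09:00:00", "198.51.100.7",  37.77, -122.42),  # San Francisco
    ("alice", "2023-03-14T09:13:00", "203.0.113.9",   37.54,  -77.44),  # Richmond, Virginia
    ("bob",   "2023-03-14T10:00:00", "192.0.2.10",    51.51,   -0.13),  # London
    ("bob",   "2023-03-14T11:05:00", "192.0.2.20",    48.86,    2.35),  # Paris (feasible by plane)
    ("carol", "2023-03-14T08:00:00", "198.51.100.50", 40.71,  -74.01),  # New York
    ("carol", "2023-03-14T08:20:00", "198.51.100.60", 34.05, -118.24),  # Los Angeles, via known VPN
]

# Hypothetical allowlist of the organisation's own VPN egress addresses.
KNOWN_VPN_EGRESS = {"198.51.100.60"}
MAX_SPEED_KMH = 900.0     # assumed fastest legitimate travel (commercial airliner)
MIN_DISTANCE_KM = 50.0    # ignore small hops caused by IP geolocation jitter

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(math.radians(lat1)) * math.cos(math.radians(lat2)) * math.sin(dlam / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH, known_vpn=KNOWN_VPN_EGRESS):
    """Return (user, required_speed_kmh, ip) for each login whose distance from the
    user's previous login could not have been covered in the elapsed time.
    Logins from known VPN egress addresses are skipped: their apparent location is not real."""
    alerts = []
    last = {}  # user -> (timestamp, lat, lon) of the previous non-VPN login
    for user, ts, ip, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        if ip in known_vpn:
            continue
        t = datetime.fromisoformat(ts)
        if user in last:
            t0, lat0, lon0 = last[user]
            hours = (t - t0).total_seconds() / 3600
            dist = haversine_km(lat0, lon0, lat, lon)
            # Zero elapsed time with a real distance is impossible by definition.
            if dist >= MIN_DISTANCE_KM and (hours <= 0 or dist / hours > max_speed_kmh):
                speed = float("inf") if hours <= 0 else dist / hours
                alerts.append((user, round(speed), ip))
        last[user] = (t, lat, lon)
    return alerts

if __name__ == "__main__":
    for user, speed, ip in impossible_travel(LOGINS):
        print(f"ALERT impossible travel: {user} from {ip} would need {speed} km/h")
```

In practice the VPN allowlist is what keeps this check quiet for legitimate remote workers; in the incident above it was precisely the absence of a known VPN address that turned the alert into a confirmed compromise.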
2. Anomaly detections
AI-based account profiling can also be used to identify unusual or unexpected activity in a user's account. These include infrequent or one-time login times, unusual file access patterns, or excessive account creation for a single user or organization. Deviations from a user account's usual pattern of behavior should always be investigated to determine the cause of the anomaly, as it can be a sign of a variety of problems, including malware infections, phishing attacks, and insider threats.
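A minimal form of the account profiling described above is a per-user frequency baseline: record how often each login hour and country appears during a training window, then flag a new login whose hour or country is rare for that user. This is an added illustration written for this page, not Barracuda's model; the history is constructed, and the 2 percent rarity cut-off is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline: alice logs in from the US at 08:00, 09:00, 13:00 and 17:00 UTC
# on nine working days, plus one further 09:00 login. Invented data, not real telemetry.
HISTORY = [
    ("alice", f"2023-02-{day:02d}T{hour:02d}:00:00", "US")
    for day in range(1, 10) for hour in (8, 9, 13, 17)
] + [("alice", "2023-02-10T09:00:00", "US")]

def build_profile(events):
    """Per-user baseline: counts of login hours and countries seen in the window."""
    profile = defaultdict(lambda: {"hours": defaultdict(int),
                                   "countries": defaultdict(int), "n": 0})
    for user, ts, country in events:
        p = profile[user]
        p["hours"][datetime.fromisoformat(ts).hour] += 1
        p["countries"][country] += 1
        p["n"] += 1
    return profile

def score_event(profile, user, ts, country, rare_fraction=0.02):
    """Return the list of reasons a new login deviates from the user's baseline
    (empty list means it fits the profile). Users without history are flagged too."""
    p = profile.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if p["hours"].get(hour, 0) / p["n"] < rare_fraction:
        reasons.append(f"login hour {hour:02d}:00 rare for user")
    if p["countries"].get(country, 0) / p["n"] < rare_fraction:
        reasons.append(f"country {country} rare for user")
    return reasons

if __name__ == "__main__":
    prof = build_profile(HISTORY)
    print(score_event(prof, "alice", "2023-02-11T09:00:00", "US"))   # fits baseline
    print(score_event(prof, "alice", "2023-02-11T03:00:00", "BR"))   # off-hours, new country
```

The same structure extends to the other signals the text names: a counter of files touched per day or of accounts created per actor, compared against the user's own history rather than a fixed global threshold.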
3. Communication with known malicious artifacts
These detections identify communications with suspicious or known malicious IP addresses, domains, or files. This could be a sign of a malware infection or a phishing attack. If communication with a known malicious or suspicious artifact is discovered, the computer should be immediately quarantined and scanned for infection.
AI in the hands of attackers
While the above shows how AI can significantly improve security, it can also be used by attackers for malicious purposes. For example, cybercriminals can use generative AI language tools to create highly convincing emails that closely resemble the style of a legitimate company, making it much harder for individuals to tell whether an email is legitimate or part of a phishing, account takeover or BEC attack.
AI tools are also likely to be used by attackers to automate and dynamically emulate malicious software behaviors, making their attacks more effective and difficult to detect. For example, AI-powered command-line programs can quickly adapt to changes in a target's defenses, identify vulnerabilities, or even learn from previous failed attempts to optimize subsequent attacks. A first example of such a tool is “WormGPT,” which is already being promoted on an underground forum and can be used by threat actors to automate the creation of malicious scripts and commands, dynamically adapting them to each specific target.
Security for a rapidly evolving threat landscape
As AI continues to advance, companies must be aware of the potential risks and take steps to mitigate them. This includes robust authentication measures, such as at least multi-factor authentication, but ideally also zero trust approaches, as well as continuous employee training, especially with regard to phishing attacks.
IT security teams and their third-party security providers should try to stay informed about the latest AI-powered threats and adapt their security precautions. But it's just as important to remember the basics: systems and software should always be up to date and professionals should have a complete overview of the IT environment.
Additionally, the use of integrated security services and platforms for managed support, XDR and SOC-as-a-Service can help companies and their internal security teams monitor, detect and respond to cyber threats around the clock, so that they can defend themselves against the increasingly complex threat landscape.
More at Barracuda.com
About Barracuda Networks
Striving to make the world a safer place, Barracuda believes that every business should have access to cloud-enabled, enterprise-wide security solutions that are easy to purchase, implement and use. Barracuda protects email, networks, data and applications with innovative solutions that grow and adapt as the customer journey progresses. More than 150,000 companies worldwide trust Barracuda to help them focus on growing their business. For more information, visit www.barracuda.com.