
Barracuda security researchers analyzed the top Extended Detection and Response (XDR) detections of 2023, based on proprietary data supported by a 24/7 Security Operations Center (SOC). The results reveal the most common ways attackers tried – and failed – to gain persistent access to networks.
In 2023, 66,000 high-risk threats were detected that were serious enough to require referral to SOC analysts for investigation, and a further 15,000 that required urgent, immediate response. Both threat categories rose steadily throughout the year, peaking in October, November and December. These months are the peak season for online shopping as well as for holidays. Both factors are attractive to attackers: the first offers a large number of potential targets and attack opportunities, and during the holiday season IT teams are away from work or less alert. Another, smaller peak in attacks occurred in June, which is also an important holiday month in many countries.
Common evidence of identity abuse

🔎 In 2023, XDR detected 66,000 high-risk threats that were forwarded to SOC analysts, as well as an additional 15,000 cases that required immediate mitigation (Image: Barracuda).
Most of the top 10 detections of 2023 via XDR focused on some form of impersonation to compromise an account. Detections that indicate this impersonation include suspicious logins, brute force attacks, and attackers disabling multifactor authentication.
Uploading a suspicious executable file may indicate that attackers are attempting to move additional tools or malware from an external, attacker-controlled system, such as a command-and-control server, into a compromised account.
Suspicious login activity by category
Superheroes: Logins from two locations that are far apart from each other
More than 17,000 high-risk incidents were discovered via the Impossible Travel rule. This rule catches attackers trying to log in to a compromised account: if two logins are detected from two different locations that would require the user to cover an impossible distance in a short period of time, a security alert is triggered. The rule also checks whether the login comes from a VPN IP address, in order to rule out a false positive.
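The following is an added illustration of such an impossible-travel rule, not Barracuda's detection logic: it compares consecutive logins per user by great-circle distance and elapsed time, and suppresses the alert when either login comes from a known VPN egress address. The speed threshold, the VPN allowlist entry and all sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0            # assumption: roughly airliner speed
KNOWN_VPN_EGRESS = {"203.0.113.10"}  # placeholder corporate VPN exit IP (TEST-NET-3 range)
@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float
def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """True when the user would have had to exceed max_kmh to make both logins."""
    if prev.src_ip in KNOWN_VPN_EGRESS or cur.src_ip in KNOWN_VPN_EGRESS:
        return False  # a VPN exit's geolocation says nothing about where the user really is
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = max((cur.ts - prev.ts).total_seconds() / 3600, 1 / 60)  # clamp to one minute
    return dist / hours > max_kmh

def find_alerts(events):
    """Scan logins in time order; return one (user, previous_ip, current_ip) tuple per alert."""
    last, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.user)
        if prev is not None and impossible_travel(prev, ev):
            alerts.append((ev.user, prev.src_ip, ev.src_ip))
        last[ev.user] = ev
    return alerts

def at(hour, minute):  # helper for the constructed timestamps below
    return datetime(2023, 11, 20, hour, minute, tzinfo=timezone.utc)
# Constructed sample events (documentation IP ranges, public city coordinates).
SAMPLE = [
    Login("alice", at(9, 0), "198.51.100.7", 52.5200, 13.4050),   # Berlin
    Login("alice", at(9, 30), "192.0.2.44", 40.7128, -74.0060),   # New York, 30 min later
    Login("bob", at(8, 0), "198.51.100.9", 48.8566, 2.3522),      # Paris
    Login("bob", at(8, 20), "203.0.113.10", 37.7749, -122.4194),  # VPN egress: suppressed
    Login("carol", at(7, 0), "198.51.100.3", 51.5074, -0.1278),   # London
    Login("carol", at(9, 0), "198.51.100.5", 48.8566, 2.3522),    # Paris, 2 h later: fine
]
print(find_alerts(SAMPLE))  # [('alice', '198.51.100.7', '192.0.2.44')]
```

In production the coordinates would come from an IP geolocation lookup, and the VPN allowlist from the organisation's own egress inventory.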
Ghosts: Suspicious logins by inactive users

🔎 Suspicious logins from users on the move or from other countries accounted for almost a third of the XDR incidents (Image: Barracuda).
The system also detected more than 7,000 unusual usernames in the authentication logs. This detection rule helps catch attackers who are misusing the credentials of a dormant or inactive user, such as someone who has left the company. It also flags usernames that do not fit the company's typical naming scheme, which is an indication of threat actors creating new users to remain persistent on the network.
Insomniacs: Logging in at unusual times
In addition, more than 4,600 user logins were detected at times that were unusual for the user concerned. This could be due to an attacker in a different time zone trying to access a compromised account; unauthorized user activity also often occurs outside normal business hours.
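As an added example covering the "ghosts" and "insomniacs" rules above (my illustration, not Barracuda's code), the snippet below builds a per-user baseline from a constructed authentication log and flags new successful logins by accounts that have been idle for more than 90 days or that occur at an hour the user has rarely used. The log line format, the 90-day and 5 % thresholds and all entries are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumption: 90 idle days marks an account as dormant
MIN_HOUR_SHARE = 0.05               # assumption: an hour with <5% of a user's logins is unusual

def parse_line(line):
    """Parse '<ISO timestamp> user=<name> result=<success|failure>' (constructed log format)."""
    ts, user_kv, result_kv = line.split()
    return datetime.fromisoformat(ts), user_kv.split("=", 1)[1], result_kv.split("=", 1)[1]

def classify(history_lines, new_lines):
    """Return {user: [reasons]} for successful logins in new_lines that look anomalous
    against the successful logins in history_lines."""
    last_seen, hours = {}, defaultdict(Counter)
    for line in history_lines:
        ts, user, result = parse_line(line)
        if result == "success":
            last_seen[user] = max(ts, last_seen.get(user, ts))
            hours[user][ts.hour] += 1
    findings = defaultdict(list)
    for line in new_lines:
        ts, user, result = parse_line(line)
        if result != "success":
            continue
        if user not in last_seen or ts - last_seen[user] > DORMANT_AFTER:
            findings[user].append("ghost: account dormant or never seen before")
        total = sum(hours[user].values())
        share = hours[user][ts.hour] / total if total else 0.0
        if share < MIN_HOUR_SHARE:
            findings[user].append(f"insomniac: {share:.0%} of prior logins at hour {ts.hour}")
    return dict(findings)

def build_history():
    """Constructed history: alice logs in at 09:00 and 14:00 every day of Nov 2023;
    bob's last login was on 2023-07-03."""
    lines = [f"2023-11-{d:02d}T{h:02d}:00:00+00:00 user=alice result=success"
             for d in range(1, 31) for h in (9, 14)]
    lines.append("2023-07-03T10:00:00+00:00 user=bob result=success")
    return lines

HISTORY = build_history()
NEW = [
    "2023-12-01T03:12:00+00:00 user=alice result=success",  # alice has never used 03:00
    "2023-12-01T09:05:00+00:00 user=alice result=success",  # her usual hour: no finding
    "2023-12-01T10:00:00+00:00 user=bob result=success",    # 151 days idle: ghost
    "2023-12-01T10:00:00+00:00 user=eve result=failure",    # failures are ignored here
]
print(classify(HISTORY, NEW))
```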
Exploitation of critical security vulnerabilities
An analysis of the most common Intrusion Detection System (IDS) detections also showed that attackers continue to exploit existing critical security holes and vulnerabilities that have not yet been patched. Attacks on vulnerabilities from “Shellshock,” a 10-year-old collection of bugs, were also among the most frequently detected threats. The fact that Shellshock attacks remain so common suggests that attackers are aware that there are still many unpatched systems in circulation.
Furthermore, two years after the Log4Shell vulnerability in the open source Java-based Log4j logging program became known, attacks on it are still widespread. This could be because Log4j is so deeply embedded in applications and other software that many companies don't even know the program exists - and it can be difficult and time-consuming to fix the vulnerabilities.
Measures to protect against cyber threats
Strong cyber resilience first requires basic security measures. This includes robust authentication and access controls (at least multi-factor authentication and ideally a move to Zero Trust), a robust approach to patch management and data security, and regular employee cybersecurity training.
With an increasing number of high-level threats targeting an organization's expanding digital attack surface, and attackers increasingly leveraging AI to launch increasingly sophisticated, faster, and more targeted attacks, security teams must ensure their security tools have the same capability. A multi-layered, AI-based security approach with multiple layers for ever-deeper detection and testing is therefore essential.
AI plus experts results in the best solution
This AI-based approach should be embedded in a comprehensive security framework that includes robust next-generation security technologies. This should be supported by expert analytics and 24/7 security monitoring to detect unknown threats and anomalies, as well as SOC-as-a-Service to respond to and mitigate attacks. For companies that don't have the time or skilled resources, a managed XDR service that includes a SOC-as-a-Service monitoring every corner of the IT environment 24/7 can be a suitable solution.
More at Barracuda.com
About Barracuda Networks: Striving to make the world a safer place, Barracuda believes that every business should have access to cloud-enabled, enterprise-wide security solutions that are easy to purchase, implement and use. Barracuda protects email, networks, data and applications with innovative solutions that grow and adapt along the customer's journey. More than 150,000 companies worldwide trust Barracuda to help them focus on growing their business. For more information, visit www.barracuda.com.