In the dynamic landscape of cybersecurity, our commitment to your digital safety remains unwavering. Over the first half of 2023, Barracuda Managed XDR sifted through almost a trillion IT events from customers' integrated network, cloud, email, endpoint, and server security tools. Among those events, thousands of high-risk incidents were detected and neutralized by the Managed XDR platform and the AI-based account profiling behind it.

Identity Abuse: A Growing Concern

Identity abuse emerged as a prevalent threat during this six-month period, and the attacks grew more sophisticated. Even the subtlest attempts, the ones that need expert analysis to confirm, were identified and stopped by AI-driven detection.

In a work context, each person has a distinctive digital fingerprint: how they log in, from where, and when. When an IT event deviates from that established baseline, a warning is raised. Even when the activity is subtle enough that a skilled SOC analyst must confirm it is malicious, AI-based detection ensures the deviation is surfaced for review rather than lost among routine events.

Every Event Matters: Unveiling the Numbers

From January to July 2023, Barracuda's Managed XDR platform aggregated 950 billion IT events from the security tools integrated across customers' networks, clouds, email, endpoints, and servers.

Security risks detected by Barracuda XDR

Of those nearly one trillion events, only 985,000, roughly one event in a million, were classified as 'alarms' that required further investigation. The underlying events span a wide range of activity: logins (successful and failed), network connections, traffic flows, email messages and attachments, file creations and saves, application and device processes, configuration and registry changes, and any specific security warnings.

Of the flagged alarms, about 1 in 10 (9.7%) were brought to the customer for verification, and a further 2.7% were rated high risk and handed to a SOC analyst for in-depth analysis. From that high-risk set, 6,000 incidents demanded immediate defensive action to contain and neutralize the threat.

The most frequently detected high-risk attacks

Now, let's delve into the three most common high-risk detections during this period:

1. “Impossible travel” login events

Managed XDR identified and blocked hundreds of attempted Business Email Compromise (BEC) attacks on Microsoft 365 accounts by detecting "impossible travel" login events. These occur when a user logs into a cloud account from two locations in less time than it would take to physically travel between them, a strong indicator that someone other than the user holds the credentials or session.

For instance, a user logging in from California and then, just 13 minutes later, from Virginia raised an immediate red flag. Before alerting the customer, the team checked that the Virginia IP was not a known VPN address and that the user did not normally log in from that location; both checks held, so the alert was escalated. The customer confirmed that the login was unauthorized, and immediate action was taken: the user's passwords were reset and the rogue session was signed out of all active accounts.
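The check described above, written out as an added example (this is not Barracuda's or Datalink Networks' code). It runs over a constructed sign-in log in a made-up "timestamp user ip result" format, uses a constructed IP-to-location table in place of a GeoIP database, and assumes a constructed corporate VPN egress range (192.0.2.0/24) so that the "is this a known VPN address?" step from the Virginia case is part of the logic rather than a manual follow-up. The 900 km/h threshold is an assumption, roughly airliner cruise speed.

```python
"""Impossible-travel detection over a constructed Microsoft 365-style sign-in log.

Added example, not Barracuda's or Datalink Networks' code. The geolocation table,
the VPN egress list and the log lines are all constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed: about airliner cruise speed; faster is "impossible"

# Constructed IP -> (label, latitude, longitude). Production code would query a GeoIP database.
GEOIP = {
    "203.0.113.10": ("California", 37.77, -122.42),
    "198.51.100.7": ("Virginia", 37.54, -77.44),
    "192.0.2.25": ("Virginia", 38.90, -77.04),
}

# Constructed: corporate VPN egress ranges. A login from here is expected to look "far away".
KNOWN_VPN_EGRESS = [ip_network("192.0.2.0/24")]

# Constructed sign-in log: "<timestamp> <user> <source ip> <result>"
SAMPLE_LOG = """\
2023-03-14T09:02:11Z alice 203.0.113.10 success
2023-03-14T09:15:11Z alice 198.51.100.7 success
2023-03-14T10:00:00Z bob 203.0.113.10 success
2023-03-14T10:05:00Z bob 192.0.2.25 success
2023-03-14T11:00:00Z carol 203.0.113.10 success
2023-03-14T11:20:00Z carol 203.0.113.10 failure
"""


@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    result: str


@dataclass
class Finding:
    user: str
    from_place: str
    to_place: str
    minutes: float
    distance_km: float
    required_kmh: float


def parse_signins(text):
    """Parse the constructed log format into SignIn records (timestamps are UTC)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(user, when, ip, result))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_known_vpn(ip):
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_VPN_EGRESS)


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive successful sign-ins by one user that would need travel faster than max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.result == "success":  # failed attempts prove nothing about where the user is
            by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            # Same IP, or either hop through a known VPN egress: no travel to explain.
            if prev.ip == cur.ip or is_known_vpn(prev.ip) or is_known_vpn(cur.ip):
                continue
            name1, lat1, lon1 = GEOIP[prev.ip]
            name2, lat2, lon2 = GEOIP[cur.ip]
            dist = haversine_km(lat1, lon1, lat2, lon2)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            required = dist / max(hours, 1 / 3600)  # floor at one second to avoid division by zero
            if required > max_kmh:
                findings.append(Finding(user, name1, name2, hours * 60, dist, required))
    return findings


if __name__ == "__main__":
    for f in find_impossible_travel(parse_signins(SAMPLE_LOG)):
        print(f"{f.user}: {f.from_place} -> {f.to_place} in {f.minutes:.0f} min "
              f"({f.distance_km:.0f} km, needs {f.required_kmh:.0f} km/h)")
```

On the constructed log only alice is flagged: California to Virginia in 13 minutes would need roughly 18,000 km/h. bob's second login comes from the VPN egress range and is skipped, and carol never changes IP. In production the VPN list should also cover corporate proxies, cloud egress and mobile carrier NAT, since those are the usual sources of false positives for this detection.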

2. “Anomaly” detections

These detections uncover unexpected or uncommon behavior in a user's account: infrequent or one-time logins, atypical file access patterns, or an excessive number of account creations by an individual or organization. They can signal a range of issues, including malware infections, phishing attacks, and insider threats. When you see an anomaly-style detection, investigate the account to establish the cause of the irregularity before deciding whether it is benign.

Barracuda XDR includes a Windows "rare hour for user" detection that baselines each user's login times and raises a flag when that user logs in at an hour outside their normal pattern. Since January 2023, the SOC team has issued more than 400 alerts for this type of activity.
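A minimal version of a "rare hour for user" baseline, as an added example (not Barracuda's detection logic, whose thresholds and features are not described on this page). The sign-in history is constructed in code, and the two thresholds are assumptions: a user needs at least 20 past sign-ins before the baseline is trusted, and an hour of day seen in fewer than 2% of those sign-ins is "rare". The cold-start case (a user with too little history) is reported separately instead of being silently treated as normal or as an alert.

```python
"""'Rare hour for user' detection: baseline each user's sign-in hours, flag outliers.

Added example, not Barracuda's or Datalink Networks' code. History and new events
are constructed; the thresholds are assumptions, not Barracuda's tuning.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MIN_BASELINE_EVENTS = 20   # assumed: below this the user has no usable baseline
RARE_FRACTION = 0.02       # assumed: hour seen in under 2% of past sign-ins is "rare"


def build_baseline(history):
    """history: iterable of (user, datetime). Returns {user: Counter of hour-of-day}."""
    baseline = defaultdict(Counter)
    for user, when in history:
        baseline[user][when.hour] += 1
    return baseline


def evaluate(baseline, user, when):
    """Return 'insufficient_baseline', 'rare_hour' or 'normal' for one new sign-in."""
    hours = baseline.get(user)
    if hours is None or sum(hours.values()) < MIN_BASELINE_EVENTS:
        return "insufficient_baseline"
    fraction = hours[when.hour] / sum(hours.values())  # Counter returns 0 for unseen hours
    return "rare_hour" if fraction < RARE_FRACTION else "normal"


def run_detection(baseline, new_events):
    """new_events: iterable of (user, ISO-8601 timestamp). Returns [(user, ts, verdict)]."""
    out = []
    for user, ts in new_events:
        out.append((user, ts, evaluate(baseline, user, datetime.fromisoformat(ts))))
    return out


def constructed_history():
    """Constructed: 30 weekdays of two office-hours sign-ins for alice; bob has only three."""
    events = []
    day = datetime(2023, 1, 2)  # a Monday
    weekdays = 0
    while weekdays < 30:
        if day.weekday() < 5:
            events.append(("alice", day.replace(hour=8, minute=5)))
            events.append(("alice", day.replace(hour=13, minute=30)))
            weekdays += 1
        day += timedelta(days=1)
    for h in (9, 10, 11):
        events.append(("bob", datetime(2023, 1, 2, h)))
    return events


if __name__ == "__main__":
    base = build_baseline(constructed_history())
    new = [
        ("alice", "2023-02-20T03:14:00"),   # 03:14, never seen for alice -> rare_hour
        ("alice", "2023-02-20T08:01:00"),   # 08:01, half of her history -> normal
        ("bob", "2023-02-20T03:00:00"),     # too little history to judge
    ]
    for row in run_detection(base, new):
        print(row)
```

Two things matter in practice that the toy keeps simple: the hour must be computed in the user's own time zone (a UTC hour shifts with travel and daylight saving), and the baseline should be rebuilt only from sign-ins already judged benign, otherwise an attacker who logs in nightly for a few weeks quietly teaches the model that 03:00 is normal.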

3. Communication with known malicious artifacts

These detections uncover communication with flagged or known-malicious IP addresses, domains, or files, which can indicate a malware infection or a phishing attempt in progress. If you see communication with a known malicious or suspicious artifact, isolate the affected computer immediately and investigate the infection thoroughly; the indicator tells you which host to contain, not yet how it was compromised or what else it touched.
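The matching step behind this detection, as an added example (not Barracuda's implementation). The indicator feed, the host names and the DNS, connection and file events are all constructed for the demo, and the "malicious" SHA-256 is computed from a placeholder byte string rather than taken from any real sample. The domain check deliberately matches subdomains of a listed domain but not look-alikes, and connection events are matched against both single IPs and CIDR ranges; the output is the list of hosts an analyst would isolate.

```python
"""Match constructed DNS, connection and file events against a constructed IOC feed.

Added example, not Barracuda's or Datalink Networks' code. Feed values, hosts and
log lines are invented; the hash is of a placeholder byte string, not real malware.
"""
import hashlib
from ipaddress import ip_address, ip_network

# Constructed threat feed. A real one comes from a threat-intel platform or vendor API.
FEED = {
    "ip": {"198.51.100.23"},
    "cidr": [ip_network("203.0.113.0/28")],
    "domain": {"evil.example", "c2.bad.test"},
    "sha256": {hashlib.sha256(b"constructed placeholder sample").hexdigest()},
}

# Constructed event log, one key=value record per line (forward slashes keep it shell-neutral).
SAMPLE_EVENTS = "\n".join([
    "ts=2023-04-02T10:11:12Z host=ws-17 type=dns qname=cdn.evil.example.",
    "ts=2023-04-02T10:11:13Z host=ws-17 type=conn dst=198.51.100.23 dport=443",
    "ts=2023-04-02T10:12:00Z host=ws-04 type=file sha256=" + next(iter(FEED["sha256"]))
    + " path=/tmp/invoice.exe",
    "ts=2023-04-02T10:13:00Z host=ws-09 type=dns qname=notevil.example",
    "ts=2023-04-02T10:13:01Z host=ws-22 type=conn dst=203.0.113.7 dport=80",
    "ts=2023-04-02T10:14:00Z host=ws-30 type=dns qname=www.example.com",
    "ts=2023-04-02T10:15:00Z host=ws-30 type=conn dst=203.0.113.40 dport=443",
])


def parse_event(line):
    """Split 'k=v k=v ...' into a dict; values never contain spaces in this constructed format."""
    return dict(kv.split("=", 1) for kv in line.split())


def domain_matches(qname, bad):
    """True for the listed domain and any subdomain of it, never for look-alikes such as notevil.example."""
    q = qname.lower().rstrip(".")  # strip the trailing dot of a fully qualified query name
    return q == bad or q.endswith("." + bad)


def match_event(ev):
    """Return (indicator type, feed value) for the first indicator the event hits, or None."""
    kind = ev.get("type")
    if kind == "dns":
        for bad in FEED["domain"]:
            if domain_matches(ev["qname"], bad):
                return ("domain", bad)
    elif kind == "conn":
        dst = ev["dst"]
        if dst in FEED["ip"]:
            return ("ip", dst)
        addr = ip_address(dst)
        for net in FEED["cidr"]:
            if addr in net:
                return ("cidr", str(net))
    elif kind == "file":
        h = ev["sha256"].lower()
        if h in FEED["sha256"]:
            return ("sha256", h)
    return None


def scan(text):
    """Return [(host, ts, indicator type, value)] for every event that matches the feed."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        m = match_event(ev)
        if m:
            hits.append((ev["host"], ev["ts"], m[0], m[1]))
    return hits


def hosts_to_isolate(hits):
    """Distinct hosts that talked to or wrote a known-malicious artifact, sorted for the ticket."""
    return sorted({h[0] for h in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("isolate:", hosts_to_isolate(found))
```

On the constructed events ws-17 hits twice (a DNS query for a subdomain of a listed domain, then a connection to a listed IP), ws-04 wrote a file whose hash is on the feed, and ws-22 connected into a listed /28. ws-09 queried notevil.example, which a naive substring check would wrongly flag, and ws-30 is clean. Feed quality drives this detection: stale or over-broad indicators (a shared CDN IP, a parked domain) produce exactly the kind of alarm that burns analyst time.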


AI in attackers' control

It is important to note that while AI can greatly improve security measures, it can also be exploited by attackers for their own ends.

For instance, large language models can generate emails that closely match the style of a legitimate company, making it increasingly hard for recipients to distinguish genuine messages from phishing, account takeover, or BEC attempts.

Attackers can also use AI tools to automate and dynamically vary their behavior, making their attacks more effective and harder to detect.

As the technology advances, attackers keep finding new ways to exploit it. AI-assisted tooling can be used to adapt to a target's defenses, identify vulnerabilities, and learn from previous failed attempts to improve the next one. An example already being promoted on underground forums is "WormGPT," a generative AI tool marketed for writing phishing emails and malicious code without the safeguards of mainstream models.

Threat actors can use such a tool to automate the creation of malicious scripts and commands and adjust them to each target. Organizations must stay vigilant and take proactive measures against these evolving AI-assisted threats.

Security for a rapidly evolving threat landscape

To mitigate the risks of advancing AI, organizations should implement robust authentication, such as multifactor authentication and Zero Trust access policies, so that a stolen password alone is not enough to sign in. Continuous employee training, especially on recognizing phishing, is crucial.

IT security teams and external providers must stay informed about AI-powered threats, keep systems and software up to date, and maintain full visibility of the IT environment. Integrated security services and platforms, such as managed support, XDR, and round-the-clock SOC-as-a-service, monitor and respond to cyber threats on your behalf, keeping your assets protected.

Take the Next Steps with Datalink Networks:

In light of the insights shared, we invite you to take the next step in securing your digital assets. Explore our Managed XDR and 24x7 SOC-as-a-service options today.

Contact Datalink Networks for a personalized consultation. Our team of experts will assess your current security measures, address any vulnerabilities, and implement a robust cybersecurity strategy aligned with your organization's unique requirements.
