In the dynamic landscape of cybersecurity, our commitment to your digital safety remains unwavering. Over the first half of 2023, Barracuda Managed XDR diligently sifted through almost a trillion IT events from your integrated network, cloud, email, endpoint, and server security tools. Among these, thousands of high-risk incidents were detected and neutralized, thanks to the relentless efforts of our Managed XDR platform powered by AI-based account profiling. 

Identity Abuse: A Growing Concern

 

Identity abuse emerged as a prevalent threat during this six-month period, showcasing the increasing sophistication of attacks. The beauty lies in the fact that even the subtlest attempts, requiring expert analysis, were swiftly identified and thwarted by our AI-driven detection mechanisms.

In a work context, each individual possesses a distinctive digital fingerprint that encompasses their methods, locations, and timing. Should an IT incident deviate from these established parameters, a warning signal is raised. Even when the attacks are cunningly subtle, requiring the expertise of a skilled SOC analyst to confirm their malicious intent, our AI-based detection ensures the identification of such threats.

 

Every Event Matters: Unveiling the Numbers

 

From January to July 2023, Barracuda's Managed XDR platform diligently aggregated an astonishing 950 billion IT events from the various integrated security tools across customers' networks, clouds, emails, endpoints, and servers.

Security risks detected by Barracuda XDR

 

Out of the nearly one trillion events that Barracuda's Managed XDR platform diligently aggregated from various integrated security tools, only 0.1% (985,000) were classified as 'alarms' that required further investigation. These alarms encompassed a wide range of activities, including logins (both successful and unsuccessful), network connections, traffic flows, email messages and attachments, file creations and saves, application and device processes, configuration and registry changes, and any specific security warnings.

Of the flagged alarms, 1 in 10 (9.7%) were promptly brought to the attention of the customer for verification, while an additional 2.7% were identified as high risk and handed over to a SOC analyst for in-depth analysis. Out of these, 6,000 incidents demanded immediate defensive action to effectively contain and neutralize the potential threat.

 

The most frequently detected high-risk attacks.

Now, let's delve into the three most common high-risk detections during this period:

1. “Impossible travel” login events

Our Managed XDR identified and blocked numerous attempted Business Email Compromise (BEC) attacks through the detection of "impossible travel" login events. These occur when a user logs into a cloud account from two different locations in rapid succession, indicating a potential unauthorized access. Barracuda XDR detected and blocked hundreds of attempted BEC attacks by identifying impossible travel logins for Microsoft 365 accounts. 

For instance, a user logging in from California and then, just 13 minutes later, from Virginia raised an immediate red flag. The team quickly alerted the customer when they discovered that the IP used to log in from Virginia was not associated with a known VPN address, and the user did not typically log in from that location. The customer confirmed that this was an unauthorized login, and immediate action was taken to reset their passwords and log the rogue user out of all active accounts.

2. “Anomaly” detections

These detections uncover unexpected or uncommon behavior within a user's account. This may include infrequent or one-time login instances, atypical file access patterns, or an excessive number of account creations for an individual or organization. Such detections can signal a range of issues, including malware infections, phishing attacks, and insider threats. Should you come across an anomaly-style detection, it is crucial to investigate the account to determine the cause of the irregularity.

Barracuda XDR incorporates a Windows "rare hour for user" detection baseline, which identifies the login patterns of specific users and raises a flag when they log in at an unusual time. Since January 2023, the SOC team has issued more than 400 alerts for this type of activity.

3. Communication with known malicious artifacts

These detections uncover instances of communication with flagged or known malicious IP addresses, domains, or files. This could indicate a potential malware infection or a phishing attempt. If you come across any communication with a known malicious or suspicious artifact, it is crucial to immediately isolate the affected computer and conduct a thorough investigation into the infection.


AI in attackers' control

However, it is important to note that while AI can greatly improve security measures, it can also be exploited by malicious individuals for their own harmful intentions.

For instance, advanced AI language tools have the ability to generate emails that closely resemble the style of a legitimate company, making it increasingly challenging for individuals to distinguish between genuine emails and potential phishing attempts, account takeovers, or BEC attacks.

Furthermore, attackers can leverage AI tools to automate and dynamically mimic adversarial behaviors, enhancing the effectiveness of their attacks and making them even more difficult to detect.

As technology advances, malicious individuals are finding new ways to exploit AI for their harmful intentions. For instance, AI-powered command line utilities can quickly adapt to a target's defenses, identify vulnerabilities, and even learn from previous failed attempts to enhance future attacks. An example of such a tool is "WormGPT," which is already being promoted on underground forums.

Threat actors can utilize this tool to automate the creation of malicious scripts and commands, dynamically adjusting them to suit each specific target. It is crucial for organizations to stay vigilant and take proactive measures to mitigate these evolving AI-powered threats.

Security for a rapidly evolving threat landscape

To mitigate the potential risks of advancing AI, organizations should implement robust authentication measures like multifactor authentication or Zero Trust approaches. Continuous employee training, especially regarding phishing attacks, is crucial.

IT security teams and external providers must stay informed about AI-powered threats and maintain up-to-date systems and software for full visibility of the IT environment. Integrated security services and platforms, such as managed support, XDR, and round-the-clock SOC-as-a-service, are available to monitor and respond to cyber threats, ensuring the safety of assets.

Take the Next Steps with Datalink Networks:

In light of the insights shared, we invite you to take the next step in securing your digital assets. Explore our Managed XDR and 24x7 SOC-as-a-service options today.

Contact Datalink Networks for a personalized consultation. Our team of experts is ready to assess your current security measures, address any vulnerabilities, and implement a robust cybersecurity strategy that aligns with your organization's unique requirements. 

Managed Security Services

 

 
 

Contact Datalink Networks

4 min read

The power of remote security monitoring

Remote security monitoring is revolutionizing the way we protect our businesses. With advanced technology and real-time...

5 min read

Securing Your Cloud: Best Practices for Cloud Security in 2024

Uncover the essential tactics for achieving unparalleled security for your cloud infrastructure in 2024 while also...

7 min read

Preventing Email Spoofing: A Guide to DMARC Implementation

Did you know that 80% of organizations do not have DMARC policies set up? This makes it easy for hackers to spoof their...