Blumira in Ann Arbor, a cybersecurity provider of automated threat detection and response technology, has released its “2022 State of Detection and Response” report, which revealed identity-based attacks and living-off-the-land behaviors as top threats organizations faced in 2021.
The report, in which Blumira analyzed security detections across the log datasets of 230 organizations, states that the threat landscape is increasingly challenging, with ransomware, software supply chain attacks, data breaches, and more becoming an almost daily occurrence.
Attacker dwell time is also decreasing; ransomware attacks move quickly from initial compromise to infection and deployment.
“Organizations, especially small and medium-sized businesses, need help with faster detection and response to keep up with latest threats and protect against breaches,” says Jim Simpson, CEO of Blumira. “Expediting time to security for faster response is key to better overall security outcomes.”
According to the analysis, Blumira’s average time to detect a threat was 32 minutes, while the average time to respond (how quickly an organization closed out a finding) was 6 hours. Compared to the industry average, Blumira’s time to detect and time to respond are 99 percent faster.
Key research findings include:
Identity-based attacks surge: Access attempts were a common theme, as the pandemic forced many organizations to move to cloud services to support their remote employees. For organizations without a solid understanding of their exposed attack surface, moving to a cloud environment only highlighted that knowledge gap. Threat actors take advantage of those knowledge gaps by exploiting, misusing, or stealing user identities.
Attempts to authenticate to a honeypot, a fake login page designed to lure attackers, were Blumira’s number one finding of 2021. Identity-driven techniques accounted for three of Blumira’s top five findings (60 percent).
Cloud environments are particularly vulnerable to identity-based attacks such as credential stuffing, phishing, password spraying, and more. Rapid detection of these attacks can enable organizations to respond and contain an identity-based attack faster, helping stop an attack from progressing further.
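Password spraying is worth singling out because it is built to stay under per-account lockout thresholds: the attacker tries one or two common passwords against many accounts, so each account sees only a failure or two while the source accumulates failures across many distinct usernames. The detection below is an added example, not code from the report or from Blumira; it runs over a constructed, space-separated authentication log (timestamp, user, source, result) and distinguishes the spray pattern (many users, few failures each, one source) from classic brute force (one user, many failures), which is the opposite shape. The log lines, addresses, usernames and thresholds are all assumptions.

```python
"""Detect password spraying versus brute force over constructed auth log lines."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the report): "<ISO timestamp> <user> <source IP> <result>".
# 203.0.113.7 fails once against six different accounts (spray shape),
# 198.51.100.5 is a user mistyping a password twice then succeeding (benign),
# 192.0.2.9 hammers a single account (brute-force shape, not a spray).
SAMPLE_LOG = """\
2021-11-03T09:00:01Z alice 203.0.113.7 FAIL
2021-11-03T09:00:04Z bob 203.0.113.7 FAIL
2021-11-03T09:00:09Z carol 203.0.113.7 FAIL
2021-11-03T09:00:15Z dave 203.0.113.7 FAIL
2021-11-03T09:00:22Z erin 203.0.113.7 FAIL
2021-11-03T09:00:30Z frank 203.0.113.7 FAIL
2021-11-03T09:01:10Z grace 198.51.100.5 FAIL
2021-11-03T09:01:25Z grace 198.51.100.5 FAIL
2021-11-03T09:01:40Z grace 198.51.100.5 SUCCESS
2021-11-03T09:02:00Z admin 192.0.2.9 FAIL
2021-11-03T09:02:01Z admin 192.0.2.9 FAIL
2021-11-03T09:02:02Z admin 192.0.2.9 FAIL
2021-11-03T09:02:03Z admin 192.0.2.9 FAIL
2021-11-03T09:02:04Z admin 192.0.2.9 FAIL
2021-11-03T09:02:05Z admin 192.0.2.9 FAIL
"""


def parse_auth_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "result": result,
        })
    return events


def detect_password_spray(events, window_minutes=10, min_distinct_users=5,
                          max_fails_per_user=2):
    """Return {source: sorted users} for sources that fail against at least
    min_distinct_users accounts inside one window while no single account
    exceeds max_fails_per_user failures (the low-and-slow spray signature)."""
    window = timedelta(minutes=window_minutes)
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append((e["ts"], e["user"]))
    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window start over each failure
            per_user = Counter(u for t, u in fails[i:] if t - start <= window)
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_fails_per_user):
                alerts[src] = sorted(per_user)
                break
    return alerts


def detect_brute_force(events, window_minutes=10, min_fails=5):
    """Return {(source, user): failure count} for single accounts that take
    at least min_fails failures from one source inside one window."""
    window = timedelta(minutes=window_minutes)
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[(e["src"], e["user"])].append(e["ts"])
    alerts = {}
    for key, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= min_fails:
                alerts[key] = count
                break
    return alerts


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    print("spray:", detect_password_spray(evts))
    print("brute force:", detect_brute_force(evts))
```

The two detectors are deliberately complementary: a per-account lockout or brute-force rule alone never fires on the spraying source, because no account there fails more than once, and the spray rule ignores the single-account hammering. In production the source key would usually be widened beyond an IP address (for example user agent or ASN), since sprays are routinely distributed across many addresses.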
Living-off-the-land (LotL) techniques are a common threat: Research also observed usage of LotL techniques, which threat actors use to stealthily remain undetected in an environment. They do so by leveraging built-in Microsoft tools that make it appear as though they are legitimate users within an organization’s environment.
Among Blumira’s top findings were various instances of living-off-the-land techniques, including service execution with lateral movement tools, PsExec use, and potentially malicious PowerShell commands.
Taking place over days or weeks, these types of attacks can go undetected by endpoint detection and response (EDR) solutions that rely on the detection of known malicious tools. By that time, it may be too late — for example, when an attacker introduces malware into the environment.
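Because the tools involved are legitimate, the useful signal is behavioural rather than a file hash: a remote-execution tool such as PsExec installs a service on the target, and PowerShell launched with an encoded command and a hidden window is rarely how an administrator runs scripts. The triage routine below is an added example, not code from the report or from Blumira; it walks a constructed list of normalised Windows events (a service-install record, event ID 7045, and process-creation records, event ID 4688) and tags the ones matching those behaviours, while leaving a vendor agent install and a plain scheduled script alone. The hostnames, paths and event field names are assumptions about what a SIEM would expose.

```python
"""Tag living-off-the-land behaviour in constructed Windows event records."""
import base64
import re

# Constructed encoded payload: PowerShell's -EncodedCommand takes base64 of UTF-16LE text.
ENCODED = base64.b64encode("Get-Process".encode("utf-16le")).decode()

# Constructed sample events (not from the report). Field names are assumed.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "ws02", "event_id": 7045, "service_name": "BackupAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "ws03", "event_id": 4688,
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "ws04", "event_id": 4688,
     "command_line": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
]

# Common spellings of the switches; PowerShell accepts unambiguous prefixes.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
NOPROFILE_RE = re.compile(r"-nop(?:rofile)?\b", re.I)


def decode_encoded_command(command_line):
    """Recover the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return {host: sorted rule names} for events that show LotL behaviour."""
    hits = {}
    for e in events:
        rules = []
        if e["event_id"] == 7045:
            # PsExec-style remote execution installs a service on the target.
            blob = (e.get("service_name", "") + " " + e.get("image_path", "")).lower()
            if "psexesvc" in blob:
                rules.append("psexec_service_install")
        elif e["event_id"] == 4688:
            cmd = e.get("command_line", "")
            if "powershell" in cmd.lower():
                if ENCODED_RE.search(cmd):
                    rules.append("powershell_encoded_command")
                if HIDDEN_RE.search(cmd):
                    rules.append("powershell_hidden_window")
                if NOPROFILE_RE.search(cmd):
                    rules.append("powershell_no_profile")
        if rules:
            hits[e["host"]] = sorted(rules)
    return hits


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[2]["command_line"]))
```

Decoding the encoded command is what turns a bare alert into something an analyst can act on, since the base64 blob by itself says nothing about intent; here it decodes to the harmless constructed `Get-Process`, and in practice the decoded text is what gets reviewed or matched further.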
Microsoft 365 activity: Microsoft 365 is one of the most popular cloud productivity suites, and Blumira’s findings revealed patterns of Microsoft-related activity, including activity associated with password spraying, lateral movement, and business email compromise.