Top cyber threat detections of 2023 driven by AI advancements

Out of nearly a trillion customer IT events collected by Barracuda Managed XDR in the first half of 2023, 6,000 appeared to be high-risk.

The most common high-risk incident the team encountered involved identity abuse, which has become increasingly sophisticated, not least because of advances in AI.

Barracuda, a cybersecurity firm, outlined the three most common high-risk threat detections it found, so that security teams can mitigate the effects of these identity-abuse incidents.

1. Impossible travel login

Impossible travel refers to at least two attempted logins to a cloud account from geographically distinct locations that could not have been traversed within the time between the two logins. While it could simply mean a VPN was used for one of the logins, it can often mean that a threat actor is attempting to gain, or has already gained, access to a user’s account.

Investigating the IP address of each login can help determine whether a VPN was used or a different actor logged in, and the user can then confirm which login attempt was genuine.
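The impossible-travel rule described above, as an added illustration that is not Barracuda's code: it pairs each user's consecutive logins, computes the great-circle distance between them, and flags any pair whose implied speed exceeds a threshold. The login events, city coordinates and the 1,000 km/h threshold are constructed assumptions for the example.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: roughly airliner ground speed

# Constructed sample events (not Barracuda telemetry): user, UTC login time, city, lat, lon.
LOGINS = [
    ("alice", "2023-03-01T09:00:00Z", "London", 51.5074, -0.1278),
    ("alice", "2023-03-01T10:30:00Z", "New York", 40.7128, -74.0060),
    ("bob", "2023-03-01T08:00:00Z", "Berlin", 52.5200, 13.4050),
    ("bob", "2023-03-01T20:00:00Z", "Madrid", 40.4168, -3.7038),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins by the same user whose implied speed exceeds max_kmh.
    Returns (user, from_city, to_city, required_kmh) tuples. A hit is a lead for
    investigation (a VPN can explain it, as the text notes), not proof of compromise."""
    by_user = {}
    for user, ts, city, lat, lon in logins:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user.setdefault(user, []).append((when, city, lat, lon))

    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological, so each pair is "previous login -> next login"
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            distance = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if distance == 0:
                continue  # same place: trivially possible
            # Different places at the same instant are impossible at any speed.
            speed = math.inf if hours == 0 else distance / hours
            if speed > max_kmh:
                alerts.append((user, c1, c2, round(speed, 1)))
    return alerts

if __name__ == "__main__":
    for user, src, dst, kmh in find_impossible_travel(LOGINS):
        print(f"{user}: {src} -> {dst} would require {kmh} km/h")
```

In the sample data only alice is flagged: London to New York in 90 minutes implies roughly 3,700 km/h, while bob's Berlin to Madrid over 12 hours is well under the threshold.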

2. Anomaly detections

These refer to unusual activities in a user’s account that can be tracked by a security team, including log-in times, account creation, and different patterns for accessing files.

Barracuda claims that these unexpected activities could be signs of malware infections, insider threats, or phishing attacks, and should be investigated.

The team at Barracuda has said that their “rare hour for user” detection issued over 400 alerts since the start of 2023. With the continued integration of remote and flexible work, however, it may be more difficult to recognise ‘normal’ patterns for people’s work.

3. Communication with known malicious materials

Essentially, this is any communication with a known malicious IP address, file, or domain, which can be a sign of phishing or malware. This would call for immediate quarantining of a computer or device, Barracuda advises, until further investigation is done.

AI in Cyber

AI advancements can be used on both sides of the cybersecurity race, by threat actors and defence experts alike.

As large language models advance, adversaries are able to make their phishing attempts and social engineering more realistic and harder to identify.

AI can also be used to automate their malicious actions, making their attempts more effective, efficient, and harder to defend against.

“For example, command line utilities powered by AI can rapidly adapt to changes in a target’s defences, identify vulnerabilities, or even learn from previous failed attempts to improve subsequent attacks,” Merium Khalid, director of SOC offensive security at Barracuda said in a blog post.

WormGPT, a malicious version of ChatGPT, is already being used to replicate phishing scripts and create specifically targeted social engineering attempts.

To defend against these rapid advances, cybersecurity teams can apply their own emerging technology to threat detection, but remembering the basics is key.

Employing multifactor authentication, zero-trust approaches, and training employees remains vital, no matter how advanced the techniques of threat actors have become.
