Barracuda Networks has published new insights detailing how AI-driven pattern analysis is revolutionising cyber security, given its ability to detect abnormal account activity and thwart attackers leveraging legitimate credentials.
In the first half of 2023, Barracuda Managed XDR collected almost a trillion customer IT events, among which it detected and neutralised thousands of high-risk incidents.
During those six months, identity abuse was the most widely encountered category of high-risk incident. These attacks have become increasingly sophisticated over time; however, they were spotted and blocked by the Managed XDR platform using AI-based account profiling.
Barracuda highlights that in a work context, everyone has a distinctive digital profile covering how, where, and when they work. A red flag goes up if an IT event falls outside these pattern parameters. Even when an attack is subtle enough that an expert SOC analyst is needed to confirm malicious intent, AI-based detection is what surfaces the event for that review.
Between January and July 2023, Barracuda's Managed XDR platform collected 950 billion IT events from customers' integrated network, cloud, email, endpoint, and server security tools.
These events include everything from logins (both successful and unsuccessful), network connections, and traffic flows to email messages and attachments, files created and saved, application and device processes, changes to configuration and registry, and any specific security warnings.
0.1% of these events (985,000) were classed as 'alarms,' activity that could be malicious and required further investigation.
Out of these, 1 in 10 (9.7%) was flagged to the customer for checking, while a further 2.7% were classed as high risk and passed to a SOC analyst for deeper analysis. 6,000 required immediate defensive action to contain and neutralise the threat.
The three most common high-risk detections by Managed XDR and investigated by SOC analysts during the first six months of 2023 were:
1. "Impossible travel" login events
These occur when a detection shows a user is trying to log into a cloud account from two geographically different locations in rapid succession, with the distance between them impossible to cover in the time between logins. While this can mean they are using a VPN for one of the sessions, it is often a sign that an attacker has accessed a user's account.
Barracuda XDR's impossible travel detection for Microsoft 365 accounts detected and blocked hundreds of attempted business email compromise (BEC) attacks between January and July.
2. "Anomaly" detections
These detections identify unusual or unexpected activity in a user's account. This could include rare or one-off login times, unusual file access patterns, or excessive account creation for an individual user or organisation. Such detections can indicate various problems, including malware infections, phishing attacks, and insider threats.
Barracuda Managed XDR has a Windows "rare hour for user" detection baseline that recognises the sign-in patterns for a particular user and flags when that user logs in at an unusual time. The SOC team has issued over 400 alerts for this activity since January 2023.
3. Communication with known malicious artifacts
These detections identify communication with red-flagged or known malicious IP addresses, domains, or files. This can be a sign of a malware infection or a phishing attack.
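The first two detection types above, impossible travel and a "rare hour for user" baseline, as an added illustration that is not Barracuda's code and makes no claim about how Managed XDR implements them. The speed and distance thresholds, the coordinates, and every login event are constructed assumptions; real deployments would feed geo-IP-resolved sign-in logs and tune the thresholds per tenant.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass
class Login:
    user: str
    when: datetime   # naive UTC timestamp of the sign-in
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_kmh=900.0, min_km=50.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.
    min_km ignores geo-IP jitter; max_kmh is roughly airliner speed (assumed thresholds)."""
    alerts, last_seen = [], {}
    for ev in sorted(logins, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                kmh = km / hours if hours else float("inf")
                alerts.append({"user": ev.user, "km": round(km), "kmh": kmh})
        last_seen[ev.user] = ev
    return alerts

def rare_hour(history, candidate, min_seen=2):
    """True if the user has signed in fewer than min_seen times at this hour-of-day before."""
    past = (ev for ev in history if ev.user == candidate.user and ev.when < candidate.when)
    seen = Counter(ev.when.hour for ev in past)
    return seen[candidate.when.hour] < min_seen

# Constructed sample data (not real customer events).
T0 = datetime(2023, 3, 1, 9, 0)
LONDON, LAGOS, NYC = (51.51, -0.13), (6.52, 3.38), (40.71, -74.01)
SAMPLE_LOGINS = [
    Login("alice", T0, *LONDON),
    Login("alice", T0 + timedelta(minutes=30), *LAGOS),  # ~5000 km in 30 min
    Login("bob", T0 - timedelta(hours=1), *NYC),
    Login("bob", T0 + timedelta(hours=8), *NYC),          # same city, no alert
]
# 30 days of 09:00 sign-ins form alice's baseline; a 03:00 sign-in falls outside it.
ALICE_HISTORY = [Login("alice", T0 - timedelta(days=d), *LONDON) for d in range(1, 31)]
ODD_LOGIN = Login("alice", T0 + timedelta(days=1, hours=-6), *LONDON)  # 03:00 next day
```

Both detectors return only candidates for analyst review; a VPN exit node or a shifted on-call rota are the benign explanations the text notes, so the result is a triage queue, not an automatic block.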
Although AI can significantly enhance security and minimise high-risk detections, Barracuda says it can also be used for malicious purposes by attackers.
For example, generative AI language tools can create highly convincing emails that closely mimic a legitimate company's style, making it much more difficult for individuals to discern whether an email is legitimate or a phishing, account takeover, or BEC attempt.
Attackers will also likely use AI tools to automate and dynamically emulate adversarial behaviours, making their attacks more effective and harder to detect. For example, AI-powered command line utilities can rapidly adapt to changes in a target's defences, identify vulnerabilities, or even learn from failed attempts to improve subsequent attacks.
An early example of such a tool is "WormGPT," which is already being advertised on an underground forum and can be used by threat actors to automate the generation of malicious scripts and commands and adapt them dynamically to each specific target.
As AI advances, Barracuda warns that organisations must be aware of the potential risks and take steps to mitigate them.
Barracuda says this should involve robust authentication measures, such as multifactor authentication at a minimum, but ideally moving to Zero Trust approaches and continuous employee training, particularly with regard to phishing attacks.
IT security teams and their external security providers should also stay informed about the latest AI-powered threats and adapt their security posture. It is equally important to remember the basics: ensure that systems and software are kept up to date and that teams have complete visibility of the IT environment.
Barracuda recommends options for managed support, including XDR and round-the-clock (24×7) SOC-as-a-service to monitor, detect, and respond to cyber threats at any time of day or night, always keeping you and your assets safe.