Under the backdrop of ransomware, software supply chain attacks, data breaches, and more, a new Blumira report has found that identity-based attacks are the top threat organizations faced in 2021.
The 2022 State of Detection and Response Report analyzed Blumira’s security detections across log datasets of 230 organizations.
Unsurprisingly, access attempts were a common theme, as the pandemic forced many organizations to move to cloud services to support their remote employees. Moving to a cloud environment only highlighted the knowledge gap for organizations without a solid understanding of their exposed attack surface. Threat actors exploit those knowledge gaps by exploiting, misusing, or stealing user identities.
Attempts to authenticate into a honeypot, or a fake login page designed especially to lure attackers, was Blumira’s #1 finding of 2021. Identity-driven techniques accounted for three out of Blumira’s top five findings at 60%.
Cloud environments are particularly vulnerable to identity-based attacks such as credential stuffing, phishing, password spraying and more. Rapid detection of these attacks can enable organizations to respond and contain an identity-based attack faster, helping stop an attack from progressing further.
Research also observed the usage of living off the land (LotL) techniques, which threat actors use to stealthily remain undetected in an environment. They do so by leveraging built-in Microsoft tools that make it appear as though they are legitimate users within an organization’s environment.
Among Blumira’s top findings were various instances of living off the land techniques, including Service Execution with Lateral Movement Tools (#4), PsExec Use (#16), and Potentially malicious PowerShell command (#18).
Over days or weeks, these types of attacks can go undetected by endpoint detection and response (EDR) solutions that rely on the detection of known malicious tools. By that time, it may be too late — for example, when an attacker introduces malware into the environment.
To download the full report, click here.