According to Barracuda’s Managed XDR Global Threat Report, identity fraud and the abuse of access rights constitute a significant cyber risk. Anomalous Microsoft 365 logins and changes to admin rights often prove to be early warning signs of an attack.
Identity fraud and the abuse of admin rights are among the most significant cyber risks for organizations. This is according to Barracuda’s Managed XDR Global Threat Report, which is based on the analysis of a vast number of IT events. According to the report, anomalous Microsoft 365 logins and the manipulation of access rights are often the first indications that an attack is taking place.
Digital identities
The analysis shows that attackers are increasingly targeting digital identities. In 32 percent of cases, an anomalous Microsoft 365 login was the first sign of an attack. Additionally, ‘impossible travel’ was identified in 17 percent of incidents. This occurs when a user logs in from two locations within a short period that are physically too far apart to cover the distance in the time available.
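A minimal version of the ‘impossible travel’ check described above, as an added example that is not part of the report or this article: consecutive sign-ins by the same user are compared, and a pair is flagged when the great-circle distance between the two locations divided by the time between them exceeds a plausible speed. The sign-in records, coordinates and the 900 km/h threshold are constructed assumptions.

```python
# Added example, not from the Barracuda report: flag 'impossible travel' between
# consecutive Microsoft 365 sign-ins by the same user. All input data is constructed.
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 900.0  # assumed threshold: roughly the speed of a commercial flight

# Constructed sample sign-in events: (UTC timestamp, user, latitude, longitude)
SAMPLE_LOGINS = [
    ("2024-03-01T08:00:00", "alice", 52.37, 4.90),    # Amsterdam
    ("2024-03-01T08:45:00", "alice", 40.71, -74.01),  # New York, 45 minutes later
    ("2024-03-01T09:00:00", "bob", 48.86, 2.35),      # Paris
    ("2024-03-01T12:30:00", "bob", 51.51, -0.13),     # London, 3.5 hours later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates (haversine formula)."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))

def find_impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, implied_speed_kmh) for every consecutive pair of sign-ins by the
    same user that would require travelling faster than max_speed_kmh."""
    by_user = {}
    for ts, user, lat, lon in sorted(logins):  # ISO-8601 strings sort chronologically
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for user, events in by_user.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            distance = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours <= 0:
                # Two different places at the same instant: impossible, infinite speed
                if distance > 0:
                    alerts.append((user, float("inf")))
                continue
            speed = distance / hours
            if speed > max_speed_kmh:
                alerts.append((user, round(speed)))
    return alerts

if __name__ == "__main__":
    for user, speed in find_impossible_travel(SAMPLE_LOGINS):
        print(f"impossible travel: {user} would need to move at {speed} km/h")
```

Real deployments replace the constructed list with sign-in records from the identity provider's audit log and tune the threshold to tolerate VPN and mobile-carrier geolocation noise.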
According to Barracuda, stolen credentials play a major role in system breaches. After gaining initial access, attackers attempt to remain undetected within a network. They then try to obtain elevated access rights and disable security mechanisms.
Escalating privileges
Once attackers have access to a system, they often attempt to gain admin rights. With such privileges, they can, for example, disable security software or distribute ransomware.
Within Windows, 42 percent of cases involved a user being added to a high-privilege group, such as Domain Administrators. In cloud environments, a new user was added to the Microsoft 365 Global Administrator group in 16 percent of incidents.
Combination of attack techniques
The report also describes combinations of techniques that often occur together during attacks. For instance, PowerShell was used in 66 percent of incidents involving fileless malware. As a result, such attacks often remain undetected by traditional security scanners.
Password spraying is another commonly used technique. In 44 percent of firewall-related incidents, attackers tried large numbers of common passwords on known usernames. Additionally, 34 percent of incidents began with social engineering, where users are deceived into downloading malicious files.
The report also highlights issues with the configuration of security measures. In 94 percent of the cases investigated, the endpoint agent was found to be disabled. This results in a lack of visibility into what is happening on the device.
