Blumira Report Reveals Identity-based Attacks as Top Threat

Blumira, a leading cybersecurity provider of automated threat detection and response technology, releases today the 2022 State of Detection and Response Report, a research report that analyzed the company’s security detections across log datasets of 230 organizations. The report reveals identity-based attacks and living off the land behaviors as top threats organizations faced in 2021.

Blumira releases the report against the backdrop of an increasingly challenging threat landscape, with ransomware, software supply chain attacks, data breaches, and more becoming an almost daily occurrence. Attacker dwell time is also decreasing; ransomware attacks move quickly from initial compromise to infection/deployment.

“Organizations, especially small and medium-sized businesses, need help with faster detection and response to keep up with the latest threats and protect against breaches,” said Jim Simpson, CEO of Blumira. “Expediting time to security for faster response is key to better overall security outcomes.”

The analysis found that Blumira’s average time to detect a threat was 32 minutes, while the average time to respond, or how quickly an organization closed out a finding, was six hours. Compared to the industry average, Blumira’s time to detect and respond is 99 percent faster.

Among the key findings in the report are:

  • Identity-based attacks surged: Access attempts were a common theme, as the pandemic forced many organizations to move to cloud services to support their remote employees. For organizations without a solid understanding of their exposed attack surface, moving to a cloud environment highlighted that knowledge gap. Threat actors take advantage of those knowledge gaps by exploiting, misusing, or stealing user identities. Attempts to authenticate into a honeypot, or a fake login page designed to lure attackers, were Blumira’s number one finding of 2021. Identity-driven techniques accounted for three out of Blumira’s top five findings at 60 percent. Cloud environments are particularly vulnerable to identity-based attacks such as credential stuffing, phishing, password spraying and more. Rapid detection of these attacks can enable organizations to respond to and contain an identity-based attack faster, helping stop an attack from progressing further.
  • Living off the land techniques are a common threat: The research observed use of living off the land (LotL) techniques, which threat actors use to remain undetected in an environment. They do so by leveraging built-in Microsoft tools that make it appear as though they are legitimate users within an organization’s environment. Among Blumira’s top findings were instances of living off the land techniques, including Service Execution with Lateral Movement Tools (4), PsExec Use (16), and potentially malicious PowerShell command (18). Taking place over days or weeks, these types of attacks can go undetected by endpoint detection and response (EDR) solutions that rely on the detection of known malicious tools. By that time, it may be too late.
  • Microsoft 365 Activity: Microsoft 365 is one of the most popular cloud productivity suites, and Blumira’s findings revealed patterns of Microsoft-related activity, including activity associated with password spraying, lateral movement, and business email compromise.
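The three finding categories above (PsExec-style service execution, potentially malicious PowerShell, and password spraying against identities) can each be expressed as a simple detection over Windows event data. The following is an added illustration written for this page, not Blumira’s detection logic or any code from the report; the event records, field names (`id`, `host`, `service`, `image`, `cmdline`, `src_ip`, `user`), thresholds and rule names are constructed assumptions chosen to mirror the finding names in the text.

```python
"""Toy detections for the finding categories named in the report.
All events below are constructed sample data in a simplified
Windows-event-like shape; nothing here is Blumira telemetry or code."""
import base64
import re
from collections import defaultdict

# Constructed sample events (assumed field names, not a real log schema).
SAMPLE_EVENTS = [
    # Service installs (assumed to map to Windows System event 7045).
    {"id": 7045, "host": "srv01", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 7045, "host": "srv01", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    # Process creations (assumed to map to Security event 4688).
    {"id": 4688, "host": "ws07",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("Get-Process".encode("utf-16-le")).decode()},
    {"id": 4688, "host": "ws07",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
] + [
    # One source failing logons against twelve distinct accounts (spray pattern).
    {"id": 4625, "host": "dc01", "src_ip": "203.0.113.5", "user": f"user{i}"}
    for i in range(12)
] + [
    # One user mistyping a password three times (benign noise).
    {"id": 4625, "host": "dc01", "src_ip": "198.51.100.9", "user": "alice"}
    for _ in range(3)
]

PSEXEC_RE = re.compile(r"psexe(svc|c)", re.IGNORECASE)
ENCODED_RE = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def detect_psexec_service(event):
    """Flag a service install whose name or binary looks like the PsExec service."""
    if event.get("id") != 7045:
        return None
    if PSEXEC_RE.search(event.get("service", "")) or PSEXEC_RE.search(event.get("image", "")):
        return {"rule": "PsExec Use", "host": event["host"], "detail": event["service"]}
    return None


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_encoded_powershell(event):
    """Flag PowerShell launched with an encoded command and surface the decoded text."""
    if event.get("id") != 4688 or "powershell" not in event.get("image", "").lower():
        return None
    decoded = decode_encoded_command(event.get("cmdline", ""))
    if decoded is None:
        return None
    return {"rule": "potentially malicious PowerShell command",
            "host": event["host"], "detail": decoded}


def detect_password_spray(events, min_accounts=10):
    """Flag a single source with failed logons against many distinct accounts."""
    targets = defaultdict(set)
    for e in events:
        if e.get("id") == 4625:
            targets[e["src_ip"]].add(e["user"])
    return [{"rule": "Password spraying", "host": ip,
             "detail": f"{len(users)} distinct accounts"}
            for ip, users in targets.items() if len(users) >= min_accounts]


def run_detections(events):
    """Run the per-event rules plus the aggregate spray rule; return all findings."""
    findings = []
    for e in events:
        for rule in (detect_psexec_service, detect_encoded_powershell):
            hit = rule(e)
            if hit:
                findings.append(hit)
    findings.extend(detect_password_spray(events))
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f["rule"], "|", f["host"], "|", f["detail"])
```

The spray rule is deliberately an aggregate over the whole batch rather than a per-event check, because the signal is the count of distinct accounts per source, not any single failed logon; the `min_accounts` threshold is an assumed tuning knob, not a value from the report.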

Investing in solutions that provide faster time to detect and respond, including initial deployment, can result in lower costs for organizations. In keeping with market needs, Blumira recently launched a free, self-service cloud security information and event management (SIEM) for Microsoft 365, and new paid editions that enable IT teams of all sizes to close security gaps and achieve rapid time to security.

To download the full report, click here.

Blumira will be exhibiting and offering demos of the free edition June 6-9, at booth #3222 in the South Expo Hall at the 2022 RSA Conference, located at the Moscone Center in San Francisco. Also, Blumira’s Lead Incident Detection Engineer, Amanda Berlin, is speaking in two sessions at RSAC.

For more information about Blumira, please visit https://www.blumira.com.