Barracuda XDR Insights: How AI learns your patterns to protect you

In the first half of 2023, Barracuda Managed XDR collected almost a trillion customer IT events, among which it detected and neutralized thousands of high-risk incidents.

During those six months, the most widely encountered high-risk incidents — threats that require immediate defensive action — involved some kind of identity abuse. These kinds of attacks have become increasingly sophisticated over time, but they were spotted and blocked by the Managed XDR platform with the aid of AI-based account profiling.

In a work context, everyone has a distinctive digital profile in terms of how, where, and when they work. If an IT event falls outside these pattern perimeters, a red flag goes up — and even when the attacks are so subtle and devious that it takes an expert SOC analyst to confirm the malicious intent, the AI-based detection ensures this happens.

From everyday event to urgent action

Between January and July 2023, Barracuda’s Managed XDR platform collected 950 billion IT events from customers’ integrated network, cloud, email, endpoint, and server security tools.

Security risks detected by Barracuda XDR

These nearly one trillion events include everything from logins (both successful and unsuccessful), network connections, and traffic flows, to email messages and attachments, files created and saved, application and device processes, changes to configuration and registry, and any specific security warnings.

0.1% of these events (985,000) were classed as ‘alarms’: activity that could be malicious and required further investigation.

Out of these, 1 in 10 (9.7%) were flagged to the customer for checking, while a further 2.7% were classed as high risk and passed to a SOC analyst for deeper analysis. 6,000 required immediate defensive action to contain and neutralize the threat.

The most frequently detected high-risk attacks

The three most common high-risk detections by Managed XDR and investigated by SOC analysts during the first six months of 2023 were:

1. “Impossible travel” login events

These occur when a detection shows a user trying to log into a cloud account from two geographically distant locations in rapid succession, with the distance between them impossible to cover in the time between the logins. While this can simply mean the user was connected through a VPN for one of the sessions, it is often a sign that an attacker has gained access to the user’s account. Impossible travel logins should always be investigated.

Barracuda XDR’s impossible travel detection for Microsoft 365 accounts detected and blocked hundreds of attempted business email compromise (BEC) attacks between January and July.

In one incident investigated by the SOC team, a user logged into their Microsoft 365 account from California, and then just 13 minutes later from Virginia. To physically achieve this, they would have to travel at a speed exceeding 10,000 miles per hour. The IP used to log in from Virginia was not associated with a known VPN address, and the user did not normally log in from this location. The team notified the customer who confirmed that this was an unauthorized login, immediately reset their passwords, and logged the rogue user out of all active accounts.
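The check described above can be reproduced from login telemetry alone: group logins by user, order them by time, and compute the speed a person would need to cover the great-circle distance between consecutive login locations. The following is an added example, not Barracuda’s detection code; the coordinates, timestamps, IP addresses and the 600 mph plausibility threshold are constructed assumptions, and the Sacramento-to-Richmond pair mirrors the California-to-Virginia incident in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
# Assumption: nothing a legitimate user rides is faster than a jet airliner.
MAX_PLAUSIBLE_MPH = 600.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime      # timezone-aware timestamp of the successful sign-in
    lat: float        # geolocated source coordinates (from IP geolocation)
    lon: float
    ip: str


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in miles between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def implied_speed_mph(a: Login, b: Login) -> float:
    """Speed required to travel between two logins in the time between them."""
    hours = abs((b.ts - a.ts).total_seconds()) / 3600.0
    distance = haversine_miles(a.lat, a.lon, b.lat, b.lon)
    if hours == 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def impossible_travel(logins, known_vpn_ips=frozenset(), max_mph=MAX_PLAUSIBLE_MPH):
    """Return one finding per consecutive login pair that exceeds max_mph.

    A VPN exit address on either side is recorded, not suppressed: the analyst
    still wants to see it, but it lowers the priority of the finding.
    """
    by_user = {}
    for login in sorted(logins, key=lambda l: l.ts):
        by_user.setdefault(login.user, []).append(login)

    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            speed = implied_speed_mph(prev, cur)
            if speed > max_mph:
                findings.append({
                    "user": user,
                    "from_ip": prev.ip,
                    "to_ip": cur.ip,
                    "minutes_apart": round((cur.ts - prev.ts).total_seconds() / 60),
                    "speed_mph": round(speed),
                    "vpn_involved": prev.ip in known_vpn_ips or cur.ip in known_vpn_ips,
                })
    return findings


# Constructed sample: Sacramento, CA then Richmond, VA thirteen minutes later.
T0 = datetime(2023, 3, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login("alice", T0, 38.58, -121.49, "198.51.100.10"),                        # Sacramento
    Login("alice", T0 + timedelta(minutes=13), 37.54, -77.43, "203.0.113.77"),  # Richmond
    Login("bob", T0, 38.58, -121.49, "198.51.100.11"),                          # Sacramento
    Login("bob", T0 + timedelta(hours=6), 37.54, -77.43, "203.0.113.78"),       # a real flight
]


def detect_sample(known_vpn_ips=frozenset()):
    return impossible_travel(SAMPLE_LOGINS, known_vpn_ips)


if __name__ == "__main__":
    for finding in detect_sample():
        print(finding)
```

For the constructed pair the implied speed comes out a little under 11,000 mph, matching the “exceeding 10,000 miles per hour” figure in the incident, while bob’s six-hour gap implies roughly 400 mph and produces no finding. In production the geolocation step is the weak link: corporate proxies, mobile carriers and VPN exits all move a user hundreds of miles on paper, which is why the example carries the VPN flag through to the finding rather than discarding the event.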

2. “Anomaly” detections

These detections identify unusual or unexpected activity in a user’s account. This could include things like rare or one-off login times, unusual file access patterns, or excessive account creation for an individual user or organization. Such detections can be a sign of a variety of problems, including malware infections, phishing attacks, and insider threats. If you see an anomaly-style detection, you should investigate the account to see what caused the anomaly.

Barracuda XDR has a Windows “rare hour for user” detection baseline that learns the sign-in patterns of a particular user and flags when that user logs in at an unusual time. The SOC team has issued over 400 alerts for this kind of activity since January 2023.
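A “rare hour for user” baseline is, at its core, a per-user histogram of sign-in hours and a rule for when an hour counts as rare. The block below is an added illustration of that idea, not the Managed XDR implementation; the four-week login history, the 20-login minimum before alerting and the 2% rarity threshold are constructed assumptions, and timestamps are taken to be in the user’s local time zone.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumptions: refuse to alert on a user with fewer than MIN_HISTORY prior
# sign-ins, and call an hour "rare" when it accounts for under RARE_FRACTION
# of that user's baseline.
MIN_HISTORY = 20
RARE_FRACTION = 0.02


def build_baseline(events):
    """events: iterable of (user, datetime). Returns {user: Counter(hour -> count)}."""
    baseline = defaultdict(Counter)
    for user, ts in events:
        baseline[user][ts.hour] += 1
    return baseline


def baseline_size(baseline, user) -> int:
    return sum(baseline.get(user, Counter()).values())


def is_rare_hour(baseline, user, ts, min_history=MIN_HISTORY, rare_fraction=RARE_FRACTION) -> bool:
    """True when ts.hour is almost never seen for this user and enough history exists.

    A user with too little history is never flagged: without a baseline every
    hour looks rare, and the SOC would drown in alerts for new starters.
    """
    total = baseline_size(baseline, user)
    if total < min_history:
        return False
    return baseline[user][ts.hour] / total < rare_fraction


def evaluate(baseline, logins):
    """Score a batch of (user, datetime) sign-ins against the baseline."""
    return [
        {"user": user, "hour": ts.hour, "rare": is_rare_hour(baseline, user, ts)}
        for user, ts in logins
    ]


# Constructed history: alice signs in at 08:30 and 13:05 every weekday for four
# weeks (40 events); bob is a new starter with three sign-ins.
START = datetime(2023, 1, 2)  # a Monday
HISTORY = []
for day in range(28):
    d = START + timedelta(days=day)
    if d.weekday() < 5:
        HISTORY.append(("alice", d.replace(hour=8, minute=30)))
        HISTORY.append(("alice", d.replace(hour=13, minute=5)))
HISTORY += [("bob", START.replace(hour=9)), ("bob", START.replace(hour=10)),
            ("bob", START.replace(hour=23))]

NEW_LOGINS = [
    ("alice", datetime(2023, 1, 30, 3, 15)),   # 03:15, never seen before
    ("alice", datetime(2023, 1, 30, 8, 30)),   # normal morning sign-in
    ("bob", datetime(2023, 1, 30, 2, 0)),      # too little history to judge
]


def evaluate_sample():
    return evaluate(build_baseline(HISTORY), NEW_LOGINS)


if __name__ == "__main__":
    for result in evaluate_sample():
        print(result)
```

The minimum-history guard is the part practitioners most often forget: a fresh account has an empty histogram, so every sign-in is “rare” until the guard suppresses it. The other common pitfall is time zones: the histogram must be built in the user’s local time, or a travelling employee and a daylight-saving change both register as anomalies.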

3. Communication with known malicious artifacts

These detections identify communication with red-flagged or known malicious IP addresses, domains, or files. This can be a sign of a malware infection or a phishing attack. If you see communication with a known malicious or suspicious artifact, you should immediately quarantine the computer and investigate the infection.

AI in attackers’ hands

While the above shows how AI can significantly enhance security, it can also be used for malicious purposes by attackers.

For example, generative AI language tools can create highly convincing emails that closely mimic a legitimate company’s style, making it much more difficult for individuals to discern whether an email is legitimate or a phishing, account takeover, or BEC attempt.

AI tools are also likely to be used by attackers to automate and dynamically emulate adversarial behaviors, making their attacks more effective and harder to detect.

For example, command line utilities powered by AI can rapidly adapt to changes in a target’s defenses, identify vulnerabilities, or even learn from previous failed attempts to improve subsequent attacks. An early example of such a tool is “WormGPT,” which is already being advertised on an underground forum and can be used by threat actors to automate the generation of malicious scripts and commands and adapt them dynamically to each specific target.

Security for a rapidly evolving threat landscape

As AI continues to advance, organizations need to be aware of the potential risks and take steps to mitigate them.

This should involve robust authentication measures, such as multifactor authentication at a minimum but ideally moving to Zero Trust approaches, and continuous employee training, particularly with regard to phishing attacks.

IT security teams and their external security providers should try to stay informed about the latest AI-powered threats and adapt their security posture. But it’s equally important to remember the basics — ensure that systems and software are kept up to date and that you have full visibility of the IT environment.

If this sounds complex and resource-intensive, don’t worry. There is a growing industry-wide approach toward integrated security services and platforms. There are now excellent options available for managed support, XDR, and round-the-clock (24×7) SOC-as-a-service to monitor, detect, and respond to cyberthreats at any time of day or night, always keeping you and your assets safe.

This post originally appeared on Smarter MSP.
