Identity threats dominate

New report details investigative findings and resilience recommendations, providing strategic guidance for security operators.


Expel, a leading managed detection and response (MDR) provider, has released the Expel Annual Threat Report 2024: cybersecurity insights, resilience recommendations, and predictions. Now in its third iteration, the report analyzes the patterns and trends the Expel security operations center (SOC) and threat intelligence team investigated throughout 2023 and translates them into actionable, strategic guidelines for operators and organizations in any industry.

“While data drives the trends detailed in this report, it is the intuition that human teams bring to the fight that makes this resource so valuable,” said Daniel Clayton, VP, Security Operations at Expel. “We know that our analysts, empowered by the right technology and effective processes, bring a level of unparalleled expertise to the table that allows them to protect diverse and varied customers. We hope the intel in this report helps other operators, as collaborative information sharing is the best weapon we have to improve security operations and topple our common adversaries.”

Here are some highlights from the report:

Identity threats dominate three years in a row. Identity-based incidents accounted for 64% of all incidents our SOC investigated—a volume increase of 144% from 2022 to 2023. Sixty-nine percent of identity-based incidents involved malicious logins from suspicious infrastructure, that is, hosting providers or proxies that aren’t expected for a given user or organization—a trend we’ve noted in past years and one we expect to continue.
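The "suspicious infrastructure" finding above maps directly onto a baseline check a SOC can run over its own sign-in logs. The following is an added example, not code from the report or from Expel: it flags successful sign-ins from hosting or proxy ASNs that the user has never used before, and rates them higher when the organization as a whole has never used that ASN either. The ASN labels and sign-in events are constructed placeholders.

```python
from collections import defaultdict, namedtuple

# Constructed ASN-to-category map (placeholder ASNs, not real data); in practice
# an IP/ASN enrichment feed supplies the hosting and proxy labels.
ASN_CATEGORY = {
    "AS64500": "isp",      # residential ISP
    "AS64501": "isp",
    "AS64510": "hosting",  # VPS / cloud hosting provider
    "AS64511": "proxy",    # commercial proxy / anonymizer
}
SUSPICIOUS = {"hosting", "proxy"}

SignIn = namedtuple("SignIn", "ts user asn success")

def build_baseline(history):
    """ASNs seen in prior successful sign-ins, per user and org-wide."""
    per_user, org = defaultdict(set), set()
    for ev in history:
        if ev.success:
            per_user[ev.user].add(ev.asn)
            org.add(ev.asn)
    return per_user, org

def flag_suspicious_logins(history, new_events):
    """Alert on successful sign-ins from hosting/proxy ASNs the user has never
    used; severity is 'high' when the organization has never used them either."""
    per_user, org = build_baseline(history)
    alerts = []
    for ev in new_events:
        category = ASN_CATEGORY.get(ev.asn, "unknown")
        if not ev.success or category not in SUSPICIOUS:
            continue
        if ev.asn in per_user[ev.user]:
            continue  # expected infrastructure for this user
        alerts.append({"user": ev.user, "asn": ev.asn, "category": category,
                       "severity": "medium" if ev.asn in org else "high",
                       "ts": ev.ts})
    return alerts

# Constructed sample sign-in events.
HISTORY = [
    SignIn("2023-11-01T08:00:00Z", "alice", "AS64500", True),
    SignIn("2023-11-02T08:05:00Z", "bob", "AS64501", True),
    SignIn("2023-11-03T09:00:00Z", "carol", "AS64510", True),  # org already uses this hosting ASN
]
NEW = [
    SignIn("2023-11-10T03:12:00Z", "alice", "AS64511", True),  # proxy, new to user and org
    SignIn("2023-11-10T03:15:00Z", "bob", "AS64510", True),    # hosting, new to bob, known to org
    SignIn("2023-11-10T03:20:00Z", "alice", "AS64500", True),  # home ISP, expected
    SignIn("2023-11-10T03:25:00Z", "bob", "AS64511", False),   # failed attempt, not alerted here
]
```

Calling `flag_suspicious_logins(HISTORY, NEW)` yields two alerts: a high-severity one for alice's proxy login and a medium-severity one for bob's login from a hosting ASN the org already uses; failed attempts and residential ISP logins produce nothing.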

Cloud infrastructure incidents trend up, with secret exposure (stolen or leaked credentials) as the biggest and most frequent risk. The Expel SOC noted a 72% increase in cloud infrastructure incidents, roughly consistent with what we saw in the previous year and continuing the upward trend since we began support for cloud infrastructure. Ninety-six percent of those incidents occurred in Amazon Web Services (AWS), and the remaining 4% were split evenly between Google Cloud Platform (GCP) and Microsoft Azure. While fewer of our cloud customers use GCP and Azure, this skew is also likely due to the larger body of AWS security research and auditing tools available for attackers to abuse.

More than half of all malware incidents presented an immediate, significant risk. Pre-ransomware accounted for 57% of the malware incidents our SOC investigated. The most frequent malware cases that we classified as pre-ransomware—Gootloader (17%), Qakbot (12%), and SocGholish (11%)—were also the top pre-ransomware threats we reported on in both 2021 and 2022. The skilled actors behind these threats have been active for a while, and they aren’t slowing down.

The rise of QR code phishing: Expel analysts noted a rise in the abuse of QR codes for phishing in 2023. When a lure carries a URL, the user visits the malicious domain from the org’s managed endpoint, giving operators the opportunity to block the connection with multiple technologies. With a QR code, however, the activity moves off the workstation and onto the user’s mobile device, out of reach of those controls—making this an attractive technique for attackers.

“Expel’s operators face off against some of the most sophisticated cyber threats across industries, granting them front-line visibility into how these attacks and attackers constantly shift and evolve,” said Dave Merkel, co-founder and CEO at Expel. “It’s our responsibility to share the knowledge gleaned from our analysts’ daily experiences with the larger security community as we fight the good fight, together.”
