Cybersecurity in 2023: An uptick in severe cyberattacks highlighted the importance of enhanced defenses and constant vigilance.
Identity compromise dominated 2023’s cyberthreats, urging a shift towards AI-enhanced security measures.
Stronger authentication and cybersecurity training are critical after a sophisticated spate of cyberthreats in 2023.
Throughout 2023, Barracuda XDR and its dedicated SOC analysts sifted through nearly two trillion cybersecurity events. Their relentless scrutiny unveiled tens of thousands of potential high-risk security threats, safeguarding countless networks from intrusion.
A 2023 cybersecurity overview
The year’s analysis by security experts highlighted the predominant XDR threats. Their research unveiled the tactics attackers employed in their unsuccessful attempts to infiltrate networks. Techniques ranged from business email compromise to deploying malicious code and exploits, showcasing the diverse arsenal used by cybercriminals.
It’s crucial to understand that XDR and similar defensive security measures are designed to identify, alert, and thwart potential intruders preemptively. This proactive defense often stops attacks before their intended harm can be realized, leaving the ultimate goal of these thwarted attacks, such as deploying ransomware, unknown.
The trend in 2023 saw a noticeable uptick in high-severity attacks. Specifically, 66,000 threats warranted escalation to SOC analysts for further investigation, with an additional 15,000 posing immediate threats that required swift defensive actions. Notably, the frequency of such threats surged during the latter months of the year, especially from October through December, coinciding with peak online shopping periods and holiday seasons—when attackers likely see increased opportunities due to higher online activity and potentially reduced vigilance from IT staff.
In one high-profile instance, HTC Global Services, a key IT and business consulting player, confirmed a cyberattack orchestrated by the ALPHV ransomware group, which began leaking sensitive data online. HTC Global Services, catering to industries like healthcare, automotive, manufacturing, and finance, promptly responded with a public acknowledgment via the social media platform X, emphasizing its commitment to resolving the issue and safeguarding user data integrity.
This cyberattack disclosure followed the ALPHV group’s public taunt, showcasing stolen data, including personal and sensitive information, and highlighting the tangible risks of such security breaches.
Similarly, Sony faced a ransomware dilemma with its Insomniac Games division, falling victim to a Rhysida ransomware attack. This incident led to a significant data breach, prompting Insomniac Games to alert employees about their compromised personal information.
Since its acquisition by Sony in August 2019, Insomniac Games has been a pivotal component of Sony Interactive Entertainment’s PlayStation Studios. It has been at the forefront of developing major titles like Marvel’s Spider-Man 2 for PlayStation 5 and is currently developing Marvel’s Wolverine.
Sony’s December announcement of an ongoing investigation into the breach by the Rhysida group underscored the severity of the attack, which resulted in over 1.3 million files being stolen. The refusal to meet the ransom demand led to the public leak of 1.67 TB of internal documents, profoundly impacting the studio’s team and revealing extensive personal and contractual information.
This leak, including previews of the upcoming Wolverine game, represents a significant violation of privacy and security, with Rhysida boasting about leaking 98% of the stolen data after allegedly selling the rest.
The analysis also highlighted a secondary peak in June, a prime holiday season for many, further underscoring the opportunistic nature of cyberattackers. These patterns, first identified in 2022, reaffirm the heightened risk during periods when potential victims are likely to be less vigilant, emphasizing the need for constant and robust cybersecurity measures.
High severity threats 2023. (Source – Barracuda).
The rise of identity compromise in cybersecurity
In 2023, the primary focus of XDR detections revolved around various forms of identity misuse, leading to compromised accounts. These detections highlighted activities such as unusual login patterns, brute force attacks, and attempts to disable multifactor authentication.
An alert for uploading a suspicious executable file might suggest that attackers are attempting to transfer additional malicious tools or malware from a controlled external source, like a command-and-control server, into a breached account.
Endpoint threat detections are initiated by Barracuda’s Managed XDR Endpoint Security whenever a potential threat is identified within a system. These critical alerts require immediate communication with the client for further investigation, regardless of whether the threat was successfully neutralized. This process is vital for determining how the malicious entity was initially executed.
The scope of these detections spans a broad range of severity, from low-risk to overtly malicious, including potentially unwanted applications, adware, spyware, and more severe threats like ransomware and backdoors. Each type demands a specific strategy for identification and remediation.
Barracuda XDR uses AI and machine learning for enhanced detection capabilities, particularly in identifying suspicious login activities. These AI-driven rules analyze patterns and establish a user’s typical behavior, flagging any deviations for immediate review.
Suspicious login activity. (Source – Barracuda).
One such AI tool, the “Impossible Travel” detection rule, identifies logins from locations improbably far apart within a short time frame, indicating potential account compromise. For instance, Barracuda XDR recorded an example where a login occurred in Iowa, followed by another in Moscow just over an hour later, suggesting an impossible travel speed.
The “Rare User Log-in” detection rule aims to identify logins using unusual or inactive usernames, potentially signaling unauthorized access by an intruder exploiting dormant accounts or creating new ones for persistent access.
Similarly, the “Rare Hour for User” detection rule flags logins at atypical times for a user, which could indicate unauthorized access from different time zones or outside of normal working hours.
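The “Impossible Travel” rule described above comes down to a great-circle distance divided by the time between two sign-ins. The following is an added illustration, not Barracuda’s code; the 1,000 km/h plausibility threshold, the event schema and the sample coordinates are assumptions, and the events are constructed rather than real telemetry.

```python
"""Impossible-travel check over constructed sign-in events (illustrative, not Barracuda's rule)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: a little above airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, km, hours, kmh) for each pair of consecutive logins by the same
    user that would require travelling faster than max_kmh.
    events: dicts with keys user, ts (ISO 8601 with offset), lat, lon (assumed schema)."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda ev: (ev["user"], ev["ts"])):
        prev = last_seen.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            # Two logins in the same second from distinct places are still impossible:
            # avoid dividing by zero and treat any real displacement as infinite speed.
            kmh = km / hours if hours > 0 else (float("inf") if km > 1 else 0.0)
            if kmh > max_kmh:
                alerts.append((e["user"], round(km, 1), round(hours, 2), round(kmh, 1)))
        last_seen[e["user"]] = e
    return alerts


# Constructed sample events; coordinates are approximate city centroids.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2023-11-14T09:02:00+00:00", "lat": 41.59, "lon": -93.62},  # Des Moines, Iowa
    {"user": "alice", "ts": "2023-11-14T10:10:00+00:00", "lat": 55.76, "lon": 37.62},   # Moscow, 68 min later
    {"user": "bob",   "ts": "2023-11-14T08:00:00+00:00", "lat": 41.59, "lon": -93.62},  # Des Moines
    {"user": "bob",   "ts": "2023-11-14T11:00:00+00:00", "lat": 40.71, "lon": -74.01},  # New York, 3 h later
    {"user": "carol", "ts": "2023-11-14T12:00:00+00:00", "lat": 51.51, "lon": -0.13},   # London
    {"user": "carol", "ts": "2023-11-14T12:30:00+00:00", "lat": 51.51, "lon": -0.13},   # London again
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", alert)  # only alice (Iowa -> Moscow) is flagged
```

In production the geolocation step should allow for VPN and cloud egress addresses, which otherwise produce the same signature as a compromised account.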
Barracuda XDR’s Intrusion Detection System (IDS) meticulously monitors network traffic, identifying suspicious activities and threats. This system is crucial for spotting both overt and subtle signs of cyberattacks, including malware distribution and other security breaches.
Analysis of top IDS detections in 2023 underscores a continuous trend of attackers exploiting unpatched vulnerabilities and weaknesses, emphasizing the importance of diligent network security updates.
Despite being decades old, Shellshock bugs remain a top detection, indicating that many systems are still vulnerable. Similarly, exploits against the Log4Shell vulnerability persist, likely due to the widespread integration of Log4j in software, making mitigation efforts challenging for many organizations.
Reflection on the 2023 cybersecurity strategy and future
Merium Khalid, director of SOC offensive security at Barracuda XDR, emphasizes the importance of understanding cyberattackers’ behaviors and strategies. Khalid observes, “Our data for 2023 shows that attackers are launching more high-severity attacks overall, and especially during times when IT teams are away from the workplace or less attentive, such as during holidays, outside working hours, during the night, and at weekends.”
Khalid further notes that a common goal among these attacks is to breach accounts through identity compromise. With attackers increasingly utilizing AI to enhance the volume, velocity, and complexity of their efforts, Khalid warns of an intensification of these trends. It’s imperative for security teams to arm themselves with equally advanced and effective security solutions.
To counteract these threats, Barracuda advocates for the adoption of stringent authentication and access management practices. This includes, at a minimum, the implementation of multifactor authentication, with a preference for transitioning towards zero trust architectures. Complementing this with diligent patch management, data security strategies, and regular cybersecurity education for all staff members is also advised.
Such measures should be part of a comprehensive security strategy that incorporates cutting-edge security technologies. This strategy should be supported by professional analysis and continuous security monitoring by a 24/7/365 SOC to detect and respond to any potential threats or anomalies that might otherwise go unnoticed.
As a tech journalist, Zul focuses on topics including cloud computing, cybersecurity, and disruptive technology in the enterprise industry. He has expertise in moderating webinars and presenting content on video, in addition to having a background in networking technology.