Expel Quarterly Threat Report: Cybersecurity data, trends, and recs from Q1 2022

· 3 MIN READ · JONATHAN HENCINSKI · MAY 20, 2022 · TAGS: Cloud security / MDR / Tech tools

The monthly attack vector reports you know and (hopefully) love got a makeover! Since July 2021, our security operations center (SOC) has brought you monthly reports that dig into the biggest threats we saw across the incidents we investigate for our customers.

Now, we’re changing things up a bit.

The new Expel Quarterly Threat Report provides even more data on what we’re seeing, detection opportunities, and resilience recs to help protect your organization — now on a quarterly basis. (Sort of a zoomed-in version of our Great eXpeltations annual report.)

The trends in this quarterly report — and the reports to come — are based on incidents the Expel SOC team identified through investigations into alerts, email submissions, or hunting leads from the first quarter (Q1) of 2022 (January 1 to March 31).

Through an analysis of incidents across our customer base, we looked for patterns and trends to help guide strategic decision-making and operational processes for your team.

Why? We hope that by sharing how attackers got in, and how we stopped them, we can translate the events we detect into a useful security strategy for your organization.

Here are some of the top takeaways.

Spoiler alert: It turns out, Google Chromebooks, phish-resistant FIDO keys, and Google’s Advanced Protection Program can get you really far with corporate security.

Identity-based attacks accounted for 65% of all incidents handled by our SOC in Q1.

Business email compromise (BEC) and business application compromise (BAC) accounted for 63% of all incidents, while identity-based attacks in popular cloud environments like Amazon Web Services (AWS) and Google Cloud Platform (GCP) accounted for 2%.

We’ve said it before and we’ll say it again: BEC should be considered public enemy number one. In Q1 2022, 57% of all incidents our SOC observed were BEC attempts in Microsoft Office 365 (O365) — with 24% of our customers experiencing at least one BEC attempt in O365.

However, none of the BEC incidents we identified were in Google Workspaces or involved accounts with FIDO security keys.

Of the attempts we saw in O365, 2% were able to bypass multi-factor authentication (MFA) by abusing OAuth applications. Usually in this situation, clearing sessions and resetting the victim’s password and MFA token will do the trick. But in this scenario, Security or IT teams must remove the malicious OAuth application and its permissions.

We also saw an uptick in BEC targeting the week of Valentine’s Day. Expel for Phishing service identified campaigns to harvest email credentials using Valentine’s Day themed lures — preying on people’s hearts and procrastination with promises of false last-minute gift ideas.

On the other hand, BAC in Okta accounted for only 6% of incidents — with 7% of those attempts satisfying the MFA requirement by continuously sending Duo push notifications to the victim until they accepted. It appeared to us that threat actors were banking on intended targets growing tired of continuously rejecting push requests, and eventually accepting one just to get the notifications to stop.

Attacks to deploy pre-ransomware or commodity malware proved that ransomware should remain a top concern.

While our data showed that BEC was the top threat, we know many organizations continue to worry about ransomware attacks — and rightfully so. In Q1, our SOC attributed 5% of incidents to pre-ransomware activity.

If we hadn’t detected and remediated this pre-ransomware activity, threat actors would likely have ransomed their target organizations.

One big takeaway was that threat actors used macro-enabled Word documents and Zipped JavaScript files as the initial attack vector in 82% of all pre-ransomware incidents.

The deployment of commodity malware and malware families linked to pre-ransomware operations accounted for 26% of incidents — meaning organizations of all shapes and sizes should create and test strategies to defend against ransomware attacks.

A nod to the good guys.

Some good news out of this doom and gloom? Nine percent of the incidents our SOC detected in Q1 were authorized penetration tests, red team, and purple teams.

These exercises allow you to test and gut-check your security controls, remediation processes and investigative capabilities.

The takeaway? Pentest your controls, red team your response! The results could be invaluable.

One more thing… how long does all of this take?

Another important data point from the quarter was about how long it typically takes Expel to respond to the incidents detailed above.

We found the median alert-to-recommendation time for critical incidents in Q1 was 25 minutes. That’s the total time from when an alert landed in Expel Workbench to when we notified our customers for all critical incidents.

This matters because almost everything we do is latency sensitive. The longer an alert waits for an analyst in the queue, the more time an attacker has to do some damage.

If we’ve piqued your interest with this preview and you’re ready to dig-in to more details on the data, trends, and recommendations we saw in Q1 2022, download the full report.