Top 5 takeaways: Expel Quarterly Threat Report Q2
Just like that, a new quarter is upon us and we’re back with our second Expel Quarterly Threat Report. The series, which debuted in the first quarter (Q1) of 2022, provides cybersecurity data, trends, and recommendations to help you protect your organization.
The second quarter (Q2) edition dives into the trends our security operations center (SOC) identified through investigations into alerts, email submissions, and threat hunting leads from April 1 to June 30, 2022. We’ve identified some insights and patterns to help guide strategic decision-making and operational processes for your team using a combination of time-series analysis, statistics, customer input, and analyst instinct.
Our goal? By sharing how attackers got in, and how we stopped them, we hope to translate the events we detect into security strategy for your organization.
Here are our top five takeaways.
TL;DR: Microsoft blocking macros by default is changing the game for threat actors and defenders alike; legacy MFA in cloud apps and cloud identity providers simply isn’t cutting it; and business email compromise (BEC) will continue to reign supreme in Q3.
1: Hackers are shifting their pre-ransomware approach, thanks in part to Microsoft
In Q1, our report noted that macro-enabled Microsoft Word documents (VBA macro) and Excel 4.0 macros were the initial attack vectors in 55% of all pre-ransomware incidents. But in Q2, Excel 4.0 macro attacks fell to 9% and VBA macro initial attacks dropped to zero.
What changed? Microsoft began blocking macros by default in Office applications, so threat actors all but abandoned the use of VBA and Excel 4.0 macros for initial entry. Instead, they opted to use ISO, LNK, and ZIP files that store other files for initial access. In fact, the use of ISO files for initial access increased 15% compared to Q1.
We’re advising our customers to block ISO files at email and web gateways. But proceed with caution: many businesses use these files in the regular course of business. Also, consider unregistering ISO file extensions in Microsoft Windows Explorer. By doing so, ISO files will no longer be recognized by Windows and double-clicking won’t result in program execution.
2: Identity-based attacks are still the elephant in the room… and they aren’t going away
Allie Mellen, independent senior analyst, recently tweeted, “Identity is the new endpoint,” and we tend to agree. Identity-based attacks (credential theft, credential abuse, long-term access key theft) accounted for 56% of all incidents handled by our SOC in Q2. Business email compromise (BEC) remains public enemy number one, accounting for 45% of all incidents—with 100% occuring in Microsoft Office 365 (O365).
For context here, we monitor roughly twice as many O365 tenants as we do Google Workspace, but the fact that we didn’t identify any BEC attempts in Google Workspace is pretty interesting.
What’s more, 19% of BEC attempts bypassed MFA in O365 using legacy protocols (up 16 percentage points from Q1). The takeaway? Single-factor authentication backed by conditional access policies aren’t enough to prevent unauthorized access.
BEC (unauthorized access into email apps) and business application compromise (BAC, unauthorized access into application data) made up 51% of all incidents, while identity-based attacks in popular cloud environments like AWS accounted for 5%.
Unfortunately, we expect threat actors will continue to favor identity-based attacks in Q3.
3: The majority of our leads come from a cloud application or identity provider integration
An effective detection and response strategy is more than EDR—it’s identity-oriented. Fifty-four percent of all identified Q2 incidents began with an initial lead from a cloud application or identity provider integration; 38% started with an initial lead from an EDR integration. While network (NDR) and SIEM make up only 7% of initial leads into Q2 incidents, these technologies provide SOC analysts with significant investigative capabilities and power orchestration in the Expel Workbench™.
4: Automation frees up human analysts to do what they do best
To improve SOC scale and quality, we automate a lot of our analysts’ repetitive tasks—things like “grab the Windows event log” or “let’s take a look at 30 days of authentication activity for a given user.” This frees analysts up to focus on risk-based decisions for our customers vs. spending time fighting with a query language to retrieve results.
How much of a burden does orchestrated automation take off analysts? Automation, not humans, completed key investigative actions 77% of the time we sent an alert to our SOC for review. When analysts spend less time buried in manual tasks, it boosts scale and levels up quality by standardizing investigative steps.
5: Orchestration dramatically improves remediation time
Orchestration not only improves scale and quality in our SOC, but also accelerates remediation. When our SOC identifies an incident, analysts investigate to uncover the scope and create remediation actions to reduce risk. Workbench automatically executes remediation actions for our customers, such as containing a host, disabling an account, removing phishing emails, or adding attacker indicators of compromise (IOCs)/hashes to a ‘deny’ list.
In Q2, the median time to complete a remediation action not automated through orchestration was two hours. What happens when a remediation action is automated via orchestration? That median time drops to seven minutes—a 1640% improvement.
We know what you’re thinking—with so many great takeaways in this blog, what more could the full report have in store? See for yourself.