Cyber threat severity rises during holidays says research

Security and data protection company Barracuda’s analysis of cyber threats detected by its XDR platform through 2022 – with a special focus on the summer months – has revealed that while the volume of attacks dipped significantly between February to May, and again between July to September, the severity of each individual attack actually grew. 

“Cyber criminals tend to target companies and IT security teams when they are likely to be under-resourced. This could be on weekends, overnight, or during a holiday season, such as the summer. This is reflected in our data, which clearly shows that despite an overall reduction in threat volume, a significantly greater proportion of threats detected during the summer months were at the higher-risk end of the scale,” said Adam Kahn, VP of Global Security Operations, Barracuda. “This is especially worth bearing in mind as we head into the end of year holiday season.” 

Volume Dips, Intensity Spikes 

In January 2022, the number of threat alarms detected by Barracuda’s XDR platform spiked to 1.4 million, before falling sharply by just under three quarters (71.4%). This was mirrored by a second spike of 1.4 million alarms in June, which was followed by a similar if more gradual decline in July through August. However, while in January, only around 1 in 80 (1.25%) of threat alarms were serious enough to warrant a security alert to the customer, by June to September the rate went up to 1-in-5 (20%). 

The three most frequently detected threats between June and September were as follows: 

1.     Successful Microsoft 365 login from a suspicious country (High risk): This type of attack accounted for 40% of all attacks during the 90-day window between June and the end of September. The countries that flag an automatic security alert include Russia, China, Iran, and Nigeria. A successful breach of a Microsoft 365 account is particularly risky because it offers an intruder potential access to all the connected and integrated assets the target has stored on the platform.  

2.     Communication to an IP address known to Threat Intelligence (Medium risk): This type of attack, which includes any attempt at malicious communication from a device within the network to a website or known command-and-control server, accounted for 15% of all attacks during the monitoring period, 

3.     Brute force authentication user attempt (Medium Risk): Accounting for 10% of all attacks, these are automated attacks trying to penetrate an organisation’s defences by simply running as many name/password combinations as they can. 

Offering insight into how to build resilience to such attacks, Kahn said, “In the face of growing attack sophistication, organisations would be well advised to implement security measures that include enabling multifactor authentication (MFA) across all applications and systems, ensuring all critical systems are backed up, implementing a robust security solution that includes email protection and Endpoint Detection and Response (EDR), and ensuring they have visibility across their whole IT Infrastructure.”