Custom Alerts, Foreign Log-in Attempts Dominate Alert Threats, MSSP’s Data Shows
Foreign log-in attempts and suspicious application processes accounted for nearly 50% of the cyber threats identified by DirectDefense, a managed security services provider (MSSP), in a newly released report.
The Denver, Colorado-based DirectDefense said that of the “hundreds of thousands” of alerts its ThreatAdvisor platform managed last year, the MSSP investigated 100% of them and acted on or dismissed 77%.
In total, only 23% needed client collaboration to close the event, saving more than 1.1 million hours in alert investigation time for clients while providing continuous monitoring. Each DirectDefense security operations center (SOC) analyst spent an average of 1,723 hours on event triage and response.
Seven Threat Types Identified
The DirectDefense team identified the top seven threat types for 2022, including custom alerts that DirectDefense created based on its clients’ unique needs and program support:
- Custom alerting, 30%
- Foreign login activity, 27%
- Process analysis, 21%
- Account activity, 9%
- Phishing attempts, 7%
- Mailbox manipulation, 5%
- Deceptive technologies, 1%
Low Phishing Alerts Surprising
DirectDefense was “surprised” by the low number of client alerts related to phishing expeditions. This infrequency could be the result of tighter organizational email security protocols, or simply of fewer phishing attempts overall following the previous year’s events, in which threat actors scraped email addresses and personal information from social networking sites and turned to other approaches, such as brute force attacks.
Of note, of the 7% of alerts that were phishing attempts, 859 were confirmed phishing attempts, and three of those escalated to an incident response engagement.
Commenting on the report’s findings, Jim Broome, DirectDefense president and chief technology officer, said:
“The number of hours spent investigating alerts, many of which require no action, can stop productivity in its tracks. Not to mention how alert fatigue often results in simply not investigating alerts, thereby potentially missing a very real threat — and the opportunity to respond quickly. Even when companies elect to handle certain alerts in-house, the benefit of having 100% of alerts immediately investigated by an MSSP removes a significant strain on organizational resources.”
Looking ahead to 2023, the DirectDefense team has identified ransomware, cloud infrastructure attacks, blind-by-design applications (no basic security controls built in) and emerging AI attacks as critical threats.