    May 25, 2022

    Blumira’s State of Detection and Response


    01 Introduction
    02 Time To Detect and Respond
    03 Microsoft Security
    04 Top LotL Techniques
    05 Identity-Based Attacks
    06 Hands In The Honeypot


    Threat actors can be evasive, clever, and complex — but fortunately for defenders, they are also predictable. There is only a limited number of methods to access an environment, and when an attacker finds a technique that works, they tend to reuse it.

    That’s not to say threat actors — especially those in state-sponsored, high-profile ransomware groups — aren’t getting more sophisticated. Adversaries have the same access to endpoint detection software as customers do, and they thoroughly test their attacks against it to hone their evasion techniques. More advanced attackers are always attempting to stay ahead of the curve by leveraging new exploit kits, vulnerabilities, or malware loaders.

    Another concerning trend is the shortening of ransomware dwell time: the time it takes for an attack to complete, from initial access to exploitation. We’re no longer seeing as many attacks in which adversaries lurk in an environment for weeks or months before exfiltrating data. Attacks happen quickly — and at inopportune moments, like holidays and weekends — and defenders, too, must work quickly to stop an attack in its early stages.

    But there’s good news. Although today’s attacks may appear more sophisticated, the tactics, techniques and procedures (TTPs) used to launch those attacks remain the same. Adversaries often take the approach of working smarter, not harder, finding easy, low-cost and relatively simple methods to launch attacks.

    By studying patterns in attacker behavior, we can better understand those methods — no matter how advanced — and detect them accordingly.

    Behavior-based detection and signature-based detection are both valid approaches, but monitoring behavior can identify the paths that an adversary takes on the road to an attack — even if those behaviors seem legitimate. Focusing on attacker behavior and what initiated that behavior is a strong indicator of a potential threat or attack in progress.

    As defenders, we’re always interested to get inside of a threat actor’s mind. Looking at their patterns in behavior is the closest way to achieve that.

    Our Approach To Findings

    Blumira’s platform incorporates hundreds of different findings that detect suspicious behaviors that may indicate an attack in progress. This report is based on research from 33,911 key findings from a sample including 230 organizations, which took place over the course of 2021.

    These 33,911 findings are filtered to exclude outliers and low-priority alerts that we considered less significant, including account lockouts and blocked websites. That’s not to say that these alerts should be ignored, but we decided not to include them for the sake of accurate, relevant data.

    To understand how we generate these findings, let’s take a step back. Blumira’s incident detection engineers (IDE) take an intentional approach to rule design to reduce alert fatigue.

    1. First, our IDE team creates rules based on threat-based research, pulling data from various threat intel reports to determine how current threat actors operate.
    2. Once the team emulates attacks in a lab environment, they identify and build detections based on the threat actors’ behavior.
    3. Then the detection is tested again across customer datasets to remove false positives, reducing noisy alerts to help customers focus on priority findings.
    4. Blumira’s platform stacks similar alert data to already-triggered findings until the case is closed, helping to prevent alert fatigue and providing all relevant evidence to assist with investigation.

    But it’s not enough to be able to detect and respond to an attack in progress. As attacks happen faster, security and IT teams must be able to both detect and respond quickly before real damage occurs.

    Time To Detect and Respond

    Time to detect and respond refers to the time it takes to identify a compromise and contain the threat (sometimes referred to as the “breach lifecycle”). It directly affects the bottom line of an organization: the longer a breach takes to detect and contain, the higher the overall cost.

    The Impact on the Bottom Line

    In IBM/Ponemon’s 2021 Cost of a Data Breach report, they found that breaches that take longer than 200 days to resolve can result in 35% higher cost, from $3.6 million to $4.9 million on average.

    287 days

    The total average breach lifecycle (Source: IBM/Ponemon's 2021 Cost of a Data Breach)

    Blumira's detection engine includes real-time, or instantaneous, individual findings that notify a customer almost immediately of a potential threat, such as detecting a virus on your network; the median time to detect for these types of findings is 50 seconds.

    Threshold-based findings are based on a certain event happening multiple times over a set period of time. For example, in a password spraying attack, an attacker will attempt to log in by trying a large number of usernames with a single password, which can help evade detection. In this case, notification will happen only after the behavior is observed over a certain period of time.
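    As an added example (not Blumira's detection logic), here is how a threshold-based rule of this kind works over authentication events: it counts distinct usernames failing from one source inside a time window, which fires on a spray that a classic per-account lockout threshold never sees. The log format, IP addresses and account names are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (timestamp, source IP, username, result).
# One source tries a single password against many accounts; one legitimate
# user mistypes their own password twice. None of this is real data.
SAMPLE_EVENTS = [
    ("2021-06-01T09:00:00", "10.0.0.5", "alice", "failure"),
    ("2021-06-01T09:00:01", "10.0.0.5", "bob", "failure"),
    ("2021-06-01T09:00:02", "10.0.0.5", "carol", "failure"),
    ("2021-06-01T09:00:03", "10.0.0.5", "dave", "failure"),
    ("2021-06-01T09:00:04", "10.0.0.5", "erin", "failure"),
    ("2021-06-01T09:00:05", "10.0.0.5", "frank", "success"),
    ("2021-06-01T09:05:00", "192.168.1.20", "grace", "failure"),
    ("2021-06-01T09:05:30", "192.168.1.20", "grace", "failure"),
    ("2021-06-01T09:06:00", "192.168.1.20", "grace", "success"),
    ("2021-06-01T11:00:00", "10.0.0.5", "heidi", "failure"),  # outside the window
]

def parse(events):
    return [(datetime.fromisoformat(ts), src, user, res) for ts, src, user, res in events]

def lockout_candidates(events, threshold=3):
    """Per-account lockout logic: fires only when ONE account fails repeatedly."""
    counts = defaultdict(int)
    for _, _, user, res in parse(events):
        if res == "failure":
            counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Threshold finding: >= min_users distinct accounts failing from one source within `window`."""
    by_source = defaultdict(list)
    for ts, src, user, res in parse(events):
        if res == "failure":
            by_source[src].append((ts, user))
    alerts = []
    for src, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):          # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts.append({"source": src, "window_start": fails[start][0].isoformat(),
                               "distinct_users": len(users)})
                break                          # one finding per source; later events would stack onto it
    return alerts

def successes_from_spraying_sources(events, **kwargs):
    """Accounts the spraying source then authenticated to: the likely compromises to respond to first."""
    sources = {a["source"] for a in detect_password_spray(events, **kwargs)}
    hits = defaultdict(list)
    for _, src, user, res in parse(events):
        if src in sources and res == "success":
            hits[src].append(user)
    return dict(hits)

if __name__ == "__main__":
    print("lockout rule:", lockout_candidates(SAMPLE_EVENTS))  # [] -> the spray is invisible to it
    print("spray alerts:", detect_password_spray(SAMPLE_EVENTS))
    print("compromised:", successes_from_spraying_sources(SAMPLE_EVENTS))
```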

    The True Cost of Ransomware

    • Downtime and disrupted business operations mean a loss in revenue, especially for companies without a disaster recovery plan. Downtime costs related to ransomware are on average nearly 50 times greater than the ransom, according to a Datto study.
    • A ransomware attack can make customers feel uneasy, leading to a damaged reputation and, subsequently, customer churn. 86% of people are less likely to deal with companies that experienced a data breach, according to a Semafone study.
    • Companies must follow up with their affected customers after a ransomware attack, and cover costs related to credit monitoring and identity protection services.
    • If customer data was breached as a result of the ransomware attack, then companies must incur legal costs related to third-party claims.
    • Remediation costs include implementing forensics and investigative work, as well as containing the actual breach. Remediation costs grew from an average of $761,106 in 2020 to $1.85 million in 2021, according to Sophos.
    • Paying a ransom could breach OFAC regulations and result in needing to pay compliance fees on top of that ransom.

    So it’s clear that the time to detect and respond has a major impact on your business, and may be devastating for smaller organizations that have fewer resources to help them recover from lost revenue.

    Small and medium-sized businesses (SMBs) that experienced a data breach in 2021 suffered costs of $2.98 million, according to IBM.

    Time to Detect

    32 min

    Blumira's average time to detect a finding (Source: Blumira's 2021 dataset)

    212 days

    Average time to detect a breach (Source: IBM/Ponemon's 2021 Cost of a Data Breach)

    99.4% faster

    Time to Respond

    6 hours

    Average time to respond, or how quickly a customer closed findings (Source: Blumira's 2021 dataset)

    75 days

    (or 1,800 hours) Average time to respond to a threat (Source: IBM/Ponemon's 2021 Cost of a Data Breach)

    99.7% faster

    Our Findings at a Glance

    We’ve analyzed and compiled the top findings based on our data. Those top findings highlight a few trends, some of which we’ll delve more deeply into later on in this report.

    Here are some trends we’ve witnessed:

    Microsoft 365 activity

    Our findings revealed patterns of Microsoft-related activity, including activity associated with password spraying, lateral movement, and business email compromise.

    Living off the Land

    Identity-based attacks

    Top 5 Findings Overall

    #5 - 50 GB+ Inbound Connection via Generic Network Protocol

    MITRE ATT&CK technique: Data Exfiltration

    What does it mean? This can indicate a business-related connection or data exfiltration. Depending on the protocol, it may be important to consider the security of the connection if this is business-related traffic. It is also recommended to correlate with the source to determine whether this is an expected connection.

    #4 - Admin-Level Account Added

    MITRE ATT&CK technique: Persistence: Account Manipulation

    What does it mean? It’s uncommon for a threat actor to add an admin-level account, but it’s important for IT and security teams to audit and validate each creation of an admin-level account when it occurs, to avoid scope creep or attackers gaining access.

    #3 - Service Execution with Lateral Movement Tools

    MITRE ATT&CK technique: Execution: System Services

    What Does It Mean? The Windows service control manager (services.exe) can enable threat actors to execute malicious commands or payloads via a temporary Windows service.

    #2 - Okta Log Failure

    MITRE ATT&CK technique: n/a

    What Does It Mean? Okta logs aren't flowing properly to your SIEM, meaning you may have a gap in detection coverage. It's important to be aware of IT operational failures for both compliance and security.

    #1 - Attempt to Authenticate into a Honeypot

    MITRE ATT&CK technique: Credential Access

    What Does It Mean? Someone is actively attempting to access your honeypot and is unaware of its nature.

    Microsoft Security

    Microsoft 365 Security

    The most popular cloud collaboration tool is also highly targeted by attackers, so how can small and mid-sized businesses protect themselves?

    #5 - Clearing of Windows Event Logs

    MITRE ATT&CK technique: Defense Evasion

    What does it mean? An insider or threat actor may be attempting to clear evidence to cover their tracks after malicious activity. 

    #4 - Modification of Microsoft 365 Group

    MITRE ATT&CK technique: Persistence: Account Manipulation

    What does it mean? A threat actor using an admin account can modify a Microsoft 365 group to add users or grant additional permissions, resulting in data leakage and access by unauthorized users.

    #3 - PsExec use on network

    MITRE ATT&CK technique: Lateral Movement: Remote Services

    What Does It Mean? An attacker may be moving laterally within your environment and interacting with remote machines using compromised credentials.

    #2 - 10 Windows user password reset attempts within 1 hour

    MITRE ATT&CK technique: Lateral Movement

    What Does It Mean? An attacker may be moving laterally throughout your environment and attempting to reset passwords for other accounts.

    #1 - Creation of Microsoft 365 security group

    MITRE ATT&CK technique: Persistence: Account Manipulation

    What Does It Mean? Someone that creates a security group can grant members of that group access to certain things, such as a SharePoint site. This may lead to insider risk or elevation of privileges.

    Security Recommendations

    If your organization uses Microsoft 365, it’s likely that a lot of data flows in and out of it — making it a prime target for attackers.

    • Ensure you can detect suspicious activity such as creating inbox rules or external email forwarding rules
    • Check for MFA misconfigurations or instances of MFA being disabled
    • Monitor your Microsoft 365 environment to be able to detect threats early enough to stop an attack

    Signs of Business Email Compromise

    • Activity from suspicious IP addresses
    • Disabling of MFA
    • Enabling external email forwarding
    • Mass downloading of files
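    As an added example (not Blumira's code), the following maps the four signs above onto Microsoft 365 audit records: external forwarding via inbox rules or mailbox settings, the MFA-disable operation, bulk file downloads, and activity from outside the organization's known egress range. The records, tenant domain and IP ranges are constructed; the record shape is a simplified version of the Unified Audit Log format, and the operation names are the ones Microsoft's audit log uses to the best of my knowledge.

```python
import ipaddress
from collections import Counter

INTERNAL_DOMAIN = "example.com"                           # constructed tenant domain
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]    # constructed corporate egress range

# Constructed records shaped like simplified Microsoft 365 Unified Audit Log entries.
# Exchange cmdlet audits carry their arguments as a list of {"Name", "Value"} pairs.
RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "bob.archive@gmail.com"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "bob@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.archive@gmail.com"}]},
    {"Operation": "Disable Strong Authentication.", "UserId": "admin@example.com",
     "ClientIP": "198.51.100.77", "Parameters": []},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.11",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Receipts"}]},   # benign housekeeping rule
] + [{"Operation": "FileDownloaded", "UserId": "bob@example.com", "ClientIP": "198.51.100.77",
      "Parameters": []} for _ in range(60)]

FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

def params(rec):
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

def is_external(address):
    addr = address.lower().removeprefix("smtp:")
    return "@" in addr and not addr.endswith("@" + INTERNAL_DOMAIN)

def from_unknown_ip(rec):
    ip = ipaddress.ip_address(rec["ClientIP"])
    return not any(ip in net for net in KNOWN_EGRESS)

def bec_indicators(records, download_threshold=50):
    """Map audit records onto the four BEC signs above; returns sorted (indicator, user) pairs."""
    findings, downloads = set(), Counter()
    for rec in records:
        op, user, p = rec["Operation"], rec["UserId"], params(rec)
        if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            if any(k in FORWARDING_PARAMS and is_external(v) for k, v in p.items()):
                findings.add(("external_forwarding", user))
        if op == "Disable Strong Authentication.":
            findings.add(("mfa_disabled", user))
        if op == "FileDownloaded":
            downloads[user] += 1
        if from_unknown_ip(rec):
            findings.add(("activity_from_unknown_ip", user))
    findings |= {("mass_download", u) for u, n in downloads.items() if n >= download_threshold}
    return sorted(findings)

if __name__ == "__main__":
    for indicator, user in bec_indicators(RECORDS):
        print(f"{indicator:26} {user}")
```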

    Living off the Land

    What is Living off the Land (LotL)?

    Living off the land techniques involve using tools that already exist within a system to conduct attacks. Many of these tools are used by sysadmins for legitimate work, making it difficult for defenders to distinguish between malicious behavior and an admin simply doing his or her job.


    [Figure not fully captured; only "…2%" survived] of detections were malware-free, according to CrowdStrike's 2022 Global Threat Report.

    Why Do Attackers Use LotL?

    • Low cost. These attacks take advantage of tools that already exist within an environment, so attackers don’t need to buy or create malware or attack tools, saving money and time. You can’t get better than free.
    • Easy and simple. No need to build, test, and use tooling, which creates obstacles for adversaries wanting to launch attacks quickly.
    • Avoid detection. A lack of malicious tools and files means a lack of signature (or known-bad behavior recognized by many security tools), making detection difficult.

    The Problem With Living off the Land

    Living off the land behaviors often take place over a period of days or weeks, and during this time, an attacker can go undetected by endpoint detection tools because the attacker is not using anything that is known to be malicious.

    This means that endpoint detection and response (EDR) tools may have a hard time detecting attacker behavior until it is too late — for example, when an attacker introduces malware into the environment.

    Even when an EDR tool does alert on questionable behavior, it’s very easy for an admin to miss or dismiss an alert that looks like normal behavior without additional questionable behavior identified from other IT and security systems that provide context. A single agent alerting on a single machine often isn’t enough visibility and context to stop savvy attackers.

    Top LotL Techniques

    Service Execution with Lateral Movement Tools

    The Windows service control manager (services.exe) can enable threat actors to execute malicious commands or payloads via a temporary Windows service.

    PsExec is a command-line tool in Windows that lets privileged users execute processes on remote systems and redirect console applications' output to the local system so that these applications appear to be running locally.

    Attackers use it for the same reasons, providing a convenient way to move laterally and interact with remote machines using compromised credentials. Only authorized users should be utilizing PsExec on the network.

    PsExec Use

    Threat actors can use PsExec maliciously to move laterally throughout your network, to execute commands or payloads, or to conduct remote execution.

    Potentially malicious PowerShell command

    PowerShell is like the Swiss Army knife of tools, enabling adversaries and admins alike to perform a variety of tasks.

    Net User: Recon commands

    Microsoft's net user command allows queries about both local users and domain users. While useful for systems administrators, it is often used by malware and hands-on threat actors as an unobtrusive way to begin discovery in an environment.
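    As an added example (not Blumira's rules), here is detection logic over Windows System-log "service installed" events (Event ID 7045) covering the first two techniques above: PsExec's default temporary service, and a shell or PowerShell (including an encoded command) registered as a service, with a fallback check against a baseline of services the environment is known to install. The events, host names, accounts and the baseline set are constructed.

```python
import re

# Constructed, simplified Windows System-log "service installed" events (Event ID 7045).
EVENTS = [
    {"EventID": 7045, "Computer": "FILESRV01", "AccountName": "CORP\\jdoe",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "WKSTN07", "AccountName": "CORP\\svc_backup",
     "ServiceName": "ZXQVTMPL",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -enc CONSTRUCTED_B64"},
    {"EventID": 7045, "Computer": "WKSTN07", "AccountName": "NT AUTHORITY\\SYSTEM",
     "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
    {"EventID": 7036, "Computer": "WKSTN07", "AccountName": "", "ServiceName": "Spooler", "ImagePath": ""},
]

# Services your environment legitimately installs (constructed; derive yours from past 7045 events).
BASELINE_SERVICES = {"Sense", "MpKsl", "Spooler"}

SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|cmd\.exe|%COMSPEC%|rundll32|mshta|wscript|cscript)", re.I)
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

def classify_service_install(evt):
    """Return the reasons (if any) a service-install event deserves a finding."""
    if evt.get("EventID") != 7045:
        return []
    name, path = evt.get("ServiceName", ""), evt.get("ImagePath", "")
    reasons = []
    if name.upper() == "PSEXESVC" or path.upper().endswith("PSEXESVC.EXE"):
        reasons.append("psexec_service")          # PsExec's default temporary service
    if SCRIPT_HOSTS.search(path):
        reasons.append("script_host_as_service")  # a shell/interpreter registered as a service
    if ENCODED_FLAG.search(path + " "):
        reasons.append("encoded_powershell")
    if not reasons and name not in BASELINE_SERVICES:
        reasons.append("not_in_baseline")         # the "know your normal" step; a renamed PsExec service lands here
    return reasons

def triage(events):
    """Dict of (computer, service) -> reasons for every event worth a look."""
    out = {}
    for evt in events:
        reasons = classify_service_install(evt)
        if reasons:
            out[(evt["Computer"], evt["ServiceName"])] = reasons
    return out

if __name__ == "__main__":
    for key, reasons in triage(EVENTS).items():
        print(key, reasons)
```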


    An Attacker's Favorite LotL Tool

    PowerShell is one of the most powerful tools to control a Windows machine from within. Only necessary users should have the ability to use PowerShell. Each additional user opens up another security gap, enabling attackers to have an elevated foothold in your network as soon as they’re able to access one of those users, hosts, or sessions.


    [Figure not captured] increase in PowerShell threats in Q4 of 2020 (Source: McAfee)

    5 Ways That Attackers Use PowerShell

    • Execute local scripts
    • Encode payloads
    • Inject malicious code into memory
    • Execute code without admin access
    • Install PowerShell scripts as services

    Security Recommendations

    Detecting living off the land techniques requires an understanding of what legitimate behavior looks like in your environment.

    Paring down access to PowerShell to only the necessary users can help you more easily determine your organization’s definition of normal PowerShell activity.

    Once you establish a baseline, you can more easily identify spikes in activity and abnormalities that may indicate an attack in progress.

    Combine EDR tools — which may miss LotL techniques — with a behavior-based detection approach.

    Identity-Based Attacks

    The pandemic forced many organizations to move to cloud services to support their remote employees. For organizations without a solid understanding of their exposed attack surface, moving to a cloud environment only highlighted that knowledge gap.

    In identity-based attacks, threat actors take advantage of those knowledge gaps by exploiting, misusing, or stealing user identities.


    [Figure not captured] of breaches are identity-driven

    What Makes Cloud Vulnerable to Identity Attacks?

    • Lowered visibility into employee actions
    • Cloud misconfigurations, e.g. leaving an unencrypted data store exposed to the public internet without requiring authentication, or failing to apply the principle of least privilege
    • The sheer volume of identities in the cloud means that identity and access management policies are harder to manage

    Attempts to authenticate into a honeypot were Blumira's #1 finding of 2021.

    What's a honeypot?

    A honeypot lures attackers with a network device that appears to contain valuable data. Once an attacker tries to log in, scan the device, or attempts to access a file on the device – the honeypot will notify your team.

    Types of Honeypots

    • Honeynet – A collection of honeypots and other deception techniques.
    • Honeytoken – A piece of data that is used to lure in an attacker, such as API keys, database entries, executable files, and keys to cloud resources (e.g. AWS key).
    • Honeycred – A username or ID that is used to identify specific types of attacks on systems.
    • Honeyport – A job that listens on specific TCP ports. When a connection is established, it can either simply log the attempt or add a local firewall rule to block the host from further connections.
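    The honeyport described in the last item, as an added example that is not part of the original report: a TCP listener that records every connection (source address, time, first bytes sent) and hands each one to a callback where a deployment would notify the team or add the local firewall rule. Host, port and the `touch` helper that stands in for a scanner are constructed for the demonstration.

```python
import socket
import threading
import time
from datetime import datetime, timezone

class Honeyport:
    """A TCP listener nothing legitimate should ever touch: every connection is an alert.
    on_alert is the hook for paging the team or adding a firewall block; here it just gets the dict."""

    def __init__(self, host="127.0.0.1", port=0, on_alert=None, peek_bytes=64):
        self.alerts, self.on_alert, self.peek_bytes = [], on_alert or (lambda a: None), peek_bytes
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port=0 lets the OS pick a free port (handy for tests)
        self._sock.listen(5)
        self._sock.settimeout(0.2)             # short accept timeout so stop() is noticed promptly
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def port(self):
        return self._sock.getsockname()[1]

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()

    def wait(self, count=1, timeout=3.0):
        """Block until at least `count` alerts exist (or timeout); returns whether it got there."""
        deadline = time.monotonic() + timeout
        while len(self.alerts) < count and time.monotonic() < deadline:
            time.sleep(0.05)
        return len(self.alerts) >= count

    def _serve(self):
        listen_port = self.port
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:                    # socket closed underneath us
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    first_bytes = conn.recv(self.peek_bytes)   # whatever the client says first, if anything
                except OSError:
                    first_bytes = b""
            alert = {"time": datetime.now(timezone.utc).isoformat(), "src_ip": src_ip,
                     "src_port": src_port, "dst_port": listen_port, "first_bytes": first_bytes}
            self.alerts.append(alert)
            self.on_alert(alert)

def touch(port, payload=b"GET / HTTP/1.0\r\n\r\n", host="127.0.0.1"):
    """Stands in for a scanner hitting the port (demo/test helper only)."""
    with socket.create_connection((host, port), timeout=2) as c:
        c.sendall(payload)

if __name__ == "__main__":
    hp = Honeyport(on_alert=lambda a: print("ALERT", a)).start()
    touch(hp.port); hp.wait(); hp.stop()
```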

    Security Recommendations

    As identity-based threats become more common — especially for cloud services — aim to get more visibility into your environment:

    • Enable multi-factor authentication to reduce the risk of unauthorized access due to credential compromise.
    • Limit domain access to small groups to limit exposure and lower your chances of a malicious actor gaining access to domain accounts.
    • Use honeypots to stay one step ahead of attackers and to be aware of potential intruders.

    How Blumira Can Help - Blumira’s XDR Platform

    • Lean IT teams struggle to defend against cyberattacks and meet compliance requirements.
    • Managing security tools requires threat hunting, managing rules, parsing data, developing integrations and more.
    • No 24/7 team: lean IT teams struggle due to high costs of enterprise solutions, talent shortage and lack of security expertise.
    • Too many disparate solutions result in redundancies and a lack of visibility into remote endpoint risks.


    • Reduce reliance on humans to complete manual security tasks to save time and refocus efforts.
    • Accelerate breach prevention and ransomware protection with security automation.
    • All-in-one open platform simplifies workflows with hybrid coverage, satisfying more compliance controls.



    Blumira’s open XDR platform makes advanced detection and response easy and effective for small and medium-sized businesses, accelerating ransomware and breach prevention.

    Time-strapped IT teams can do more with one solution that combines SIEM, endpoint visibility and automated response.

    Blumira does the heavy lifting to pare down the overwhelming amount of data from logs into actionable events. That allows us to focus on revenue-enhancing activities.

    Michael Cross, CIO, Greenleaf Hospitality

    • Managed detections for automated threat hunting to identify attacks early
    • Automated response to contain and block threats immediately
    • One year of data retention and option to extend to satisfy compliance
    • Advanced reporting and dashboards for forensics and easy investigation
    • Lightweight agent for endpoint visibility and response
    • 24/7 Security Operations (SecOps) support for critical priority issues


    • Reduce complexity by consolidating security tools into one platform
    • Integrate broadly to provide insight across your entire environment
    • Use automation to speed up detection and response

    I don’t have the staff dedicated to sit and read logs all day or with the skillset to analyze our data. We chose Blumira for its simplicity – I needed a solution that would simplify, consolidate and show me what I really need to see.

    Jim Paolicelli, IT Director, Atlantic Constructors


    Blumira makes security easy and effective for SMBs, helping them detect and respond to cybersecurity threats faster to stop breaches and ransomware.

    Contact us to trial Blumira's XDR platform & get:

    • SIEM deployment in minutes
    • Managed detection rules
    • Endpoint visibility and response
    • Automated response

    Erica Mixon

    Erica is an award-winning writer, editor and journalist with over ten years of experience in the digital publishing industry. She holds a Bachelor’s degree in writing, literature and publishing from Emerson College. Her foray into technology began at TechTarget, where she provided editorial coverage on a wide variety...
