In 2022, we collected a lot of data here at Blumira — over 5,000 TB — to protect our customers from threats. Looking back on the year, we can uncover patterns in the data to continually improve our detection & response capabilities.
What are some trends we noticed in 2022? Let’s delve in.
2022 Threat Detection Recap
At Blumira, we rely on a mixture of signature-based and behavior-based detection for a more nuanced view of suspicious behavior in an environment that could lead to an attack. We proactively identify and reach out to our customers when our platform identifies a malicious detection — what we call a finding — that is critical to respond to and stop an attack early.
These detections, or findings, are split into different categories based on the type of activity. The most common category across Blumira for 2022 was Users and Groups. This encompasses all detections around account lockouts, login failures, and other user-based issues within environments.
Other common categories included:
- Policy Violation – Someone is violating an IT or security policy that your organization has set.
- Unauthorized Access Attempt – Someone is trying to access a resource without the right permissions
- Persistence – The adversary is trying to maintain their foothold.
- Initial Access -The adversary is trying to get into your network.
- Lateral Movement – The adversary is trying to move through your environment.
- Reconnaissance – The adversary is trying to gather information they can use to plan future operations.
- Privilege Escalation – The adversary is trying to gain higher-level permissions.
Getting more granular, we saw an increase in findings for Microsoft 365 multi-factor authentication (MFA) enrollment skips — not including email forwarding, because we advise our customers to do that.
Microsoft strongly encourages MFA usage, claiming that it can block 99.9% of account compromise attacks. In October 2022, Microsoft started deprecating legacy and basic authentication, even if it is still in use.
We also saw an increase in Microsoft 365 domain administrator creations. Each organization should have a very limited number of domain admins, since their elevated permissions bring a lot of power.
In 2023, ensure all of your users are utilizing MFA and that you reduce usage of administrators across your environment as much as possible.
Top 10 Most Common Detection From 2022
10. modification of Microsoft 365 group
9. indicator: Microsoft 365 exchange domain added
8. indicator: null session authentication by known attack tool
7. indicator: Azure AD global administrator role assignment
6. indicator: potential clear-text password on local system by file write
5. indicator: Microsoft 365 – malware campaign detected in SharePoint and OneDrive
4. indicator: Microsoft 365 – user requested to release a quarantined message
3. Microsoft 365 – creation of forwarding/redirect rule to external domain
2. indicator: Microsoft 365 – suspicious inbox rule creation
1. Microsoft 365 – excessive number of mfa enrollment skips
Think you’re seeing too many (or too few) findings as a Blumira customer? Make sure you to checkout our Rule Management and Detection Filters features! These will allow you to tweak your detections to make it fit your environment
Where Did These Come From?
As an open-based platform, Blumira has over 50 native integrations to common software and security tools, all of which have logs sent to Blumira for monitoring. In fact, Blumira customers average 15 log sources, everything from operating systems, to firewalls and EDR systems. And, given that we have a Free edition built around Microsoft 365, it’s no surprise that multiple Microsoft products are found on the list of the top 10 most common data sources.
Top 10 Most Common Log Sources From 2022
Resolving Threats in 2022
Resolving a threat is like turning the last page of a book and closing the cover — it feels good to wrap up so you can move on to the next priority. To make it easier to finish the book, Blumira provides guided playbooks and has a SecOps team standing by for critical findings. In fact, over 18% of the threats detected and resolved by our customers were P1 threats – those that need to be acted upon immediately.
And resolving threats isn’t always easy. But, we do everything in our power to make it as easy as possible. Guided response playbooks are included with every finding and admins have the option to walk through those steps themselves, assign it to another team member, or contact Blumira support for more info. But just what do these playbooks include?
Playbook Example: Microsoft 365 – creation of forwarding/redirect rule to external domain
Yes/No Workflow Questions:
- Is [user] allowed to forward email externally to [forward to] or [smtp_address”]
- Are the IP address and geolocation common access locations for the user
- Is the user on vacation or traveling?
- Review the internal policy on mail forwarding with the user and remove the unauthorized mail forwarding rule
- This may indicate a compromised account. Blumira recommends resetting the user credentials and expiring existing auth tokens. Remove the unauthorized mail forwarding rule
Follow Up Questions With Potentially Compromised Accounts
- Review the access activity for the exchange account and AD login activating looking for anomalous logins or access activity. Were you able to identify malicious access?
- Was sensitive data like PII, trade secrets, stored credentials accessed by the threat actor?
And it seems like those playbooks really do help our customer close things out. We had almost half of our customers resolve every single detection that popped up in their system. 100% threat response rate is amazing! About 60% of the organizations using the Blumira platform resolved at least 90% of the findings they received.
Interested in seeing just how easy it is to receive findings and resolve threats with the Blumira platform? Check out our Free edition for Microsoft 365. There’s no credit card or additional licensing required, and you get the full set of detections and response playbooks for M365.