Most cyber attacks happen outside of office hours, the vast majority of attackers use known vulnerabilities, and the manufacturing sector was the hardest hit in the past year.
These are among the findings of the Arctic Wolf 2024 Security Operations Report, which experts unpacked during a recent Arctic Wolf Quarterly Briefing for SA security stakeholders, presented in partnership with ITWeb.
Arctic Wolf field CTO Christopher Fielder said: “Our security operations report this year ingested 253 trillion observations and concluded that around-the-clock monitoring is crucial - it’s not a nice-to-have. 45% of alerts are created through the mid-afternoon to early morning period, and one fifth of them were on weekends. Attackers are all over the world and they choose to execute attacks when they think you're not paying attention and everyone has gone home for the day. So we can’t take time off, we have to monitor 24/7 and be able to respond immediately. Organisations with 24/7 security operations are better able to detect threats and defend themselves.”
The report found that the exploitation of known and patched vulnerabilities outnumbered exploitation of zero-day vulnerabilities by around 7.5 times. It also found that the most exploited applications were the ones used for core business functions, such as Microsoft Outlook, Windows 10, and Cisco IOS, and that manufacturing was the most-targeted sector - accounting for 26% of alerts.
Fielder also highlighted predictions made by Arctic Wolf at the beginning of 2024, including that there would be increased cyber activity around the worldwide 2024 elections, and that ransomware as a service (RaaS) and data exfiltration would continue to evolve.
“We also said the CCP China-first policy would drive industrial espionage and that Active Directory security configurations would continue to be a threat,” Fielder said.
These predictions had proven accurate, he said.
“We also warned that AI-generated code - especially LLM and Generative AI - would introduce new vulnerabilities into development processes. We’ve seen AI-generated code being flawed and vulnerable. We have also seen cases of attackers actually training these models to produce vulnerable code with a weakness or backdoor, so an unsuspecting developer may ask AI to write them code and put it into production. Attackers then search for instances of this code, and gain access. People have lost their jobs over that. Organisations need to have policies around the use of AI,” he said.
Jason Oehley, regional sales manager, Arctic Wolf Networks, said: “Cyber crime is big business, even in Africa. In the past year, we saw a significant increase in the number of attacks on mid-size and small organisations in South Africa, Zambia and Kenya in particular. A lot of incidents related to external log sources, restricted country logins, policy changes and group changes on firewalls without change control processes, and around authentication.”
The 2024 Security Operations Report said that the most common source of early detection was identity and access management.
Fielder said: “Identity telemetry is vital - you need to know who is using credentials, when, and where from. You also have to monitor endpoints, networks and the cloud.”
Arctic Wolf noted: “A security operations (SecOps) approach that aligns with the NIST Cybersecurity Framework 2.0 is a proven way to assess, mitigate, and transfer cyber risk. Around-the-clock monitoring is a modern-day necessity. SecOps teams should aim to simultaneously achieve a low false-negative rate and a high true-positive rate, but doing so is a tremendous challenge due to the sheer volume of security telemetry.”
“All this information can turn into noise,” Fielder said. “Security can get buried under alerts and notifications. Our platform goes through all this and distils it down to one true alert.”
The report is available for download at https://arcticwolf.com/resource/security-operations-report