Uncovering the Hidden Threats: A Deep Dive into 25 Million Security Alerts (2026)

The Hidden Dangers of Ignored Alerts

The world of cybersecurity is rife with secrets, and one of the industry's most alarming practices is the systematic neglect of low-severity alerts. This issue is not just a theoretical concern; it is a dark reality backed by analysis of a staggering 25 million security alerts, revealing a critical blind spot in enterprise security operations.

Unveiling the Neglected 1%

What's particularly eye-opening is that nearly 1% of confirmed incidents originated from alerts initially deemed low-severity or informational. This seemingly small percentage translates to a significant number of real threats, approximately 54 per year, that go unnoticed in the average organization. These are not hypothetical risks but actual compromises hidden in plain sight.

The issue here is not the failure of detection systems but the economic triage that makes it impractical to investigate every alert. This practice, while understandable, creates a dangerous loophole that threat actors are exploiting with alarming efficiency.

EDR's False Sense of Security

A startling revelation is that Endpoint Detection and Response (EDR) systems, often considered the last line of defense, may not be as reliable as we think. The report highlights that over 50% of compromised endpoints, confirmed through forensic memory scans, were previously marked as 'mitigated' by EDR vendors. This means that without memory-level forensics, these infections remain hidden, and the safety net we rely on is full of holes.

The malware families found in these scans are not experimental tools but well-known, widely used threats. This suggests that attackers are not only exploiting gaps in our defenses but are doing so with established, effective methods.
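The gap described above is something a SOC can measure for itself: join the EDR's own dispositions against what a memory scan actually finds on each host. The script below is an added example and not code from the report or from Intezer; the host names, verdict strings and malware family labels are constructed sample data, and the verdict categories are an assumption about how such a reconciliation would be bucketed.

```python
"""Reconcile EDR verdicts with memory-scan findings (added example).

Both tables are constructed for illustration and are not report data:
EDR_VERDICTS is what the endpoint console recorded per host, MEMORY_HITS is
what a forensic memory scan later found still running on that host.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed EDR dispositions: host -> verdict shown in the EDR console.
EDR_VERDICTS = {
    "ws-0101": "mitigated",
    "ws-0102": "mitigated",
    "ws-0103": "quarantined",   # no memory hit below, so it does not appear in findings
    "ws-0104": "mitigated",
    "srv-0201": "no_detection",
}

# Constructed memory-scan results: (host, family, host process).
MEMORY_HITS = [
    ("ws-0101", "FAMILY_A", "explorer.exe"),
    ("ws-0102", "FAMILY_B", "svchost.exe"),
    ("srv-0201", "FAMILY_A", "w3wp.exe"),
]

# Verdicts that mean "the EDR considers this handled" (assumed vocabulary).
CLOSED_VERDICTS = ("mitigated", "quarantined", "blocked")


@dataclass(frozen=True)
class Finding:
    host: str
    edr_verdict: str
    families: tuple[str, ...]
    category: str  # "false_mitigated" | "unseen_by_edr" | "consistent"


def reconcile(edr_verdicts: dict, memory_hits: list) -> list[Finding]:
    """One Finding per host with an in-memory detection, classified by
    how the EDR verdict compares with the forensic result."""
    by_host: dict[str, set[str]] = {}
    for host, family, _process in memory_hits:
        by_host.setdefault(host, set()).add(family)

    findings = []
    for host, families in sorted(by_host.items()):
        verdict = edr_verdicts.get(host, "no_detection")
        if verdict in CLOSED_VERDICTS:
            category = "false_mitigated"   # EDR closed it, code still resident
        elif verdict == "no_detection":
            category = "unseen_by_edr"     # EDR never alerted on this host
        else:
            category = "consistent"        # e.g. an "active" case already open
        findings.append(Finding(host, verdict, tuple(sorted(families)), category))
    return findings


def false_mitigated_rate(findings: list[Finding]) -> float:
    """Share of memory-confirmed hosts that the EDR had already closed."""
    if not findings:
        return 0.0
    closed = sum(1 for f in findings if f.category == "false_mitigated")
    return closed / len(findings)


if __name__ == "__main__":
    results = reconcile(EDR_VERDICTS, MEMORY_HITS)
    for f in results:
        print(f"{f.host:9} edr={f.edr_verdict:13} memory={','.join(f.families):10} -> {f.category}")
    print(f"false-mitigated rate: {false_mitigated_rate(results):.0%}")
```

Run against real exports, the `false_mitigated` bucket is the set of hosts to reopen first; the `unseen_by_edr` bucket is input for the detection-engineering backlog rather than for incident response alone.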

Phishing's Evolving Tactics

Phishing attacks have evolved significantly, moving beyond traditional attachment-based methods. Attackers now use links and language to deceive, and they've found a new home on trusted platforms like Vercel, CodePen, and even PayPal. These platforms, designed to facilitate legitimate activities, are now being weaponized, making detection even more challenging.

The use of legitimate infrastructure, such as PayPal's payment request system, to deliver phishing emails is a masterstroke of deception. It is a stark reminder that attackers are not just targeting our systems but also exploiting our trust in established services.

Cloud Attacks: A Game of Patience

Cloud alert data reveals a strategic shift in attacker behavior. Instead of loud, high-impact actions, they are playing a long game, focusing on defense evasion and persistence. This strategy involves token manipulation, abuse of cloud features, and obfuscation techniques to avoid detection.

AWS misconfigurations, particularly in S3, further exacerbate this problem. These misconfigurations rarely trigger alerts and are often classified as low severity, providing attackers with an easy entry point to accelerate their malicious activities.
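Because S3 exposure findings so often land in the low-severity pile, it is worth seeing what a severity assignment based on actual exposure looks like. The checker below is an added example, not code from the report or from Intezer: it evaluates a bucket policy document, a bucket ACL and the Public Access Block settings (shaped like the `GetBucketPolicy`, `GetBucketAcl` and `GetPublicAccessBlock` API responses) and rates the result. The sample documents are constructed, and the severity ladder (`none`, `low`, `high`, `critical`) is an assumption chosen for this example.

```python
"""Rate S3 public-exposure misconfigurations by real exposure (added example).

Inputs mirror the shape of GetBucketPolicy / GetBucketAcl / GetPublicAccessBlock
responses; all values below are constructed for illustration.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample documents (account id is the AWS documentation placeholder).
PUBLIC_READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")
PUBLIC_WRITE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}}
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                              "Permission": "FULL_CONTROL"}]}
BPA_ON = dict.fromkeys(BPA_KEYS, True)
BPA_OFF = dict.fromkeys(BPA_KEYS, False)


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _actions(stmt) -> list:
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def public_statements(policy_doc: dict) -> list:
    """Allow statements for everyone that carry no Condition block."""
    stmts = policy_doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    out = []
    for s in stmts:
        if s.get("Effect") != "Allow" or not _principal_is_public(s.get("Principal")):
            continue
        if s.get("Condition"):
            # Conditions (aws:SourceVpce, aws:SourceIp, ...) scope the grant;
            # they need their own review and are not counted as anonymous-public here.
            continue
        out.append(s)
    return out


def public_acl_grants(acl: dict) -> list:
    """ACL grants to the AllUsers or AuthenticatedUsers predefined groups."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def _grants_write(actions: list) -> bool:
    """s3:*, *, or any s3:Put*/s3:Delete* action counts as write access."""
    for a in actions:
        name = a.split(":", 1)[-1].lower()
        if name == "*" or name.startswith(("put", "delete")):
            return True
    return False


def assess_bucket(policy_doc: dict, acl: dict, block_public_access: dict) -> dict:
    """Assumed severity ladder: none / low (blocked by BPA) / high (public read)
    / critical (public write)."""
    bpa_enforced = all(block_public_access.get(k, False) for k in BPA_KEYS)
    stmts = public_statements(policy_doc)
    actions = sorted({a for s in stmts for a in _actions(s)})
    grants = public_acl_grants(acl)
    if not stmts and not grants:
        severity = "none"
    elif bpa_enforced:
        severity = "low"        # misconfigured, but Public Access Block neutralises it
    elif _grants_write(actions):
        severity = "critical"   # anyone on the internet can write or delete
    else:
        severity = "high"       # anonymous read of bucket contents
    return {"severity": severity, "bpa_enforced": bpa_enforced,
            "public_policy_actions": actions, "public_acl_grants": len(grants)}
```

The point of the exercise is that the same bucket policy is a `low` or a `critical` depending on the surrounding controls; a rule that emits a flat "low" for every S3 policy finding throws that information away.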

The Human-Machine Disconnect

The core challenge lies in the mismatch between human analyst capacity and the ever-increasing volume of alerts. As telemetry expands across various domains, SOCs and MDRs face a common dilemma: either automate most closures or investigate only the most critical alerts. This approach, while necessary for operational efficiency, creates a feedback loop where missed threats remain undetected, and detection rules never improve.

MDR providers, despite their expertise, face similar constraints. The solution doesn't lie solely in adding more analysts or implementing SOAR platforms. These measures only provide temporary relief without addressing the root cause.

The Power of Comprehensive Investigation

The game-changer here is the concept of full-coverage investigation. By removing the human analyst bottleneck and leveraging AI-powered tools like Intezer AI SOC, it becomes feasible to investigate every alert, regardless of severity. This approach not only improves triage accuracy but also enhances detection engineering by providing continuous feedback for rule tuning.

The benefits are twofold: human analysts can focus on high-confidence escalations, and the organization's security posture continuously improves, keeping pace with the evolving threat landscape.
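The feedback loop these two sections describe can be made concrete with a small model: take a set of alerts with the outcome a full investigation would produce, compare what a severity-threshold SOC investigates against what it misses, and derive per-rule tuning advice from the outcomes. This is an added example and not code from the report or from Intezer; the rule identifiers, severities and outcomes are constructed, and the recommendation thresholds are assumptions chosen for illustration.

```python
"""Threshold triage versus full-coverage investigation (added example).

ALERTS is constructed sample data: (rule_id, severity, confirmed_incident),
where confirmed_incident is what investigating that alert would have found.
"""
from collections import defaultdict

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

ALERTS = [
    ("R-EDR-001", "critical", True),
    ("R-EDR-001", "critical", False),
    ("R-AUTH-007", "medium", False),
    ("R-AUTH-007", "medium", False),
    ("R-AUTH-007", "medium", False),
    ("R-S3-ACL-012", "low", True),      # real exposure hiding in a low-severity rule
    ("R-S3-ACL-012", "low", False),
    ("R-S3-ACL-012", "low", False),
    ("R-TOKEN-003", "low", True),       # token misuse, also rated low
    ("R-TOKEN-003", "low", False),
    ("R-DNS-INF-020", "informational", False),
    ("R-DNS-INF-020", "informational", False),
    ("R-DNS-INF-020", "informational", False),
    ("R-DNS-INF-020", "informational", False),
]


def investigated(alerts, min_severity):
    """Alerts a severity-threshold SOC actually opens."""
    floor = SEVERITY_RANK[min_severity]
    return [a for a in alerts if SEVERITY_RANK[a[1]] >= floor]


def missed_incidents(alerts, min_severity):
    """Confirmed incidents that sit below the triage threshold and are never seen."""
    floor = SEVERITY_RANK[min_severity]
    return [a for a in alerts if SEVERITY_RANK[a[1]] < floor and a[2]]


def rules_without_feedback(alerts, min_severity):
    """Rules whose alerts are never investigated, so their outcomes are never learned."""
    seen = {a[0] for a in investigated(alerts, min_severity)}
    return sorted({a[0] for a in alerts} - seen)


def rule_feedback(alerts):
    """Per-rule precision and a tuning action, computed from every alert's outcome
    (i.e. what full-coverage investigation makes available).

    Assumed thresholds: any confirmed incident from a low/informational rule ->
    raise its severity; three or more alerts with zero confirmed -> review for
    suppression; otherwise keep."""
    stats = defaultdict(lambda: {"severity": None, "total": 0, "confirmed": 0})
    for rule, severity, confirmed in alerts:
        s = stats[rule]
        s["severity"] = severity
        s["total"] += 1
        s["confirmed"] += int(confirmed)

    feedback = {}
    for rule, s in stats.items():
        precision = s["confirmed"] / s["total"]
        if s["confirmed"] and SEVERITY_RANK[s["severity"]] <= SEVERITY_RANK["low"]:
            action = "raise_severity"
        elif s["total"] >= 3 and s["confirmed"] == 0:
            action = "review_for_suppression"
        else:
            action = "keep"
        feedback[rule] = {"severity": s["severity"], "precision": round(precision, 3),
                          "action": action}
    return feedback


if __name__ == "__main__":
    floor = "medium"
    print(f"threshold triage at '{floor}': {len(investigated(ALERTS, floor))} of {len(ALERTS)} alerts opened")
    print(f"confirmed incidents missed: {len(missed_incidents(ALERTS, floor))}")
    print(f"rules with no outcome data: {rules_without_feedback(ALERTS, floor)}")
    for rule, fb in sorted(rule_feedback(ALERTS).items()):
        print(f"{rule:14} {fb['severity']:13} precision={fb['precision']:<5} -> {fb['action']}")
```

With a `medium` floor the two low-severity incidents are missed and three rules never accumulate outcome data, so neither the `raise_severity` nor the `review_for_suppression` recommendation for them can ever be produced; `rule_feedback` only has something to say once every alert has an outcome.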

Final Thoughts

This report serves as a wake-up call for the cybersecurity industry. It highlights the critical importance of addressing low-severity alerts and the potential consequences of neglecting them. As threat actors become more sophisticated, our defenses must evolve to match their tactics. Ignoring the 'small' threats can lead to significant breaches, and it's time we reevaluate our triage strategies to ensure a more comprehensive and proactive security approach.


Article information

Author: Dan Stracke