Running 17 SOCs and 11 CyberSOCs worldwide gives us unprecedented visibility into the cyber threat landscape. It also reveals some fascinating insights. One of them, which we explore in our Security Navigator report this year, shines light not just on the type of attacks facing enterprises but when they occur.

Our analysis of almost 19,000 verified security incidents between January and October 2020 found that security incidents are observed most often during working hours. Confirmed incidents recorded by our teams peaked just as people arrived in the office, between 9:00am and 10am. They dropped significantly at noon, when people headed for lunch, only to peak again during the mid-afternoon.

Even though the attack volumes were lower, a significant number of incidents were still flagged after people had gone home for the day. They tapered significantly after 5pm, reaching their lowest point at around midnight, when companies experienced only 7% of confirmed incidents. Still, more than 40% of all confirmed incidents were recorded outside of traditional local working hours.

Among these attacks, those that did not need a human victim to trigger them occurred more frequently outside office hours. These are the times that many companies would not be monitoring IT systems, leaving them open to attack.
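The hour-of-day and in-hours versus out-of-hours comparisons described above, and the per-category rankings used in the next section, can be reproduced from a SOC's own incident export. The following is an added example, not the report's own tooling; it uses a small constructed data set, assumes a Mon-Fri 9:00-17:00 local working day, and stores each customer's UTC offset as a plain number (a real pipeline would use IANA time zones, which also handle daylight saving).

```python
from collections import Counter
from datetime import datetime, time, timedelta, timezone

# Constructed sample incidents, not Security Navigator data:
# (detection timestamp in UTC, customer's local UTC offset in hours, incident category).
INCIDENTS = [
    ("2020-03-02T08:15:00+00:00", 1, "malware"),
    ("2020-03-02T08:40:00+00:00", 1, "intrusion"),
    ("2020-03-02T11:30:00+00:00", 1, "webapp"),
    ("2020-03-02T14:05:00+00:00", 1, "malware"),
    ("2020-03-02T22:10:00+00:00", 1, "intrusion"),
    ("2020-03-02T23:50:00+00:00", 1, "intrusion"),
    ("2020-03-02T14:20:00+00:00", -5, "malware"),
    ("2020-03-02T19:45:00+00:00", -5, "webapp"),
    ("2020-03-03T03:30:00+00:00", -5, "dos"),
    ("2020-03-03T06:00:00+00:00", -5, "intrusion"),
    ("2020-03-07T10:00:00+00:00", 1, "malware"),   # Saturday: out of hours
    ("2020-03-03T02:15:00+00:00", 1, "dos"),
    ("2020-03-03T13:00:00+00:00", 1, "malware"),
]

OFFICE_START, OFFICE_END = time(9, 0), time(17, 0)  # assumed local working day, Mon-Fri

def local_time(ts_utc, offset_hours):
    """Convert a UTC ISO timestamp to the customer's local wall-clock time."""
    utc = datetime.fromisoformat(ts_utc)
    return utc.astimezone(timezone(timedelta(hours=offset_hours)))

def in_office_hours(local_dt):
    return local_dt.weekday() < 5 and OFFICE_START <= local_dt.time() < OFFICE_END

def hourly_profile(incidents):
    """Incident count per local hour of day (0-23), to locate the arrival/lunch/afternoon peaks."""
    counts = Counter(local_time(ts, off).hour for ts, off, _ in incidents)
    return {h: counts.get(h, 0) for h in range(24)}

def out_of_hours_share(incidents):
    """Fraction of incidents detected outside local working hours (weekends included)."""
    outside = sum(1 for ts, off, _ in incidents if not in_office_hours(local_time(ts, off)))
    return outside / len(incidents) if incidents else 0.0

def category_ranks(incidents):
    """Rank categories by frequency separately inside and outside office hours."""
    day, night = Counter(), Counter()
    for ts, off, cat in incidents:
        bucket = day if in_office_hours(local_time(ts, off)) else night
        bucket[cat] += 1
    rank = lambda c: {cat: i + 1 for i, (cat, _) in enumerate(c.most_common())}
    return rank(day), rank(night)
```

Comparing the two rank dictionaries category by category is what surfaces the pattern the report describes: categories that climb in the out-of-hours ranking are the ones needing no user interaction.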

Attacks after hours

Among the attacks that occurred more frequently when people were outside the office were external intrusion attempts. These security incidents include scanning and exploiting an exposed service over the Internet.

Intrusion attacks occur at the network layer, requiring no assistance from an unwitting human victim. This was the second most common kind of incident at night, but only the sixth most common during office hours, suggesting that these attacks tend to occur when security teams are less likely to spot them.

Another incident category that is more prominent at night is web application attacks. These ranked 11th in frequency at night compared to 13th during office hours. These security incidents target public-facing web applications and take advantage of coding and configuration mistakes in web applications that can leave functions and resources vulnerable.

These flaws are so common that the Open Web Application Security Project (OWASP) publishes a periodic list of them. The organization is working on a 2020 edition, but the most recent list published in 2017 included some long-standing weaknesses in web applications.

The top web application weakness was injection flaws, which allow attackers to pass database queries directly through user-supplied input such as search parameters. The second most common is broken authentication, which may allow access to data or services without valid user credentials. Most of the vulnerabilities in the list are exploited without requiring legitimate user interaction.

A related incident category is the attempt to compromise externally accessible servers. This happened just as frequently inside and outside of office hours, ranking eighth. These incidents involve non-web servers running a host of services, including synchronization, backup, and other applications.

Attackers can also target web applications with DoS activity. This kind of incident was detected frequently out-of-hours but hardly featured during the day. DoS attacks on websites can take various forms. One example is the use of bots to query products on an ecommerce site, causing it to reserve the products in its inventory in case the user wants to buy them. This hogs the inventory available to legitimate customers, interfering with product sales and the customer experience.

Certain kinds of malware events are also more likely to be detected after hours. Basic malware ‘dropper’ programs often need a human victim to trigger their installation, but after that they can work behind the scenes, contacting a command-and-control (C2) server to download updates and new instructions.

Occasionally, malware doesn’t even need human interaction to install itself. Instead, it can infect other machines on the network on its own by using ‘wormable’ flaws that allow for automated exploits. We saw this in 2017 with the WannaCry attack, and again with the BlueKeep vulnerability, a security hole in Windows Remote Desktop Protocol (RDP) connectivity.

Focusing on employees is not enough

None of these incidents involve user interaction, meaning they can occur at any time. This tells us something important about our security stance: people alone are not a sufficient line of defense.

Employee awareness training will always be important, because most incidents still occur during office hours, when the attacker relies on an unwitting user to cooperate. Encouraging employees not to click on suspicious files or visit unfamiliar links will always be a good security practice. But what about those attacks that don’t need a person to wave them through?

A vigilant security team can fill in the gap by monitoring the network for security events that might correlate to incidents, but not all companies have the resources for a team to be on watch 24/7. In many cases, security teams will run on a skeleton crew out of hours, if at all. This blinds a company to those attacks that occur while employees and security staff are sleeping.

Each one of those attacks represents a potential catastrophe for a company. Ransomware, Denial of Service and Advanced Persistent Threats have taught companies this repeatedly over the years. Companies must prevent every possible attack from slipping through, whereas an adversary need only succeed once. As the volume of attacks increases, the situation will only become more challenging.

All this indicates a requirement to maintain a fully-fledged SOC 24/7, ideally complemented by an incident response team. There are various ways of doing this. A strategy many organizations have found feasible in terms of swift implementation and cost effectiveness is to consider managed detection and response (MDR) services. A good service provider can support existing SOC teams both during office hours and outside of them, and provide emergency containment and recovery whenever needed.
