In today's digital landscape, a dark secret lurks within enterprise security operations: the practice of turning a blind eye. A recent report, analyzing an astonishing 25 million security alerts, has shed light on this alarming trend. The data, encompassing a vast array of endpoints, identities, files, and IP addresses, paints a clear picture: threat actors are exploiting the very gaps that severity-based security operations create.
One of the most concerning revelations is the impact of low-severity alerts. In this analysis, nearly 1% of confirmed incidents originated from these seemingly harmless alerts. At a large-scale enterprise level, this translates to a missed threat every week. It's a stark reminder that detection is not always the issue; it's the triage process that fails.
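The triage failure described above can be made concrete with a small simulation. The following Python is an added example, not code from the report or from Intezer: it runs a constructed alert stream through severity-only triage and then through a full-coverage pass that keeps every alert and escalates a host when several distinct low-severity rules fire on it inside a short window. Host names, rule names and timestamps are constructed; the window and rule-count thresholds are arbitrary assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int        # seconds since start of the sample window (constructed)
    host: str
    severity: str  # "low", "medium" or "high" as assigned by the source tool
    rule: str      # hypothetical detection rule name


# Constructed sample alert stream; none of these are real telemetry.
SAMPLE_ALERTS = [
    Alert(0,   "ws-17",  "low",  "new_scheduled_task"),
    Alert(120, "ws-17",  "low",  "unsigned_binary_in_temp"),
    Alert(300, "ws-17",  "low",  "outbound_to_rare_domain"),
    Alert(10,  "ws-42",  "high", "av_quarantine"),
    Alert(50,  "srv-03", "low",  "new_scheduled_task"),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def severity_triage(alerts, min_severity="high"):
    """Severity-only triage: keep alerts at or above the threshold, drop the rest."""
    floor = SEVERITY_RANK[min_severity]
    return [a for a in alerts if SEVERITY_RANK[a.severity] >= floor]


def correlated_triage(alerts, window=600, min_distinct_rules=2):
    """Full-coverage triage: every alert is kept and grouped per host; a host
    that trips min_distinct_rules different rules inside `window` seconds is
    escalated regardless of the individual alerts' severities."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a.ts):
        by_host[alert.host].append(alert)
    escalated = {}
    for host, host_alerts in by_host.items():
        for i, first in enumerate(host_alerts):
            rules = {a.rule for a in host_alerts[i:] if a.ts - first.ts <= window}
            if len(rules) >= min_distinct_rules:
                escalated[host] = sorted(rules)
                break
    return escalated


def hosts_missed_by_severity_only(alerts, **kwargs):
    """Hosts the correlation step escalates that severity-only triage never surfaced."""
    seen = {a.host for a in severity_triage(alerts)}
    return sorted(h for h in correlated_triage(alerts, **kwargs) if h not in seen)


if __name__ == "__main__":
    print("severity-only:", [(a.host, a.rule) for a in severity_triage(SAMPLE_ALERTS)])
    print("correlated:", correlated_triage(SAMPLE_ALERTS))
    print("missed by severity-only triage:", hosts_missed_by_severity_only(SAMPLE_ALERTS))
```

In the constructed stream, severity-only triage surfaces only the single high-severity alert on `ws-42`, while `ws-17`, which raised three different low-severity rules in five minutes, is never looked at. The correlation pass escalates `ws-17` without any of its alerts being individually reclassified, which is the point the report makes about detection versus triage.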
The EDR Myth
The report's findings challenge a fundamental belief in the security industry: the trustworthiness of EDR (Endpoint Detection and Response) systems. Of the 82,000 alerts that underwent live forensic memory scans, a shocking number of compromised endpoints had been marked as "mitigated" by the EDR vendor. This means that these "clean" machines were, in fact, infected with malware, including well-known families like Mimikatz and Cobalt Strike.
Phishing's Evolution
Phishing attacks have evolved, and traditional email security measures are struggling to keep up. The report highlights how attackers are now using trusted platforms like Vercel, CodePen, and even PayPal's invoicing system to send malicious emails. These campaigns are sophisticated, using Unicode homoglyphs to evade detection and embedding callback numbers in payment notes.
Additionally, attackers are leveraging CAPTCHA mechanisms, like Cloudflare's Turnstile, to their advantage. They use these tools, designed to stop bots, to prevent automated security scanners from detecting their phishing pages.
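The Unicode homoglyph technique mentioned in the phishing section is something a mail gateway or SOC enrichment step can check for directly. The Python below is an added example, not code from the report or from Intezer: it decodes punycode sender domains, flags labels that mix scripts, and compares an NFKC-normalized, confusable-mapped "skeleton" of each label against a list of protected brand names. The confusables table is a small constructed subset of Cyrillic look-alikes (the real Unicode confusables list is much larger), and the protected-name list is a hypothetical one.

```python
import unicodedata

# Constructed subset of Cyrillic characters that render like Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",
}
# Hypothetical brand names the gateway wants to protect.
PROTECTED_NAMES = {"paypal", "vercel", "codepen"}


def to_unicode(domain):
    """Decode punycode labels (xn--...) so inspection sees the rendered characters."""
    if "xn--" in domain.lower():
        return domain.encode("ascii").decode("idna")
    return domain


def script_of(ch):
    """Coarse script bucket taken from the character's Unicode name (heuristic)."""
    tokens = unicodedata.name(ch, "UNKNOWN").split()
    return "LATIN" if "LATIN" in tokens else tokens[0]


def skeleton(label):
    """NFKC-normalize, lowercase, and map known confusables to ASCII."""
    normalized = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(c, c) for c in normalized)


def analyze_domain(domain):
    """Return a list of human-readable findings for a sender or link domain."""
    findings = []
    for label in to_unicode(domain).split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed-script label {label!r}: {sorted(scripts)}")
        sk = skeleton(label)
        if sk != label.lower() and sk in PROTECTED_NAMES:
            findings.append(f"label {label!r} renders like protected name {sk!r}")
    return findings


if __name__ == "__main__":
    for sample in ["paypal.com", "p\u0430ypal.com", "\uff50aypal.com"]:
        print(sample, "->", analyze_domain(sample) or "clean")
```

The mixed-script check catches a Latin label with one Cyrillic letter swapped in; the skeleton check also catches full-width or other compatibility characters that NFKC folds back to ASCII without mixing scripts. Both are heuristics meant to feed a triage score, not to replace a full IDN policy.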
Cloud Telemetry: A Cautious Approach
Cloud alert data reveals a cautious and patient attacker strategy. The focus is on long-term access, with a concentration on defense evasion and persistence tactics. AWS misconfigurations, particularly in S3 bucket configuration, are being exploited to accelerate attackers' actions once they gain a foothold.
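The S3 misconfigurations the cloud section refers to are commonly bucket policies that grant access to an anonymous principal without any narrowing condition. The Python below is an added example, not code from the report or from Intezer: it parses a bucket policy document and reports Allow statements whose principal is `*` (or `{"AWS": "*"}`) and that carry no condition key restricting the caller. The bucket name, account identifier and organization ID are constructed placeholders, and the checker models only the policy document, not account-level Block Public Access or ACLs.

```python
import json

# Condition keys that limit an otherwise-anonymous principal to a known caller.
NARROWING_KEYS = {
    "aws:sourcearn", "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
    "aws:principalorgid", "aws:principalaccount",
}
# Actions that let an anonymous caller modify data or the bucket itself.
WRITE_ACTIONS = {"*", "s3:*", "s3:putobject", "s3:deleteobject",
                 "s3:putbucketpolicy", "s3:putbucketacl", "s3:putobjectacl"}

# Constructed weak policy: anyone on the internet can read and write objects.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadWrite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed hardened policy: reads limited to one organization, plus a TLS-only deny.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OrgReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-PLACEHOLDER"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _has_narrowing_condition(statement):
    keys = {k.lower() for operator in statement.get("Condition", {}).values() for k in operator}
    return bool(keys & NARROWING_KEYS)


def public_statements(policy_json):
    """Return the Allow statements that grant unrestricted anonymous access."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if _has_narrowing_condition(stmt):
            continue
        actions = _as_list(stmt.get("Action", []))
        risk = "write" if any(a.lower() in WRITE_ACTIONS for a in actions) else "read"
        findings.append({"sid": stmt.get("Sid"), "actions": actions, "risk": risk})
    return findings


if __name__ == "__main__":
    print("weak:", public_statements(WEAK_POLICY))
    print("hardened:", public_statements(HARDENED_POLICY))
```

Run against real policies, the output is a short list of statement IDs to review rather than a verdict; the `risk` field separates anonymous write access, which lets an attacker plant or alter content, from anonymous read, which is a data-exposure problem.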
The Limitations of Traditional SOCs and MDRs
The problem is not just technological; it's an operational and capacity issue. Human analysts cannot keep up with the sheer volume of alerts, and as telemetry expands across various domains, every SOC reaches a limit. The solution often becomes triage: investigate only the critical alerts and trust severity labels. However, as the report shows, this trust is often misplaced.
MDR providers face similar constraints, and the feedback loop is broken. When low-severity alerts are ignored, the system cannot self-improve, as it lacks the necessary data to do so.
The Power of Full-Coverage Investigation
The report also presents a potential solution: investigating all alerts, regardless of severity. By leveraging AI-powered SOCs, like Intezer's, the need for human analyst capacity is significantly reduced. The results are promising: early-stage threats are caught before they escalate, and detection rules are continuously improved.
For security teams, this means a shift in focus from initial classification to decision-making, ensuring a more proactive and effective security posture.
Conclusion
The insights from this report are a wake-up call for the security industry. It's time to reevaluate our approaches and embrace new technologies that can provide full-coverage investigation. Only then can we hope to stay ahead of the evolving threat landscape.