TAMPA, Fla. – March 26, 2024 – The majority of cyber-attacks against organizations are perpetrated via social engineering of employees, and criminals are using new methods including AI to supercharge their techniques. This is according to the ReliaQuest Annual Threat Report, which contains in-depth analysis of key security incidents and research from the past year, offering insights into the threats that organizations face. 

Some 71% of all attacks trick employees via the use of phishing, and of particular concern is a sharp rise in QR code phishing, which increased 51% last year compared to the previous eight months. Employees are also being duped into downloading fake updates – often to their web browser. Drive-by compromise has been traditionally defined as the automatic download of a malicious file from a compromised website without user interaction. However, in most cases reviewed during the reporting period, user action was involved—facilitating initial access in nearly 30% of incidents.  

The use of AI to accelerate these attacks is gaining significant attention on major cybercriminal forums, with growing interest in weaponizing this technology. ReliaQuest has found dedicated AI and machine-learning sections of these sites, which detail criminal alternatives to mainstream chatbots, such as FraudGPT and WormGPT, and hint at the development of simple malware and distributed denial of service (DDoS) queries using these options. AI systems can now replicate a voice using a sample, and video-call deepfakes are aiding threat actors. Additionally, ReliaQuest has noted that a growing number of threat actors are automating various stages of their attacks, or the entire attack chain – particularly for Citrix Bleed exploitation.

However, while AI-powered automation is being leveraged by attackers, it has also delivered a step change in defensive capabilities among organizations. AI-enabled automated workflows have allowed ReliaQuest customers to respond to threats within minutes rather than days. For example, while ReliaQuest customers utilizing traditional approaches saw an average Mean Time to Respond (MTTR) of 2.3 days, organizations that opted to leverage some level of AI and automation saw a reduction to 58 minutes: a 99% decrease from 2022. Even more encouraging, customers who fully leveraged AI and automation are seeing reductions of MTTR down to 7 minutes or less.

Financial theft stood out as the primary objective of criminals in 2023, driving 88% of customer incidents. Extortion activity increased by 74%, with a record 4,819 compromised entities named on data-leak websites from ransomware groups, with LockBit alone accounting for 1,000-plus entities. 

ReliaQuest noted a significant threat from suspected nation-state actors using so-called ‘living off the land’ (LotL) techniques. In such incidents, threat actors seek to hide their activity via defense-evasion techniques, such as log clearing and infiltrating PowerShell. In an intrusion ReliaQuest observed in April 2023, a Chinese state-sponsored threat group primarily focused on using LotL commands to blend into a company’s environment. The group’s discreet LotL activity allowed access for more than a month.

Michael McPherson, ReliaQuest’s Senior Vice President of Technical Operations, said: “As the threat continues to evolve, defenders must stay agile, using AI and automation to keep pace with the latest attack techniques. Time is the enemy in cybersecurity. To proactively protect against these risks, companies should maximize visibility across their networks and beyond the endpoint, fully leverage AI and automation to better understand and use their own data, and equip their teams with the latest threat intelligence, as outlined in our recommendations. With this approach, in the next year we expect customers who fully leverage our AI and automation capabilities to contain threats within 5 minutes or less.”

The ReliaQuest Annual Threat Report contains detailed remediation advice, including specific sections on stopping Business Email Compromise (BEC) attempts and ransomware attacks, as well as social engineering and multifactor authentication (MFA) abuse. There are also sections on preventing malware-free activity and on staying on top of the latest tactics, techniques and procedures (TTPs).

Please see here for the full research report: https://www.reliaquest.com/resources/research-reports/annual-threat-report-2024  

About ReliaQuest 

ReliaQuest is the force multiplier of security operations. Our security operations platform, GreyMatter, automates detection, investigation and response across cloud, endpoint, and on-premise tools and applications. GreyMatter is cloud native, built on an open XDR architecture and delivered as a service any time of the day, anywhere in the world. With over 800 customers worldwide and 1,200+ teammates working across six global operating centers, ReliaQuest is driving outcomes for the most trusted enterprise brands in the world. We exist to make security possible. For more information visit www.reliaquest.com