The SOC case files: XDR’s automation offers rapid cloud protection

• An employee at a telecommunications company connected as usual to their cloud account.
• They then appeared to travel a distance of 361 km, roughly 225 miles, at nearly twice the speed of sound before logging in again, according to the data reaching Barracuda Managed XDR’s automated detection systems.
• These detection systems simultaneously registered that:
  • The second user login used a different device.
  • The second login came from an IP and location that was unusual for this user.
  • The system flagged this IP as malicious.
• Taken together, the data showed a 99% chance that a threat actor had compromised the account.
• Since the company had Automated Threat Response as part of XDR Cloud Security, the system automatically suspended the impacted account, alerted the customer, and shut down the incident.

The incident was detected, contained, and mitigated by the Automated Threat Response functionality of Barracuda Managed XDR Cloud Security. Barracuda Managed XDR is an extended visibility, detection, and response (XDR) service that provides customers with round-the-clock human and AI-led threat detection, analysis, incident response, and mitigation services to protect against complex threats.

How the attack unfolded

One afternoon at around 3:25 p.m., an employee at a telecommunications company connected to their cloud account with their usual device and from their usual location.

• They then appeared to travel at over 2,160 km per hour, the speed of an advanced Lockheed SR-71 Blackbird reconnaissance plane, to a location they’d rarely visited, if at all, and logged into their account again using another device.
• This anomalous activity triggered a whole range of red flags in Barracuda XDR detection systems.
• The system identified the second login as suspicious and unauthorized.
• It exhibited four characteristics that suggested account compromise with 99% confidence:
  • The ‘impossible travel’ scenario, a distance of 361 km (roughly 225 miles) traveling at nearly twice the speed of sound between logins.
  • The attacker used a different device in the second, suspicious login.
  • Barracuda Managed XDR’s machine learning indicators flagged the IP address and location associated with the suspicious login as ‘rare’ for the impacted user account.
  • Threat intelligence flagged the IP address used in the suspicious login event as possibly malicious.

Threat response and mitigation

• Not long after the second login attempt, XDR’s machine-learning model validated the anomalous characteristics of the suspicious login event and triggered a malicious detection alert.
• Six minutes later, XDR automatically suspended the impacted account and issued a security warning to the organization.
• A cybersecurity analyst from the SOC followed up with a call to the organization to let them know in person. The organization confirmed the incident as a true positive.