Almost half of all security incidents happen after work

Arctic Wolf publishes its 2024 Security Operations Report, based on data and observations collected and analyzed worldwide by the Arctic Wolf Security Operations platform over the past year.

Arctic Wolf’s latest Security Operations Report analyzes more than 250 trillion security events from more than 6,500 organizations, providing insights into the modern threat landscape and sharing best practices to help organizations benefit from the expertise and experience of one of the world’s largest Security Operations Centers (SOC) and achieve better security outcomes.

The number of cyber attacks remains high, even though more and more security tools are being used – unfortunately mostly without a holistic prevention and detection strategy. Given the threat situation of the last year – with large-scale IT outages, thousands of new critical vulnerabilities, malicious activities by state threat actors and increased use of AI by attackers – many companies are faced with the challenge of managing their cyber risk effectively.

Hackers don’t have a closing time

The analysis in the Arctic Wolf Security Operations Report 2024 found that almost half of all security incidents (45%) occur outside of traditional working hours, between 8 p.m. and 8 a.m. In addition, up to 20% of security alerts were recorded on the weekend, between Friday 8 p.m. and Monday 8 a.m. Cybercriminals appear to deliberately take advantage of times when security teams are off duty or thinly staffed. In the early stages of an attack, attackers also often hide among the log entries of legitimate users. This allows them to reduce the risk of being discovered, increase their dwell time and exploit the limited responsiveness of companies. The widespread adoption of cloud-based applications also makes companies an attractive target around the clock.

Attackers target key business applications

Arctic Wolf’s analysis also shows the software applications that were most frequently exploited by attackers during the evaluation period:

  1. Windows 10 OS (unpatched or missing security updates)
  2. MS Outlook (2016 and 2013)
  3. Cisco IOS XE WebUI
  4. Office 365 (2016 Click-to-Run)
  5. Apache ActiveMQ

This list does not consist of niche applications or examples of shadow IT, but of critical business applications that are used every day in many modern organizations.

Identity telemetry dominates the top 10 list of alert triggers, highlighting the importance of IAM in detecting modern threats.

(Source: Arctic Wolf)

“Because companies cannot do without these applications, a certain basic or residual risk of cyber attacks is unavoidable,” says Dr. Sebastian Schmerl, Regional Vice President Security Services EMEA at Arctic Wolf. “At the same time, the report’s evaluations underline the importance of a risk management program to identify vulnerabilities and patch them promptly. This remains one of the most effective means of risk reduction and effectively protects against known vulnerabilities and commonly used exploits.”

Identity telemetry is critical for threat detection

Telemetry data from identity and access management (IAM) tools topped the list of threats and indicators of compromise (IOC) that triggered the most alerts during the evaluation period. These included, for example, login attempts from blocked countries. In second and third place were unusual firewall changes and added email forwarding rules.

This list is consistent across industries, showing that different attacks and attackers rely on the same “building blocks.” The exception is the banking sector, where “unusual firewall changes” ranks first. The evaluation underlines the crucial role of IAM as part of a strong security strategy and as an element of zero-trust initiatives.
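The two findings above, the low-coverage windows (8 p.m. to 8 a.m., and Friday 8 p.m. to Monday 8 a.m.) and the three top alert triggers (logins from blocked countries, unusual firewall changes, added email forwarding rules), are combined in the following added example. It is not code from the report or from Arctic Wolf: the alert records, the alert type names, the blocked-country list and the timestamp format are all constructed assumptions, and the point is to show how a defender could tag incoming alerts with the window they fell into so the on-call rota can be checked against real alert timing.

```python
from datetime import datetime, time
from typing import Optional

# Constructed sample alerts (not report data); timestamps are local time, ISO 8601.
SAMPLE_ALERTS = [
    {"ts": "2024-03-08T21:15:00", "type": "login", "geo": "XX", "user": "alice"},
    {"ts": "2024-03-09T03:40:00", "type": "firewall_change", "user": "svc_fw"},
    {"ts": "2024-03-11T07:55:00", "type": "mailbox_rule_added", "user": "bob"},
    {"ts": "2024-03-12T10:00:00", "type": "login", "geo": "DE", "user": "carol"},
    {"ts": "2024-03-12T14:00:00", "type": "mailbox_rule_added", "user": "dave"},
]
BLOCKED_COUNTRIES = {"XX"}          # assumed deny-list; "XX" is a placeholder code
OUT_OF_HOURS_START = time(20, 0)    # 8 p.m.
OUT_OF_HOURS_END = time(8, 0)       # 8 a.m.

def window_tags(ts_str: str) -> dict:
    """Tag a timestamp with the report's two low-coverage windows:
    out_of_hours = 8 p.m. to 8 a.m. any day; weekend = Fri 8 p.m. to Mon 8 a.m."""
    ts = datetime.fromisoformat(ts_str)
    t, wd = ts.time(), ts.weekday()  # Monday=0 ... Sunday=6
    out_of_hours = t >= OUT_OF_HOURS_START or t < OUT_OF_HOURS_END
    weekend = (wd in (5, 6)
               or (wd == 4 and t >= OUT_OF_HOURS_START)
               or (wd == 0 and t < OUT_OF_HOURS_END))
    return {"out_of_hours": out_of_hours, "weekend": weekend}

def top_trigger(alert: dict) -> Optional[str]:
    """Map an alert onto one of the three top triggers the report names, else None."""
    kind = alert["type"]
    if kind == "login" and alert.get("geo") in BLOCKED_COUNTRIES:
        return "login from blocked country"
    if kind == "firewall_change":
        return "unusual firewall change"
    if kind == "mailbox_rule_added":
        return "email forwarding rule added"
    return None

def triage(alerts: list) -> list:
    """Keep alerts that hit a top trigger, tagged with the coverage window they fell in."""
    findings = []
    for a in alerts:
        trigger = top_trigger(a)
        if trigger is None:
            continue
        findings.append({"user": a["user"], "trigger": trigger, **window_tags(a["ts"])})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print(f)
```

Counting how many of the matched findings carry `out_of_hours` or `weekend` tags over a few weeks of real alerts gives the same kind of ratio the report cites and shows directly where the on-call coverage gap is.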

A multitude of security tools overwhelms IT teams

Security applications help to detect attacks as quickly as possible and limit potential damage and costs. In practice, however, IT teams are often overwhelmed by the large number of warning messages from the various security solutions.

“In practice, we see that most companies have the necessary security tools. The challenge is to configure and monitor the tools correctly. Teams do not have the time to filter out the real warnings that require a quick response from the flood of false alarms. As part of a security strategy, therefore, not only should security applications be purchased, but it should also be defined how the alerts can be efficiently validated in order to then respond with an emergency plan. Companies that rely on security operations are more secure, more resilient and better able to adapt to the constantly changing threat landscape.”

The complete Security Operations Report 2024 is available here for download.

Source: www.com-magazin.de