Security Operations, SOC, Identity, Decentralized identity and verifiable credentials

Over half of security alerts occur outside of business hours

Header graphic features a laptop with a red warning triangle and alert icons, dark background with streaming green code. It suggests concepts of cybersecurity threats, hacking, and system errors.

(Adobe Stock)

A Sept. 16 report from Arctic Wolf details how threat actors have accelerated their tactics, exploiting identity and timing to bypass network defenses.

The report’s primary finding: 51% of alerts issued occurred outside of business hours, with 15% of total alerts taking place on weekends.

Arctic Wolf researchers also found that certain vertical sectors remain prime targets, with education, healthcare, and manufacturing topping the charts for attack volume largely because of outdated infrastructure, the high value of the data they store, and low tolerance for downtime.

“Today’s threat landscape is defined by round-the-clock attacks that target identity, exploit timing, and drive alert fatigue, leaving defenders to navigate increasingly complex tactics,” said Dan Schiappa, president, technology and services, Arctic Wolf. “Our report distills those insights into clear guidance organizations can use to strengthen defenses and prepare for what comes next.”

Gary Orenstein, CCO at Bitwarden, said Arctic Wolf’s report underscored that identity compromise has become the most reliable entry point for attackers. With over half of alerts occurring outside business hours, Orenstein said adversaries are timing intrusions to coincide with thinner defenses and escalating privileges through weak, stolen, or unmonitored credentials.

“If identity is the new security perimeter, it has also become the primary attack surface,” said Orenstein. “Attackers are compressing the response window, exploiting VPNs, firewalls, and privilege escalation pathways to encrypt unmonitored systems in under 90 minutes.”

James Maude, Field CTO at BeyondTrust, said threat actors rarely work 9 to 5, so it’s no surprise that 51% of alerts occur outside business hours and 15% happen on weekends. In many cases, Maude said it’s not simply a time zone difference, but a deliberate ploy to strike when security pros are away from the keyboard.

“This is especially effective for identity-based attacks as a user logging in on a weekend might not seem like they are suspicious and running malware,” said Maude. “One of the big reasons user identities are easily exploited on off-hours is that they have standing privileges and more often than not are over- privileged. When that’s the case, if a threat actor compromises an identity, they acquire 24/7 access with all the privileges the user has during the work day.”

Damon Small, a board member at Xcape Inc., added that the finding that many identity-based attacks happen outside of business hours is not terribly surprising given that the attackers can be anywhere in the world.  

“What the study fails to mention is that the likelihood of compromise is increased when a company relies only on username/password pairs,” said Small. “Organizations should use MFA to further protect their identities.”

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Basic AuthenticationBiometricsBlue TeamCertificate-Based AuthenticationChallenge-Handshake Authentication Protocol (CHAP)Cold Warm Hot Disaster Recovery SiteCountermeasureDaemonDigest AuthenticationDiscretionary Access Control (DAC)

You can skip this ad in 5 seconds