Research based on the analysis of incidents reported to customers of Kaspersky Managed Detection and Response (MDR) has revealed that the share of critical incidents experienced by organizations increased from one-in-ten (9%) in 2020, to one-in-seven (14%) in 2021.
Increasingly complex infrastructures, shortage of skilled professionals and a growing sophistication of attacks can all affect the efficiency of cybersecurity teams and their ability to identify adversarial activity before incidents happen. To provide insights on the current threat landscape, Kaspersky analyzed anonymized customer incidents identified via its MDR service in 2021.
According to the resulting report, organizations across all industries experienced high severity incidents during this period, with most verticals facing multiple types. The most frequent causes of critical incidents remained the same as the previous year, with the biggest share (40.7%) belonging to targeted attacks. Malware with critical impact was identified in 14% of cases, and a little less than 13% of high severity incidents were classified as exploitation of publicly exposed critical vulnerabilities. Social engineering also remained a relevant threat, accounting for almost 5.5% of incidents caused.
Targeted attacks in 2021 were detected in each vertical represented in the research, except for education and mass media, even though there were reported incidents related to targeted attacks within media organizations. The largest number of human-driven attacks were detected in government, industrial, IT and financial verticals.
High severity incidents are distinguished by a wide use of living-off-the-land (LotL) binaries, of a non-malicious nature, that are already available in a targeted system. These tools allow cybercriminals to hide their activity and minimize the chances of being detected during the first stages of an attack. In addition to widely used rundll32.exe, powershell.exe and cmd.exe, tools such as reg.exe, te.exe and certutil.exe have are often used in critical incidents.
To better prepare themselves against targeted attacks, organizations can employ services which conduct ethical offensive exercises. This type of activity simulates complex adversarial attacks to examine a company’s cyber-resilience. According to Kaspersky’s MDR analysts, this was only applied in 16% of organizations.
“The MDR report once again shows that sophisticated attacks are here to stay, and more and more organizations are facing critical incidents. One of the most pressing issues here is that high severity incidents require more time to investigate and provide recommendations on remediation steps. Last year, Kaspersky analysts managed to significantly reduce this indicator from 52.6 minutes in 2020, to 41.4 minutes. This was achieved by adding more incident card templates, and introduction of new telemetry enrichments that speed up triage,” comments Sergey Soldatov, Head of Security Operations Center, Kaspersky.
To protect your organization from advanced attacks, Kaspersky recommends the following:
- Deploy a solution that combines detection and response capabilities and managed threat hunting to help identify both known and unknown threats without involving additional in-house resources. An alert-driven approach is no longer effective for reacting to modern threats.
- Provide your SOC team with access to the latest threat intelligence, to ensure in-depth visibility into cyberthreats targeting your organization.
- Implement expert Incident Response training to improve the expertise of your in-house digital forensics and incident response team. That will help verify and handle threats quicker and minimize the incident impact.
- To reduce the likelihood of targeted attacks, provide your staff with essential cybersecurity knowledge. Social engineering is still very popular and applies even in high severity incidents.
The full Kaspersky Managed Detection and Response analytics report is available via this link.