About 56% of the Incident Response (IR) requests processed by Kaspersky security experts in 2018 came after the fact, once the organization had already suffered an attack with visible consequences such as unauthorized money transfers, workstations encrypted by ransomware, or unavailable services. The remaining 44% of requests were processed after an attack was detected at an early stage, sparing the client from potentially serious consequences. These are some of the key findings of Kaspersky's latest Incident Response Analytics report.
It is often assumed that incident response is only needed once a digital attack has already caused damage and a post-incident investigation is required. However, an analysis of the incident response cases handled by Kaspersky security experts during 2018 shows that the service is not only an investigative tool but also a way to detect an attack at an earlier stage, with the aim of preventing damage.
In 2018, 22% of incident response cases began after possible malicious activity was detected on the network, and a further 22% began after a malicious file was found on the network. Even without other signs of a breach, both of these findings may indicate an ongoing attack. However, not every in-house security team can tell whether its automated security tools have already detected and blocked the malicious activity, or whether what they saw was only the visible beginning of a larger, still hidden operation on the network that calls for help from an external partner. When such findings are misclassified, malicious activity can grow into a serious digital attack with real consequences. In 2018, 26% of the cases investigated after the fact involved ransomware encryption, and 11% of the attacks resulted in the theft of money. A further 19% of the cases investigated after the fact were triggered by the detection of spam sent from a corporate email account, the detection of a service outage, or the detection of a successful breach.
“This situation shows that in many companies there is definitely room for improvement in detection methods and incident response procedures. The earlier an organization detects an attack, the less severe the consequences will be. But in our experience, companies often do not pay close attention to findings from serious attacks, and our incident response team is often called in when it is already too late to prevent damage. On the other hand, we see that many companies have learned how to evaluate the signs of a serious digital attack on their network, and we have been able to prevent those that could have developed into more serious incidents. We invite other organizations to view this as a successful case study,” said Ayman Shaaban, a security expert at Kaspersky.
Additional findings of the report include:
- 81% of the organizations that provided data for analysis were found to have indicators of malicious activity within their network.
- 34% of organizations reported signs of advanced targeted attack.
- 54.2% of financial institutions were found to have been attacked by one or more advanced persistent threat (APT) groups.
In order to respond effectively to incidents, Kaspersky recommends:
- Make sure the company has a dedicated team (or at least one employee) responsible for IT security issues within the company.
- Maintain backups of critical assets.
- To respond to a digital attack in a timely fashion, combine an in-house incident response team as the first line of response with external contractors who can scale up for more complex incidents.
- Develop an incident response plan with detailed instructions and procedures for different types of digital attacks.
- Introduce employee awareness training to educate them about digital hygiene and explain how they can identify and avoid potentially malicious emails or links.
- Apply a patch management process to keep software up to date.
- Regularly conduct a security assessment of your IT infrastructure.
You can read the full report on the dedicated Securelist.com website.