Research based on the analysis of incidents reported to customers of Kaspersky Managed Detection and Response (MDR) has revealed that the share of critical incidents experienced by organisations increased from one-in-ten (9%) in 2020, to one-in-seven (14%) in 2021.
Increasingly complex infrastructures, a shortage of skilled professionals and the growing sophistication of attacks can all affect the efficiency of cybersecurity teams and their ability to identify adversarial activity before incidents happen. To provide insights on the current threat landscape, Kaspersky analysed anonymised customer incidents identified via its MDR service in 2021.
According to the resulting report, organisations across all industries experienced high severity incidents during this period, with most verticals facing multiple types. The most frequent causes of critical incidents remained the same as the previous year, with the biggest share (40.7%) belonging to targeted attacks. Malware with critical impact was identified in 14% of cases, and a little less than 13% of high severity incidents were classified as exploitation of publicly exposed critical vulnerabilities. Social engineering also remained a relevant threat, accounting for almost 5.5% of incidents.
Targeted attacks in 2021 were detected in each vertical represented in the research, except for education and mass media, even though there were reported incidents related to targeted attacks within media organisations. The largest number of human-driven attacks were detected in government, industrial, IT and financial verticals. In particular, targeted attacks accounted for two-thirds (66%) of all critical incidents in the government sector, more than half (55%) in healthcare and 40% in the construction industry.
High severity incidents are distinguished by wide use of living-off-the-land (LotL) binaries: non-malicious tools that are already available on a targeted system. These tools allow cybercriminals to hide their activity and minimise the chances of being detected during the first stages of an attack. In addition to the widely used rundll32.exe, powershell.exe and cmd.exe, tools such as reg.exe, te.exe and certutil.exe are often used in critical incidents.
To better prepare themselves against targeted attacks, organisations can employ services which conduct ethical offensive exercises. This type of activity simulates complex adversarial attacks to examine a company’s cyber-resilience. According to Kaspersky’s MDR analysts, this was only applied in 16% of organisations.
“The MDR report once again shows that sophisticated attacks are here to stay, and more and more organisations are facing critical incidents. One of the most pressing issues here is that high severity incidents require more time to investigate and provide recommendations on remediation steps. Last year, Kaspersky analysts managed to significantly reduce this indicator from 52.6 minutes in 2020 to 41.4 minutes. This was achieved by adding more incident card templates, and the introduction of new telemetry enrichments that speed up triage,” says Sergey Soldatov, head of Security Operations Center, Kaspersky.