Over 50% of incident response requests occur after damage complete – Kaspersky

02 Sep 2019

Around 56% of Incident Response (IR) requests processed by Kaspersky security experts in 2018 happened after the affected organisation experienced an attack that had visible consequences such as unauthorised money transfers, workstations encrypted by ransomware and service unavailability.

44% of requests were processed after the detection of an attack during an early stage, saving the client from potentially severe consequences.

These are among the main findings of Kaspersky’s latest Incident Response Analytics Report.

It is often assumed that incident response is only needed in cases when damage from a cyber-attack has already occurred and there is a need for further investigation.

However, analysis of multiple incident response cases in which Kaspersky security specialists participated during 2018 shows that incident response can serve not only an investigative function but also as a tool for catching an attack at an earlier stage, before damage is done.

In 2018, 22% of IR cases were initiated after detection of potential malicious activity in the network, and an additional 22% were initiated after a malicious file was found in the network.

Without any other signs of a breach, both cases may suggest that there is an ongoing attack.

However, not every corporate security team can tell whether automated security tools have already detected and stopped the malicious activity, or whether it was just the beginning of a larger, invisible malicious operation in the network for which external specialists are needed.

When that assessment is wrong, the malicious activity evolves into a serious cyberattack with real consequences.

In 2018, 26% of investigated late cases were caused by infection with encryption malware, while 11% of attacks resulted in monetary theft.

19% of late cases were a result of detecting spam from a corporate email account, detection of service unavailability or detection of a successful breach.

“This situation indicates that in many companies there is certainly room for improvement of detection methods and incident response procedures,” says Kaspersky security expert Ayman Shaaban.

“The earlier an organisation catches an attack, the smaller the consequences will be.

“But based on our experience, companies often do not pay proper attention to artefacts of serious attacks, and our incident response team is often called in when it is already too late to prevent damage.

“On the other hand, we see that many companies have learned how to assess signs of a serious cyberattack in their network and we were able to prevent what could have been more severe incidents.”

Additional findings of the report include:

  • 81% of organisations that provided data for analysis were found to have indicators of malicious activity in their internal network.
  • 34% of organisations exhibited signs of an advanced targeted attack.
  • 54.2% of financial organisations were found to be attacked by an advanced persistent threat (APT) group or groups.

To effectively respond to incidents, Kaspersky recommends:

  • Make sure the company has a dedicated team (or at least one employee) responsible for IT security issues in the company.
  • Implement backup systems for critical assets.
  • To respond to a cyberattack in a timely manner, combine an in-house IR team as the first line of response with contractors to whom more complex incidents can be escalated.
  • Develop an IR plan with detailed guidance and procedures for different types of cyberattacks.
  • Introduce awareness training for employees to educate them on digital hygiene and explain how they can recognise and avoid potentially malicious emails or links.
  • Implement patch management procedures to keep software up to date.
  • Regularly conduct security assessment of your IT infrastructure.