Almost 90 per cent of the cyber attacks Kaspersky’s incident response team was called in on last year were caused by three factors: brute force attacks, exploits of vulnerabilities in public-facing applications and employees falling for malicious emails.
That is one of the main findings in Kaspersky’s annual Incident Response Analyst Report, which was released this week. The report looks at cases around the world where Kaspersky was called in to help corporate IT teams in 2020.
Brute force attacks and exploits each accounted for 31.5 per cent of incidents, successful or not. Another 23.6 per cent of incidents were blamed on users clicking on malicious links or opening infected documents.
The numbers suggest “a lot of victims of incidents struggle with basic security controls like patch and [user] account management,” Gleb Gritsai, head of Kaspersky’s security services division, said in an interview.
In fact, he added, in 2019, brute force attacks accounted for around 13 per cent of incidents that Kaspersky experts were called in on. That means that brute force attacks as a cause of an incident almost tripled in one year.
Gritsai believes the increase in the number of employees working from home and connecting back into the enterprise was responsible.
He also noted that many of the application exploits leveraged last year were vulnerabilities discovered — and patched — in 2017, 2018 and 2019.
One piece of good news the data suggests is that better malicious email detection — by antivirus software, gateways and even employees — may be paying off. Email used to be a prime way threat actors launched attacks, Gritsai said. Last year it was number three.
What was surprising in these and other numbers in the report, Gritsai said, is that they suggest last year threat actors turned from targeted attacks to going after “low-hanging fruit” and capitalizing on organizations with a low level of cybersecurity maturity.
Among other interesting numbers in the report:
– 53 per cent of the reasons organizations called for help was “suspicious activity,” meaning in some cases an attack was detected and might have been stopped. But in 36.7 per cent of all cases files had already been encrypted;
– 10 per cent of all cases were later determined to be false positives by security software. In fact, of all the cases involving suspicious activity, 25 per cent involved false positives from network or endpoint sensors. Gritsai said that suggests IT departments aren’t correlating event data well. Enriched data, he said, would detect false positives better.
He also said post-incident analysis shows IT teams are missing warning signs in Windows and other security software logs.
– Attacker dwell time is worrisome: 32 per cent of successful attacks lasted days before being detected, 22 per cent lasted weeks and 18 per cent lasted months. Twenty-eight per cent only lasted hours.
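The two points above, that brute force is now the leading cause of incidents and that the warning signs are sitting unread in Windows logs, come together in a simple correlation check. The script below is an added example, not code from Kaspersky or from the report: it reads constructed logon events in a simplified "timestamp,event_id,account,source_ip" form (real Windows Security events 4625 and 4624 carry many more fields) and flags, per source address, a burst of failed logons, a password-spray pattern (one source, many accounts) and a success that follows a run of failures. The thresholds and window are assumptions chosen for the sample data.

```python
"""Correlate failed/successful logon events per source IP to surface brute force
and password-spray activity. Added example with constructed data; the event
format is a simplified stand-in for Windows Security events 4625/4624."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample events (not real data): a brute-force burst against one
    account, a password spray across several accounts, and a user who mistyped twice."""
    base = datetime(2020, 11, 3, 8, 0, 0)
    lines = []
    # 12 failures against 'admin' from one source inside two minutes, then a success
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()},4625,admin,203.0.113.7")
    lines.append(f"{(base + timedelta(seconds=130)).isoformat()},4624,admin,203.0.113.7")
    # one failure each against six different accounts from a second source (spray)
    for i, acct in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()},4625,{acct},198.51.100.9")
    # a legitimate user mistyping twice and then logging in (should not be flagged)
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()},4625,grace,192.0.2.5")
    lines.append(f"{(base + timedelta(minutes=3, seconds=20)).isoformat()},4625,grace,192.0.2.5")
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()},4624,grace,192.0.2.5")
    return "\n".join(lines)


def parse_events(text):
    """Parse 'timestamp,event_id,account,source_ip' lines into tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, account, src = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), account, src))
    return events


def detect_bruteforce(events, window=timedelta(minutes=5), fail_threshold=10, spray_accounts=5):
    """Return {source_ip: finding} for sources that show a failure burst, a spray
    pattern, or a success immediately following a run of failures.

    4625 = failed logon, 4624 = successful logon (Windows Security event IDs)."""
    events = sorted(events)
    recent = defaultdict(deque)  # source_ip -> (timestamp, account) failures within window
    findings = {}
    for ts, event_id, account, src in events:
        q = recent[src]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if event_id == 4625:
            q.append((ts, account))
            distinct = {a for _, a in q}
            f = findings.setdefault(src, {"fail_count": 0, "distinct_accounts": 0,
                                          "spray": False, "success_after_failures": None})
            f["fail_count"] = max(f["fail_count"], len(q))
            f["distinct_accounts"] = max(f["distinct_accounts"], len(distinct))
            if len(distinct) >= spray_accounts:
                f["spray"] = True
        elif event_id == 4624 and len(q) >= fail_threshold:
            # a successful logon right after a burst of failures is the highest-priority signal
            findings[src]["success_after_failures"] = (ts.isoformat(), account)
    return {src: f for src, f in findings.items()
            if f["fail_count"] >= fail_threshold or f["spray"] or f["success_after_failures"]}


if __name__ == "__main__":
    for src, finding in detect_bruteforce(parse_events(build_sample_log())).items():
        print(src, finding)
```

The per-source sliding window is what turns individual 4625 events, each unremarkable on its own, into a finding; the spray check is separate because a spray keeps the per-account failure count below any lockout threshold and so never trips a simple count. In production the same logic would run on a SIEM or log forwarder feed rather than on a string, and the window and thresholds should be tuned against the organization's own baseline.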
“Setting up and controlling password policies, security patch management and employee awareness along with anti-phishing measures can significantly minimize the capabilities of external attackers,” the report concludes.
Implementing an appropriate patch management policy alone reduces the likelihood of becoming a victim by 30 per cent according to Kaspersky data, the report adds, while implementing a robust password policy reduces the likelihood by 60 per cent.