Important minority: 1% of corporate network “noise” are stealthy targeted attacks
October 2019 by Kaspersky Lab
In the first half of 2019, only a handful (1.26%) of Indicators of Attack (IoA) alerts on device endpoints were identified as cybersecurity incidents, according to Kaspersky’s Managed Detection and Response Analytics Report. Of the 40,806 alerts generated via IoAs, only 515 resulted in detected incidents. Yet, most of those incidents were related to sophisticated targeted attacks that use so-called “living off the land” techniques, deployed by threat actors to hide malicious activity within legitimate user and administrator behavior.
Unlike Indicators of Compromise (IoC)-based detection methods, IoAs allow attack identification based not on known malicious files or other artifacts, but on so-called the tactics, techniques and procedures of threat actors. Or, in other words, ways in which particular threat actors tend to attack their victims. With attacks utilising “living of the land” techniques, which are becoming more and more popular, IoA-based detection methods prove to be the most effective.
This is confirmed by other findings of the report, which is based on multiple levels of analysis of results from Kaspersky Managed Protection Service provided by multiple organisations from sectors including financial, governmental, industrial and transportation as well as IT and telecom.
While cybersecurity incidents were identified in almost all tactics of the ‘cyber-kill chain’, the greatest number of attacks were found in the stages that are considered the “nosiest” (where the likehood of false positives is relatively higher): execution (37%), defense evasion (31%), lateral movement (16%) and impact (16%). When combating these tactics, the research found that endpoint protection products (EPP) are an effective threat response tool for 97% of the incidents identified – with 47% of these classified as medium severity, including malware such as Trojans and Cryptors, and 50% at low severity — including unwanted programs such as adware or riskware.
However, when it comes to advanced and unknown threats or those classified as high severity (3%), traditional EPP solutions alone are less effective. These type of threats – including targeted attacks or complex malware, often launched through “living off the land” tactics – require an additional level of TPP-based detection, manual threat hunting and analysis.
“One of the key takeaways of our Managed Detection and Response Analysis we have worked on in the last six months, is that if you don’t see a large number of false-positive events in your network, that probably means that you are missing a lot of important security incidents. Therefore, you should switch towards more wide-scale usage of Indicators of Attack methods, among other tools. With “living of the land” and other malware-less stealthy attack techniques out there in the wild, it is completely ineffective to only rely on classic IoC-based or other known detection methods. While IoA-based alerts are much trickier to investigate due to the necessity to perform a lot of research to create efficient IoA and then a lot of manual analysis (when the IoA are triggered), our statistics show that these are most prone to false positives yet, they are the most effective and allow you to find really critical incidents,” comments Sergey Soldatov, Head of Security Operation Centre at Kaspersky.