About 56% of Incident Response (IR) requests processed by Kaspersky security experts in 2018 took place after the event, once the organizations had already been attacked with visible consequences, such as unauthorized money transfers, workstations encrypted by ransomware, and unavailable services.
44% of the requests were processed after detecting an early-stage attack, saving the client from potentially serious consequences. These are some of the key findings of Kaspersky’s latest “Incident Response Analytics” report.
It is often assumed that intervention in an incident is only necessary in cases where damage has already been caused by a digital attack and there is a need for further investigation.
However, analysis of multiple incident response cases involving Kaspersky security experts during 2018 shows that this service can serve not only as an investigation but also as a tool to detect an attack at an earlier stage, with the aim of preventing damage.
In 2018, 22% of incident response cases started after detecting possible malicious activity on the network and an additional 22% started after finding a malicious file on the network. Without other signs of a breach, both cases may indicate that there is a continuing attack.
However, not every company's security team can tell whether automated security tools have already detected and prevented the malicious activity, or whether it was only the beginning of a larger, still invisible malicious operation on the network that requires help from external partners.
As a result of this misclassification, malicious activity can evolve into a serious digital attack with real consequences. In 2018, 26% of retrospectively investigated cases were caused by encryption malware, while 11% of the attacks resulted in theft of money. 19% of the ex-post cases were investigated as a result of spam email detected coming from a corporate account, an unavailable service, or the detection of a successful breach.
Additional findings of the report include:
- 81% of the organizations that provided data for analysis were found to have indicators of malicious activity within their network.
- 34% of organizations reported signs of advanced targeted attack.
- 54.2% of financial institutions were found to be attacked by a group or groups of advanced persistent threats (APT).