56% of IR requests processed after visible attacks

Around 56% of Incident Response (IR) requests processed by Kaspersky security experts in 2018 happened after the affected organisation experienced an attack that had visible consequences such as unauthorised money transfers, workstations encrypted by ransomware and service unavailability. 44% of requests were processed after detection of an attack during an early stage, saving the client from potentially severe consequences. These are among the main findings of Kaspersky’s latest Incident Response Analytics Report.

It is often assumed that incident response is only needed in cases when damage from a cyberattack has already occurred and there is a need for further investigation. However, analysis of multiple incident response cases which Kaspersky security specialists participated in during the 2018 shows that this offering can not only serve as investigative, but also as a tool for catching an attack during an earlier stage to prevent damage.

In 2018, 22% of IR cases were initiated after detection of potential malicious activity in the network, and an additional 22% were initiated after a malicious file was found in the network. Without any other signs of a breach, both cases may suggest that there is an ongoing attack. However, not every corporate security team may be able to tell if automated security tools have already detected and stopped malicious activity, or these were just the beginning of a larger, invisible, malicious operation in the network and external specialists are needed. As a result of incorrect assessement, malicious activity evolves into a serious cyberattack with real consequences. In 2018, 26% of investigated “late” cases were caused by infection with encryption malware, while 11% of attacks resulted in monetary theft.19% of “late” cases were a result of detecting spam from a corporate email account, detection of service unavailability or detection of a successful breach.

“This situation indicates that in many companies there is certainly room for improvement of detection methods and incident response procedures. The earlier an organisation catches an attack, the smaller the consequences will be. But based on our experience, companies often do not pay proper attention to artifacts of serious attacks, and our incident response team often is being called when it is already too late to prevent damage. On the other hand, we see that many companies have learned how to assess signs of a serious cyberattack in their network and we were able to prevent what could have been more sever incidents. We call on other organisations to consider this as a successful case study,” said Ayman Shaaban, security expert at Kaspersky.

The following two tabs change content below.

David Dungay

Editor - Comms Business Magazine