On August 29, cybersecurity firm Kaspersky Lab issued its Incident Response Analytics Report for 2018. The report, which draws on Kaspersky’s own incident response engagements for the year, packs into just eight pages a broad range of facts and findings indicating the breadth and depth of cybersecurity challenges:
- General Data on Incident Responses: For regional distribution of incident responses, the Commonwealth of Independent States (including Russia) has by far the highest percentage (48 percent), followed by Latin America (19 percent), Europe (16 percent), the Middle East (6 percent), and Africa, Asia-Pacific, and North America (3 percent each). For industry distribution of incident responses, financial institutions represented the largest segment (33 percent), followed closely by government bodies (30 percent) and industrial companies (22 percent). The remaining 15 percent of industries included miscellaneous (7 percent) and retail and transport (4 percent each).
- Reasons for Requesting Incident Response: The report stated that “[m]ore than half of the requests for investigation were initiated by customers after detecting an attack that had visible consequences, such as unauthorized money transfers, workstations encrypted by ransomware, service unavailability, etc.” The most common reasons for incident responses were ransomware (26 percent), detection of a suspicious file (22 percent), detection of suspicious network activity (22 percent), monetary theft (11 percent), and spamming from a corporate account (7 percent). Among ransomware attacks, WannaCry, publicly attributed to North Korea since 2017, accounted for by far the largest share of victims (40.64 percent), with Cryakl (7.37 percent) and GandCrab (5.15 percent) a distant (though still noteworthy) second and third.
- Relative Infrequency of Incident Response Requests: While 81 percent of organizations that provided data for analysis “were found to have indicators of malicious activity in their internal network,” only 22 percent of companies “where evidence of malicious activity was detected requested an Incident Response service.”
- Industry-Specific Variations in Threat Frequency: Indications of advanced persistent threat (APT) attacks “appeared in the infrastructure of financial institutions one and a half times more often (54%) than in other organizations.” Only 12 percent of financial organizations showed indications of ransomware, and only 8 percent showed indications of banker Trojans. Malicious activity was detected in 95 percent of government bodies, 14 percentage points above the 81 percent seen across all organizations. By contrast, industrial companies “are more likely to be victims of bankers”: banker Trojan activity was detected in 27 percent of manufacturing companies, ransomware in 25 percent, and APT attacks in 15 percent.
- Attack Vectors: In one out of three incidents, the initial attack vector was a remote management interface, namely Microsoft Remote Desktop Protocol (RDP). “In the majority of cases, an adversary successfully obtained a valid user’s credentials as a result of a brute-force attack on the RDP service.” Notably, in one-third of attacks through remote management interfaces, “the valid credentials were known to the intruder in advance (no brute-force attempts were detected),” which points to credentials leaked, phished, or reused from earlier breaches rather than guessed on the spot. In a finding that should surprise no one, another one-third of attacks “occurred due to a lack of security awareness among employees. An employee downloaded a malicious file from untrusted sources and launched it, allowing an adversary to gain control over the workstation.”
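The two RDP patterns above, a brute-force run that ends in a valid logon and a first-try logon with credentials the intruder already held, look different in the Windows Security log and can be told apart with a simple look-back over failed logons. The following Python is an example added to this summary, not code or tooling from Kaspersky or the report. It runs over constructed, pipe-delimited exports of Windows Security events (Event ID 4625 for failed logons, 4624 for successes, LogonType 10 for RDP); the thresholds, field layout, sample IP addresses and user names are assumptions for the illustration.

```python
"""Classify successful RDP logons from Windows Security events.

Added example for this summary (not Kaspersky's code or tooling). Event
records are constructed; field names follow the Windows Security log:
EventID 4624 = successful logon, 4625 = failed logon,
LogonType 10 = RemoteInteractive (RDP), 3 = Network.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed detection thresholds; tune to the environment.
FAILURE_THRESHOLD = 5           # failed logons from one source before a success
WINDOW = timedelta(minutes=10)  # look-back window for counting those failures
# With Network Level Authentication enabled, failed RDP attempts are commonly
# logged as 4625 with LogonType 3 rather than 10, so count both types.
FAILURE_LOGON_TYPES = (3, 10)


def parse_event(line):
    """Parse one constructed export line: timestamp|EventID|LogonType|user|source_ip."""
    ts, event_id, logon_type, user, ip = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "ip": ip,
    }


def classify_rdp_logons(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one finding per successful RDP logon (4624, LogonType 10).

    kind is one of:
      brute_force_success             - >= threshold failures from the same
                                        source IP inside the window
      low_failure_success             - some failures, but below the threshold
      valid_credentials_no_bruteforce - no prior failures from that source
                                        (credentials already known to the actor)
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    failures = defaultdict(deque)  # source_ip -> timestamps of recent 4625s
    findings = []
    for ev in events:
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # discard failures that fell out of the look-back window
        if ev["event_id"] == 4625 and ev["logon_type"] in FAILURE_LOGON_TYPES:
            q.append(ev["ts"])
        elif ev["event_id"] == 4624 and ev["logon_type"] == 10:
            n = len(q)
            if n >= threshold:
                kind = "brute_force_success"
            elif n == 0:
                kind = "valid_credentials_no_bruteforce"
            else:
                kind = "low_failure_success"
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "ip": ev["ip"], "prior_failures": n, "kind": kind})
            q.clear()  # start a fresh count after each success
    return findings


# Constructed sample log (documentation IP ranges, hypothetical user names):
# 203.0.113.7 guesses six times then succeeds; 192.0.2.5 fails twice then
# succeeds; 198.51.100.9 has one stale failure hours earlier and then logs
# straight in; the last line is a console logon and is ignored.
SAMPLE_EVENTS = [
    "2018-06-01T01:00:00|4625|10|jsmith|198.51.100.9",
    "2018-06-01T02:00:01|4625|10|admin|203.0.113.7",
    "2018-06-01T02:00:03|4625|3|admin|203.0.113.7",
    "2018-06-01T02:00:05|4625|3|administrator|203.0.113.7",
    "2018-06-01T02:00:07|4625|10|admin|203.0.113.7",
    "2018-06-01T02:00:09|4625|3|admin|203.0.113.7",
    "2018-06-01T02:00:11|4625|10|admin|203.0.113.7",
    "2018-06-01T02:00:15|4624|10|admin|203.0.113.7",
    "2018-06-01T02:30:00|4625|10|bob|192.0.2.5",
    "2018-06-01T02:30:20|4625|10|bob|192.0.2.5",
    "2018-06-01T02:30:40|4624|10|bob|192.0.2.5",
    "2018-06-01T03:10:00|4624|10|jsmith|198.51.100.9",
    "2018-06-01T09:00:00|4624|2|jsmith|-",
]

if __name__ == "__main__":
    for finding in classify_rdp_logons(SAMPLE_EVENTS):
        print(finding)
```

The "no prior failures" class is the one that matters for the report's second finding: a successful RDP logon from a source that never failed is exactly what a stolen or reused credential looks like, and it will not trip any lockout or brute-force rule. In practice that class is only useful when joined with context the log line lacks (is the source an expected VPN egress, has this user ever used RDP from there), which is why the report's own recommendation leans on restricting RDP exposure and enforcing multi-factor authentication rather than on detection alone.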
The report also includes a discussion of attack durations for various cyberattacks, and a detailed table of attack tactics and techniques.
Note: Cybersecurity teams at companies of all sizes should read the Kaspersky report in its entirety. While the data on regional distribution of incident responses may be skewed if Kaspersky, headquartered in Moscow, has a greater percentage of its clients in the CIS, the data are nonetheless instructive. The report includes a variety of recommendations for improving incident responses, but adds an appropriate cautionary note:
[W]e can see that humans are still the weakest link in the security chain. Even with a high-level security policy and security controls in place, a single employee uneducated in information security can trigger a major compromise of the internal environment and assets.