Sunday, October 17, 2021

Brute force attacks, unpatched software and malicious emails behind most incidents investigated by Kaspersky last year

Almost 90 per cent of the cyber attacks Kaspersky’s incident response team was called in on last year were caused by three factors: brute force attacks, exploits of vulnerabilities in public-facing applications and employees falling for malicious emails.

That is one of the main findings in Kaspersky’s annual Incident Response Analyst Report, which was released this week. The report looks at cases around the world where Kaspersky was called in to help corporate IT teams in 2020.

Brute force attacks and exploits each accounted for 31.5 per cent of incidents, successful or not. Another 23.6 per cent of incidents were blamed on users clicking on malicious links or opening infected documents.

The numbers suggest “a lot of victims of incidents struggle with basic security controls like patch and [user] account management,” Gleb Gritsai, head of Kaspersky’s security services division, said in an interview.

In fact, he added, in 2019, brute force attacks accounted for around 13 per cent of incidents that Kaspersky experts were called in on. That means that brute force attacks as a cause of an incident almost tripled in one year.

[Graphic from Kaspersky’s 2021 Incident Response Analyst Report: how attackers got into organizations in cases Kaspersky was brought in. Kaspersky graphic]

Gritsai believes the increase in the number of employees working from home and connecting back into the enterprise was responsible.

He also noted that many of the application exploits leveraged last year were vulnerabilities discovered — and patched — in 2017, 2018 and 2019.

One piece of good news the data suggests is that better malicious email detection — by antivirus software, gateways and even employees — may be paying off. Email used to be a prime way threat actors launched attacks, Gritsai said. Last year it was number three.

What was surprising in these and other numbers in the report, Gritsai said, is they suggest last year threat actors turned from targeted attacks to going after “low-hanging fruit” and capitalizing on organizations with a low level of cybersecurity maturity.

Among other interesting numbers in the report:

– In 53 per cent of cases the reason organizations called for help was “suspicious activity,” meaning that in some cases an attack was detected and might have been stopped. But in 36.7 per cent of all cases files had already been encrypted;

– 10 per cent of all cases were later determined to be false positives raised by security software. In fact, of all the cases involving suspicious activity, 25 per cent involved false positives from network or endpoint sensors. Gritsai said that suggests IT departments aren’t correlating event data well. Enriched data, he said, would detect false positives better.

He also said post-incident analysis shows IT teams are missing warning signs in Windows and other security software logs.

– Attacker dwell time is worrisome: 32 per cent of successful attacks lasted days before being detected, 22 per cent lasted weeks and 18 per cent lasted months. Twenty-eight per cent only lasted hours.
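The two weaknesses Gritsai describes above, brute force attacks going unnoticed and security teams failing to correlate the events they already collect, can be illustrated with a small correlation script. The following is an added example, not code from the article or from Kaspersky. It assumes a simplified, constructed log format (`timestamp|event_id|user|source_ip`) modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon); real events are richer and arrive as EVTX/XML. The script groups failures by source address inside a sliding window, so scattered typos from a legitimate user are not flagged, while a burst of failures is, and a burst followed by a success from the same address is raised to high severity.

```python
"""Correlate Windows logon events to surface brute-force activity.

Added example. The log lines and their flat format are constructed for the
demo and are not real Windows Security log output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp|event_id|user|source_ip
#   4625 = failed logon, 4624 = successful logon (Windows Security event IDs).
SAMPLE_LOG = """\
2021-10-17T02:00:01|4625|svc_backup|203.0.113.7
2021-10-17T02:00:04|4625|svc_backup|203.0.113.7
2021-10-17T02:00:07|4625|svc_backup|203.0.113.7
2021-10-17T02:00:10|4625|svc_backup|203.0.113.7
2021-10-17T02:00:13|4625|svc_backup|203.0.113.7
2021-10-17T02:00:16|4625|svc_backup|203.0.113.7
2021-10-17T02:03:00|4624|svc_backup|203.0.113.7
2021-10-17T08:15:00|4625|alice|198.51.100.22
2021-10-17T09:20:00|4625|alice|198.51.100.22
2021-10-17T09:20:30|4624|alice|198.51.100.22
2021-10-17T11:30:00|4625|alice|192.0.2.9
2021-10-17T11:30:10|4625|bob|192.0.2.9
2021-10-17T11:30:20|4625|carol|192.0.2.9
2021-10-17T11:30:30|4625|dave|192.0.2.9
2021-10-17T11:30:40|4625|erin|192.0.2.9
"""


def parse_events(text):
    """Parse the constructed flat format into a time-ordered list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, user, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts),
                       "id": int(event_id), "user": user, "ip": ip})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return findings keyed by source IP.

    A source IP is flagged once it produces `threshold` failed logons inside
    `window`. If a successful logon from the same IP follows within the window
    the finding is escalated to "high": the attempt probably worked.
    """
    recent_failures = defaultdict(list)   # ip -> failures still inside window
    findings = {}
    for e in events:
        if e["id"] == 4625:
            bucket = recent_failures[e["ip"]]
            bucket.append(e)
            # Slide the window: drop failures older than `window`.
            while e["ts"] - bucket[0]["ts"] > window:
                bucket.pop(0)
            if e["ip"] in findings:
                findings[e["ip"]]["failures"] += 1
                findings[e["ip"]]["users"].add(e["user"])
            elif len(bucket) >= threshold:
                findings[e["ip"]] = {
                    "severity": "medium",
                    "failures": len(bucket),
                    "users": {x["user"] for x in bucket},
                    "success_after": None,
                }
        elif e["id"] == 4624 and e["ip"] in findings:
            # Success from a flagged source shortly after the failures.
            recent = [x for x in recent_failures[e["ip"]]
                      if e["ts"] - x["ts"] <= window]
            if recent:
                findings[e["ip"]]["severity"] = "high"
                findings[e["ip"]]["success_after"] = e["user"]
    return findings


if __name__ == "__main__":
    for ip, f in detect_brute_force(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {f['severity']}, {f['failures']} failures, "
              f"{len(f['users'])} account(s), success as {f['success_after']}")
```

Run against the constructed log, the script flags 203.0.113.7 as high (six failures then a success as `svc_backup`), flags 192.0.2.9 as medium (one failure each against five accounts, the spraying pattern, with no success), and ignores 198.51.100.22, whose two failures are an hour apart. The window and threshold are deliberately parameters: tuning them against a site’s own baseline is the correlation step the report says many teams skip.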

“Setting up and controlling password policies, security patch management and employee awareness along with anti-phishing measures can significantly minimize the capabilities of external attackers,” the report concludes.

Implementing an appropriate patch management policy alone reduces the likelihood of becoming a victim by 30 per cent according to Kaspersky data, the report adds, while implementing a robust password policy reduces the likelihood by 60 per cent.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
