According to new research from Kaspersky, roughly 56% of Incident Response (IR) requests processed
by security experts in 2018 occurred after the affected organization
experienced an attack that had tangible consequences such as unauthorized money
transfers, workstations encrypted by ransomware and service unavailability.
By contrast, the remaining 44% of requests were processed after detection of
an attack during an early stage of infection, saving organizations from more
severe malicious activity. This research highlights the importance of using
incident response not only to investigate an attack after it happens, but also
to catch an attack at an earlier stage and prevent additional damage.
In 2018, 22% of IR cases were initiated after detection of
potential malicious activity in the network, and an additional 22% were
initiated after a malicious file was found in the network. Even without any other
signs of a breach, both cases may indicate an ongoing attack. However, not every
corporate security team is able to tell whether automated security tools have
already detected and stopped the malicious activity, or whether these findings
were only the beginning of a larger, invisible malicious operation in the
network for which external specialists are needed.
When such activity is assessed incorrectly, it can evolve into a serious
cyberattack with real consequences. In 2018, 26% of investigated "late" cases
were caused by infection with ransomware, while 11% of attacks resulted in
monetary theft. A further 8% of "late" cases were triggered by detection of spam
sent from a corporate email account, 7% by hooliganism and 4% by detection of
service unavailability.
"This situation indicates that, in many companies, there
is certainly room for improvement of detection methods and incident response
procedures," said Ayman Shaaban, security expert at Kaspersky. "The
earlier an organization catches an attack, the smaller the consequences will
be. But based on our experience, companies often do not pay proper attention to
artifacts of serious attacks, and our incident response team is often called
when it is already too late to prevent damage. On the other hand, we see
that many companies have learned how to assess signs of a serious cyberattack
in their network and we were able to prevent what could have been more severe
incidents. We call on other organizations to consider this as a successful case
study."
Additional findings of the report include:
- 81% of organizations that provided data for analysis were found to have indicators of malicious activity in their internal network.
- 34% of organizations exhibited signs of an advanced targeted attack.
- 54.2% of financial organizations were found to be attacked by an advanced persistent threat (APT) group or groups.
Read the full text of the report on Securelist.com.