According to Kaspersky's Managed Detection and Response Analytics report, in the first half of 2019 only 1.26% of Indicators of Attack (IoA) alerts on endpoint devices were identified as cybersecurity incidents. Of the 40,806 alerts generated via IoAs, only 515 resulted in detected incidents. The results uncovered that most of these incidents were related to sophisticated targeted attacks that use "living off the land" techniques, deployed by threat actors to hide malicious activity within legitimate user and administrator behavior.
Unlike Indicators of Compromise (IoC) detection methods, IoAs allow attack identification based on the ways particular threat actors tend to attack their victims, including their tactics, techniques and procedures. With "living off the land" attack techniques becoming more popular, IoA detection methods are proving to be the most effective. This is confirmed by additional report findings based on multiple levels of analysis of results from Kaspersky Managed Protection Service across several organizations from sectors including financial, governmental, industrial and transportation as well as IT and telecom.
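The IoC-versus-IoA trade-off the report describes can be made concrete with a small comparison. The following is an added illustration, not code from Kaspersky or the report: a hash-based IoC check and a behavioral IoA rule (an Office application spawning a script interpreter) are scored against a handful of constructed endpoint process events, showing that the IoA rule catches the "living off the land" case the IoC misses, at the cost of an extra false positive.

```python
"""Toy comparison of IoC-style and IoA-style endpoint detection (added example)."""
from collections import namedtuple

# One process-creation event. `malicious` is constructed ground truth used only for scoring.
Event = namedtuple("Event", "host parent image sha256 malicious")

# Constructed sample telemetry; hashes are placeholders, not real indicators.
EVENTS = [
    Event("ws01", "winword.exe", "powershell.exe", "hash-common-ps", True),   # LOTL: document spawns a shell
    Event("ws02", "explorer.exe", "dropper.exe", "hash-known-bad", True),     # commodity malware with known hash
    Event("ws03", "services.exe", "powershell.exe", "hash-common-ps", False), # admin's scheduled task
    Event("ws04", "winword.exe", "powershell.exe", "hash-common-ps", False),  # benign macro-driven internal tool
    Event("ws05", "explorer.exe", "chrome.exe", "hash-browser", False),       # ordinary user activity
]

# Constructed IoC feed: a set of file hashes known to be malicious.
KNOWN_BAD_HASHES = {"hash-known-bad"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def ioc_match(ev: Event) -> bool:
    """IoC: alert when the executed image's hash is on the bad list."""
    return ev.sha256 in KNOWN_BAD_HASHES


def ioa_match(ev: Event) -> bool:
    """IoA: alert on the behavior pattern 'Office app launches a script interpreter'."""
    return ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_INTERPRETERS


def score(rule, events) -> dict:
    """Count alerts, confirmed incidents among them, and malicious events the rule missed."""
    alerts = [e for e in events if rule(e)]
    true_positives = sum(1 for e in alerts if e.malicious)
    missed = sum(1 for e in events if e.malicious and not rule(e))
    return {"alerts": len(alerts), "true_positives": true_positives, "missed": missed}


if __name__ == "__main__":
    for name, rule in (("IoC", ioc_match), ("IoA", ioa_match)):
        print(name, score(rule, EVENTS))
```

The IoC rule fires once with no false positives but never sees the document-spawned shell; the IoA rule fires twice, one of them on legitimate admin tooling, which is the higher false-positive load the report attributes to IoA-based detection.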
While cybersecurity incidents were identified in almost all tactics of the cyber kill chain, the greatest number of attacks were found in the stages where the likelihood of false positives is relatively higher, including execution (37%), defense evasion (31%), lateral movement (16%) and impact (16%). When combating these tactics, the research found that Endpoint Protection Products (EPP) are an effective threat response tool for 97% of the incidents identified. 47% of these were classified as medium severity, including malware such as Trojans and Cryptors, and 50% as low severity, including unwanted programs such as adware or riskware.
When it comes to advanced and unknown threats, or those classified as high severity (3%), traditional EPP solutions alone are less effective. These types of threats, including targeted attacks or complex malware that utilize "living off the land" tactics, require an additional level of TTP-based detection, manual threat hunting and analysis.
"One of the key takeaways of our Managed Detection and Response Analysis we have worked on in the last six months is that if you don't see a large number of false-positive events in your network, that probably means that you are missing a lot of important security incidents," said Sergey Soldatov, head of security operation center at Kaspersky. "Therefore, you should switch towards more wide-scale usage of Indicators of Attack methods, among other tools. While IoA-based alerts are much trickier to investigate due to the necessity to perform a lot of research to create efficient IoA and then a lot of manual analysis (when the IoA are triggered), our statistics show that these are most prone to false positives, yet they are the most effective and allow you to find really critical incidents."
For more information about the Managed Detection and Response Analytics report, or how Kaspersky Managed Protection can help your business, please visit Securelist.com.