Virtualization Technology News and Information
Kaspersky Research Finds 1% of IoAs are Targeted Attacks
According to Kaspersky's Managed Detection and Response Analytics report, in the first half of 2019, only 1.26% of Indicators of Attack (IoA) alerts on endpoint devices were identified as cybersecurity incidents. Of the 40,806 alerts generated via IoAs, only 515 resulted in detected incidents. The results uncovered that most of these incidents were related to sophisticated targeted attacks that use "living off the land" techniques deployed by threat actors to hide malicious activity within legitimate user and administrator behavior. 

Unlike Indicators of Compromise (IoC) detection methods, IoAs allow attack identification based on the ways particular threat actors tend to attack their victims, including their tactics, techniques and procedures. With "living off the land" attack techniques becoming more popular, IoA detection methods are proving to be the most effective. This is confirmed by additional report findings based on multiple levels of analysis of results from the Kaspersky Managed Protection Service provided to several organizations from sectors including financial, governmental, industrial and transportation as well as IT and telecom.
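The difference between the two detection methods, shown on constructed endpoint telemetry (an added example, not code from Kaspersky or from the report; every host name, hash, command line and rule below is made up for illustration). The IoC rule matches a known-bad artifact exactly; the IoA rule matches a technique, a document handler spawning a script host, which is built entirely from legitimate tools and therefore fires on benign automation too. That is why each IoA hit needs analyst triage and why a corroborating signal (an encoded command, an outbound connection) is used here to raise its severity.

```python
"""Added example, not part of the article or the Kaspersky report: a toy
endpoint-telemetry triage contrasting IoC matching (known-bad artifacts)
with IoA matching (suspicious behaviour assembled from legitimate tools).
All events, hashes and rule names are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    sha256: str
    cmdline: str
    net_conn: bool  # whether the process opened an outbound connection


# IoC list: known-bad file hashes. The key is a constructed placeholder hash.
KNOWN_BAD_HASHES = {"0" * 64: "Trojan.Generic (placeholder)"}

# IoA rule vocabulary: document handlers that should rarely launch script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAGS = ("-enc", "-e ")  # PowerShell encoded-command switches


def ioc_alerts(events):
    """IoC detection: exact match on a known-bad artifact.

    Precise when it fires, but blind to tooling that has no prior signature."""
    return [
        {"host": e.host, "image": e.image.lower(),
         "reason": KNOWN_BAD_HASHES[e.sha256.lower()], "severity": "high"}
        for e in events if e.sha256.lower() in KNOWN_BAD_HASHES
    ]


def ioa_alerts(events):
    """IoA detection: a document handler spawned a script host.

    The base pattern alone is often a macro-driven workflow, so it starts at
    'low'; an encoded command line and an outbound connection each raise it."""
    alerts = []
    for e in events:
        parent, image = e.parent_image.lower(), e.image.lower()
        if parent not in OFFICE_APPS or image not in SCRIPT_HOSTS:
            continue
        encoded = any(flag in e.cmdline.lower() for flag in ENCODED_FLAGS)
        score = 1 + int(encoded) + int(e.net_conn)
        alerts.append({
            "host": e.host, "parent": parent, "image": image,
            "reason": "office application spawned a script host",
            "encoded": encoded, "net_conn": e.net_conn,
            "severity": {1: "low", 2: "medium", 3: "high"}[score],
        })
    return alerts


# Constructed sample telemetry: one benign admin script, one macro workflow,
# one suspicious encoded launch with network activity, one known-bad binary.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "explorer.exe", "powershell.exe", "11" * 32,
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1", False),
    ProcessEvent("ws02", "winword.exe", "powershell.exe", "22" * 32,
                 r"powershell.exe -File C:\macros\export.ps1", False),
    ProcessEvent("ws03", "excel.exe", "powershell.exe", "33" * 32,
                 "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER", True),
    ProcessEvent("ws04", "explorer.exe", "update.exe", "0" * 64,
                 "update.exe", True),
]


def run(events=SAMPLE_EVENTS):
    """Return both alert sets so a reader can compare what each method surfaces."""
    return {"ioc": ioc_alerts(events), "ioa": ioa_alerts(events)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        for alert in alerts:
            print(kind, alert)
```

On the sample data the IoC rule surfaces only ws04, while the IoA rule surfaces ws02 (low, a plausible false positive worth a quick look) and ws03 (high), and stays silent on the administrator's script on ws01 because its parent is not a document handler.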

While cybersecurity incidents were identified in almost all tactics of the cyber kill chain, the greatest number of attacks were found in the stages where the likelihood of false positives is relatively higher, including execution (37%), defense evasion (31%), lateral movement (16%) and impact (16%). When combating these tactics, the research found that Endpoint Protection Products (EPP) are an effective threat response tool for 97% of the incidents identified. 47% of these were classified as medium severity, including malware such as Trojans and Cryptors, and 50% as low severity, including unwanted programs such as adware or riskware.

When it comes to advanced and unknown threats, or those classified as high severity (3%), traditional EPP solutions alone are less effective. These types of threats, including targeted attacks or complex malware that utilize "living off the land" tactics, require an additional level of TTP-based detection, manual threat hunting and analysis.

"One of the key takeaways of our Managed Detection and Response Analysis we have worked on in the last six months is that if you don't see a large number of false-positive events in your network, that probably means that you are missing a lot of important security incidents," said Sergey Soldatov, head of security operation center at Kaspersky. "Therefore, you should switch towards more wide-scale usage of Indicators of Attack methods, among other tools. While IoA-based alerts are much trickier to investigate due to the necessity to perform a lot of research to create efficient IoA and then a lot of manual analysis (when the IoA are triggered), our statistics show that these are most prone to false positives, yet they are the most effective and allow you to find really critical incidents."

For more information about the Managed Detection and Response Analytics report, or how Kaspersky Managed Protection can help your business, please visit
Published Tuesday, October 08, 2019 8:51 AM by David Marshall