In the first half of 2019, only a handful (1.26 per cent) of Indicators of Attack (IoA) alerts on device endpoints were identified as cyber-security incidents, according to cyber product company Kaspersky’s Managed Detection and Response Analytics Report. Of the 40,806 alerts generated via IoAs, only 515 resulted in detected incidents. Yet, most of those incidents were related to sophisticated targeted attacks that use so-called “living off the land” techniques, deployed by threat actors to hide malicious activity within legitimate user and administrator behaviour.
Unlike Indicators of Compromise (IoC)-based detection methods, IoAs allow attack identification based not on known malicious files, but on so-called the tactics, techniques and procedures of threat actors. Or, in other words, ways in which particular threat actors tend to attack their victims. With attacks utilising “living of the land” techniques, which are becoming more and more popular, IoA-based detection methods prove to be the most effective.
This is confirmed by other findings of the report, which is based on multiple levels of analysis of results from Kaspersky Managed Protection Service provided by multiple organisations from sectors including financial, governmental, industrial and transportation as well as IT and telecom.
While cyber-security incidents were identified in almost all tactics of the ‘cyber-kill chain’, the greatest number of attacks were found in the stages that are considered the “nosiest” (where the likelihood of false positives is relatively higher): execution (37pc), defense evasion (31pc), lateral movement (16pc) and impact (16pc). When combating these tactics, the research found that endpoint protection products (EPP) are an effective threat response tool for near all 97pc of the incidents identified – with near half, 47pc of these classified as medium severity, including malware such as Trojans and Cryptors, and half at low severity — including unwanted programs such as adware or riskware.
However, when it comes to advanced and unknown threats or those classified as high severity (3pc), traditional EPP solutions alone are less effective, the cyber firm adds. These type of threats – including targeted attacks or complex malware, often launched through “living off the land” tactics – require an additional level of TPP-based detection, manual threat hunting and analysis.
Sergey Soldatov, Head of Security Operation Centre at Kaspersky says: “One of the key takeaways of our Managed Detection and Response Analysis we have worked on in the last six months, is that if you don’t see a large number of false-positive events in your network, that probably means that you are missing a lot of important security incidents. Therefore, you should switch towards more wide-scale usage of Indicators of Attack methods, among other tools. With “living of the land” and other malware-less stealthy attack techniques out there in the wild, it is completely ineffective to only rely on classic IoC-based or other known detection methods. While IoA-based alerts are much trickier to investigate due to the necessity to perform a lot of research to create efficient IoA and then a lot of manual analysis (when the IoA are triggered), our statistics show that these are most prone to false positives yet, they are the most effective and allow you to find really critical incidents.”
