Hot off the press: a new study into “the nature of cyber incidents”

Highlights from “The nature of cyber incidents” report by the Kaspersky GERT team.

Key findings and tips from the GERT report

Our Kaspersky Global Emergency Response Team (GERT) has analyzed the incidents our experts investigated in 2021 to prepare a detailed report. You can get the full report by filling out the form on the Securelist blog. In the meantime, we’d like to share the main findings and the response experts’ top recommendations here.

Initial attack vectors

In 2021, attackers most often tried to penetrate company infrastructure by exploiting vulnerabilities in widely available applications (53.6% of cases). In 17.9% of cases they used previously compromised credentials, and in 14.3% they used malicious emails. Given this, our experts recommend:

  • implementing a strong password policy and using multi-factor authentication;
  • ruling out direct internet access to the management interfaces of information systems;
  • installing updates for publicly available services and systems as soon as possible, or developing adequate compensatory measures to protect them;
  • periodically increasing the cybersecurity awareness of employees.

Tools used in attacks

In almost 40% of incidents, the attackers used typical tools: either legitimate operating-system components or penetration-testing software. Our experts advise you to prepare for such attacks in advance:

  • if possible, stop using software that’s commonly exploited by attackers;
  • use EDR-class solutions;
  • set up rules for detecting the tools most often used by attackers;
  • regularly conduct penetration tests and cyber drills using common attacker techniques and tactics.

Incident impacts

Attackers tried to encrypt corporate data in 51% of incidents. What’s worse, 16% of attacks resulted in data leaks. In 11.1%, Active Directory was compromised. In order to minimize damage to your business, we recommend:

  • regularly backing up your data;
  • paying special attention to the protection of systems containing personal information;
  • working with a trusted incident-response service provider with fast SLAs;
  • improving and maintaining the skills of your incident response team with specialized training and cyber exercises.

In order to develop the expert skills of internal incident response and cyber forensics teams, and to prepare them for countering complex cyberattacks, we recommend using the Kaspersky Expert Training Windows Incident Response course. It’s based on the experience and expertise of specialists from the same Kaspersky Global Emergency Response Team and, among other things, teaches your specialists how to correctly identify incidents, obtain evidence, analyze logs and networks, and create indicators of compromise. You can read more about the course on the online expert training page.