Kaspersky reports: in 25 percent of cyber attacks in Europe, cyber criminals misuse legitimate tools for their follow-on activities. Most often they use software vulnerabilities as the entry point into the company network, or remote access tools to steal data. 11.1 percent of the incident responses in Europe came from Germany and 25.9 percent from Switzerland.
Whether financial institutions or companies from telecommunications, industry, transport and logistics, European organizations in all sectors are struggling with cyber attacks. Almost a quarter (24 percent) of the incident responses analyzed by Kaspersky worldwide last year concerned Europe, second only to the Middle East (32.6 percent). Suspicious files (36.2 percent), data that had already been encrypted (21.3 percent) or suspicious activity on endpoints (10.6 percent) were the most common triggers of an incident response in companies. The problem: half of the incidents are only discovered after a few weeks, by which time the damage has already been done. In addition, a quarter of the security incidents involve legitimate management and remote access tools, which security solutions find hard to identify as attacks and which are popular in times of working from home.
Cyber attacks are sometimes only noticed late
Companies recognize cyber attacks on the one hand by conspicuous negative effects such as encrypted data, loss of money or leaked data, and on the other hand by the warnings they receive from their security solutions. When analyzing the incident responses in Europe, the Kaspersky experts found that in more than a third (35.3 percent) of the cases, exploited software vulnerabilities were the gateway to the corporate network. The following further initial attack vectors were identified:
- malicious emails (29.4 percent),
- external storage media (11.8 percent),
- exploitation of weaknesses caused by misconfiguration (11.8 percent),
- leaked credentials (5.9 percent),
- insiders (5.9 percent).
Companies in all sectors are affected. The incident responses analyzed by Kaspersky came from organizations in finance (25.4 percent), telecommunications (16.9 percent), industry (16.9 percent) and transport (13.6 percent). Roughly every twelfth incident response came from public authorities (8.5 percent).
Management and remote access tools pose a risk to businesses
Once the attackers were on the network, they misused legitimate tools to cause damage in 25 percent of the incident responses analyzed. Such tools are normally used by IT and network administrators to troubleshoot errors and provide technical support to employees, among other things. In the hands of cyber criminals, however, they make it possible to run processes on endpoints and to access and extract sensitive information while bypassing the security controls designed to detect malware.
When analyzing the incident responses, the Kaspersky experts identified 18 different legitimate tools that attackers misused for malicious purposes. Half of the cases analyzed in Europe (50 percent) involved PowerShell, a powerful management tool that can be used for many purposes, from gathering information to running malware, and PsExec, which is used to start processes on remote endpoints. SoftPerfect Network Scanner, used to obtain information about network environments, appeared in 37.5 percent of attacks.
Legitimate software disguises attacks
"In order to avoid detection and remain invisible on a compromised network for as long as possible, attackers often use software designed for normal user activities, administrator tasks and system diagnostics," explains Konstantin Sapronov, Head of Global Emergency Response Team at Kaspersky. "These tools allow attackers to gather and move around information about corporate networks, change software and hardware settings, or even perform malicious actions – they could use legitimate software to encrypt customer data. Legitimate software can help attackers stay under the radar of security analysts, as they often only spot the attack after the damage has been done. It is not possible to exclude these tools for many reasons. However, properly deployed logging and monitoring systems help detect suspicious activity on the network and sophisticated attacks at earlier stages."
Companies should consider implementing an endpoint detection and response (EDR) solution together with a managed detection and response (MDR) service in order to detect and react to such attacks in good time. The MITRE ATT&CK® Round 2 Evaluation [2], in which solutions such as Kaspersky EDR and Kaspersky Managed Protection Service were evaluated, can help companies select EDR products that meet their own requirements. The results of the ATT&CK evaluation demonstrate the importance of a comprehensive solution that combines a fully automated multi-layered security product with a manual threat-hunting service.
Kaspersky business protection tips
- Restrict access to remote management tools from external IP addresses and ensure that remote control interfaces can only be accessed from a limited number of endpoints.
- Enforce a strict password policy for all IT systems and require multi-factor authentication.
- Give employees restricted privileges and grant highly privileged accounts only to those who need them to do their jobs.
- Install a dedicated security solution such as Kaspersky Endpoint Security for Business [3] on all Windows, Linux and macOS endpoints. This protects against known and unknown cyber threats and offers a range of cyber security controls for each operating system.
- Provide SOC teams with access to the latest threat intelligence [4] to keep them informed of the tools, techniques and tactics used by threat actors.
- Create regular backups of all relevant business data, so that important data encrypted and rendered unusable by ransomware can be restored quickly.
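As an added example (not Kaspersky's code or output), the following detection logic applies the report's point that logging and monitoring can expose misuse of legitimate tools, together with the first and third tips above: it flags the named tools (PowerShell, PsExec, SoftPerfect Network Scanner) when they run outside an allowlist of admin endpoints or privileged accounts, and a PsExec service appearing on a target with no approved PsExec launch shortly before. The log format, host and account names, and the netscan.exe binary name are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of process-start events in a simplified key=value form
# (not real Kaspersky, EDR or Windows Event Log output).
SAMPLE_LOG = """\
ts=2020-09-01T08:02:11 host=ADM-WS01 user=CORP\\jsmith image=C:\\Tools\\PsExec.exe
ts=2020-09-01T08:02:14 host=FS01 user=SYSTEM image=C:\\Windows\\PSEXESVC.exe
ts=2020-09-01T08:05:40 host=HR-PC17 user=CORP\\mmueller image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
ts=2020-09-01T08:09:22 host=SALES-PC03 user=CORP\\tlee image=C:\\Users\\tlee\\Downloads\\netscan.exe
ts=2020-09-01T09:30:00 host=WEB02 user=SYSTEM image=C:\\Windows\\PSEXESVC.exe
"""

# Legitimate tools named in the report (netscan.exe as the SoftPerfect
# Network Scanner binary name is an assumption made for this example).
TOOLS = {"psexec.exe": "PsExec", "powershell.exe": "PowerShell",
         "netscan.exe": "SoftPerfect Network Scanner"}
PSEXEC_SERVICE = "psexesvc.exe"  # service PsExec installs on the remote target
# Allowlists from the tips (hypothetical names): admin endpoints and accounts.
ADMIN_HOSTS = {"ADM-WS01", "ADM-WS02"}
ADMIN_USERS = {"corp\\jsmith", "corp\\adm-opel"}
LINE_RE = re.compile(r"ts=(\S+) host=(\S+) user=(\S+) image=(\S+)")

def parse_events(log_text):
    # Each line becomes a dict with a datetime and the bare executable name.
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, host, user, image = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user.lower(), "exe": image.rsplit("\\", 1)[-1].lower()})
    return events

def find_suspicious(log_text, window=timedelta(minutes=5)):
    """Flag admin-tool use outside the allowlists and unexplained PsExec services."""
    events = parse_events(log_text)
    # An approved PsExec launch explains a PSEXESVC service on a target soon after.
    approved = [e["ts"] for e in events if e["exe"] == "psexec.exe"
                and e["host"] in ADMIN_HOSTS and e["user"] in ADMIN_USERS]
    alerts = []
    for e in events:
        reason = None
        if e["exe"] in TOOLS and e["host"] not in ADMIN_HOSTS:
            reason = f"{TOOLS[e['exe']]} run outside the approved admin endpoints"
        elif e["exe"] in TOOLS and e["user"] not in ADMIN_USERS:
            reason = f"{TOOLS[e['exe']]} run by a non-privileged account"
        elif e["exe"] == PSEXEC_SERVICE and not any(
                timedelta(0) <= e["ts"] - t <= window for t in approved):
            reason = "PsExec service started without an approved PsExec launch"
        if reason:
            alerts.append({"host": e["host"], "user": e["user"], "reason": reason})
    return alerts
```

On the sample, the allowlisted PsExec launch and the service it starts on FS01 pass silently, while the PowerShell and scanner runs on ordinary workstations and the unexplained PsExec service on WEB02 are reported.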
Additional insights from Kaspersky's Incident Response Analyst Report are available online.
More on this at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/