Study: Cyber attacks use legitimate tools


Kaspersky reports that in 25 percent of cyber attacks in Europe, cyber criminals misuse legitimate tools for their follow-on activity. Most often they exploit software vulnerabilities as the entry point into the company network, or use remote access tools to steal data. 11.1 percent of the incident responses in Europe came from Germany and 25.9 percent from Switzerland.

Whether financial institutions or companies from telecommunications, industry, transport and logistics, European organizations in all sectors are struggling with cyber attacks. Almost a quarter (24 percent) of the incident responses Kaspersky analyzed worldwide last year concerned Europe, second only to the Middle East (32.6 percent). The most common triggers for an incident response were suspicious files (36.2 percent), data that had already been encrypted (21.3 percent) and suspicious activity on endpoints (10.6 percent). The problem is that half of the incidents are only discovered after several weeks, by which time the damage has already been done. In addition, a quarter of security incidents involve legitimate management and remote access tools, which are hard for security solutions to identify as attacks and which have become popular in times of working from home.

Cyber attacks are sometimes only noticed late

Companies recognize cyber attacks either through conspicuous negative effects such as encrypted data, financial loss or leaked data, or through warnings from their security solutions. When analyzing incident responses in Europe, Kaspersky's experts found that in more than a third of cases (35.3 percent) an exploited software vulnerability was the entry point into the corporate network. The other initial attack vectors identified were:

  • malicious emails (29.4 percent),
  • external storage media (11.8 percent),
  • exploitation of weaknesses caused by misconfiguration (11.8 percent),
  • leaked credentials (5.9 percent), and
  • insiders (5.9 percent).

Companies in all sectors are affected. The incident responses analyzed by Kaspersky came from organizations in finance (25.4 percent), telecommunications (16.9 percent), industry (16.9 percent) and transport (13.6 percent). Roughly one in twelve incident responses came from government authorities (8.5 percent).

Management and remote access tools pose a risk to businesses

Once inside the network, attackers misused legitimate tools to cause damage in 25 percent of the incident responses analyzed. These tools are normally used by IT and network administrators to troubleshoot errors and provide technical support to employees, among other tasks. In attackers' hands, however, they allow cyber criminals to run processes on endpoints and to access and extract sensitive information while bypassing security controls designed to detect malware.

When analyzing the incident responses, Kaspersky's experts identified 18 different legitimate tools that attackers had misused for malicious purposes. In half of the cases analyzed in Europe (50 percent), attackers used PowerShell, a powerful management tool that serves many purposes from gathering information to running malware, and PsExec, which starts processes on remote endpoints. SoftPerfect Network Scanner, used to gather information about network environments, appeared in 37.5 percent of attacks.

Legitimate software disguises attacks

“In order to avoid detection and remain invisible on a compromised network for as long as possible, attackers often use software designed for normal user activities, administrator tasks and system diagnostics,” explains Konstantin Sapronov, Head of Global Emergency Response Team at Kaspersky. “These tools allow attackers to gather and move around information about corporate networks, change software and hardware settings, or even perform malicious actions – they could use legitimate software to encrypt customer data. Legitimate software can help attackers stay under the radar of security analysts, as they often only spot the attack after the damage has been done. It is not possible to exclude these tools for many reasons. However, properly deployed logging and monitoring systems help detect suspicious activity on the network and sophisticated attacks at earlier stages.”
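As an added illustration (not part of Kaspersky's report or of any Kaspersky product), the following Python triage runs over constructed Sysmon-style events and flags the three tool patterns named above: encoded or hidden PowerShell, a PsExec service installation, and a network scanner run from a host outside an assumed admin allowlist. The event fields, host names and the ADMIN_HOSTS policy are assumptions for the example.

```python
import re

# Constructed sample telemetry (not real logs): Sysmon-style process-creation
# events (id 1) and Windows service-installation events (id 7045).
SAMPLE_EVENTS = [
    {"id": 1, "host": "jump-01", "user": "CORP\\itadmin", "image": r"C:\Tools\netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.0-10.0.0.254"},
    {"id": 1, "host": "ws-017", "user": "CORP\\jdoe", "image": r"C:\Tools\netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.0-10.0.255.254"},
    {"id": 1, "host": "ws-017", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc QUJDRA=="},  # base64 is a placeholder
    {"id": 7045, "host": "srv-fs01", "user": "CORP\\jdoe", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 7045, "host": "srv-fs01", "user": "SYSTEM", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
]

# Assumed policy (hypothetical): dual-use admin tools may only run from these hosts.
ADMIN_HOSTS = {"jump-01"}
DUAL_USE_TOOLS = {"netscan.exe", "psexec.exe", "psexec64.exe"}
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
HIDDEN_PS = re.compile(r"(^|\s)-w(indowstyle)?\s+hidden", re.IGNORECASE)


def triage(events):
    """Return (rule, host, user) tuples for events worth an analyst's attention."""
    findings = []
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["id"] == 1 and exe == "powershell.exe":
            # Encoded or hidden-window PowerShell is rare in normal admin use.
            if ENCODED_PS.search(ev["cmdline"]) or HIDDEN_PS.search(ev["cmdline"]):
                findings.append(("encoded_or_hidden_powershell", ev["host"], ev["user"]))
        if ev["id"] == 1 and exe in DUAL_USE_TOOLS and ev["host"] not in ADMIN_HOSTS:
            # Scanner or PsExec launched from a workstation, not an admin jump host.
            findings.append(("dual_use_tool_off_admin_host", ev["host"], ev["user"]))
        if ev["id"] == 7045 and (ev["service"].upper() == "PSEXESVC"
                                 or exe.startswith("psexesvc")):
            # PsExec installs its PSEXESVC service on the target before running.
            findings.append(("psexec_service_install", ev["host"], ev["user"]))
    return findings


if __name__ == "__main__":
    for rule, host, user in triage(SAMPLE_EVENTS):
        print(f"{rule:32} host={host} user={user}")
```

The benign spooler service install and the scanner run from the allowed jump host produce no findings, so the rules separate routine administration from the patterns the report describes.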

Companies should consider implementing an endpoint detection and response (EDR) solution together with a managed detection and response (MDR) service in order to detect and react to such attacks in good time. The MITRE ATT&CK® Round 2 Evaluation [2], in which solutions such as Kaspersky EDR and Kaspersky Managed Protection Service were evaluated, can help companies select EDR products that meet their requirements. The results of the ATT&CK evaluation demonstrate the importance of a comprehensive solution that combines a fully automated multi-layered security product with a manual threat-hunting service.

Kaspersky business protection tips

  • Restrict access to remote management tools from external IP addresses and ensure that remote control interfaces can only be reached from a limited number of endpoints.
  • Enforce a strict password policy for all IT systems and require multi-factor authentication.
  • Grant employees only restricted privileges, and assign highly privileged accounts only to those who need them for their work.
  • Install a dedicated security solution such as Kaspersky Endpoint Security for Business [3] on all Windows, Linux and macOS endpoints. This provides protection against known and unknown cyber threats and offers a range of security controls for each operating system.
  • Give SOC teams access to the latest threat intelligence [4] so they stay informed about the tools, techniques and tactics used by threat actors.
  • Create regular backups of all relevant business data so that data encrypted and rendered unusable by ransomware can be restored quickly.

Additional insights from Kaspersky's Incident Response Analyst Report are available online.

More on this at Kaspersky.com

About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/
