As cyberattacks become more sophisticated, and security solutions require more resources to analyze the huge amount of data gathered every day, many organizations feel the need for advanced security services that can deal with this growing complexity in real time, 24/7.
This article contains some analytical findings from Managed Detection and Response (MDR) operations during Q4 2020.
What is Kaspersky MDR
Kaspersky MDR uses Kaspersky Endpoint Security and Kaspersky Anti Targeted Attack Platform as low-level telemetry providers after MDR license activation. Raw telemetry is first enriched and correlated in the cloud, then two levels of SOC analysis process the resulting alerts. The first level of SOC analysis is a neural network-based supervised ML model that is trained on alerts investigated by human analysts. The second level consists of on-duty SOC analysts, who triage alerts and provide response recommendations to customers.
The MDR team also has a dedicated group for threat-hunting activities: proactive searching through raw telemetry for attacks that were not detected by automated logic, including the ML/AI in the MDR cloud infrastructure. The threat-hunting team is responsible for detection engineering, so all threats found manually are then covered with automatic detection and prevention logic to speed up customer protection. During the period covered by this report, Kaspersky MDR was used across all industry verticals as shown below, along with the share of detected incidents for each.
Data processing pipeline and security operations
In Q4 2020, the average number of raw events collected from one host was around 15 000. This comparatively low amount is attributable to the comprehensive analysis performed by Kaspersky Endpoint Security right at the endpoint, such as object reputation checks, and to the fact that only the required minimum of telemetry is sent to the cloud for further analysis.
During the reported period, MDR processed approximately 65 000 alerts, followed by an investigation that resulted in 1 506 incidents being submitted to clients, approximately 93% of which were mapped to the MITRE ATT&CK framework.
Incident remediation efficiency
Most of the incidents (80.1%) were detected based on the first analyzed alert. This means that after the first true positive alert, remediation activities stopped the attack from progressing and no new alerts were linked to the incident. This demonstrates that remediation is fairly efficient.
Incidents associated with larger numbers of alerts relate to cases where fast remediation is not efficient or not allowed. Examples of such incidents include a new targeted attack that requires thorough investigation before an active response, or security assessment engagements, where active counteraction against the attacker is not allowed.
According to the MDR incident severity classification, High-severity incidents are related to human-driven attacks or malware outbreaks with a high impact. Medium severity is related to incidents that significantly affect the efficiency or performance of assets covered by MDR. Finally, Low severity is related to incidents without a significant impact, which still ought to be fixed, for example, infection with grayware such as adware, riskware, etc.
High-severity incidents can be caused by a number of factors:
APT, targeted attack
Offensive exercise
Artefacts of APT, targeted attack
Malware with critical impact
Likely-to-be-exploited vulnerability
DDoS/DoS with impact
Insider threat with impact (sabotage, fraud)
Social engineering
Almost all of the verticals in the analyzed period were victims of targeted attacks. IT, Government and Industrial are the TOP 3. Organizations that suffered from targeted attacks typically also engaged in offensive exercises, a sign of adequate risk assessment.
Adversary tactics, techniques and procedures
As for the attack kill-chain stage, we do not see any correlation between incident severity and tactics at the moment of detection, although it might be expected that more complex attacks would be detected at a later stage.
Analysis of the detection technology has confirmed that a combination of different detection systems is needed: endpoint tactics are efficiently detected by EPP; sandbox (SB) analysis offers better results at analyzing content before it reaches the endpoint; and all network communications are subject to IDS.
Next, there are the top MITRE ATT&CK techniques (by the number of reported incidents) detected by telemetry from each sensor.
Analysis of incident statistics suggests the following recommendations on improving the security controls in place.
One third of all high-severity incidents were human-driven targeted attacks. Automated tools alone are not sufficient to detect these fully, so manual threat hunting in combination with classical alert-driven monitoring should be implemented.
Professional red team exercises are very similar to advanced attacks and are thus a good approach to assessing the organization's operational efficiency.
Nine percent of reported High-severity incidents were successful social engineering attacks, which demonstrates the need for raising employee security awareness.
Be ready to detect threats that use every tactic (attack kill chain stage). Even a complex attack consists of simple steps and techniques; the detection of a particular technique can uncover the whole attack.
Different detection technologies have different levels of efficiency against different attacker techniques. Maintain a variety of security technologies to increase the chances of successful detection.
Monitor PowerShell with built-in Windows events or comprehensive EDRs.
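The last recommendation, monitoring PowerShell through built-in Windows events, can be put in place with the standard policy registry keys and the Microsoft-Windows-PowerShell/Operational log. The script below is an added example, not code from the report or from Kaspersky; the function names are chosen here, and it assumes an elevated session on a Windows host where the policy keys are not already managed by Group Policy.

```powershell
# Added example: enable PowerShell script block and module logging through the
# policy registry keys, then pull recent script-block events (ID 4104) from the
# built-in Operational log so an analyst can review them. Run elevated.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellAuditLogging {
    # Script block logging records the content of every executed script block (event 4104).
    $sbl = Join-Path $policyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module logging records pipeline execution details for all modules (event 4103).
    $ml = Join-Path $policyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String
}

function Get-RecentScriptBlocks {
    # Returns the most recent 4104 events; -WarningOnly keeps only the blocks that
    # Windows itself logs at Warning level (its built-in suspicious-content check).
    param([int]$MaxEvents = 200, [switch]$WarningOnly)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    if ($WarningOnly) { $filter['Level'] = 3 }   # 3 = Warning
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Level      = $_.LevelDisplayName
                Path       = $_.Properties[4].Value   # script file path; empty for interactive input
                ScriptText = $_.Properties[2].Value   # the logged script block itself
            }
        }
}

Enable-PowerShellAuditLogging
Get-RecentScriptBlocks -WarningOnly | Format-Table -AutoSize -Wrap
```

Forward the Operational log to the SIEM or EDR as well, since local logs are only useful if an attacker cannot clear them before an analyst looks.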