Of the incident responses Kaspersky handled in 2018, more than 50% were requested only after damage from a cyber attack had already occurred. Why is the response of companies delayed? The company explains the causes and lists seven points for responding effectively to incidents.
On September 30, 2019, Kaspersky announced the results of an analysis of the incident responses its security team carried out on request in 2018. According to the analysis, 81% of all organizations examined showed signs of malicious activity in their internal network, 34% showed evidence of highly targeted attacks, and 54.2% of financial institutions were found to be under attack.
The analysis also shows that many companies subjected to cyber attacks are slow to respond to incidents. In fact, 56% of the companies surveyed contacted the company’s security specialist team only after suffering severe consequences such as unauthorized money transfers, encryption of workstations by ransomware, or suspension of service provision caused by a cyber attack. The remaining 44% contacted the team immediately after detecting the initial stage of an attack and were protected from serious damage.
Why is the response of corporate security teams delayed? Kaspersky, together with its own views on the causes, explains seven points for an effective response to incidents.
A delayed response can lead to theft of money: seven points on incident response
In general, incident response tends to be regarded as something needed only to investigate details such as the cause after damage from a cyber attack has occurred. Having analyzed multiple incident response cases handled by its security team, Kaspersky notes that incident response is not only a tool for the detailed investigation of damage; it is also a means of identifying the type of attack and preventing damage at an early stage of the cyber attack.
For example, among the incident response cases the company was asked to handle in 2018, those that began after “activity that appeared to be a threat was detected in the network” and those that began after “a malicious file was found in the network” each accounted for 22%. According to the company, even when there is no other evidence of compromise, these two signs may indicate that an attack is currently in progress.
However, in the “early stage of an attack”, as in the two cases above, a corporate security team often cannot tell whether automated security tools have already detected and blocked the malicious activity, or whether a larger-scale malicious attack has already begun in the network. The company explains that it may therefore be impossible to determine whether an external expert is needed.
In fact, 26% of the 2018 incident response cases classified as “late requests” were due to infection with encrypting malware, and 11% involved theft of money. A further 19% of “late request” cases involved spam sent from corporate email accounts, detected service unavailability, or a detected security breach.
Kaspersky security expert Ayman Shaaban said that many companies have room to improve their detection and incident response procedures: “If we can identify attacks quickly, we can reduce the damage. Experience has shown that companies are often not fully aware of the consequences of serious attacks, and by the time our incident response team is contacted it is often too late to prevent damage.”
On the other hand, he said that requests from companies that knew how to recognize evidence of a serious cyber attack in their network prevented situations that could have led to a serious incident.
Kaspersky Lab recommends the following to respond effectively to incidents:
- Have a dedicated team (or at least specialized employees) in charge of IT security issues within the company.
- Implement a backup system for important data assets.
- In order to respond quickly to cyber attacks, combine an in-house incident response team that responds to the front line with an external specialist that handles more complex incidents.
- Develop an incident response plan that provides detailed guidance and procedures for various cyber attacks.
- Educate employees on basic precautions against cybercrime, and provide training on how to recognize and avoid potentially malicious emails and links.
- Introduce a patch management procedure for updating software.
- Regularly evaluate the security of IT infrastructure.