Incidental data from one cybersecurity firm’s MDR field work holds some clues as to how cyber attackers are targeting corporate victims.

Increasingly complex infrastructures, shortage of skilled professionals, and the growing sophistication of attacks can affect the efficiency of cybersecurity teams and their ability to preempt identify adversarial activity.

This is one of the conclusions of a report on managed detection and response (MDR) incidents handled by a cybersecurity firm in 2021.

According to the report by Kaspersky, organizational customers across all industries had experienced high severity incidents during this period, with most verticals facing multiple types.

In the analytics, the most frequent causes of critical incidents remained the same as for 2020: targeted attacks—which formed 40.7% of high severity incidents. The latter are characterized by the wide use of ‘living-off-the-land’ binaries of a non-malicious nature, that are already available in a targeted system.

These tools allow cybercriminals to hide their activity and minimize the chances of being detected during the first stages of an attack. In addition to widely used rundll32.exe, powershell.exe and cmd.exe, tools such as reg.exe, te.exe and certutil.exe have are often used in critical incidents.

Other findings

The analysis of incidents reported to the firm’s MDR teams has revealed that the share of critical incidents experienced by organizations had increased from 9% in 2020 14% in 2021. Also:

  • Malware with critical impact was identified in 14% of cases, and a little less than 13% of high severity incidents were classified as exploitation of publicly exposed critical vulnerabilities.
  • Social engineering also remained a relevant threat, accounting for almost 5.5% of incidents caused.
  • Targeted attacks in 2021 were detected in each vertical represented in the research, except for education and mass media, even though there were reported incidents related to targeted attacks within media organizations. The largest number of human-driven attacks were detected in government, industrial, IT and financial verticals. 
  • 16% of customers used services that conducted ethical offensive exercises to simulate complex adversarial attacks to offer insights into a firm’s cyber resilience. 

According to the firm’s Head of Security Operations Center, Sergey Soldatov: “One of the most pressing issues here is that high severity incidents require more time to investigate and provide recommendations on remediation steps,” involving the addition of “more incident card templates, and introduction of new telemetry enrichments that speed up triage.”