66% of critical incidents in the government sector in 2021 were targeted attacks

A study based on analysis of incidents reported to Kaspersky Managed Detection and Response (MDR) customers found that the share of critical incidents experienced by organizations fell from one in ten (9%) in 2020 to one in seven (14%) in 2021.

More and more complex infrastructures, shortage of qualified professionals and a growth attack sophistication can all affect the effectiveness of cybersecurity teams and their ability to identify conflicting activity before incidents occur.

To provide insight into the current threat landscape, Kaspersky analyzed anonymized customer incidents identified through its MDR service in 2021.

According to the resulting report, organizations across all industries experienced high-severity incidents during this period, with most verticals experiencing multiple types.

The most frequent causes of critical incidents remained the same as the previous year, with the largest share (40.7%) belonging to targeted attacks.

Critical impact malware was identified in 14% of cases, and just under 13% of high severity incidents were categorized as exploits of publicly exposed critical vulnerabilities.

Social engineering also remained a relevant threat, accounting for nearly 5.5% of incidents caused.

Targeted attacks in 2021 were detected in every vertical represented in the research, with the exception of education and mass media, although incidents related to targeted attacks were reported within media organizations.

The greatest number of human attacks have been detected in the government, industrial, IT and financial sectors.

In particular, targeted attacks accounted for two-thirds (66%) of all critical incidents in the government sector, more than half (55%) in healthcare and 40% in the construction sector.

High-severity incidents are distinguished by a broad use of live-off-the-earth (LotL) binaries, non-malicious in nature, which are already available in a targeted system.

These tools allow cybercriminals to conceal their activity and minimize the chances of detection in the early stages of an attack.

Besides widely used rundll32.exe, powershell.exe and cmd.exe, tools such as reg.exe, te.exe and certutil.exe are often used during critical incidents.

To better prepare for targeted attacks, organizations can hire services that conduct ethical offensive exercises.

This type of activity simulates complex adversarial attacks to examine a company’s cyber resilience.

According to Kaspersky MDR analysts, this has only been applied in 16% of organizations.

“The MDR report shows once again that sophisticated attacks are here to stay and that more and more organizations are facing critical incidents. One of the most pressing issues here is that high severity incidents require more time to investigate and provide recommendations on corrective action. Last year, Kaspersky analysts managed to significantly reduce this indicator from 52.6 minutes in 2020 to 41.4 minutes. This was achieved by adding more incident map templates and introducing new telemetry enrichments that speed up triage,” comments Sergey Soldatov, Head of Security Operations Center, Kaspersky.

To protect your organization against advanced attacks, Kaspersky recommends the following:

Deploy a solution that combines detection and response capabilities and managed threat hunting to help identify known and unknown threats without involving additional internal resources. An alert-based approach is no longer effective in responding to modern threats.

Provide your SOC team with access to latest threat informationto ensure deep visibility into cyber threats targeting your organization.

Implementation Specialist incident response training to enhance the expertise of your internal digital forensics and incident response team. This will help verify and deal with threats faster and minimize the impact of the incident.

To reduce the likelihood of targeted attacks, provide your staff essential cybersecurity knowledge. Social engineering is still very popular and applies even to high-severity incidents.

Related