Incident response (IR) is the practice of calling in a dedicated team after a security breach to stop an attack from spreading and to limit the damage. According to information shared by Kaspersky experts during the recent annual Cyber Security Weekend – META, in 2021 almost a third (30%) of the security incidents investigated and handled by Kaspersky in the Middle East, Turkey and Africa were connected to ransomware. The majority of the cases investigated involved the government, IT and industrial sectors in the region.
Ransomware remains a major threat to the growth and security of key economic sectors. Ransomware operators have refined their arsenal, concentrating on fewer attacks against large-scale organisations. This is evident from Kaspersky’s telemetry, which shows targeted ransomware attacks increasing by 2.5% in the Gulf region, by 34% in Africa and by 25% in Türkiye.
To launch such high-level attacks, cybercriminals first need to gain access to their target, and they use a variety of methods to infiltrate organisations. Exploiting a vulnerability is the most common initial access method: more than 53% of infiltrations globally took place through exploiting public-facing applications. This was followed by the use of compromised accounts (18%) and malicious email (14%).
The majority of the cyberattacks investigated by Kaspersky’s incident response team had already been ongoing, unnoticed, for weeks or months. This is particularly alarming because the longer cybercriminals lurk in a network, the more damage they can cause. To avoid such situations, organisations should rely on intelligence-driven detection solutions that can spot abnormal behaviour within a network. Kaspersky experts spent an average of 50 hours to identify, contain and eliminate each attack.
“The dangers posed by high-level cyberattacks are not expected to be resolved soon. In 30% of the security incidents, attackers made use of legitimate tools used by organisations. This goes on to prove that security controls need to have strong visibility and need to be managed efficiently. Organisations should employ a tool stack that can provide Endpoint Detection and Response capabilities, constantly check the reaction time of security operations with offensive exercises and assess and validate the usage of legitimate tools often used by cybercriminals to gain access to organisations,” said Ayman Shaaban, Digital Forensics and Incident Response Manager at Kaspersky.
For organisations to protect themselves against cyberattacks and intrusions, Kaspersky recommends:
- Implement a robust password policy and multifactor authentication.
- Remove management ports from public access.
- Set a zero-tolerance policy for patch management of public-facing applications, or apply compensating measures where a patch cannot be deployed.
- Ensure employees maintain a high level of security awareness.
- Always back up data.
- Work with an Incident Response Retainer partner to address incidents.
- Invest in tools such as Kaspersky Endpoint Detection and Response, which provides greater visibility into your organisation’s endpoints, continually monitors them to identify suspicious activity, and responds to malicious cyber threats in real time.
- Continuously train your incident response team to maintain their expertise and stay up to speed with the changing threat landscape.
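As an added illustration of the recommendations above (this is example code written for this page, not code from Kaspersky or from the original article), the following Python script audits a constructed service inventory against three of the listed controls: management ports reachable from the internet, public-facing applications whose available fix is older than an assumed 14-day patch window, and login-accepting public services where multifactor authentication is not enforced. The inventory entries, the management-port list, the 14-day SLA and the field names are all assumptions made for the example.

```python
"""Exposure audit for public-facing services (constructed example).

Checks a service inventory for three of the hardening recommendations:
  1. management ports exposed to the public internet,
  2. public-facing applications unpatched beyond a patch-management SLA,
  3. public login surfaces without multifactor authentication enforced.
The inventory, port list and SLA below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed list of ports commonly used for remote administration.
# Reaching any of these from the internet is the "management port" risk.
MANAGEMENT_PORTS = {
    22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql",
    3306: "mysql", 3389: "rdp", 5985: "winrm-http", 5986: "winrm-https",
}

PATCH_SLA_DAYS = 14  # assumed zero-tolerance window for public-facing apps


@dataclass
class Service:
    host: str
    port: int
    exposure: str                          # "public" or "internal"
    patch_available: Optional[date] = None  # date a vendor fix was released, if still unpatched
    mfa_enforced: Optional[bool] = None     # None = service takes no interactive logins


@dataclass
class Finding:
    host: str
    port: int
    rule: str      # "management-port", "patch-sla" or "mfa"
    detail: str


def audit(services: List[Service], today: date) -> List[Finding]:
    """Return one Finding per violated rule for each public-facing service."""
    findings: List[Finding] = []
    for s in services:
        if s.exposure != "public":
            continue  # the recommendations target public-facing exposure
        if s.port in MANAGEMENT_PORTS:
            findings.append(Finding(s.host, s.port, "management-port",
                                    f"{MANAGEMENT_PORTS[s.port]} reachable from the internet"))
        if s.patch_available is not None:
            age = (today - s.patch_available).days
            if age > PATCH_SLA_DAYS:
                findings.append(Finding(s.host, s.port, "patch-sla",
                                        f"fix available for {age} days, exceeds {PATCH_SLA_DAYS}-day SLA"))
        if s.mfa_enforced is False:
            findings.append(Finding(s.host, s.port, "mfa",
                                    "interactive login without multifactor authentication"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for a quick posture overview."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed inventory; hosts and dates are invented for the example.
SAMPLE_INVENTORY = [
    Service("web-01", 443, "public", patch_available=date(2022, 5, 1)),
    Service("bastion-01", 22, "public"),
    Service("vpn-01", 443, "public", mfa_enforced=False),
    Service("db-01", 3306, "internal", patch_available=date(2022, 1, 1)),
    Service("mail-01", 25, "public"),
]

if __name__ == "__main__":
    audit_date = date(2022, 6, 1)  # fixed date so the output is reproducible
    for f in audit(SAMPLE_INVENTORY, audit_date):
        print(f"{f.host}:{f.port} [{f.rule}] {f.detail}")
    print(summarize(audit(SAMPLE_INVENTORY, audit_date)))
```

The internal database host is deliberately skipped even though it is unpatched: the audit mirrors the recommendations' focus on public-facing exposure, and an internal-scope rule would be a separate policy decision. Feeding the script from a real asset inventory or firewall export is the natural next step.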