Managed Detection and Response in 2023
2024-4-30 17:0:40 Author: securelist.com(查看原文) 阅读量:8 收藏

SOC, TI and IR posts

SOC, TI and IR posts

minute read

Managed Detection and Response in 2023 (PDF)

Alongside other security solutions, we provide Kaspersky Managed Detection and Response (MDR) to organizations worldwide, delivering expert monitoring and incident response 24/7. The task involves collecting telemetry for analysis by both machine-learning (ML) technologies and our dedicated Security Operations Center (SOC). On detection of a security incident, SOC puts forward a response plan, which, if approved by the customer, is actioned at the endpoint protection level. In addition, our experts give recommendations on organizing incident investigation and response.

In the annual MDR report, we present the results of analysis of SOC-detected incidents, supplying answers to the following questions:

  • Who are your potential attackers?
  • How do they currently operate?
  • How to detect their actions?

The report covers the tactics, techniques and tools most commonly used by threat actors, the nature of high-severity incidents and their distribution among MDR customers by geography and industry.

Security incident statistics for 2023

Security events

In 2023, Kaspersky Managed Detection and Response handled more than 431,000 alerts about possible suspicious activity. Of these, more than 117,000 were analyzed by ML technologies, and over 314,000 by SOC analysts. Of the manually processed security events, slightly under 90% turned out to be false positives. What is more, around 32,000 security alerts were linked to approximately 14,000 incidents reported to MDR customers.

Geographic distribution of users

In 2023, the largest concentration of Kaspersky MDR customers was in the European region (38%). In second place came Russia and the CIS (28%), in third the Asia-Pacific region (16%).

Distribution of Kaspersky MDR customers by region, 2023

Distribution of Kaspersky MDR customers by region, 2023

Distribution of incidents by industry

Since the number of incidents largely depends on the scale of monitoring, the most objective picture is given by the distribution of the ratio of the number of incidents to the number of monitored endpoints. The diagram below shows the expected number of incidents of a given criticality per 10,000 endpoints, broken down by industry.

Expected number of incidents of varying degrees of criticality per 10,000 endpoints in different industries, 2023

Expected number of incidents of varying degrees of criticality per 10,000 endpoints in different industries, 2023

In 2023, the most incidents per 10,000 devices were detected in mass media organizations, development companies and government agencies.

In terms of absolute number of incidents detected, the largest number of incidents worldwide in 2023 were recorded in the financial sector (18.3%), industrial enterprises (16.9%) and government agencies (12.5%).

Distribution of the number of Kaspersky MDR customers, all identified incidents and critical incidents by industry, 2023

Distribution of the number of Kaspersky MDR customers, all identified incidents and critical incidents by industry, 2023

General observations and recommendations

Based on the analysis of incidents detected in 2023, and on our many years of experience, we can identify the following trends in security incidents and protection measures:

  • Every year we identify targeted attacks carried out with direct human involvement. To effectively detect such attacks, besides conventional security monitoring, threat hunting is required.
  • The effectiveness of the defense mechanisms deployed by enterprises is best measured by a range of offensive exercises. Year after year, we see rising interest in projects of this kind.
  • In 2023, we identified fewer high-severity malware incidents than in previous years, but the number of incidents of medium and low criticality increased. The most effective approach to guarding against such incidents is through multi-layered protection.
  • Leveraging the MITRE ATT&CK® knowledge base supplies additional contextual information for attack detection and investigation teams. Even the most sophisticated attacks consist of simple steps and techniques, with detection of just a single step often uncovering the entire attack.

Detailed information about attacker tactics, techniques and tools, incident detection and response statistics, and defense recommendations can be found in the full report (PDF).

  • Reports

    We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts.

    New unattributed DuneQuixote campaign targeting entities in the Middle East employs droppers disguised as Total Commander installer and CR4T backdoor in C and Go.

    In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021.

    Asian APT groups target various organizations from a multitude of regions and industries. We created this report to provide the cybersecurity community with the best-prepared intelligence data to effectively counteract Asian APT groups.


    文章来源: https://securelist.com/kaspersky-mdr-report-2023/112411/
    如有侵权请联系:admin#unsafe.sh