Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securelistAyman ShaabanSECURELIST:35644FF079836082B5B728F8E95F0EDD
HistoryAug 06, 2020 - 10:00 a.m.

Incident Response Analyst Report 2019

2020-08-0610:00:34
Ayman Shaaban
securelist.com
95
JSON

Download full report (PDF)

As an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries' cyber-incident tactics and techniques used in the wild. In this report, we share our teams' conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.

The insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.

Executive summary

In 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.

Analysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.

Most of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware's presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.

Verticals and industries

Adversaries used a variety of initial vectors to compromise victims' environments. Initial vectors included exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. But the most common were exploitation of unpatched vulnerabilities, malicious emails, followed by brute-force attacks.

In addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.

Although we started working on incidents the first day of a request in 70% of cases, analysis revealed that the time between attack success and its discovery varies between an average of one day in ransomware incidents to 10 days in cases of financial theft, up to 122 days in cyber-espionage and data-theft operations.

Recommendations

Based on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:

  • Apply complex password policies
  • Avoid management interfaces exposed to the internet
  • Only allow remote access for necessary external services with multi-factor authentication – with necessary privileges only
  • Regular system audits to identify vulnerable services and misconfigurations
  • Continually tune security tools to avoid false positives
  • Apply powerful audit policy with log retention period of at least six months
  • Monitor and investigate all alerts generated by security tools
  • Patch your publicly available services immediately
  • Enhance your email protection and employee awareness
  • Forbid use of PsExec to simplify security operations
  • Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks
  • Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss
  • Back up your data frequently and on separated infrastructure

Reasons for incident response

Significant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).

Organizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.

One of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story "Cities under ransomware siege".

Distribution of reasons for top regions

A suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. The distribution also shows that 100% of cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.

Distribution of reasons for industries

Although, different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).

Detection of ransomware once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.

Initial vectors or how adversaries get in

Common initial vectors include the exploitation of vulnerabilities (0- and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not using management interfaces on the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.

By linking the popular initial compromise vectors with how an incident was detected, we can see detected suspicious files were detected from malicious emails. And cases detected after file encryption mostly took place after brute-force or vulnerability exploitation attacks.
Sometimes we act as complimentary experts for a primary incident response team from the victim's organization and we have no information on all of their findings – hence the 'Unknown reasons' on the charts. Malicious emails are most likely to be detected by a variety of security toolstack, but that's not showing distrubution of 0- to 1-day vulnerabilities.

The distribution of how long an attack went unnoticed and how an organization was compromised shows that cases that begin with vulnerability exploitation on an organization's network perimeter went unnoticed for longest. Social enginnering attacks via email were the most short-lived.

Tools and exploits

30% of all incidents were tied to legitimate tools

In cyberattacks, adversaries use legitimate tools which can't be detected as malicious utilities as they are often used in everyday activities. Suspicious events that blend with normal activity can be identified after deep analysis of a malicious attack and connecting the use of such tools to the incident. The top used tools are PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.

Most legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. PowerShell can be used virtually for any task.

Let's weight those tools based on occurrence in incidents – we will also see tactics (MITRE ATT&CK) where they are usually applied.

Exploits

Most of the identified exploits in incident cases appeared in 2019 along with a well-known remote code execution vulnerability in Windows SMB service (MS17-010) being actively exploited by a large number of adversaries.

MS17-010 SMB service in Microsoft Windows
Remote code execution vulnerability that was used in several large attacks such as WannaCry, NotPetya, WannaMine, etc. | CVE-2019-0604 Microsoft Sharepoint
Remote code execution vulnerability allows adversaries to execute arbitrary code without authentication in Microsoft Sharepoint. | CVE-2019-19781 Citrix Application Delivery Controller & Citrix Gateway
This vulnerability allows unauthenticated remote code execution on all hosts connected to Citrix infrastructure.
—|—|—
CVE-2019-0708 RDP service in Microsoft Windows
Remote code execution vulnerability (codename: BlueKeep) for a very widespread and, unfortunately, frequently publicly available RDP service. | CVE-2018-7600 Drupal
Remote code execution vulnerability also known as Drupalgeddon2. Widely used in installation of backdoors, web miners and other malware on compromised web servers. | CVE-2019-11510 Pulse Secure SSL VPN
Unauthenticated retrieval of VPN server user credentials. Instant access to victim organization through legitimate channel.

Attack duration

For a number of incidents, Kaspersky specialists have established the time period between the beginning of an adversary's activity and the end of the attack. As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.

Rush hours or days Average weeks Long-lasting months or longer
This category includes attacks lasting up to a week. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective counteraction to these attacks is possible only by preventive methods.
In some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the adversary's activity. This group includes attacks that have been developing for a week or several weeks. In most cases, this activity was aimed at the direct theft of money. Typically, the adversaries achieved their goals within a week. Incidents that lasted more than a month were included in this group. This activity is almost always aimed at stealing sensitive data.
Such attacks are characterized by interchanging active and passive phases. The total duration of active phases is on average close to the duration of attacks from the previous group.
Common threat:
Ransomware infection Common threat:
Financial theft Common threat:
Cyber-espionage and theft of confidential data
Common attack vector:

  • Downloading of a malicious file by link in email

  • Downloading of a malicious file from infected site

  • Exploitation of vulnerabilities on network perimeter

  • Credentials brute-force attack
    | Common attack vector:

  • Downloading a malicious file by link in email

  • Exploitation of vulnerabilities on network perimeter
    | Common attack vector:

  • Exploitation of vulnerabilities on network perimeter
    Attack duration (median):
    1 day | Attack duration (median):
    10 days | Attack duration (median):
    122 days
    Incident response duration:
    Hours to days | Incident response duration:
    Weeks | Incident response duration:
    Weeks

Operational metrics

False positives rate

False positives in incident responses are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization doesn't have a specialist in threat hunting or they are managed by an external SOC that doesn't have the full context for an event.

Age of attack

This is the time taken to detect an incident by an organization after an attack starts. Usually detecting the attack in the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still OK, but taking months or years is definitely bad.

How fast we responded

How long it took us to respond after an organization contacted us. 70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.

How long response took

Distribution of the time required for incident response activities can vary from a few hours to months based on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.

MITRE ATT&CK tactics and techniques

Conclusion

In 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.

Improved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan either on-premises or performed by a third party could have helped in stopping adversaries in the early phases of the attack chain, or start detections immediately after compromise.

Various tactics and techniques were used by adversaries to achieve their targets, trying multiple times till they succeeded. This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.

Adversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.

Applying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs on endpoints and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.

Related

githubexploit 46
mssecure 1
ics 11
threatpost 12
thn 12
kitploit 2
securelist 1
attackerkb 3
zdt 8
exploitpack 8
cisa_kev 4
hackerone 5
packetstorm 10
cve 3
checkpoint_advisories 5
malwarebytes 6
nessus 9
cisa 3
rapid7blog 1
krebs 1
impervablog 2
openvas 5
debiancve 1
metasploit 2
osv 3
prion 3
debian 3
saint 3
veracode 1
dsquare 3
ibm 1
qualysblog 2
freebsd 2
alpinelinux 1
f5 1
nuclei 3
symantec 1
zdi 1
wallarmlab 1
ubuntucve 1
seebug 1
archlinux 1
mscve 1
fireeye 2
citrix 1
ptsecurity 1
mskb 1
githubexploit
githubexploit
Exploit for Path Traversal in Pulsesecure Pulse Connect Secure
2020-04-16 16:32:47
Exploit for Path Traversal in Pulsesecure Pulse Connect Secure
2019-08-21 12:03:14
Exploit for Path Traversal in Pulsesecure Pulse Connect Secure
2019-09-09 15:58:39
mssecure
mssecure
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
2020-04-28 16:00:49
ics
ics
Chinese State-Sponsored Cyber Operations: Observed TTPs
2021-08-20 12:00:00
Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
2020-10-24 12:00:00
Iran-Based Threat Actor Exploits VPN Vulnerabilities
2020-09-15 12:00:00
threatpost
threatpost
Pioneer Kitten APT Sells Corporate Network Access
2020-09-01 13:35:19
Hackers Look to Steal COVID-19 Vaccine Research
2020-07-16 18:05:20
Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs
2020-09-14 21:20:46
thn
thn
Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide
2020-02-18 15:06:00
CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies
2020-09-15 09:14:00
US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor
2020-12-14 05:44:00
kitploit
kitploit
ShonyDanza - A Customizable, Easy-To-Navigate Tool For Researching, Pen Testing, And Defending With The Power Of Shodan
2021-12-01 20:30:00
ShonyDanza - A Customizable, Easy-To-Navigate Tool For Researching, Pen Testing, And Defending With The Power Of Shodan
2021-12-27 20:30:00
securelist
securelist
APT trends report Q2 2019
2019-08-01 10:00:05
attackerkb
attackerkb
CVE-2019-11510
2019-05-08 00:00:00
CVE-2019-19781
2019-11-05 00:00:00
Drupalgeddon 2
2018-03-29 00:00:00
zdt
zdt
Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure Exploit
2019-08-21 00:00:00
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - Drupalgeddon2 Remote Code Execution Exploit
2018-04-18 00:00:00
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 Drupalgeddon2 Remote Code Execution Exploit
2018-04-13 00:00:00
exploitpack
exploitpack
Pulse Secure 8.1R15.18.28.39.0 SSL VPN - Arbitrary File Disclosure (Metasploit)
2019-08-21 00:00:00
Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution
2020-01-11 00:00:00
Drupal 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution (PoC)
2018-04-13 00:00:00
cisa_kev
cisa_kev
Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
2021-11-03 00:00:00
Drupal Core Remote Code Execution Vulnerability
2021-11-03 00:00:00
Microsoft SharePoint Remote Code Execution Vulnerability
2021-11-03 00:00:00
hackerone
hackerone
U.S. Dept Of Defense: [CVE-2019-11510 ] Path Traversal on ████████ leads to leaked passwords, RCE, etc
2019-08-12 18:42:25
U.S. Dept Of Defense: Pulse Secure File disclosure, clear text and potential RCE
2019-08-12 14:34:14
U.S. Dept Of Defense: [CVE-2018-7600] Remote Code Execution due to outdated Drupal server on www.█████████
2020-12-21 07:51:14
packetstorm
packetstorm
Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure
2019-08-21 00:00:00
Citrix Application Delivery Controller / Gateway 10.5 Remote Code Execution
2020-01-13 00:00:00
Citrix ADC / Gateway Path Traversal
2020-01-16 00:00:00
cve
cve
CVE-2019-11510
2019-05-08 17:29:00
CVE-2018-7600
2018-03-29 07:29:00
CVE-2019-19781
2019-12-27 14:15:00
checkpoint_advisories
checkpoint_advisories
Pulse Connect Secure File Disclosure (CVE-2019-11510)
2019-09-04 00:00:00
Drupal Core Remote Code Execution (CVE-2018-7600)
2018-03-29 00:00:00
Drupal Core Form Rendering Remote Code Execution (CVE-2018-7600)
2020-11-05 00:00:00
malwarebytes
malwarebytes
CISA sets two week window for patching serious vulnerabilities
2021-11-04 21:23:02
Pulse VPN patched their vulnerability, but businesses are trailing behind
2019-10-18 16:36:36
Healthcare security update: death by ransomware, what’s next?
2020-10-08 15:30:00
nessus
nessus
Pulse Connect Secure Arbitrary File Read Vulnerability (CVE-2019-11510)
2019-08-16 00:00:00
FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (a9e466e8-4144-11e8-a292-00e04c1ea73d) (Drupalgeddon 2)
2018-04-16 00:00:00
Drupal Remote Code Execution Vulnerability (SA-CORE-2018-002) (exploit)
2018-04-13 00:00:00
cisa
cisa
NSA-CISA-FBI Joint Advisory on Russian SVR Targeting U.S. and Allied Networks
2021-04-15 00:00:00
CISA Releases Test for Citrix ADC and Gateway Vulnerability
2020-01-13 00:00:00
Citrix Releases Security Updates for SD-WAN WANOP
2020-01-23 00:00:00
rapid7blog
rapid7blog
NICER Protocol Deep Dive: Internet Exposure of Citrix ADC/NetScaler
2020-11-04 15:24:04
krebs
krebs
Hackers Were Inside Citrix for Five Months
2020-02-19 15:55:04
impervablog
impervablog
Drupalgeddon 2.0: Are Hackers Slacking Off?
2018-04-13 19:13:25
How Imperva’s New Attack Crowdsourcing Secures Your Business’s Applications
2019-02-13 12:52:46
openvas
openvas
Debian LTS: Security Advisory for drupal7 (DLA-1325-1)
2018-03-29 00:00:00
Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check)
2018-04-14 00:00:00
Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Linux, Version Check)
2018-03-29 00:00:00
debiancve
debiancve
CVE-2018-7600
2018-03-29 07:29:00
metasploit
metasploit
Drupal Drupalgeddon 2 Forms API Property Injection
2018-04-18 00:05:45
Citrix ADC (NetScaler) Directory Traversal Scanner
2020-01-13 22:39:05
osv
osv
CVE-2018-7600
2018-03-29 07:29:00
drupal7 - security update
2018-03-29 00:00:00
drupal7 - security update
2018-03-28 00:00:00
prion
prion
Code injection
2018-03-29 07:29:00
Arbitrary file deletion
2019-05-08 17:29:00
Directory traversal
2019-12-27 14:15:00
debian
debian
[SECURITY] [DSA 4156-1] drupal7 security update
2018-03-28 22:31:37
[SECURITY] [DSA 4156-1] drupal7 security update
2018-03-28 22:31:37
[SECURITY] [DLA 1325-1] drupal7 security update
2018-03-28 22:42:25
saint
saint
Drupal Form API command execution
2018-04-25 00:00:00
Drupal Form API command execution
2018-04-25 00:00:00
Drupal Form API command execution
2018-04-25 00:00:00
veracode
veracode
Remote Code Execution (RCE)
2018-04-03 05:03:22
dsquare
dsquare
Drupal 7 SA-CORE-2018-002 RCE
2018-05-08 00:00:00
Drupal 8 SA-CORE-2018-002 RCE
2018-05-08 00:00:00
Pulse Connect Secure File Disclosure
2019-08-27 00:00:00
ibm
ibm
Security Bulletin: API Connect Developer Portal is affected by Drupal vulnerability (CVE-2018-7600)
2018-06-15 07:09:07
qualysblog
qualysblog
Staying Safe in the Era of Browser-based Cryptocurrency Mining
2018-07-25 17:00:02
Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)
2020-01-09 00:12:26
freebsd
freebsd
drupal -- Drupal Core - Multiple Vulnerabilities
2018-03-13 00:00:00
Template::Toolkit -- Directory traversal on write
2019-12-13 00:00:00
alpinelinux
alpinelinux
CVE-2018-7600
2018-03-29 07:29:00
f5
f5
K22854260 : Drupal vulnerability CVE-2018-7600
2018-03-29 00:00:00
nuclei
nuclei
Pulse Connect Secure SSL VPN Arbitrary File Read
2020-04-22 06:42:01
Citrix ADC and Gateway - Directory Traversal
2020-04-05 22:27:04
Drupal - Remote Code Execution
2021-02-15 13:33:33
symantec
symantec
Multiple Citrix Products CVE-2019-19781 Remote Code Execution Vulnerability
2019-12-17 00:00:00
zdi
zdi
Microsoft SharePoint EntityInstanceIdEncoder Deserialization of Untrusted Data Remote Code Execution Vulnerability
2019-02-12 00:00:00
wallarmlab
wallarmlab
Drupalgeddon Two.
2018-04-20 19:31:22
ubuntucve
ubuntucve
CVE-2018-7600
2018-03-29 00:00:00
seebug
seebug
Drupal core Remote Code Execution(CVE-2018-7600) (Drupalgeddon2)
2018-03-30 00:00:00
archlinux
archlinux
[ASA-201804-1] drupal: arbitrary code execution
2018-04-01 00:00:00
mscve
mscve
Microsoft SharePoint Remote Code Execution Vulnerability
2019-02-12 08:00:00
fireeye
fireeye
Nice Try: 501 (Ransomware) Not Implemented
2020-01-24 17:00:00
404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor
2020-01-16 00:00:00
citrix
citrix
CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance
2019-12-17 05:00:00
ptsecurity
ptsecurity
PT-2020-01: Arbitrary code execution in Citrix ADC
2019-05-12 00:00:00
mskb
mskb
Description of the security update for SharePoint Server 2010: March 12, 2019
2019-02-12 08:00:00
JSON
Related for SECURELIST:35644FF079836082B5B728F8E95F0EDD
githubexploit46mssecure1ics11threatpost12thn12kitploit2securelist1attackerkb3zdt8exploitpack8cisa_kev4hackerone5packetstorm10cve3checkpoint_advisories5malwarebytes6nessus9cisa3rapid7blog1krebs1impervablog2openvas5debiancve1metasploit2osv3prion3debian3saint3veracode1dsquare3ibm1qualysblog2freebsd2alpinelinux1f51nuclei3symantec1zdi1wallarmlab1ubuntucve1seebug1archlinux1mscve1fireeye2citrix1ptsecurity1mskb1