A new report from the Kaspersky Compromise Assessment division highlights that many organizations are missing cybersecurity incidents due to reactive approaches, insufficient monitoring, and operational deficiencies. The report reveals that in 31% of incidents that were analyzed, malicious activity in organizations had been going on for over three months. Over half (52%) of high-severity compromises were only discovered after 90 days of going undetected, and the oldest incident identified over the last year remained undetected for as long as four years.
Monitoring tools and controls are not self-sufficient. Of all the incidents discovered, 20% were found manually, while 60% were missed by enterprises because of the absence of high-confidence alerts from existing tools. This indicates a critical reliance on automated tools that are not always effectively configured or monitored. Monitoring tools must be continually configured and adapted to the ever-changing threat landscape, and the human element remains vital: analysts need to actively review low-confidence alerts that often go uninvestigated.
Malicious files restored from backups. For many organizations, backup systems were a blind spot. As many as 40% of all discovered web shells (attacker-planted scripts on a web server that give remote command execution) resided undetected in backups, which meant they could be restored after the initial incident response activities were completed, silently reopening the attacker's access. Backups taken after the initial intrusion should be treated as potentially contaminated: their integrity and content should be thoroughly inspected, and any indicators found during incident response should be searched for in backup contents before anything is restored.
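One minimal way to perform that inspection on a backup archive before restoring it, as an added example that is not code from the report or from Kaspersky: it walks a tar archive without extracting anything to disk, hashes every file against indicators collected during incident response, and runs a few web-shell heuristics over files with server-side extensions. The regex patterns, the extension list and the embedded sample archive are constructed assumptions for illustration and would need tuning for a real environment.

```python
"""Scan a backup archive for web shells and known-bad hashes before restoring it."""
import hashlib
import io
import re
import tarfile

# Heuristics for common web-shell constructs (assumption: illustrative, not exhaustive).
WEBSHELL_PATTERNS = [
    # PHP: eval of an obfuscated payload, e.g. eval(base64_decode('...'))
    re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # PHP: code/command execution fed directly from request parameters
    re.compile(rb"\b(eval|system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    # Classic ASP one-liner shell: eval(Request("cmd"))
    re.compile(rb"\beval\s*\(\s*Request\s*\(", re.I),
    # PHP: preg_replace with the /e modifier (code execution on match)
    re.compile(rb"preg_replace\s*\(\s*['\"].*?/e['\"]", re.I),
]
# Only server-side source files are pattern-scanned (assumption: adjust to the stack).
WEB_EXTENSIONS = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".jspx")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_content(name: str, data: bytes, known_bad_hashes) -> list:
    """Return a list of reasons this file is suspicious (empty if clean)."""
    findings = []
    if sha256_hex(data) in known_bad_hashes:
        findings.append("sha256 matches IR indicator")
    if name.lower().endswith(WEB_EXTENSIONS):
        for pat in WEBSHELL_PATTERNS:
            if pat.search(data):
                findings.append("pattern: " + pat.pattern.decode())
                break  # one heuristic hit is enough to flag the file
    return findings


def scan_backup(archive_bytes: bytes, known_bad_hashes=frozenset()) -> dict:
    """Map member path -> findings for every suspicious file in a tar(.gz) archive.

    Files are read from the archive stream only; nothing is extracted to disk,
    so hostile member names (path traversal) cannot write outside a target dir.
    """
    results = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            findings = scan_content(member.name, data, known_bad_hashes)
            if findings:
                results[member.name] = findings
    return results


def build_sample_backup() -> bytes:
    """Constructed sample backup: a small web root with two planted web shells."""
    files = {
        "www/index.php": b"<?php echo 'hello'; ?>",
        "www/uploads/cache.php": b"<?php @eval($_POST['cmd']); ?>",
        "www/assets/img.jpg": b"\xff\xd8\xff",
        "www/inc/helper.php": b"<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Hashes of artifacts recovered during IR would normally come from the case file;
    # here one constructed hash is used to show the indicator match path.
    ir_hashes = {sha256_hex(b"\xff\xd8\xff")}
    for path, reasons in scan_backup(build_sample_backup(), ir_hashes).items():
        print(path, "->", "; ".join(reasons))
```

Heuristic scanning catches only the obvious shells; the hash check is what ties the backup review to the specific incident, so feed it every file hash, path and string recovered during response, and quarantine rather than restore anything it flags.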
Communication issues may lead to missed incidents. Nearly a third (32%) of compromise assessments revealed internal communication issues like unclear action confirmation or knowledge loss due to staff turnover. This highlights the need for regular exercises to test not only technical playbooks but also human and communication workflows, as well as operational level agreements.
Incident response practices must be regularly updated. For incident response to be truly efficient and effective, playbooks must be treated as "living documents" that are revised as new artifacts and threat intelligence emerge, including the indicators and tradecraft observed in the organization's own incidents. Failing to adapt incident response plans to the evolving threat landscape significantly increases the risk of missing critical threats and allowing a compromise to persist.
“Organizations face not only external risks, but also hidden threats within their infrastructure, and signs of compromise are not always obvious. Proactive security audits make it more likely that organizations will detect a compromise. Integrating regular, third-party compromise assessments into organizational processes can reduce the probability of unexpected high-severity incidents and improve overall risk posture,” comments Amged Wageh, expert at Kaspersky Compromise Assessment.
Read the full report on Securelist.