Human errors still a leading cause of cyber incidents, says Kaspersky
The worst-affected industries are government, IT firms, and the financial and industrial sectors


There were more than two critical cyber incidents with direct human involvement per day last year, according to new research from Kaspersky.
The company's annual Managed Detection and Response (MDR) Analyst Report concludes that nearly a quarter of incidents were driven by humans.
Just over one-in-five involved various types of cyber exercises which had been previously classified by Kaspersky as targeted attacks, but which were redesignated after explanation by the customer.
The government sector was hardest-hit, accounting for 22.9% of all detected high-severity incidents. IT companies came second at 15.4%, closely followed by financial and industrial companies with 14.9% and 11.8% of incidents respectively.
The most incidents per 10,000 devices were found in mass media organizations, development companies, and government agencies.
Despite concerns over human-related errors, Kaspersky noted that the percentage of malware attacks resulting in serious consequences dipped slightly last year, accounting for just over 12% of the total reported critical incidents.
This, the company noted, marks the smallest share of high-severity incidents in recent years.
This trend can be attributed to the commoditization of attacks: tools originally designed for targeted campaigns have become common through deliberate or accidental leaks and are now widely adopted.
These tools are now being repurposed in attempts to implement fully automated attacks, says the firm.
"In 2023, Kaspersky detected a smaller number of high-severity incidents, but observed a simultaneous increase in the number of medium and low severity ones. This redistribution of occurrences is associated with the detection of malware without visible traces of active human participation in attacks, which can be explained by the commoditization of tools," said Sergey Soldatov, head of security operations center at Kaspersky.
"However, it’s important to understand that the low number of high-severity incidents does not necessarily indicate low damage. Targeted attacks are now planned more carefully, and become more dangerous. Therefore, we recommend the use of effective automated cybersecurity solutions managed with the help of experienced SOC analysts."
Malware attacks accounted for just over 12% of incidents - the lowest proportion yet, according to the firm. Most were classified as medium or low severity.
Fewer than one-in-twenty related to publicly available critical vulnerabilities, while around 4% were the result of successful social engineering with further attack development.
And fewer than 1% of incidents were linked to insiders, while nearly one in three related to suspicious activity from legitimate accounts with no visible signs of compromise.
Almost one-in-ten incidents involved Living Off the Land Binaries - LOLBins - with the figure rising to a third of high-severity incidents. The most popular LOLBins were powershell.exe and rundll32.exe, which were used in 2% of all incidents and in 12% of critical incidents.
Meanwhile, a relatively high number of incidents were associated with detections of accounts being added to privileged groups such as domain admins or enterprise admins.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.