
Kaspersky research finds suspicious objects are malicious in almost three-quarters of investigated cases

Tuesday, November 26, 2019

Company: Kaspersky

Kaspersky’s expert analysis of anonymized and aggregated statistics of requests to the Kaspersky Threat Intelligence Portal showed that when security researchers requested additional details about a suspicious object, 72% of cases turned out to be malicious and could put corporate security at risk.

On average, 44% of security alerts are not investigated, likely due to the vast volume of incoming warning signals that security teams are challenged with. As a result, analysts must carefully choose which alerts need investigating versus those that do not justify further attention.

Among the 72% of cases found to be malicious after additional research, the share of such objects is especially high for web-related items: domains (86%), IP addresses (75%) and URLs (73%). The figure is slightly lower for files, with 61% of hashes categorized as dangerous. These statistics imply that it is more difficult for researchers to distinguish legitimate files from malicious ones without consulting appropriate threat intelligence.

Overall, researchers are most interested in learning which resources the endpoints in their network are communicating with: 41% of total requests fell into this category. With information on IP address reputation and associated web sites and files, security teams can decide whether to deny access to a resource or block any communication with it. In addition, a third (31%) of requests concerned the file hash category, meaning analysts were looking for additional information about a file (i.e. geographical distribution, popularity and connections with other objects) during their investigations.

“As our statistics show, security analysts in organizations rarely make mistakes when they suspect that an alert poses a security risk and might need further investigation,” said Anatoly Simonenko, group manager for technology solutions product management at Kaspersky. “However, it’s not all about checking the hypotheses. To be able to accelerate their incident response and forensic capabilities, analysts need to see the bigger picture on a threat, quickly. Access to threat intelligence provides just that, ultimately saving time and effort for typically understaffed security teams.”

The Kaspersky Threat Intelligence Portal is a web service that provides customers with knowledge about cyber threats gathered by Kaspersky. The company provides free access to basic information about suspicious files, hashes, IP addresses and other objects at https://opentip.kaspersky.com/.


About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
