Kaspersky experts have analysed anonymized and aggregated statistics from requests to the Kaspersky Threat Intelligence Portal. According to Kaspersky's description, the portal is an always-on web service with access to several petabytes of global security intelligence data that is updated almost in real time.
The analysis showed that when security researchers requested additional details on a suspicious object, the object turned out to be malicious in 72 per cent of cases, and could have put corporate security at risk had it not been investigated.
On average, 44 per cent of security alerts faced by organizations are not investigated. The reason may lie in the huge volume of incoming warning signals that security teams struggle to fully cope with. So, analysts have to choose carefully which alerts they need to investigate, and which do not deserve their attention. In this situation, it’s helpful to have a framework which helps you to make the decision.
Anonymized and aggregated statistics from the Kaspersky Threat Intelligence Portal showed that in most cases the initial call to check an alert proves right: the majority (7 out of 10) of analyzed requests submitted through the service turn out to concern malicious objects. The share of such objects is especially high for web-related items: domains, 86 per cent; IP addresses, 75 per cent; and URLs, 73 per cent. The figure drops slightly for files, with 61 per cent of hashes categorized as dangerous. This implies that it is harder for researchers to distinguish legitimate files from malicious ones without consulting appropriate threat intelligence.
Overall, researchers are typically most interested in learning which resources the endpoints in their network are communicating with: 41 per cent of total requests fall under this category. With information on an IP address's reputation and its associated web sites and files, security teams can decide whether to deny access to the resource or block any communication with it. In addition, almost a third (31 per cent) of requests fell under the file hash category, meaning analysts were looking for additional information about a file (e.g., geographical distribution, popularity, and connections with other objects) for their investigations.