Just one per cent of all Indicator of Attack (IOA) warnings are actually caused by network attacks.
This according to security giant Kaspersky, who analyzed (PDF) customer data over the first six months of 2019 and concluded that, 99 per cent of the time, alarms are being raised as the result of something other than a hacker.
The Kaspersky team analyzed more than 40,000 reports generated by its Managed Protection service and found that of those, just 515 were actually traced back to an attack on the customer's network.
This isn't unusual, says the security house. In fact, somewhat astonishingly Kaspersky argues that if you're not up to your armpits in such reports, you're doing something very wrong.
"If you don’t see a large number of false-positive events in your network, that probably means that you are missing a lot of important security incidents,” explained Sergey Soldatov, head of the security operation center at Kaspersky.
"Therefore, you should switch towards more wide-scale usage of Indicators of Attack methods, among other tools. While IoA-based alerts are much trickier to investigate due to the necessity to perform a lot of research to create efficient IoA and then a lot of manual analysis (when the IoA are triggered), our statistics show that these are most prone to false positives yet, they are the most effective and allow you to find really critical incidents.”
Here's the thinking: IOA warnings are based on the behavior Kaspersky and other researchers notice hackers using while they carry out attacks on networks. Increasingly, those attacks are designed to mimic legitimate network activities.
If your org hasn't had a security incident in the last year: Good for you, you're in the minorityREAD MORE
For example, Kaspersky said that 37 per cent of the attacks were taking place in code execution - a sign the attackers were hijacking legitimate processes to do their dirty work. Another 16 per cent of the attacks were detected performing lateral movement between systems on the network, another activity that happens legitimately every day.
In other words, companies are getting so many false positives from everyday activity because the bad guys are doing more to disguise their activities as everyday network traffic and system activity.
"The low IoA conversion rate reflects the need to detect advanced threats which use a ‘living off the land’ approach , with behaviors that are very similar to legitimate activity," Kaspersky writes.
"The more a malicious behavior mimics the normal behavior of users and administrators, the higher the rate of false positives and, consequently, the lower the conversion rate from alerts."
The alternative is that Kaspersky and other vendors could, you know, just produce better software that doesn't deluge admins with false positives, but you shouldn't hold your breathe on that score. ®