Cyber Threats 2025: Kaspersky MDR Analysis of 400,000 Alerts
Kaspersky's MDR, Incident Response, and Compromise Assessment services processed data from 200,000 corporate clients. In 2025, they logged 400,000 alerts. AI automatically resolved 95,000 (24%), SOC analysts filtered 87% of the remaining 300,000. Just 21,000 incidents reached customers.
Response times: 42 minutes for critical, 33 minutes for medium, and 31 minutes for low. That's a 22% improvement over 2024, thanks to automation.
Incident Criticality Trends
The share of critical incidents has been dropping for the sixth straight year: from 14.3% in 2021 to 3.8% in 2025. MDR caught up to three such cases daily. 97% of incidents were medium or low severity, mostly from automated malware and opportunistic attacks.
Human-operated attacks are rarer as a percentage but still the most dangerous. Catching them early explains the downward trend in criticality.
Most Targeted Industries
Top 3 industries by incident share:
- Government — 19%
- Manufacturing — 17%
- IT — 15% (surpassing finance)
IT sector saw 4.9% critical incidents, government 4.3% (above average). The rise in IT attacks ties to supply chain compromises: hackers breach service providers and integrators to reach clients. We've seen cases chaining multiple organizations.
Initial Access Vectors
From Incident Response data:
- Public app exploits — 43.7%
- Compromised credentials — 25.4%
- Trusted relationships (vendors) — 15.5%
Phishing dropped out of the top 3 in 2023 and now plays a supporting role in kill chains. Vendor attacks surged since 2023: breaching weakly secured firms with remote access to clients, making traffic look legit.
Impact of Successful Attacks
Data encryption topped damage-causing incidents at 39%. Next: persistence for disruption (12%), web exfiltration (7%).
Detection timing differences:
- Post-damage: encryption, data destruction, service outages.
- Pre-damage: persistence, Active Directory compromise.
Dwell time hinges on monitoring maturity, not the entry point.
Exploited Vulnerabilities
50% of Incident Response vulns were RCE, often unauthenticated. Top ones:
- CVE-2025-31324 (SAP NetWeaver, CVSS 9.8) — unauthorized file upload
- CVE-2025-42999 (SAP NetWeaver, CVSS 9.1) — insecure deserialization, RCE
- CVE-2025-61882 (Oracle E-Business Suite, CVSS 9.8) — unauthenticated service takeover
- CVE-2024-55591 (Fortinet FortiOS, CVSS 9.8) — authentication bypass
A third of vulns dated to 2021—ProxyLogon in Exchange remains relevant four years later. Attackers exploit known flaws with available patches.
Attacker Tools
LOLBins in critical MDR incidents:
| Tool | Share |
|---------------|--------|
| powershell.exe| 14.4% |
| rundll32.exe | 5.9% |
| mshta.exe | 3.8% |
| comsvcs.dll | 3.0% |
| msedge.exe | 2.7% |
mshta.exe spiked due to fake CAPTCHA lures. Specialized tools: Mimikatz (14.3%), PowerShell (8.1%), PsExec/AnyDesk (7.5%). Case in point: DLL hijacking via MPDefender.exe.
SOC Challenges
Rule coverage averages 43%, dropping to 30% with 50+ data sources. Key issues:
- Coverage decay without oversight.
- Vendor rules without tuning—false positives galore.
- Unbalanced logging without detection (network, DB, web).
Emerging 2025 Techniques
T1568 Dynamic Resolution hit the top 10 for conversions (23%): DGA, Fast Flux DNS. Case: abusing URL reservations in HTTP.sys for stealthy C2, mimicking Exchange traffic.
Key Takeaways
- Critical incidents at 3.8%, but MDR stops them pre-damage.
- Top vectors: public apps (43.7%), credentials (25.4%), vendors (15.5%).
- Vulns: 50% RCE, third from 2021—with patches available.
- SOCs cover 43% of data; decay is a major risk.
- IT in top 3 (15%), hit via supply chains.
— Editorial Team
No comments yet.