To put it simply, the classic logic of a SIEM system works as follows: if event A occurs, followed by event B, this may be a sign of an attack, and an information security specialist should be notified. But in today’s environment, this simple scenario is increasingly failing. Just recently, our experts analyzed a high-profile incident: attackers compromised the update infrastructure of the popular Notepad++ software, and distributed malware via the update mechanism. It’s simply impossible to have rules in place in advance that are specifically designed to counter such scenarios.

The attacks themselves have become more sophisticated: attackers use legitimate tools, they attack through the supply chain by compromising software outside the corporate perimeter, stretch out their scenarios over time, and disguise their actions as normal activity. In other words, they do not “break into” the infrastructure; more often than not, they log in and use legitimate software. As a result, the classic fixed rules of the past either fail to trigger, or generate too many false alerts. This is what prompted the shift toward more flexible correlation scenarios.

Dynamically updated SIEM content

Correlation content today isn’t a static set of rules, but a process: it’s constantly evolving and adapting to current threats. In 2025 alone, we released 55 rule-package updates for different versions and languages of our Kaspersky SIEM system. In just one year, we added 10 new rule packs, as well as 250 detection rules and numerous improvements to existing content. This year, we’ve already added 43 new rules and refined another 63. In total, this amounts to over 850 rules covering a significant portion of the MITRE ATT&CK framework.

Kaspersky SIEM rules are written based on insights from our experts who analyze real-world, recent attacks: we primarily draw on the findings of our managed detection and response (MDR) service and our threat research. As a result, our rules cover scenarios — from reconnaissance to privilege escalation — that involve the latest approaches used by attackers. For example, we detect the use of new attack techniques such as ToolShell.

In addition to scheduled updates, the team regularly releases so-called emergency content — rule sets for rapid response to new and unexpected attack techniques. In February, for example, detection rules were released for authentication bypass in Fortinet products via the SSO mechanism: attackers used specially crafted SAML requests to gain access to systems without credentials.

From events to attack chains

Moreover, modern SIEM rules no longer describe individual events, but rather sequences of actions. Scenarios are built around the stages of an attack: from initial access, to privilege escalation and persistence. Kaspersky SIEM’s effectiveness is enhanced through integration with Kaspersky EDR and dedicated rule sets for Active Directory, which implement dozens of attack detection scenarios at various stages. This approach allows us to see not just individual signals, but the full picture.

Integration and internal visibility

Another way to improve the effectiveness of an SIEM system is to expand data sources. A classic SIEM aggregates events from different levels of the infrastructure: from logs to telemetry from endpoints and internal systems. In addition to this, our SIEM system includes specialized rule sets for our other solutions (Kaspersky Security Center, Kaspersky Security for Mail Groups, K Anti-Targeted Attack platform), which allow monitoring of administrator actions, authentication, and service status. As a result, the system becomes a tool not only for detecting attacks, but also for monitoring internal activity.

Overall, SIEM is no longer just a set of rules, but has evolved into a continuously updated detection system. Its effectiveness is determined not by the number of detections, but by their relevance, coherence, and how accurately they reflect the actual actions of attackers. Stay up to date regarding our Kaspersky Unified Monitoring and Analysis Platform (SIEM) on its official product page.

Kaspersky official blog – ​Read More

Every year, hundreds of millions of real user passwords leak onto the dark web. We analyzed 231 million unique passwords from dark-web leaks between 2023 and 2026, and the conclusions are bleak: the vast majority are extremely weak. To crack 60% of these passwords, a hacker needs only an hour and a few dollars in their pocket. Furthermore, password cracking is accelerating by the year; in our similar 2024 study, the percentage of vulnerable passwords was lower.

Today we’re looking at just how reliable the average password is (spoiler: not really), and how you can secure your data and accounts using more robust methods. At the same time, we’ll highlight the patterns most commonly found in actual user passwords.

How passwords are cracked

In our previous study, we detailed the methods for storing and cracking passwords, but here’s a quick refresher on the essentials.

These days, passwords are almost never stored in plain text. For instance, if you create an account with the password “Password123!”, the server won’t store it as-is. Instead, the password is hashed using specific algorithms, turning it into a fixed-length string of letters and numbers (a hash) which is what actually stays on the server. For example, here’s what the MD5 hash for “Password123!” looks like:

2c103f2c4ed1e59c0b4e2e01821770fa.

Every time the user enters their password, it’s converted into a hash and compared against the one stored on the server; if the hashes match, the password is correct. If an attacker gets their hands on this hash, they have to decrypt it to recover the original password — this is what’s known as “password cracking”. This is typically done using owned or rented GPUs, and several methods can be employed for the crack:

• Exhaustive enumeration (brute force). The computer tries every possible combination of characters, calculating the hash for each one. This method is the easiest way to crack short passwords, or those consisting of a single character set (such as digits only).
• Rainbow tables. A total nightmare for anyone with a simple password, this is essentially a “phone book” for passwords whose hashes have already been cracked via brute force or smart algorithms. All an attacker has to do is find a matching hash and see which password corresponds to it.
• Smart cracking. These algorithms are trained on databases of leaked passwords. They understand the frequency of different character combinations, and run their checks from the most likely to the least popular sequences. They account for dictionary words, character substitutions (a → @ or s → $), and consider common password structures like “dictionary word + number + special character”, while checking hashes against rainbow tables. Combining these methods significantly accelerates the cracking process.

Beyond that, attackers can also intercept passwords in plain text. There are numerous ways to do this, ranging from phishing (where a victim is lured to a fake web page and enters their password voluntarily) and keyloggers that capture keystrokes, to stealers or Trojans that swipe documents, cookies, clipboard data, and more. Unfortunately, many users keep their passwords as plain text in notes, messaging apps, and documents, or save them in browsers where attackers can extract them in seconds.

Every year, we track around a hundred million plain-text password leaks. We use these databases to warn Kaspersky Password Manager users if their data has been compromised. To address the most frequent question we get on this: no, we don’t know our users’ passwords. We’ve explained in non-techie language exactly how we compare your passwords to leaked ones without actually knowing them — and why neither your passwords stored in Kaspersky Password Managernor even their hashes ever leave your device — in our overviews of our leak analysis technology and our password manager’s internal architecture. Give them a read; you’ll be surprised by just how elegant the design is.

60% of passwords are cracked in under an hour

We expanded the database from our previous study by an additional 38 million real passwords posted by attackers on dark-web forums and compared the results. Testing was conducted using a single RTX 5090 GPU for passwords hashed with the MD5 algorithm. The data for the analysis was obtained from our Digital Footprint Intelligence service. You can review the algorithm we used to assess password strength in our article on Securelist.

Unfortunately, passwords remain as weak as ever, while cracking them becomes faster and easier with every year. Today, 60% of passwords can be cracked in less than an hour; two years ago, that figure was 59%. But the truly frightening part is something else: nearly half of all passwords (48%) are cracked in less than a minute!

Attackers owe this boost in speed to graphics processors, which grow more powerful every year. While an RTX 4090 in 2024 could brute-force MD5 hashes at a rate of 164 gigahashes (billion hashes) per second, the new RTX 5090 has increased that speed by 34% — reaching 220 gigahashes per second.

And although a high-end video card like that currently retails for several thousand dollars, the price tag isn’t much of a barrier: there are plenty of cheap cloud services available for renting GPU computing power. Depending on the configuration and the model, rental costs range from a few cents to a few dollars per hour. As we’ve seen, one hour is all an attacker needs to crack three out of every five passwords they’ve found in a leak. Plus, depending on the scale of the task, they can always rent ten or even a hundred GPUs instead of just one…

It’s worth noting that cracking every password in a dataset doesn’t take much longer than cracking a single one. During each iteration, once the attacker calculates a hash for a specific character combination, they check if that same hash exists anywhere in the dataset — and the larger the dataset, the easier it is to find a match. If a match is found, the corresponding password is flagged as “cracked”, and the algorithm moves along to the next one.

Which passwords are vulnerable?

The strength of any password depends on its length, content variety, and the randomness of that content. Passwords created by humans turn out to be the least resilient — unfortunately, humans are quite predictable. We use dictionary words and character combinations that smart algorithms have long since mastered, we avoid long random strings, and patterns can be found even in keystrokes we believe are random. Interestingly enough, passwords generated by AI still carry the fingerprints of a human approach; we covered this in a separate post on how to create a strong yet memorable password.

Password length is the primary factor affecting cracking time. As you can see from the table below, it takes less than 24 hours to crack almost any eight-character password.

Percentage of varying password lengths crackable within a given timeframe

But the predictability of your password is just as important. Think you’re boosting security by adding a number or a special character to a memorable word? You are, but only slightly. The patterns people use to create passwords are easily predictable and, at times, pretty amusing — though this is no laughing matter.

What we learned about password patterns

Analysis of over 200 million passwords revealed characteristic patterns that allow smart algorithms to crack user passwords with ease.

Pick a number

More than half of all passwords (53%) end with one or more digits, while nearly one in six (17%) starts with a number. Every eighth password (12%) contains sequences that look a lot like years — ranging from 1950 to 2030 — and one in ten (10%) specifically falls between 1990 and 2026. This most likely happens because folks add their birth year (or that of someone close), some other significant year, or the year they created the password or account. Fun fact: based on the distribution of these dates, it suggests that the most active internet users were born between 2000 and 2012.

However, among all numeric combinations, the most popular turned out to be… you guessed it: “1234”. Overall, patterns involving sequential keyboard presses (“qwerty, ,”ytrewq”, and the like) appear in 3% of passwords.

Special characters aren’t a silver bullet

Most password policies in recent years require at least one special character. The absolute winner in this category is the @ symbol: it appears in one out of every 10 passwords. The period (.) comes in second, followed by the exclamation point (!) in third.

Love rules the world… and Skibidi Toilet does too

Emotionally charged words often form the foundation of a password, and despite everything, positive words are more common. Frequently occurring examples include “love”, “angel”, “team”, “mate”, “life”, and “star”. That said, negativity pops up too — mostly in the form of common English swear words.

Interestingly, viral memes are reflected in passwords as well. Between 2023 and 2026, the use of the word Skibidi in passwords skyrocketed 36-fold! Naturally (see the link if it doesn’t seem natural), “toilet” saw a boost too, though to a lesser extent.

Users tend to keep their passwords unchanged for years

More than half of the passwords (54%) we identified in recent leaks have surfaced before. Part of this can be explained by the same data migrating from one dataset to another. However, there’s a much more troubling reason too: many users simply haven’t changed their passwords in years.

Analyzing the dates found within passwords shows that combinations containing the years from 2020 through 2024 remain popular. It seems people add the current year to their password when they create it — and then forget about it for several years. This actually allows us to calculate the average lifespan of a password: about three to five years.

This is a dangerous trend. For one, smart algorithms can crack much more complex passwords over that kind of timeframe. Secondly, the longer your password remains unchanged, the higher the probability it will leak — whether through a breach, malware infection, or a phishing attack.

The situation gets even worse when the same password is used across multiple accounts. In this case, attackers don’t even need to crack anything; they just need to find your password in a single leak and plug it into other sites.

How to protect your passwords and accounts

If you’ve realized while reading this post that your own passwords are among those easily crackable — don’t panic. We’ve put together a list of simple but essential tips for you.

Use a password manager

The weakest passwords are the ones people come up with themselves. Creating and memorizing hundreds of sequences of 16–20 random characters (since every site requires a unique, long password) is a daunting, unrealistic task.

That’s why you should delegate password generation and storage to our password manager. It doesn’t just create and store complex, randomized passwords in an encrypted format; it also syncs them across all your devices. To decrypt your vault, you only need to remember one main password that no one knows but you — our guide on mnemonic passwords can help you with that.

Don’t store passwords as plain text

Whatever you do, never write down passwords in files, messages, or documents. They lack the robust encryption provided by a password manager. Furthermore, these kinds of notes fall into the hands of attackers instantly if you happen to pick up a Trojan or an infostealer.

Don’t store passwords in your browser

Many users save their passwords in their browsers — especially since they conveniently offer to do it automatically. Unfortunately, research shows that malware has evolved to extract these passwords from all popular browsers almost instantly. Kaspersky Password Manager can help you import saved passwords from your favorite browser — just follow our simple, three-step guide. Most importantly, don’t forget to clear the browser’s password storage once the import is complete.

Switch to passkeys

Wherever possible, use passkeys — a cryptographic replacement for passwords. In this setup, the service stores a public key, while the private key remains on your device and is never transmitted. During login, the device simply signs a one-time request. Additionally, passkeys are tied to a specific domain, meaning phishing attacks using spoofed addresses won’t work. Kaspersky Password Manager allows you to store both passwords and passkeys, solving the problem of syncing them across different ecosystems, including Windows, Android, macOS, and iOS.

Set up two-factor authentication

Enable two-factor authentication wherever possible. Even if your password is compromised, a properly configured 2FA setup makes it extremely difficult for the attacker to access your account. For maximum security, skip the one-time codes sent via SMS and use authenticator apps instead — and yes, Kaspersky Password Manager comes in handy here, too.

Practice good digital hygiene

Remember, storing your passwords correctly is only half the battle. It’s crucial to follow the rules of digital hygiene: avoid downloading unverified files, pirated software, cheats, or cracks, and don’t click on random links. The number of infostealer attacks has been steadily rising in recent years, which means you need a robust security solution for full protection. We recommend Kaspersky Premium — it protects all your devices from Trojans, phishing, and other threats. Besides, the subscription includes our password manager.

For those serious about account security, check out our collection of posts on passwords, passkeys, and two-factor authentication:

• Passkeys in 2025: your complete guide to passwordless sign-in
• Passkeys in 2025: tips for power users
• Creating an unforgettable password
• How to create strong passwords and where to store them
• Switching to Kaspersky: a step-by-step migration guide

Kaspersky official blog – ​Read More

Nowadays CISOs face escalating threats that outpace traditional defenses. The strategy is evolving from compliance-driven checklists to a threat-informed approach. MITRE ATT&CK provides a globally accessible knowledge base of real-world adversary tactics, techniques, and procedures (TTPs), enabling organizations to understand, prioritize, and counter actual attacker behaviors rather than abstract controls. 
 
This shift helps align security efforts with business realities: minimizing downtime, protecting revenue streams, safeguarding customer trust, and potentially lowering cyber insurance premiums through demonstrated proactive risk management. 

Executive Summary 

• Compliance-driven security measures control maturity, not adversary readiness. Threat-informed defense anchors risk management in real attack behaviors, which is where actual risk lives. 

• MITRE ATT&CK provides the taxonomy, not the intelligence. The framework names and structures adversary techniques; organizations need curated, real-world threat data to make those techniques actionable. 

• SOC workflow integration is non-negotiable. MITRE ATT&CK delivers risk reduction only when embedded into monitoring rules, triage processes, IR playbooks, and hunt methodologies. 

• Speed of context determines security outcomes. Whether in triage or incident response, the time it takes to understand what a threat is doing directly determines how much damage it can cause. ANY.RUN’s Threat Intelligence Lookup and Sandbox compress that context-gathering from hours to seconds.

• Threat hunting requires real attack patterns, not just technique categories. Generic ATT&CK-based hunt queries produce noise; high-fidelity feeds of current attacker behavior produce findings. 

• Risk reduction is measurable. MTTD, MTTR, MTTC, hunt yield rate, and false positive ratios are the business-level metrics that translate MITRE ATT&CK investment into language boards and insurers understand. 

Two Lenses, One Risk: Compliance vs. Adversary-Centered Approach 

Traditional risk management often relies on vulnerability scanning, compliance audits (e.g., NIST, ISO), and static controls. It focuses on known weaknesses and regulatory requirements but frequently misses how attackers chain behaviors in live environments. 

MITRE ATT&CK is adversary-centric and behavior-focused. It maps real-world TTPs across tactics like Initial Access, Execution, Persistence, and Impact. This enables gap analysis, threat modeling, and measurable improvements in detection and response. 

The most important takeaway from this comparison is not that compliance is worthless. It isn’t. Regulatory requirements create accountability, force documentation, and establish minimum hygiene floors that matter for smaller organizations with limited resources. The problem arises when compliance becomes the ceiling rather than the floor. 

Where Strategy Meets Reality: Making MITRE ATT&CK Operational 

MITRE ATT&CK is not a product. It does not detect threats. It does not alert your analysts, contain attackers, or generate threat intelligence. The organizations that extract real risk reduction from MITRE ATT&CK are those that connect the framework’s taxonomy directly to how their SOC actually operates: the tools analysts use, the data they see, the workflows they follow under pressure.

1. Eyes Wide Open: Enhancing Monitoring for Early Threat Detection 

MITRE ATT&CK is a powerful compass for monitoring strategy. It tells defenders which techniques adversaries use during specific phases of an attack. T1566 (Phishing) for initial access, T1055 (Process Injection) for defense evasion, T1021 (Remote Services) for lateral movement, etc. Security teams can use the framework to build detection hypotheses, design SIEM rules, and prioritize which telemetry sources to collect. 

What the SOC Actually Needs 

The value of monitoring emerges from early visibility to enable swift action, reducing dwell time and limiting blast radius. Analysts need alerts with sufficient fidelity and timeliness to intervene while the attack is still in progress. That requires not just knowing which techniques exist, but understanding the current threat landscape: which groups are active, which malware families are being deployed this week, and which detection signatures are already stale. 

Solution: Stay Current with Live Threat Feeds to Cut Detection Lag 

Threat Intelligence Feeds provide continuously updated, machine-readable threat intelligence stream of IOCs (indicators of compromise) with malware family tags derived from real detonations in ANY.RUN’s Interactive Sandbox. Security teams can pipe these feeds directly into their SIEM or EDR, ensuring that MITRE-mapped detection rules stay current with actual adversary activity. 

Business objective: Cut MTTD for novel threats. Increase the ratio of high-fidelity alerts to total alerts, lowering analyst alert fatigue and improving coverage of emerging attack vectors. 

2. Speed Matters: Accelerating Triage with Behavioral Context 

MITRE maps alerts to techniques, but analysts need rapid understanding of intent, impact, and validity to avoid alert fatigue. An alert tagged T1059.001 (PowerShell) tells an analyst that the technique involves command and scripting interpreter abuse. T1112 (Modify Registry) points to potential persistence or defense evasion. This context is valuable. But it is the starting point, not the destination. 

What the SOC Actually Needs 

Analysts dealing with hundreds of alerts per shift cannot afford multi-minute pivot chains to understand whether a flagged PowerShell execution is a legitimate IT automation script or the first stage of a ransomware deployment. They need behavior and impact context fast: What did this process actually do? Has this file hash or domain been seen in confirmed malicious activity?  

Solution: Reduce MTTD with Full Attack Visibility inside a Sandbox 

Threat Intelligence Lookup is a searchable threat data repository built on ANY.RUN’s analysis history. Analysts can query file hashes, IPs, domains, URLs, and process names and instantly surface related sandbox reports with MITRE ATT&CK mappings, malware family attributions, and associated threat actor context.  

During triage, analysts can answer the key questions before escalating: Is this a known threat? What does it do? Which ATT&CK techniques are involved? What is the likely impact?  

Interactive Sandbox complements TI Lookup for unknown samples. If an URL yields no TI Lookup match, analysts can submit it to the sandbox and receive a full behavioral report (process tree, network activity, file system changes, and ATT&CK technique tags) in minutes.  

Unlike automated sandboxes that process samples silently, ANY.RUN lets analysts interact with the execution — clicking through prompts, observing network connections, and watching process trees unfold — while the sandbox maps every observed behavior to MITRE ATT&CK techniques in real time.   

Business objective: Reduce mean triage time per alert. Decrease false positive escalations. Increase analyst capacity without headcount growth, enabling the SOC to handle greater alert volume at the same staffing level. 

3. Incident Response: From Labels to Action 

MITRE ATT&CK gives incident responders a structured model for understanding what an adversary may have done across the kill chain. It offers a common language and playbooks for containment, full visibility into attacker actions for precise, minimal-disruption response. This is genuinely valuable for architecting investigations and communicating findings to stakeholders. 

What the SOC Actually Needs 

During an active incident, responders need execution context. Which processes ran? In which order? What registry keys were modified? Which files were dropped and where? Which internal hosts did the malware beacon to? Without this granular execution responders end up remediating visible symptoms while the attacker maintains persistence through overlooked footholds. 

Solution: Compress Containment Time with Complete Execution Context 

Interactive Sandbox generates a complete execution timeline for any submitted sample: full process trees (parent/child relationships, command-line arguments), all network connections (DNS queries, HTTP/S requests, C2 communication patterns), file system changes (created, modified, deleted files), and registry modifications.  

Every action is timestamped and tagged with the corresponding MITRE ATT&CK technique. Responders don’t need to reconstruct what malware did from endpoint telemetry alone. They have a ground-truth behavioral record from a controlled detonation. 

TI Lookup accelerates the lateral movement investigation. If an incident involves a suspicious IP or domain used for C2, TI Lookup surfaces all previous ANY.RUN analyses involving that indicator. It helps reveal which malware families have used it, when, and in what context.  

Business objective: Reduce mean time to contain (MTTC) by giving responders complete execution context at the start of an investigation. Decrease re-infection rates by ensuring all persistence mechanisms are documented and remediated. Reduce incident response costs by compressing investigation timelines. 

4. Proactive Defense: Supercharging Threat Hunting with Real Patterns 

Threat hunting (proactively searching for adversary presence that evaded automated defenses) is where MITRE ATT&CK suggests hypotheses: if you are in a financial services organization, groups like FIN7 or Carbanak are relevant threats; their documented techniques (T1059, T1027, T1547) suggest where to look in your telemetry. This starting point is invaluable. 

What the SOC Actually Needs 

A successful hunt requires more than “look for PowerShell abuse”. It requires the specific parent-child process relationships, the exact command-line patterns, the particular registry keys, the network destinations that real-world attackers targeting your industry have actually used recently. Generic ATT&CK-based hunt queries produce excessive noise and burn hunter time on false leads. Real attack patterns are the fuel that makes hunts productive. 

Solution: Turn Hunt Hypotheses into High-Yield Findings with Real Attacker Patterns 

Threat Intelligence Lookup enables hunt pivoting at scale. A hunter who identifies a suspicious process name can query TI Lookup to find all samples that share that process, discover related IOCs, identify the malware family, and extract the precise command-line patterns that family uses. This turns a single hunt lead into a comprehensive behavioral profile needed to write high-confidence hunt queries. 

The combination of TI Feeds and TI Lookup transforms threat hunting from a creative exercise into an evidence-based discipline grounded in real adversary behavior. 

Business objective: Increase the yield rate of threat hunts (confirmed findings per hunt hour). Identify attacker dwell time earlier, reducing the average time an adversary operates undetected inside the network. Demonstrate proactive risk reduction to board and audit stakeholders. 

Conclusion: From Framework to Force Multiplier 

MITRE ATT&CK has fundamentally changed how the security industry thinks about risk: from abstract control gaps to concrete adversary behaviors. For CISOs, this shift represents an opportunity to speak a language that resonates equally in the boardroom and the SOC: the language of what attackers actually do, and how prepared your organization is to detect, contain, and recover. 

But the framework’s potential is only realized when it is connected to operational reality. MITRE ATT&CK without actionable threat intelligence is a map without territory. The SOC workflows that matter (monitoring, triage, incident response, and threat hunting) all require real-world adversary data to function at the speed and fidelity modern threats demand. 

ANY.RUN’s threat analysis and intelligence products are purpose-built to close this gap. Together, they transform MITRE ATT&CK from a conceptual framework into an operational engine that drives measurable risk reduction across every phase of the security operations cycle. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect, investigate, and respond to threats faster.

ANY.RUN solutions include Interactive Sandbox, Threat Intelligence Lookup, Threat Intelligence Feeds, and integrations for SOC workflows across SIEM, SOAR, EDR, and other security tools. Together, they help teams safely analyze suspicious links, files, and scripts, uncover phishing behavior, trace credential theft and remote access activity, and enrich investigations with real-world threat context.

Built for security-conscious organizations, ANY.RUN is SOC 2 Type II attested and supports enterprise-ready controls such as SSO, MFA, granular privacy settings, and AES-256-CBC encryption.

Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN gives SOC teams the visibility they need to move from uncertain alerts to evidence-based decisions.

FAQ 

The post How CISOs Reduce Cyber Risk with MITRE ATT&CK  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More