Stats & Trends
Jack Danahy
Sep 2015

The Need for Speed: Stats Show Attackers Are Getting Faster and Security Teams Can’t Keep Up


Companies are increasingly aware that attackers are operating at a speed that they just cannot match, and even the largest businesses are falling further and further behind. The stats below show how little time it takes for a system to become compromised, how quickly that attack spreads, and then how painfully long it can take to identify, respond to, and remediate a breach.


Security Response Times Are Stuck in Neutral While Attackers Sprint Ahead

The timeline presented in Verizon’s 2015 Data Breach Investigations Report (the source for the majority of these stats) is a startling one. Not only do phishing campaigns tend to claim their first victims in short order, they can then spread throughout an organization in a matter of minutes — far faster than security teams can realistically expect to detect and react to them.

  • 82 seconds: the median time from a phishing campaign's first message being sent to its first click
  • 60% of the time, a phishing attack compromises the targeted organization within minutes
  • 50% of phishing victims open the email and click on the link within the first hour
  • 1 hour: 40% of phishing attacks have already spread to a second organization
  • 24 hours: 75% of phishing attacks have spread from Victim 0 to Victim 1


According to the 2015 (ISC)2 Global Information Security Workforce Study, less than half of security professionals believe their organizations improved their readiness to prepare for, discover, and recover from a security breach over the past year. The most recent Mandiant M-Trends report from FireEye suggests why that matters: less than a third of all breaches were discovered by the victim organization's own staff and tooling, leaving 69% to be found by outside parties.

In short, we’re just not quick enough to stop these attacks soon enough. Meanwhile, attackers continue to adapt, innovate, and streamline their techniques, and the gap only widens.

Case in Point: The Excellus BlueCross/BlueShield Breach

Last week, I wrote about the Excellus BlueCross/BlueShield breach, which exposed 10.5 million records. That may sound like a lot (and it is), but the real eye-popping figure is how much time the attackers had to work with before the compromise was detected.

In the Excellus case, the compromise started on December 23, 2013, and wasn’t discovered until August 5, 2015. That’s 590 days. And as other prominent breaches have shown, attackers need far less time than that to do damage.

  • The Office of Personnel Management lost 21 million detailed personnel records in 182 days.
  • Anthem lost 80 million records in 48 days.
  • Target lost 40 million credit and debit cards in 33 days.
  • For those of you keeping track, the four breaches above add up to a loss of about 178K records per day of attacker dwell time (total records divided by total days).


Much of this delay is caused by the difficulty of identifying these attacks and breaches, but some of the lag is caused by a lack of available protection. As an example, last year saw an all-time high of 24 discovered zero-day vulnerabilities (vulnerabilities that attackers are already exploiting before the vendor knows about them or has a patch). According to Symantec's Internet Security Threat Report, attackers moved in to exploit these vulnerabilities much faster than vendors could create and roll out patches.

The top five zero-days of 2014 were actively used by attackers for a combined 295 days before patches were available.


As attacks grow more sophisticated and more cleverly obfuscated, identifying and reverse engineering the exploits takes longer and becomes more complex, which stretches the window before a patch exists at all.

Even once a vulnerability is understood and a patch is available, there is still more delay, because organizations struggle to actually apply patches. In another eye-popping stat from the Verizon Data Breach Investigations Report, 99.9% of exploited vulnerabilities were exploited more than a year after the vulnerability and its potential impact had been made public.

Caught Playing Whack-a-Mole

If you feel like you’re hopelessly chasing after a retreating point on the horizon, you’re not alone. Marty Roesch, Sourcefire founder and now Chief Architect for the Security Business Group at Cisco, says even the largest, most sophisticated organizations struggle to get the basics right, let alone to keep pace with rapidly evolving threats.

A big part of the problem is that many of us are tasked with organizational protection and we are focused on defending against the current threats, so we are always several steps behind the attacks that can affect us tomorrow. This leads to the mindset that Marty equates with “playing whack-a-mole with the hackers.”

The old way of looking at cybersecurity was, “if you just raise the bar high enough, the bad guys will go away,” Roesch explains. “They don’t go away anymore. The barriers to entry are low.” I’d add that plenty of organizations have only sought to raise their bar high enough to make other victims more attractive.

That’s especially true for small businesses with limited security staff, budgets, and resources. Attackers appear to have recognized this as well: according to Symantec’s Internet Security Threat Report, “60 percent of all targeted attacks struck small- and medium-sized organizations.”

Closing the Gap

This problem is only going to be resolved by a combination of two things:

  • more versatile technology
  • more disciplined users

Incremental improvements to monitoring, such as searching for known indicators of compromise after the fact, cannot be the whole solution.

More versatile technology

Good attack kits hide their tracks, encrypt their traffic, disable monitoring agents, and work very hard to be unnoticeable. Existing signature-based approaches cannot recognize these new attacks any better than overtaxed security analysts can. The technical component of this solution must recognize the attack in its infancy, before the persistence mechanisms and obfuscation that mask its existence are in place.

More disciplined users

End users are the other critical area for improvement. They must be incorporated into this challenge, and they must understand the important role that they play.

In a vast majority of these successful breaches, the initial attack site was a single user on a single machine, clicking on a single attachment or corrupted link.

This gap will be narrowed by two behavioral advances: technology that can analyze the behavior of an exploit as it runs, and users who can be taught not to create the opportunity for infection in the first place. Do both, and closing the gap becomes only a matter of time.

Photo by Luis Llerena

Jack Danahy

Jack is a 25-year-veteran in the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.
