If you work in IT security, you’ve got one minute and 20 seconds to save your company from being hacked. This is not a drill. It’s the median time it takes for an employee to open a phishing email that lands on a company’s network and in their inbox, setting in motion a race to prevent data from leaking. That’s according to the new Verizon Breach Investigations Report, which is due to be released publicly tomorrow but was previewed to reporters today.
It’s no surprise that in the race to protect networks from hackers, the adversaries outnumber and outpower the defenders. But now we know just how rapidly the protectors have to act before their systems are lost to attackers.
“How long do you suppose you have until the first message in the campaign is clicked?” the authors of the report ask. “Not long at all, with the median time-to-first-click coming in at one minute, 22 seconds across all campaigns. With users taking the bait this quickly, the hard reality is that you don’t have time on your side when it comes to detecting and reacting to phishing events.”
Verizon noted that 23 percent of recipients open phishing messages. But simply opening an email won’t necessarily install malware on a machine. More dangerous are the 11 percent of recipients who go so far as to click on malicious attachments.
Verizon’s annual report, now in its eighth year, analyzes breach intelligence and data from multiple sources, including customers of Verizon’s forensics response division and customers of FireEye, the firm that investigated the recent hack of Sony Pictures Entertainment. It also examines data from cases investigated by law enforcement agencies, and from government and industry computer incident response teams around the world. This year, Verizon analyzed data involving nearly 80,000 breaches contributed by 70 different organizations.
The report each year rarely offers surprises but instead focuses on providing a broad view of trends and developments in criminal hacking and cyberespionage as well as trends and improvements in defensive efforts. The takeaway from the report is rarely encouraging, as hacking attacks increase in number and sophistication each year.
This year’s report shows, for example, that once intruders are inside a victim’s network, the siphoning of data in some cases occurs rapidly, before companies can react. In 24 percent of breaches examined, the intruders began siphoning data within minutes and seconds of gaining entry, giving defenders little time to detect the theft and respond. There is some indication, though, that response times are improving. In 37 percent of the breaches examined, defenders were able to contain the attack within hours. And in an additional 30 percent of cases, they were able to contain the adversaries within days. The problem, however, is that while organizations may be quick to respond when they discover an attack, it still takes them a long time to uncover a breach.
“Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise,” Verizon notes in the report.
Typically, it takes months if not years to uncover a breach. In 2012, for example, FireEye reported that the average cyberespionage attack continued unabated for 458 days before the victim discovered the hack. Prior to this, it was normal to find attackers had been in a network two or three years before discovery.