The attacker’s landscape has changed yet again. What was once an era of advanced attackers seeking to gain access to an environment has been transformed by attackers who quickly smash and grab, for example hitting global hotel chains to pilfer millions of credit card numbers. Electricity in other countries is brought to a standstill as nation-states seek to prove a point. And in the blink of an eye, businesses are held hostage by ransomware. As the landscape has changed, opening new opportunities for breaches and lowering the attacker’s barrier to entry, organizations have started to respond and are realizing they must respond quickly.
Incident responders present an unusual challenge to an organization because their success can be measured by many metrics. One of these measures is how quickly the organization can detect, isolate and remediate infections in the environment. The longer an attacker has access to an environment, the more damage can be done.
Of the 591 respondents who qualified for and took the 2016 SANS Incident Response Survey, approximately 21% cited their time to detection, or “dwell time,” as two to seven days, while 40% indicated they could detect an incident in less than one day. Conversely, 2% of organizations reported their average dwell time as greater than one year. Survey participants reported that 29% of remediation events occur within two to seven days, while only 33% occur in less than one day.
The survey also found that incident response (IR) teams have various blends of automatic and manual technology, which can be a bonus for teams with skilled members and a hurdle for teams with inexperienced practitioners. Other promising statistics indicate that 76% of respondents had dedicated internal IR teams, an uptick from our 2015 survey.
Malware still maintains the top spot as the underlying cause of reported breaches, at 69%, but unauthorized access is recognized as a growing problem, at 51%, as attackers take advantage of weak, outdated remote access and authentication mechanisms. Organizations also report that 36% of attacks are advanced persistent threats (APTs) or multistage attacks, indicating that advanced attack groups are still targeting organizations.