Breakout Time
The first topic I want to inform you about is breakout time. Breakout time describes the time it takes for an attacker to gain initial access, scan the local network, deploy exploits, and begin moving laterally throughout the environment. According to the 2022 Global Threat Report from CrowdStrike the average breakout time was 1 hour and 38 minutes. A previous 2019 CrowdStrike report broke this down by threat actor groups as follows:
- Cybercrime gangs – 9 hours and 42 minutes
- Iranian-sponsored threat groups – 5 hours and 9 minutes
- Chinese-sponsored threat groups – 4 hours
- North Korean-sponsored threat groups – 2 hours and 20 minutes
- Russian-sponsored threat groups – 18 minutes and 49 seconds
Even with a breakout time of nearly 10 hours and using the M-Trends data, attackers will have compromised out environments and moved laterally through it for over 27 days before they are detected. Sadly, the difference between the worst case (18 minutes, 49 seconds) and the best case (9 hours, 42 minutes) accounts for approximately 1.4% of the total breakout time using the M-Trends numbers. Using the Ponemon Institute numbers, the difference between best case and worst-case breakout time accounts for 0.18% of the total breach. Put simply, over 98% of the time between initial compromise and detection occurs after the attacker has begun moving throughout the environment using the best-case numbers for defenders.
Dwell Time and Breach Cost
One of the factors that can significantly affect the cost of a breach is breach lifecycle, or the time between the initiation of the breach and full breach containment. This is similar to the previously used term “dwell time”. In the Ponemon study, the breach lifecycle includes the time to identify (how long does it take to detect a breach has occurred) and the time to contain (how long does it take an organization to resolve the issue). According to the 2022 study, the average time to identify a breach is 212 days while the average time to contain is 75 days for a total of 287 days. Put another way, if you detected a breach on January 1st, the breach would not be detected until July 31st and would not be fully contained until October 14th. While these averages are, no doubt, concerning, they don’t paint the complete picture. The cost of a data breach study also factored the affect the breach lifecycle had on breach cost going back to 2015.
| Year | Lifecycle < 200 Days | Lifecycle > 200 Days | Percent Increase |
| 2015 | $2.65 million | $3.32 million | 25.3% |
| 2016 | $2.54 million | $3.61 million | 42.1% |
| 2017 | $2.79 million | $3.75 million | 34.4% |
| 2018 | $3.21 million | $4.15 million | 29.3% |
| 2019 | $3.34 million | $4.56 million | 36.5% |
| 2020 | $3.21 million | $4.33 million | 34.9% |
| 2021 | $3.61 million | $4.87 million | 34.9% |
What is clear from this data is that the amount of time it takes to detect and respond to breaches directly affects the cost of a data breach. Accepting the fact that attackers will compromise our networks and remain there for weeks to months before detection and containment is, in fact, accepting increased data breach costs. This should be unacceptable. Unfortunately, for many organizations, this is not just acceptable, it is considered normal.
SOC Inefficiencies
The biggest reason while allowing attackers to invade our environments for weeks or months is standard operating procedure involves our collective inability to reliably detect attackers in a timely manner. According to a study conducted by the Ponemon Exabeam SIEM Productivity Study, 33% of SOC alerts are false positive while an article on www.helpnetsecurity.com (SOCs still overwhelmed by alert overload, struggle with false-positives) found that 82% of respondents reported more than 25% of alerts were false. Of those, 37% stated that between 25 and 50 percent of alerts were false, 36% of respondents stated that 50 to 75 percent of alerts were false and 9% stated that 75 to 99 percent of alerts were false. Putting it another way, if you have three SOC analysts, you are paying one of them to do nothing but weed through false alarms. Not only is this inefficient, but it also creates alert fatigue. According to the 2019 Exabeam State of the Security Operations Center report, false positive alerts were a concern for 27% of organizations, 24% of respondents stated alert fatigue is a significant pain point, while 39% of respondents stated that keeping up with alerts is their biggest challenge.
I hope this gave you an insight on how to optimize and make the most out of your IT security budget.
Next time, we will be looking into how simple the solution to your cyber security problems can be when you’re using cyber deception as an extension to your existing methods.
If you want to get ahead in fighting off cyber attacks, contact us today!
Image provided by Canva.com
