How Long Does It Take to Detect a Cyber Attack?

One of the biggest misconceptions in cyber security is the belief that ‘it won’t happen to us.’

Despite a growing awareness of cyber attacks and data breaches, organisations often mistakenly believe that they won’t become a target. ‘Why would they target us? We don’t hold anything of value.’


Cyber incidents are a matter of when, not if

The reality is that anyone can be taken down – even the threat actors themselves.

In part, this is because virtually every organisation has something worth stealing. We get a sense of how much data is worth by the level of fines the EU GDPR (General Data Protection Regulation) sets: the greater of 4% of global annual turnover or €20 million (about $22 million).

Cyber attackers also aren’t fussy. They often target vulnerabilities rather than organisations. So, if you’re not taking security seriously, and therefore not patching, a security incident is only around the corner – assuming it hasn’t already happened.

But even if you’re not making yourself an easy target, a security breach is only a matter of time.


The importance of defence in depth

Unfortunately, no single security measure is 100% foolproof. That’s why layering your defences is important – if one control fails, another control can step in.

A defence-in-depth approach improves your chances of preventing an attack, but it also ensures you can quickly detect an attacker if someone slips through the net despite your best efforts.

Plus, you can put responsive measures in place so you can minimise the damage and recover your systems quickly.


So, how do you detect a cyber attack?

Step one is to understand your baseline: what’s normal? Without a clear answer, you can’t detect suspicious activity that may signal a cyber attack.

For example, would you expect staff to log in at 3:00 am? And would you expect them to log in from outside the country?

Neither of these automatically means a breach has occurred – a legitimate user might be travelling or using a VPN, or an emergency might have cropped up – but you need to ‘teach’ your detection tools what constitutes strange behaviour so they can flag it.

A person should then follow up on those alerts, to check whether they need to be escalated.
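As an added illustration (not code from the original post), the Python below learns each user's usual login hours and countries from a constructed baseline of events and then flags the 3:00 am and out-of-country logins described above so a person can follow them up; the log format, usernames and country codes are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth events, "timestamp,user,country,outcome" (not real data).
BASELINE_LOG = """\
2024-03-04T08:55:00,alice,GB,success
2024-03-04T17:40:00,alice,GB,success
2024-03-04T07:30:00,bob,GB,success
2024-03-06T18:00:00,bob,GB,success
"""
NEW_LOG = """\
2024-03-11T09:02:00,alice,GB,success
2024-03-11T03:00:00,alice,GB,success
2024-03-12T10:15:00,bob,RO,success
2024-03-12T02:45:00,carol,GB,failure
"""

def parse(log):
    """Turn the CSV-style lines into (datetime, user, country, outcome) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, country, outcome = line.split(",")
        events.append((datetime.fromisoformat(ts), user, country, outcome))
    return events

def build_baseline(events):
    """Learn, per user, the login hours and countries seen during normal activity."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for ts, user, country, _ in events:
        baseline[user]["hours"].add(ts.hour)
        baseline[user]["countries"].add(country)
    return dict(baseline)

def flag_anomalies(events, baseline, hour_slack=1):
    """Return (timestamp, user, reason) alerts for logins outside a user's baseline.
    hour_slack widens each learned hour so 08:55 also covers 07:xx and 09:xx."""
    alerts = []
    for ts, user, country, _ in events:
        known = baseline.get(user)
        if known is None:                      # never seen this account before
            alerts.append((ts, user, "no baseline for user"))
            continue
        reasons = []
        if all(abs(ts.hour - h) > hour_slack for h in known["hours"]):
            reasons.append(f"login at {ts:%H:%M} outside usual hours")
        if country not in known["countries"]:
            reasons.append(f"login from {country}, not seen before")
        if reasons:                            # queue for a person to follow up
            alerts.append((ts, user, "; ".join(reasons)))
    return alerts
```

The alerts are only candidates: alice's 09:02 login passes because it sits within the learned window, while the 03:00 login and bob's login from a new country are queued for human review, as the text describes.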


What detection tools can I use?

Various automated solutions exist, including:

  • An IDS (intrusion detection system)
  • An IPS (intrusion prevention system)
  • EDR (endpoint detection and response) solutions

You should also have systems for logging user/system activity and forwarding that to a centralised SIEM (security information and event management) solution or a SOC (security operations centre).

Though good security relies on three pillars – people, processes and technology – reliably detecting malicious activity on your systems is virtually impossible unless you use tools like these. The sheer volume of event logs* you’d have to filter through would just be too much otherwise.

*These are logs of security events: everyday events on a computer system or network – logins, incoming emails, files received, etc.


How quickly can they detect an incident?

As these tools are automated, they can identify suspicious activity in real time.

However, they can’t tell you whether it was truly a cyber attack – you need a human follow-up to determine that.

So, how long does it take to detect an incident? It depends on the speed of your response.

According to Mandiant’s M-Trends 2024 Special Report, the global median dwell time* is trending downwards, currently at 10 days.

*Dwell time is the time between a threat actor first compromising the system and the organisation detecting the attacker.


How else can you detect a security breach?

It’s always best if you can detect attacks internally. This allows for the fastest possible response, minimising the damage and saving you money.

However, this isn’t the only way to detect a breach.

As Mandiant pointed out, one of the key reasons defenders are identifying attacks more quickly is that ransomware is on the rise. This is supported by Verizon’s 2024 Data Breach Investigations Report, which found a year-on-year rise in extortion attacks.

Extortion attacks (such as a ransomware attack) are inherently detected more quickly than other types of cyber crime – a ransomware gang can’t extort you if they don’t let you know that they’ve exfiltrated your data. Likewise, if they’ve encrypted your systems or data, you’re likely to notice that quickly, too.

That’s one type of external detection. It’s also not uncommon for law enforcement to uncover a breach and notify the organisation.


What about accidental breaches?

Though automated tools may be able to pick up on certain types of accidental breach, ideally you want to train staff to report (potential) security incidents to IT – or your security team if you have one – directly.

This allows for a faster response.

This could mean staff reporting they’ve received a phishing email, or perhaps clicked a malicious link. It could mean reporting their device is acting strangely, or that they’ve sent confidential data to the wrong person.

It’s not limited to cyber incidents, either – they could report seeing an intruder in the building.

Though insider threats are significant, with the right training, staff can be turned into an asset for your defences. They’ll not just be less likely to cause a breach – they’ll help you identify incidents more quickly.


Train staff not to fall for phishing

Turn your staff into a security asset, not a security risk, with our Phishing Staff Awareness Training Programme.

This 45-minute elearning course helps employees spot the signs of phishing and explains the importance of staying alert.

If you mandate one course for your staff this year, make it about phishing.


The post How Long Does It Take to Detect a Cyber Attack? appeared first on IT Governance Blog.
