The Reason Why Biggest Cyberattacks Happen Slowly


Most movies and TV shows about hackers show them using their skills to hack into a target within a matter of minutes. But the truth is, the biggest, most damaging (and lucrative) hacks are rarely planted overnight. Instead, they begin with reconnaissance to map the network and observe user behavior in order to find a seemingly insignificant security hole that can be exploited to get unauthorized access and then open the floodgates to compromise vast quantities of data over an extended period of time - sometimes over many months or even years.

According to The Cost of Data Breach Report by IBM, the average time it takes to detect and contain a cyberattack is 280 days. That’s over 9 months! And the time it takes to detect and contain a malicious breach is even longer, 315 days.

A Breach is Not an Event, it’s a Process

The most important thing to understand about a cyberattack is that it’s a continuous process with multiple steps. The first step is usually infiltration. This is the step by which the attacker gains a foothold in their target's network. Infiltration can happen in several ways: it can come by way of targeted credential theft, web application exploitation, third party credential theft and more.

However, this is just the first step, and there are many more to follow. Attackers will usually try to scope out their target first by carrying out reconnaissance. Reconnaissance is essentially exploring the network architecture, investigating what access they have via their stolen credentials, and finding where sensitive data is stored. By analogy, a thief claiming to be a friend of the house owner would have to act this way, because they might be recognized if they don’t take precautions. Merchants are at risk from many different types of attack, so how do you protect your business from getting attacked online?

Once cyber-criminals have finished their research and reconnaissance of an enterprise, they usually start moving laterally within the network in search of better access and causing disruption by stealing money or valuable information. These steps often take weeks and months to complete, and they're performed gradually through trial and error. Attackers can be very meticulous in their efforts to identify sensitive resources. In the case of a cyberattack, we usually only hear about the first and last steps – the infiltration into the network, and data exfiltration – but there’s a whole world of activity in between them.

Your Problem Isn’t Detection. It’s Correlation
