Quarter of firms can't tell how hackers get in

After a breach, a quarter of firms don't know how the attackers got in

The majority of large companies have experienced a breach over the past twelve months, but almost a quarter, 23 percent, of firms do not know how the hackers got in, according to a new survey.

"That was pretty eye-opening," said Tim Helming, director of product management at DomainTools, the company that sponsored the research. "If you don't know how it got onto your network, you can't protect against it."

Of the firms who did know how the attackers got in, 67 percent said that malware had infiltrated their networks through email, 63 percent named web surfing as a vector of infection, 12 percent cited cloud apps or social media, and 4 percent pointed to instant messaging.

Helming said that there are things companies can do to analyze malware in a secure lab environment.

"You can intentionally take apart the malware and look inside it and find information like domains in there that you can use to continue your investigation," he said.

One reason that so many companies could not spot the channel through which malware got into their network was that almost half, or 46 percent, of all organizations surveyed did not have a threat intelligence solution in place.

The most frequent reason cited was that the cyberthreats they had experienced had not been serious enough, according to an Osterman Research survey of 120 security and business executives at large companies.

Another 36 percent said that the cost of the technology is too high.

But threat intelligence is a broad category, said DomainTools CEO Tim Chen. It covers everything from free, Web-based, open-source data that's available to anyone who can find it, to threat intelligence platforms that are sold independently or are embedded in bigger solutions or SIEM products.

"When people complain that it's expensive and they can't afford it, they're talking about some of these more sophisticated platforms," said Chen.

But even free or low-cost resources can be useful for investigators trying to analyze a threat.

For example, according to Helming, identifying a piece of malware can tell a company about who the attackers are.

"Then often you can find information about what their MO is," he said. "Such as, this attack group spreads malware through phishing attacks. Or this group tries to send downloadable malware files as email attachments."

That can help a company zero in on the attackers' access point.

A toe-hold can start with something as small as a domain name, he said.

Using online domain lookup tools, investigators can often tell if it's a legitimate domain hijacked by criminals, or a domain associated with other nefarious organizations and activities.

"That can help close that visibility gap," he said.

According to the Osterman report, this kind of painstaking manual investigation can take weeks -- and isn't worth the hassle for smaller incursions.

And that could be a problem.

"We've all seen that the leading edge of a very serious breach might look like something that's not a big deal," said Chen.

"However, current-generation tools make the process of attack attribution much more cost effective," said the report.

Security researchers understand the value of threat intelligence, Helming said.

According to the survey, 82 percent said they would use it all the time if it was available to them.

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place