One of the most important metrics in our report is the incident response (IR) timeline, which tracks the average time it takes companies to detect, contain, fully investigate, and provide notification of the incident to individuals. The metric is valuable because it helps entities identify areas where they can improve before an incident occurs and gives them context to response time expectations during an incident.
IR Preparedness
When we talk to entities about incident response preparedness, we often start with the detection and containment metrics because they are two areas in which companies can improve their “compromise ready” posture before an incident occurs.
Detection. The time of 66 days from occurrence to detection includes all incident types from 2017, some of which companies usually detect immediately (e.g., ransomware and Office 365 account takeovers) and some of which they do not (e.g., network intrusions). The average detection time for network intrusions in 2017 was 84 days, with more than 90% of those incidents detected in less than six months. The 84-day detection time for network intrusions closely matches the “dwell time” metric from Mandiant’s “M-Trends 2018” report, which shows the median time from occurrence to discovery of the network intrusions Mandiant investigated in 2017 as 101 days. The all-incident types detection time average we report has held steady over the past three years – 69 days in 2016 and 61 days in 2017. Mandiant’s dwell time data shows an improvement over the prior six years, down from a median of 416 in 2011.
From “M-Trends 2018,” prepared by Mandiant, a FireEye Company
If an attacker broke into a network months before an entity becomes aware and begins to investigate, if logs critical to identifying what the attacker did were never generated or “rolled over” due to log retention settings, the ability to have certainty about what occurred and what data may be at risk is affected. Not only does insufficient logging cause investigations to take longer to complete, it often leads to scenarios in which an entity knows an attacker broke into its network and had sufficient access to steal data, but a forensic firm is not able to conclusively tell the entity what data was stolen, nor can it rule out the possibility of data having been stolen. That scenario often leaves an entity facing a decision of whether it should assume that the worst-case scenario of data theft occurred even in the absence of actual evidence that it did.The time delay from occurrence to detection highlights the importance of having (1) endpoint threat-detection tools (something beyond antivirus), (2) good network and host logging practices, and (3) a dedicated internal team or security vendor that monitors alerts from security tools and investigates to triage the alert. Network security teams respond to and stop many security events in minutes or hours, preventing the “event” from becoming an “incident.” However, sometimes the attacker’s access is not detected at the outset. Often, we then see attackers compromise legitimate credentials and use legitimate system tools (e.g., PowerShell) to move around the network for weeks or months in a way that is not identified as suspicious.
Containment. After an entity becomes aware of an incident, there is a rush to stop it from continuing. Some incidents are easier to contain than others. Network intrusions, for instance, often take longer to contain than others. The containment time average in 2017 was three days for all incident types and five days for network intrusions. In network intrusion incidents, after indicators of a network compromise are identified, we work with the entity and the forensic firm to build a containment plan. Usually the forensic firm needs time to understand the entity’s network, how the attacker is accessing the network, and the tools the attacker is using before it can build out the components of an effective containment plan for the entity to implement. The compromised entity’s ability to support the forensic firm’s investigation by accurately describing its environment and what devices have sensitive data, and by providing visibility to endpoints and access to logs with sufficient detail, is a significant factor in the time it takes to contain an incident. The overall network security posture is also a factor – a flat network without security tools operating on public internet-facing devices running unpatched applications is hard to secure in a matter of days.
IR Response
Investigation. A lot of people, especially the members of an incident response team that are not from the security group, expect to get all of the answers about an incident very quickly. The reality, especially for forensic investigations of network intrusions, is that the time to complete an investigation is measured in weeks, not hours or days. For 4% of network intrusions in 2017, the investigation took longer than three months to complete. For members of an incident response team responsible for deciding on timing of communications and content, knowing that it will likely be weeks before there is certainty about what occurred can help the entity make effective timing choices and limit content to only statements the entity knows to be accurate and not likely to change.
Notification. One of the most common questions we get from entities at the start of the investigation is how fast they should or need to notify individuals or regulatory authorities. The focus is twofold – regulatory compliance and reputation. For most entities, the decision is not about whether to notify and comply with applicable law. Rather, often the discussion is about whether the entity should provide notification “immediately” in the interest of “transparency.” There are plenty of examples of entities that released communications early in an investigation of an incident that later had to update and change its message, which caused some to view those entities as not handling the incident response well or worse.
The close proximity of the timing of the completion of the investigation to the timing of providing notification – an average gap of two days in 2017 – shows the value of preparing to notify in a parallel track during the investigation. Often preliminary findings provide enough for the team responsible for communications to begin to prepare for notification (e.g., drafting messaging, engaging notification vendors for larger notices, preparing the call center) during the investigation. Then, when the investigation reaches an acceptable point of certainty, the communication materials can be quickly finalized and released. Entities that wait to address notification until after getting the final findings may face delays that could have been avoided. For example, companies that provide notification mailing services often require the entity providing notice to supply the mailing vendor with all necessary deliverables five days before letters will be mailed.
Take Action
The Data Security and Incident Response Report identified four steps that entities can take to shorten the overall timeline: (1) enhance logging practices, both in length of retention and detail logged, (2) identify a primary forensic firm before an incident occurs, negotiate a master services agreement with that firm, and then bring that firm on-site to do onboarding, (3) use endpoint security tools (deployed pre-incident or by working with the forensic firm to deploy its endpoint agent) to get visibility faster, and (4) be mindful that the pressure to move quickly and provide transparency must be balanced with the need for an appropriate investigation that enables an effective containment plan and certainty about what occurred.