Small and mid-sized organizations remain especially vulnerable to persistent compromises
Despite sophisticated prevention security tools, small to mid-sized organizations continue to be especially vulnerable to long lasting breaches due to their inability to support the level of IT staffing traditionally required to run a comprehensive detection and response function, according to Infocyte.
Key findings include:
- 22 percent of small and mid-market organizations’ networks have encountered a ransomware attack that bypassed their preventive security controls.
- Fileless attacks using memory injection techniques are becoming common.
- A majority of attack detections are being made with generic detectors like machine learning scores, making it more difficult to communicate risk or impact for orgs without the right analysis expertise.
- We find riskware (includes unwanted applications, web trackers, and adware) are pervasive but a correlation exists between organizations that struggle with controlling unwanted apps and low readiness to handle the significant attacks when they do occur.
“There is still a lot of work to be done to improve detection the response readiness of small and mid-market organizations to modern cyber threats,” said Curtis Hutcheson, CEO at Infocyte.
“However, armed with the right detection and incident response program including tooling, staffing and empowerment, security teams can close gaps in their defenses, proactively identifying and responding to hidden threats and vulnerabilities before they cause damage.”
Dwell time remains a major problem
Researchers revealed that dwell time, the time between an attack penetrating a network’s defenses and being discovered, remains a major problem for small and mid-sized organizations. The methodology used to measure dwell time also paints a very different picture of how long threats like malware are persisting in these types of organizations.
- The average dwell time for confirmed, persistent malware (not including riskware) for the small and mid-sized organizations we inspected was 798 days, far in excess of the reported dwell times for large enterprises.
- Dwell time for modern attacks that include ransomware (i.e. Ryuk) are much lower: averaging 43 days between infection of the initial trojan (often Trickbot or Emotet) and remediation due to how ransomware informs the victim.
- Nearly three quarters (72 percent) of inspected networks have riskware and unwanted applications in their environment that took longer than 90 days to remove. Although generally lower risk, we find networks that fail to control riskware is an indicator of lower readiness to respond to high-priority threats when they are uncovered.
- Infocyte discovered that the dwell time for riskware was much longer for small and mid-sized organizations, averaging 869 days of dwell time.
“Infocyte’s findings should be a wake-up call for SMBs that are overly confident in their organization’s cybersecurity posture. The reality is that many lack the resources, technology, expertise, and visibility to protect their organizations, let alone their customers’ and partners’ data.
“The long dwell times reported by Infocyte indicate SMBs are at a higher risk of compromise than their larger enterprise counterparts,” said Aaron Sherrill, Senior Analyst at 451 Research.
“While modern cybersecurity threats that evade legacy preventative and detection tools are a growing security gap for SMBs, many are unable to remediate the threats they do know about in a reasonable timeframe.”
The report summarizes the widest study of the use of fileless malware using memory (or code) injection, a stealthy fileless technique used to execute external malicious code inside another whitelisted process.
More than 60 percent of injections Infocyte found in critical Microsoft Windows processes were malicious and the most common inject locations for confirmed attacks were the Google Chrome process (31 percent) and the Microsoft Internet Explorer process (15 percent).
The report also uncovered that the rise of machine learning and behavioral categorization is making it harder to characterize threats for organizations without threat and malware analysis expertise.
In fact, 61 percent of all detections of active (non-riskware) malware are made with a generic detection such as a machine learning categorization algorithm or behavioral heuristic, which often requires additional verification to confirm and makes it difficult to measure and communicate risks or impact to the business for IT administrators.