DBIR – Exfil Time – Explore v Smash & Grab

Anton Chuvakin’s review of the DBIR is my favorite.  It is super concise and to the point.

Document page 10 / PDF page 14 has a chart comparing compromise time and exfiltration time. Compromise time is typically measured in minutes, while exfiltration takes minutes in 20% of cases and days in 70%. Both make sense given the data on hand.

If you’re getting in, you’re getting in relatively quickly: the message is delivered or the application vulnerability is found. If you fail, you change tactics, and the new attempt likely won’t be correlated with the previous one. I’m not aware of many organizations doing any real threat intelligence. My MSSPs and threat data providers can never answer whether they’ve seen the same alerts from fellow customers.
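To make the correlation point concrete, here is an added example (not code from the post, the DBIR, or any vendor) that does the simple thing an MSSP console usually does not: it chains alerts from the same source across different tactics when they fall within a time window, so a failed phish followed by a web-app scan and an SSH brute force shows up as one campaign rather than three unrelated low-priority tickets. The alert records, the source addresses, the tactic labels and the four-hour window are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (hypothetical; not from the DBIR or any real sensor).
# Each record is what a sensor or MSSP feed might hand over per detection.
ALERTS = [
    {"ts": "2013-05-01T09:00:00", "src": "203.0.113.7", "tactic": "phishing", "target": "mail"},
    {"ts": "2013-05-01T09:40:00", "src": "203.0.113.7", "tactic": "web-app-scan", "target": "www"},
    {"ts": "2013-05-01T11:10:00", "src": "203.0.113.7", "tactic": "ssh-bruteforce", "target": "bastion"},
    {"ts": "2013-05-02T08:00:00", "src": "198.51.100.4", "tactic": "web-app-scan", "target": "www"},
    {"ts": "2013-05-03T08:00:00", "src": "203.0.113.7", "tactic": "phishing", "target": "mail"},
]


def parse_ts(s):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(s)


def _emit(src, chain):
    """Turn a chain of time-adjacent alerts into a campaign, but only if the
    attacker actually changed tactics; a single repeated alert type is left to
    the per-alert handling it already gets."""
    tactics = [a["tactic"] for a in chain]
    if len(set(tactics)) < 2:
        return []
    return [{
        "src": src,
        "start": chain[0]["ts"],
        "end": chain[-1]["ts"],
        "tactics": tactics,
        "targets": sorted({a["target"] for a in chain}),
    }]


def correlate(alerts, window=timedelta(hours=4)):
    """Group alerts by source and link consecutive ones whose gap is at most
    `window`. Returns the list of multi-tactic campaigns found.
    The window is an assumed tuning value, not something the DBIR prescribes."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)

    campaigns = []
    for src, items in by_src.items():
        items.sort(key=lambda a: parse_ts(a["ts"]))
        chain = [items[0]]
        for a in items[1:]:
            if parse_ts(a["ts"]) - parse_ts(chain[-1]["ts"]) <= window:
                chain.append(a)  # same source, still inside the window: same campaign
            else:
                campaigns.extend(_emit(src, chain))
                chain = [a]
        campaigns.extend(_emit(src, chain))
    return campaigns


if __name__ == "__main__":
    for c in correlate(ALERTS):
        print(f'{c["src"]} {c["start"]}..{c["end"]}: {" -> ".join(c["tactics"])} on {c["targets"]}')
```

On the constructed data this yields one campaign: the 203.0.113.7 source that moved from phishing to a web-app scan to an SSH brute force within a couple of hours. Its return on 5/3 is a lone alert and is not chained, which is the other half of the point: without a longer-lived per-source history (or a provider willing to say whether other customers saw the same source), the second visit looks like a fresh, unrelated event.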

My guess is that exfiltration time depends on the compromise: the shorter exfiltrations are the cases where the initially compromised target held the data, while the longer ones are the cases where a pivot was required. If the attacker can pull off a smash and grab, the exfiltration will be quick.

It’s too bad the vulnerability section is so poorly sourced. Then again, patching and QA typically aren’t given the resources to function properly at most organizations anyway.