DBIR – Exfil Time – Explore v Smash & Grab

Anton Chuvakin’s review of the DBIR is my favorite.  It is super concise and to the point.

Document page 10 / PDF 14 has a chart comparing compromise time and exfiltration time.  Compromise time is typically in minutes while 20% of exfiltration is in minutes and 70% is in days.  Both make sense given the data on hand.

If you’re getting in, you’re getting in relatively quickly. The message is delivered or the application vulnerability is found. If you fail, you’re changing tactics and your attack likely won’t be correlated with the previous attack. I’m not aware of many organizations doing any real threat intelligence. My MSSPs and threat data providers can never answer whether they’ve seen alerts from fellow customers.

My guess is that the time for exfiltration is based on the compromise. The shorter compromises are when the target had the data, while the longer exfiltrations are when a pivot was required. If the attacker can pull off a smash and grab, the exfiltration will be quick.

It’s too bad the vulnerability section is so poorly sourced.  Then again, patching and QA typically aren’t given the resources to properly function at most organizations anyway.
