Breach Detection by the Numbers: Days, Weeks or Years?

The cyber attacks reported by the media continue to highlight a common thread

Many of the breaches have gone undetected for weeks, months and sometimes years – take the recent Wendy’s breach for example. We call this the Breach Detection Gap (BDG) or dwell time, and it is defined as the time elapsed between the initial breach of a network by an attacker and the discovery of that breach by the victim.

The latest report from FireEye cites dwell time as 146 days on average globally, and a whopping 469 days for the EMEA region. According to a Trustwave Report, 81% of reported intrusions are not detected by internal security processes but rather by news reports, law enforcement notifications, or external fraud monitoring.  Unfortunately, this trend does not show signs of slowing as internal security processes are unable to keep up with increasingly sophisticated and pervasive threats.

A Closer Look at High Profile Breaches

The Wendy’s breach we recently blogged about is a good example. The breach started in the Fall of 2015; was initially reported by branches in February 2016; was announced in May 2016 citing 300 location impacted; with hundreds more of their locations, in fact, breached and only discovered/reported in early July – 1,025 total to be exact. The examples below offer a snapshot of additional high profile real-world attacks and the length of time elapsed before the breach was discovered. These well documented incidents cost the organizations affected millions in losses, regulatory fines, and brand reputation.


 Table 1: Breach Detection Gap Examples Table 1: Breach Detection Gap Examples

Known as “persistent compromises” there are many motives for attackers trying to maintain stealthy long term access to a network. Whereas loud, transient attacks like crypto-locker, web defacement, denial of service, or smash and grabs can be easy to identify due to the immediate effect they have, persistent threats meet their objectives by maintaining stealthy long term access to the network.


 Table 2: Persistent vs Non-persistent Compromises Table 2: Persistent vs Non-persistent Compromises

While access may be obtained within seconds or minutes depending on the vulnerability exploited, mapping and navigating a large or complicated network to find the data or individuals the attacker is looking for can many times take days or weeks.  Additionally, monitoring users on the newly compromised network for a period of time to learn internal operations is essential to an attacker’s success, as was demonstrated in the Sony attack. This however also gives network defenders an opportunity to disrupt and counter.

Closing the Breach Detection Gap with Threat Hunting

Although the BDG problem is complex, it exists primarily for two reasons:

  1. The growing sophistication of modern attackers.
  2. Current real-time security processes are ineffective at detecting post-compromise activity, especially as time passes after the initial attack.

The BDG problem has become so pervasive that many argue organizations should operate under the assumption that their respective networks will be penetrated if they aren’t already. The U.S. Department of Defense adopted this premise several years ago, and in response, created “hunt teams”, which, at a basic level, consisted of trained incident responders and analysts who proactively and iteratively search critical networks and/or historical log data for signs of a missed compromise.

Threat hunting is differentiated from real-time intrusion detection, which works to prevent or detect attacks early in the attack cycle, by instead utilizing post-compromise detection techniques.  Hunting is on the spectrum of incident response activities except it is done proactively, before you know there is a problem. The goal is to reduce the dwell time of attackers and remove them before they can cause further damage.

Download our white paper The Breach Detection Gap and Strategies to Close It to learn how threat hunting can help you identify and stop persistent compromises.

See Infocyte HUNT in Action. Request a Live Demo.

Request a Live Demo of Our Award-winning Threat Hunting and Incident Response Platform.

More from our blog

cybersecurity siem alert validation fatigue

Security Brief: SIEM Alert Validation and the Dangers of Alert Fatigue

March 27, 2019

Despite the rich data provided by SIEMs, organizations find themselves drowning in false positives, making it difficult to focus on high-priority events. This problem of alert fatigue prevents cyber security teams from identifying and addressing real threats – impacting small teams with no SOC, large enterprise teams with a SOC, and MSSPs overseeing the security for many SOCs/customers.

Read More »
2018 healthcare data breaches report

5 Takeaways From Reviewing 2018’s Healthcare Data Breaches

March 19, 2019

In 2018, the U.S. Healthcare Industry Remained a Hot Target for Data Breaches. Last year alone, over 15 million patient records were affected with an average of one data breach occurring every 24 hours in the healthcare industry. It goes without saying that hackers and cyber attackers are finding ways around/through/past security defenses—exploiting vulnerabilities and…

Read More »
hidden cyber attacks

Hunting, Detecting, and Responding to Hidden Threats Using FSA

March 12, 2019

A Brief History of Forensic State Analysis Prior to starting Infocyte, our co-founders, Chris Gerritz and Russ Morris, created the first enterprise-scoped threat hunting team for the entire U.S. Department of Defense. Their teams were responsible for hunting, detecting, and responding to highly sophisticated attacks across an 800,000-node network. With virtually unlimited resources and access…

Read More »