Opinion

STEPHEN OSLER: Too many cyberattacks are labelled as ‘sophisticated'

Prevention and good IT hygiene are both important in keeping companies safe

Picture: ISTOCK

When major cyberattacks occur, organisations often describe them as sophisticated to justify their impact. However, 95% of the time the real issue isn’t the complexity of the attack but the failure to detect intrusions early enough to prevent cybercriminals from wreaking havoc.

It’s interesting how often the term “sophisticated” is used to describe attacks that exploit basic security flaws. It’s as if companies are trying to shift blame, so that they don’t reveal their own negligence in front of shareholders.

A notable example is British Airways. In 2018 it experienced a data breach and referred to it as a “sophisticated breach of the firm’s security systems”. However, investigations revealed that the attack was actually a simple cross-site scripting (XSS) attack, where cybercriminals injected malicious code into the company’s website using a compromised account.

This method is relatively common and not particularly sophisticated, but it shows how easily attackers can exploit companies’ security vulnerabilities. It also highlights how even the simplest attacks can have the same devastating consequences as their more sophisticated counterparts.

Recent stats from the Nclose State of Ransomware in SA 2024 Survey put this into perspective. Out of the 500 IT executives we surveyed, 63% reported at least one ransomware attack in the past two years. The cost of these attacks is measured in reputational harm, downtime and financial loss, with 36% of respondents reporting losses ranging from R100,000 to more than R10m.

Recovery time varied from less than 24 hours (14% of respondents), to one to three days (19%), four to seven days (13%) and more than seven days (19%). The primary cause of attacks? Not sophisticated footwork on the part of attackers, but rather the same tried-and-tested methods that are all too common: software vulnerabilities (21%), phishing or social-engineering attacks (16%), supply-chain attacks (13%), compromised credentials (9%) and insider threats (7%).

The complexity of the attacks is not the real problem. What matters most is dwell time: cybercriminals thrive on extended undetected access. Dwell time measures the time from when a company is attacked to when the breach is detected.

The good news is that dwell time is decreasing. According to a Mandiant report, the median dwell time six years ago was 78 days. In 2023 the median dwell time was only nine days, compared to 13 days the year before.

One reason dwell time has reduced is that companies are getting better at detecting threats, both internally and externally. This enables security teams to catch bad actors during the initial stages of the attack, such as reconnaissance and exploitation.

But the bad news is that criminals are also getting faster at breaking into companies’ IT systems. If you look at the speed with which attacks occur, it’s no wonder the dwell time has reduced. Specialised hackers in the cyber kill chain frequently sell privileged information on to others, such as standard usernames and passwords. This makes it easier for more senior hackers to escalate their attack.

Often hackers manage to access organisations’ IT systems because of poor managed detection and response (MDR). MDR is a cybersecurity service that blends advanced technology with human expertise to swiftly detect and mitigate threats through proactive threat hunting, continuous monitoring and incident response. The sooner a company is able to detect a threat, the less damage the attack will cause.

Of course, this doesn’t mean the focus should shift away from prevention and good IT hygiene, as these are both important. But MDR can significantly minimise loss due to its ability to quickly reduce the impact of potential security incidents.

We don’t detect threats by looking at individual security log entries, as these aren’t enough to get to the root cause of cyberattacks. Rather, we consider detection use cases. These tell us that when a particular sequence of events occurs, a cyberattack is under way. By using detection use cases, we’re able to detect attacks with a high level of fidelity and low levels of false positives.
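To illustrate the difference between matching single log entries and a sequence-based detection use case, here is an added example (not code from the article, the author or Nclose). The events, the user IP baseline, the ten-minute window and the three-failure threshold are all constructed assumptions; the use case fires only when failed logins, a success from an unseen IP and a privilege escalation occur in that order inside the window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (user, ISO timestamp, event type, source IP).
SAMPLE_EVENTS = [
    ("alice", "2024-05-01T08:00:00", "login_failed", "203.0.113.7"),
    ("alice", "2024-05-01T08:00:20", "login_failed", "203.0.113.7"),
    ("alice", "2024-05-01T08:00:45", "login_failed", "203.0.113.7"),
    ("alice", "2024-05-01T08:01:10", "login_success", "203.0.113.7"),
    ("alice", "2024-05-01T08:03:00", "admin_group_added", "203.0.113.7"),
    ("bob", "2024-05-01T09:00:00", "login_failed", "198.51.100.4"),
    ("bob", "2024-05-01T09:00:30", "login_success", "198.51.100.4"),
]
# Constructed baseline of the IPs each user normally logs in from.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.4"}}


def count_single_event_hits(events, kind):
    """Flat log matching: every event of one type is a hit (noisy)."""
    return sum(1 for _, _, k, _ in events if k == kind)


def detect_credential_abuse(events, known_ips, window=timedelta(minutes=10),
                            min_failures=3):
    """Detection use case: repeated failed logins, then a success from an IP
    outside the user's baseline, then privilege escalation, all inside
    `window`. Returns (user, ip, first_failure, escalation) per match;
    a missing or out-of-order stage means no alert."""
    by_user = defaultdict(list)
    for user, ts, kind, ip in events:
        by_user[user].append((datetime.fromisoformat(ts), kind, ip))
    alerts = []
    for user, seq in by_user.items():
        seq.sort()
        failures = []          # failure timestamps still inside the window
        suspicious_ip = None   # set once stage two (new-IP success) matched
        for ts, kind, ip in seq:
            failures = [t for t in failures if ts - t <= window]
            if kind == "login_failed":
                failures.append(ts)
            elif kind == "login_success":
                if len(failures) >= min_failures and ip not in known_ips.get(user, set()):
                    suspicious_ip = ip
                else:  # ordinary login: the sequence is broken, start over
                    failures, suspicious_ip = [], None
            elif kind == "admin_group_added" and suspicious_ip == ip and failures:
                alerts.append((user, ip, failures[0], ts))
                failures, suspicious_ip = [], None
    return alerts
```

On the sample data, flat matching on failed logins produces four hits with no context, while the use case raises a single alert for alice and nothing for bob, whose one failure and login from a known IP never complete the sequence.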

In summary, don’t be fooled by the “sophisticated attack” narrative. Make sure your company’s cybersecurity systems are robust enough to stand up to the variety of threats that await you in the coming months. And remember: whether sophisticated or simple, every threat needs to be treated with the same importance.

• Osler is co-founder and business development director at Nclose.
