Evidence is mounting that Security Operations Center (SOC) teams may be buckling under an avalanche of phishing attacks both real and imagined. Even before work-from-home mandates, phishing was implicated in as much as 67% of all corporate data breaches, according to Verizon’s 2020 Data Breach Investigations Report (VDBIR). And while Ponemon Institute’s 2020 Total Cost of a Data Breach Report estimates an average $8.6 million in costs per incident for US-based companies, the organization finished collecting data in April. It warns that remote working amid the pandemic is likely to increase that amount by another $137,000 per breach. It didn’t help that during the second half of 2020, anxious employees swamped already resource-constrained SOC teams with a tidal wave of suspected phishing incidents—most of which were ultimately deemed false positives. But organizations employing automated response technologies report they were able to neutralize unreported threats while accelerating time-to-containment.
For this report, ACID researchers analyzed data from large organizations with an average of 21,000 employees in industries such as high-tech, healthcare, agriculture, construction, retail, energy, and more. The objective is to gain insight into reported incident volumes, false positive rates, and the impact of automation on the investigation and remediation of email threats from July through December 2020. This section of the H1 2021 Email Fraud and Identity Deception Trends Report features our analysis of these conversations.
Our mass experiment in working remotely via home Internet connections and personal computers has provided email threat actors with whole new avenues to potentially infiltrate corporate networks. It doesn’t help that one-in-five employees fall for malicious emails and two-thirds of them will go on to provide credentials to the fraudsters, according to a report from Microsoft. The really weird aspect about this: When they aren’t clicking on actual phishing attacks, they’re forwarding legitimate emails—a lot of them—to the SOC team for fear they’re fraudulent. According to large client organizations participating in our H1 2021 Phishing Incident Response Survey, employee-reported phishing incidents topped 65,898 during the second half of the year. Unfortunately, 61% of them were ultimately found to be false positives. Which means SOC analysts were forced to spend valuable time investigating and resolving them—even as time-to-containment of true breaches and attacks grows longer and more costly.
Each minute wasted chasing down false positives means another minute a legitimate phishing email remains an active threat, increasing the chances it will lead to a data breach. According to Ponemon Institute, the average time to containment was already 280 days before the pandemic. And 76% of companies say remote working is likely to make that worse. But according to the organizations in our survey, automation is proving critical to preventing these kinds of infiltrations from ever happening—and collapsing time-to-containment from weeks or months down to just minutes for those that do. This is in part because on average, automated processes enable them to uncover far more attacks than those reported by employees.
Organizations in our survey report automated phishing response detects 88X more email threats than manual processes alone. Out of 13,986 verified phishing emails reported during the second half of 2020, companies with automated phishing response processes successfully identified 972,347 additional email threats that were similar, or directly related, to those reported by employees. Automating the tasks associated with analysis and triage is credited as being central to achieving increased efficiencies and savings while avoiding breach costs.
[Chart: Malicious Phish Reports; All Similar Messages Found; Similar Messages Confirmed Malicious]
Organizations in our survey report that continuous detection and response (CDR) technologies leveraging shared threat intelligence identified more than 21,712 malicious messages beyond those detected through automated phishing response alone. That’s a 4X increase over the previous six-month period. Additionally, 724 unique events were identified solely through these technologies. At their most essential, CDR technologies identify latent threats that have evaded detection through new identity deception techniques, dormant payloads, or “time-bombed” URLs that redirect only after they’ve been delivered to the target’s inbox. By analyzing company-wide email metadata, these technologies forensically recognize and remove email threats from all inboxes automatically.
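The metadata-driven hunt described here and in the "similar or directly related" messages paragraph above, shown as an added example that is not code from the report or from any vendor: one employee-reported message confirmed malicious seeds a search across all mailboxes, and each other message is scored on shared pivots (sender, lure URL host, attachment hash, normalized subject). The pivot weights, the threshold and the sample messages are constructed assumptions for illustration.

```python
# Added example (not the report's code): retroactive similar-message hunt. A reported
# message confirmed malicious seeds a metadata search across all inboxes; weights,
# threshold and sample messages are constructed assumptions for illustration.
import re
from dataclasses import dataclass
@dataclass(frozen=True)
class MessageMeta:
    msg_id: str
    mailbox: str
    from_addr: str
    subject: str
    url_hosts: frozenset = frozenset()
    attachment_sha256: frozenset = frozenset()

def normalize_subject(subject):
    # Drop Re:/Fwd: prefixes, digits and punctuation so lures that differ only by a ticket number cluster together.
    subject = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", subject, flags=re.I)
    return " ".join(re.sub(r"[^a-z ]", " ", subject.lower()).split())
# One strong pivot (shared lure host or attachment hash) or two weaker ones (sender + subject) crosses threshold 4.
WEIGHTS = {"from": 3, "url": 4, "attachment": 5, "subject": 2}

def pivot_matches(seed, cand):
    checks = {
        "from": cand.from_addr == seed.from_addr,
        "url": bool(seed.url_hosts & cand.url_hosts),
        "attachment": bool(seed.attachment_sha256 & cand.attachment_sha256),
        "subject": normalize_subject(seed.subject) == normalize_subject(cand.subject),
    }
    return [name for name, hit in checks.items() if hit]

def find_related(seed, corpus, threshold=4):
    related = []
    for cand in corpus:
        if cand.msg_id == seed.msg_id:
            continue
        hits = pivot_matches(seed, cand)
        score = sum(WEIGHTS[h] for h in hits)
        if score >= threshold:
            related.append((cand.msg_id, cand.mailbox, score, hits))
    return sorted(related, key=lambda r: -r[2])  # strongest match first

# Constructed corpus: the reported seed, a copy with a rotated ticket number,
# a different sender reusing the lure host, and an unrelated newsletter.
LURE = frozenset({"hr-portal.example"})
SEED = MessageMeta("m1", "alice", "payroll@hr-portal.example", "Action required: payroll update #4471", LURE)
CORPUS = [SEED,
          MessageMeta("m2", "bob", "payroll@hr-portal.example", "Fwd: Action required: payroll update #4482", LURE),
          MessageMeta("m3", "carol", "it-desk@other.example", "Password expiry notice", LURE),
          MessageMeta("m4", "dave", "news@vendor.example", "Monthly newsletter", frozenset({"vendor.example"}))]
```

Running `find_related(SEED, CORPUS)` flags the rotated-ticket copy and the other-sender message reusing the lure host, while the newsletter scores zero; the tuples name the mailbox each copy should be pulled from.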
According to survey participants, genuine phishing attacks reported by end users are remediated within 38 minutes with the aid of automated response technologies that prioritize incidents based on potential impact to the organization and identify all affected employees. To put the importance of this kind of capability into perspective, studies from Aberdeen show there’s a 30% chance of a first-user click on a malicious email within 60 seconds of delivery, with a median time-to-first-click on malicious emails of just 134 seconds.