It started with a breached email account in late 2022 and 5 days of dwell time.
The attacker or attackers then used that access to reach additional files (and, of course, emails), poking around for the full 5 days.
Defenders noticed at the end of the 5 days and booted the attacker out. What followed was what you’d expect. Thankfully, it wasn’t a catastrophic incident.
It was, however, certainly expensive for this small organization. Consider – at a minimum:
◍ Intracompany notification of the breach and password handling.
◍ Employee concern and consternation while determining the depth and breadth of the attack.
◍ Corporate IT and cybersecurity staff attention and priority for over a month: who was affected and to what degree, and how was the disclosed information classified?
◍ Third-party expert support and analysis, concluded 5 months later.
◍ Customer communication about the breach and its effects, signed by the CEO.
◍ Credit monitoring offer for affected customers.
◍ Reporting of affected customers to the government, as required by state law.
◍ Legal fees (or productivity loss if attorneys were in house).
◍ System hardening to better protect computers, networks, and – hopefully – people.
This was a small, well-contained breach with strong communication about it to the organization’s stakeholders.
And yet I’m sure it was a nightmare for a while and a hassle much, much longer.
I didn’t find this information in a newspaper or a case study, but it is real. It’s a midwestern financial institution whose name I’d like to protect.
Much of the path above will be common to discovered cyberattacks. If you’re not prepared for what to do the moment you find something suspicious, your costs, in both time and money, will be far greater than if you are.
Those 5 days of attacker access I mentioned are called dwell time. The longer the intruders’ dwell time, the more exposure for your organization.