Opportunistic cyberattacks and the effectiveness of EDR tools are examined in a report by InterCERT France, revealing average incident response times of fifty days. The study of 212 questionnaires from 95 CERTs found that 73% of attacks are opportunistic, with profit being the main motive for cybercriminals. Challenges include identifying specific malware strains and insufficient log sources for resolution. The report emphasizes the importance of timely incident acknowledgment to improve response effectiveness and resilience in organizations.
Opportunistic cyberattacks, the effectiveness of EDR (Endpoint Detection and Response) tools, and average incident response times hovering around fifty days are critical topics highlighted in a new report released by InterCERT France. This organization has spent the past year analyzing responses to cyber incidents, aiming to provide valuable insights.
With a membership exceeding one hundred, InterCERT is dedicated to enhancing the sharing of technical information and best practices among cybersecurity professionals. Established as an official association in October 2021, following informal beginnings in the early 2000s, InterCERT’s mission is to spread knowledge and expertise in the cyber defense realm.
This inaugural report serves as a pioneering effort to “share concrete lessons” that will “strengthen collective resilience.” After collecting data from 212 questionnaires filled out by 95 CERTs, several significant findings emerged. Notably, 73% of participants indicated that the majority of attacks are opportunistic rather than specifically targeted. This trend is also reflected in ransomware incidents, with only 10% of respondents feeling they were specifically targeted.
The Profit Motive Behind Attacks
According to InterCERT’s findings, “The majority of attacks are driven by profit: the allure of financial gain remains the primary motivation for cybercriminals.” The report highlights that critical sectors, including defense, aerospace, healthcare, energy, and the public sector, are particularly susceptible to cyber-espionage activities.
The average time taken to detect an attack stands at 27 days, a duration that appears to be closely linked to the size of the affected organization. “The larger and more complex an organization is, the longer it takes to detect a breach,” InterCERT explains, noting that smaller entities often experience immediate effects from intrusions.
In some cases, however, analysts struggle to identify the specific malicious tools involved. “In nearly 10% of cases, pinpointing a particular tool was not feasible,” InterCERT reports. The association also emphasizes the rising use of LOLbins (Living Off the Land Binaries), that is, legitimate executables and scripts already present on systems, to conduct attacks; because these are trusted components, their misuse is harder to distinguish from normal administrative activity.
Challenges in Identifying Sources
Moreover, in 40% of ransomware cases the specific strain of malware could not be identified, and the average response time for such incidents stretches to 50 days. On average, a single responder spends about 40 days handling one of these attacks.
Data exfiltration accompanies two-thirds of these cyber incidents. While only 17% of respondents reported backup deletions, a third consider their backups compromised. Additionally, a quarter of respondents noted that backups were only partially useful due to insufficient testing.
Following these breaches, half of the CERTs involved expressed concern about lacking adequate log sources for effective resolution. EDR software is viewed as “particularly valuable or even differentiating in one out of two incidents.” Implementing such cybersecurity solutions is regarded as a key strategy during the recovery phase.
Overcoming Denial for Effective Response
In 2023, half of the cyber incidents managed by CERTs were resolved in under eight days.
However, 14% of crises extended beyond 32 days, often occurring when external CERTs were engaged. “Many victims tend to report compromises with significant delays, frequently at the end of the week, just before the weekend,” InterCERT observes.
“It is crucial to motivate organizations to break free from this state of denial, which hinders teams from intervening during manageable stages of a crisis. Early acknowledgment of an incident is essential for swift resolution,” the association concludes.