Immersive Labs: Average cyberthreat response takes 96 days

Immersive Labs' Cyber Workforce Benchmark found that some critical threats, including a zero-day vulnerability, took an average of six months to fully address.

A study by Immersive Labs found that it takes enterprise security teams an average of 96 days to develop effective responses against breaking cyberthreats.

The company, which provides an "immersive simulation engine" for running cybersecurity exercises, drew data from 2,100 organizations for its inaugural Cyber Workforce Benchmark. The report examined several aspects of cyberthreat response and broke each one down by how the different sectors performed in threat simulations and exercises in the vendor's cybersecurity "labs."

The labs examined customers' cyberthreat response to real-life attacks and global crises while also providing simulated exercises for response teams to gain experience.

Kevin Breen, director of cyberthreat research at Immersive Labs, told SearchSecurity the simulations are a key aspect of learning to stop cyber attacks.

"Labs are a crucial part in preparing teams for emerging threats," Breen said. "Only with regular development of knowledge, skills and judgment can technical and non-technical teams make sure their capabilities are up to date. Passive, classroom-based training is obsolete the moment the PowerPoint is closed down, as attackers innovate at such a rapid pace."

Many of the labs focused on different areas of cybersecurity, such as finding vulnerabilities and understanding how to patch them and prevent them in the future. The report also broke down which parts of the response process took the longest for which teams and which sectors had the best response times to common issues.

The Cyber Workforce Benchmark report attempted to measure not just how quickly an enterprise customer can patch a critical vulnerability, but how long it takes the organization to develop a full understanding and effective mitigations of a new threat. For example, Immersive Labs found that a recent zero-day vulnerability in the popular mail transfer agent Exim took 204 days for security teams at large organizations to overcome. The exception to the rule, according to the company, was Log4Shell.

"The average number of days for cybersecurity teams to develop knowledge, skills and judgment around Log4j was two -- 48 times faster than the average threat intelligence lab," the report stated.

Breen discussed some of the most productive simulations run by these organizations.

"There is way more involved for the average cybersecurity team than just applying a patch when there is a vulnerability -- all of which require upskilling," Breen said. "The quickest lab run by people was how to use an OWASP [Open Web Application Security Project] dependency checking tool -- a piece of software that helped people understand the impact of the vulnerability on their own environment. They then learned how to best defend against any attack, before learning how an attacker abused the vulnerability, before finally upskilling on the best approach to patching. This all took place within a day, but explains the steps that a security team has to go through when defending against such a threat. It is not just a case of downloading a patch and applying it -- there is a whole lot more going on, all under pressure and in a very short space of time. More often than not, on a Friday or over the weekend."
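What the dependency-checking step Breen describes actually produces, as an added example that is not from Immersive Labs, the report or the OWASP Dependency-Check project: a Python script that walks a directory tree, reads the Maven metadata inside each jar (including jars nested one level deep inside Spring Boot or uber-jars), and classifies every log4j-core copy it finds. The version boundaries are the ones in the Apache Log4j advisories for CVE-2021-44228 and its follow-ups; the jars it scans are constructed fixtures that the script writes itself, so it runs offline.

```python
"""Inventory log4j-core copies under a directory tree and classify each by version."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Maven metadata that log4j-core jars ship with, and the class behind the JNDI lookup.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release tags such as '2.0-beta9' collapse to (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version, jndi_present):
    """Map a log4j-core version to an action. Boundaries follow the Apache advisories:
    CVE-2021-44228 affects 2.0-beta9 through 2.14.1; 2.15.0 and 2.16.0 still carry the
    follow-up CVE-2021-45046 / CVE-2021-45105; 2.17.0 or later is the upgrade target."""
    v = parse_version(version)
    if v is None:
        return "review"            # shaded or stripped jar: version could not be read
    if v[0] != 2:
        return "not-2.x"           # log4j 1.x is out of scope for this check
    if v < (2, 15, 0):
        return "vulnerable" if jndi_present else "mitigated-class-removed"
    if v < (2, 17, 0):
        return "upgrade"
    return "ok"


def inspect_zip(zf, location):
    """Return a finding for an open zip that looks like log4j-core, else None."""
    names = set(zf.namelist())
    if POM_PROPS not in names and JNDI_CLASS not in names:
        return None
    version = "unknown"
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        if m:
            version = m.group(1).strip()
    jndi = JNDI_CLASS in names
    return {"location": location, "version": version,
            "jndi_lookup_present": jndi, "status": classify(version, jndi)}


def scan_jar(path):
    """Inspect a jar and, one level down, any jars bundled inside it (Spring Boot, uber-jars)."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        hit = inspect_zip(zf, str(path))
        if hit:
            findings.append(hit)
        for name in zf.namelist():
            if name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    hit = inspect_zip(inner, f"{path}!{name}")
                    if hit:
                        findings.append(hit)
    return findings


def scan_tree(root):
    """Walk a directory tree and collect findings for every readable jar."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        try:
            findings.extend(scan_jar(path))
        except zipfile.BadZipFile:
            findings.append({"location": str(path), "version": "unknown",
                             "jndi_lookup_present": False, "status": "unreadable"})
    return findings


def _write_jar(target, version=None, jndi=True, nested=None):
    """Constructed sample jar holding only the metadata entries this scanner reads."""
    with zipfile.ZipFile(target, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
        if jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder bytes, not a real class
        for inner_name, inner_bytes in (nested or {}).items():
            zf.writestr(inner_name, inner_bytes)


def build_sample_tree(root):
    """Constructed fixtures: a vulnerable jar, a patched jar, an unrelated jar, and an
    uber-jar that nests a 2.16.0 copy under BOOT-INF/lib (hypothetical app layout)."""
    lib = Path(root) / "app" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    _write_jar(lib / "log4j-core-2.14.1.jar", "2.14.1", jndi=True)
    _write_jar(lib / "log4j-core-2.17.1.jar", "2.17.1", jndi=True)
    _write_jar(lib / "other-lib.jar", jndi=False)
    inner = io.BytesIO()
    _write_jar(inner, "2.16.0", jndi=True)
    _write_jar(lib.parent / "service.jar", jndi=False,
               nested={"BOOT-INF/lib/log4j-core-2.16.0.jar": inner.getvalue()})


def demo():
    """Build the fixtures in a temp directory and return the scan results."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for row in demo():
        print(f'{row["status"]:<24} {row["version"]:<8} {row["location"]}')
```

Run it as a script to print one line per log4j-core copy found. The "mitigated-class-removed" status covers the emergency workaround of deleting JndiLookup.class from a 2.x jar that could not be upgraded immediately; a jar that carries JndiLookup.class but no Maven metadata (typical of shaded builds) comes back as "review" because its version cannot be read and has to be confirmed by hand. Pointing scan_tree at an application's deployment directory is the step Breen describes as understanding the impact of the vulnerability on your own environment, and it is what has to happen before anyone decides what to patch first.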

How each industry performed

The Immersive Labs study tracked the average number of crisis exercises run by companies in each sector, with the sectors being technology, financial services, government, consulting, retail and commerce, healthcare, education, infrastructure, manufacturing and transport.

The technology sector ran the most exercises, with nine on average per year, per company. Manufacturing and transport were at the bottom with one.

Another statistic found in this section was the "average performance score" by each sector across these exercises. According to the report, "each separate decision throughout a crisis simulation is given a score depending on how well it addresses the overall crisis. The performance score amalgamates these."

Immersive Labs found that the average score overall was 68%, but there was quite a bit of variance among the different industries. Manufacturing, education and technology all had an average score of at least 80%, while financial services and healthcare both fell below 50%. Manufacturing set the top bar at 85%, while healthcare came in far below the rest of the field at just 18%.

The report also examined the average time it took entities to develop "the human capabilities necessary to defeat attackers," and this too was broken down by sector. Breen discussed some of the findings of this part of the study.

"The data shows that the sectors with fastest time to human capability when posed with a cybersecurity threat are those which could perhaps be considered more innately digital, such as e-commerce," Breen said. "Perhaps this is a byproduct of the fact that a culture of technology is more entwined in their foundations. As a counterpoint, more traditional sectors, such as transport and infrastructure, were slower in their development of human capabilities."

The report provided figures on the time taken to develop those capabilities, with retail and commerce among the quickest industries at 68 days on average, and infrastructure and transport the two slowest, at 128 and 145 days, respectively. Technology and financial services fell near the middle of the pack, with tech taking 92 days on average and financial services 97.

Prioritizing aspects of new threats

The study also highlighted what parts of an attack cybersecurity teams are most interested in understanding and studying. The report found that infosec professionals were most interested in knowing how threat actors entered their systems and how they got past the systems' defenses rather than what the actors did once they were inside.

Broken down by stage of an attack, Immersive Labs found that the three areas teams treated as most important were execution, defense evasion and discovery. The three treated as least important were impact, exfiltration and collection of data.

The report also measured how long it took entities to develop the capabilities needed for each of these stages, and the ordering did not match the stated priorities: the fastest times were for impact, exfiltration and collection, while the slowest was understanding how the threat actors gained initial access.

Immersive Labs also analyzed how often organizations hit by ransomware pay the ransom to recover their data. Through its simulations and examination of real-life data breaches and ransomware attacks, the company found that organizations often had very low confidence scores when faced with ransomware scenarios.

The findings also showed that education and consulting were the two industries that paid the ransom most often, at 25% and 23% of the time, respectively, and that critical infrastructure organizations never paid ransoms.
