European organisations are taking longer to detect breaches than their counterparts in North America, according to a study by FireEye.
Organisations in EMEA are taking almost six months (175 days) to detect an intruder in their networks, which is rather more than the 102 days that the firm found when asking the same questions last year. In contrast, the median dwell time in the Americas improved to 76 days in 2017 from 99 in 2016. Globally it stands at 101 days.
The findings about European breach detection are a particular concern because of the looming GDPR deadline, which will introduce tougher breach disclosure guidelines for organisations that hold Europeans citizens' data. GDPR can also mean fines of €20 million, or four per cent of global turnover, whichever is higher.
FireEye's report also records a growing trend of repeat attacks by hackers looking for a second bite of the cherry. A majority (56 per cent) of global organisations that received incident response support were targeted again by the same of a similarly motivated attack group, FireEye reports.
FireEye has historically blamed China for many of the breaches its incident response teams detected. But as the geo-political landscape has changed Russia and North Korea are getting more and more "credit" for alleged cyber-nasties.
But a different country - Iran - features predominantly in attacks tracked by FireEye last year. Throughout 2017, Iran grew more capable from an offensive perspective. FireEye said that it "observed a significant increase in the number of cyber-attacks originating from Iran-sponsored threat actors".
FireEye's latest annual M-Trends report (pdf) is based on information gathered during investigations conducted by its security analysts in 2017 and uncovers emerging trends and tactics that threat actors used to compromise organisations.
Why are European orgs getting worse at breach detection?
Stuart McKenzie, VP EMEA, Mandiant at FireEye, explained that there are a number of factor the median detection time for breaches in Europe and not all of them are negative. An increase in government/law enforcement agency notification programs is one factor.
"This uptick has been focused on Advanced Persistent Threats, and has uncovered some historic attacks in organisations which have moved the number upwards," McKenzie said. "This has also included attacks against ICS environments where the attackers wish to remain stealthy and pre-position attacks for future action.
"Additionally we see organisations treat ransomware or destructive attacks, such as NotPetya and Wannacry, as response readiness reviews and an opportunity to improve strategic defences as opposed to Incident Response investigations. This has meant that many destructive attacks are no longer categorised as response which was potentially skewing the numbers down."
What kind of information and organisations are Iranian threat actors targeting?
"Targeting by Iranian threat actors, specifically within the Middle East, has been very broad. We see all key industries included - healthcare, financial, government, energy, to name a few.
"The most common objective appears to have been intelligence gathering. This has been broad and pervasive, and has included information gathering on individuals, or groups of individuals, making the attacks unlikely to be criminal and more likely aligned with state objectives." ®