A new study found that the detection of an attack occurs nine hours after the first victim is hit.
The report, conducted by researchers from Google, Samsung, PayPal and Arizona State University, analyzed millions of visits to phishing pages. Their research led them to find two key stats:
- The detection of each attack occurs, on average, nine hours after the first victim
- The average phishing attack, from first to last victim, lasts 21 hours
Further, more than a third of all victim traffic to phishing websites took place after the attack is detected.
This underscores a few important points. Detection is not a proper security response. For one, it takes far too long to actually detect. And, as this research finds, a significant amount of activity on phishing sites happens even after detection occurs. That means that relying on warning banners as an anti-phishing tool won't get the job done.
As this research shows, trying to remediate after an email has been delivered is a losing proposition. Waiting until the email hits the inbox is a recipe for disaster. It's giving threat actors a head start, one they don't often relinquish.
The better way is to prevent the malicious email from reaching the inbox in the first place. Prevention is the best way forward. Once it hits the environment, it's too late.