Digital forensics and incident response teams face increasing workloads amid evolving cyberattacks, recruiting and hiring challenges, and a lack of effective automation.

The evolution of cybercrime is weighing heavily on digital forensics and incident response (DFIR) teams, leading to significant burnout and potential regulatory risk. That’s according to the 2023 State of Enterprise DFIR survey by Magnet Forensics, a developer of digital investigation solutions. The firm surveyed 492 DFIR professionals in North America and in Europe, the Middle East, and Africa, working in organizations in industries such as technology, manufacturing, government, telecommunications, and healthcare. Respondents described the current cybercrime landscape as one that is evolving beyond ransomware and taking a toll on their ability to investigate threats and incidents, Magnet Forensics said.

Alert fatigue causing DFIR burnout, automation valuable for DFIR functions

More than half (54%) of DFIR professionals surveyed said they feel burned out in their jobs, with 64% stating that alert and investigation fatigue is a likely contributing factor. The surge in investigations and the data associated with them is either a “large” or “extreme” problem for organizations, 45% of respondents said, while 42% cited evolving cyberattack techniques as either a “large” or “extreme” problem for their investigations. This represented a 50% increase from the 2022 State of Enterprise DFIR report. “One very real consequence is that it’s taking too long to identify the root cause of attacks,” the 2023 report stated. “This can lead to costlier and more drawn-out consequences for organizations while also making it more difficult to learn from these attacks and prepare for future incidents.” Most organizations represented in the survey are therefore more likely to outsource at least some DFIR investigations.
Stress and burnout have impacted cybersecurity professionals for a number of years, with research from 2022 highlighting the effect of information overload and burnout on SOC performance. Magnet Forensics’ respondents generally agreed that addressing the burnout and alert fatigue facing DFIR professionals is hampered by recruiting and hiring challenges as well as onboarding difficulties and a lack of automation. Increased investment in automation would be “highly” or “extremely” valuable for a range of DFIR functions, including the remote acquisition of target endpoints and the processing of digital evidence, half of respondents said. However, while automation such as security orchestration, automation, and response (SOAR) is already in place in many SOCs, those solutions orchestrate and automate cybersecurity runbooks by taking telemetry, enforcing actions, and using other tools, the report noted. “While important for threat containment and remediation, these runbook-related activities are distinct from those performed by digital forensics automation solutions, which execute a data transformation pipeline by orchestrating, automating, performing, and monitoring forensic workflows,” it added. There remains an opportunity for digital forensics-specific automation investments to enable valuable improvements in DFIR outcomes, but automation platforms must be better suited to maximizing compatibility with the alerting and response workflows organizations already have in place.

DFIR workloads open businesses up to regulatory risks

DFIR workload pressures are opening businesses up to increased regulatory risks, specifically rules relating to the reporting of incidents, the research found. Two-thirds (67%) of respondents said that their role has been impacted by new reporting legislation, but almost half (46%) stated that they don’t have the time to understand cybersecurity regulations due to their workload.
“Ideally, regulations should be read and interpreted by legal professionals who can ‘translate’ them into clear and actionable information for DFIR practitioners,” the report read. If obtaining official legal interpretation is not possible, DFIR leaders should ensure teams have the resources they need to read and digest the information, supplementing with limited access to legal counsel for especially confusing requirements, it added.

Data exfiltration/IP theft, BEC most common incidents

Data exfiltration/IP theft is the security incident most frequently encountered by those surveyed, with 35% of respondents indicating that their organization encounters this type of security incident “somewhat” or “very” frequently. Business email compromise (BEC) is the next most common (34%) and now occurs more frequently than ransomware, which was the most common security threat in last year’s report. However, ransomware-infected endpoints still have the highest impact on organizations, the survey found.

Evolving BEC threats are a notable trend. In January, security researchers demonstrated how the ChatGPT chatbot and the GPT-3 natural language generation model it uses can be used to make social engineering attacks such as BEC scams harder to detect and easier to pull off. The research showed that not only can attackers use the technology to generate unique variations of the same phishing lure with grammatically correct, human-like text, but they can build entire email chains to make their emails more convincing and can even generate messages in the writing style of real people based on provided samples of their communications.

In August 2022, BEC scammers bypassed Microsoft 365 multi-factor authentication (MFA) to gain access to a business executive’s account before adding a second authenticator device for persistent access. According to researchers, the campaign was widespread and targeted large transactions of up to several million dollars each.