Digital forensics and incident response teams face increasing workloads amid evolving cyberattacks, recruiting and hiring challenges, and a lack of effective automation.

The evolution of cybercrime is weighing heavily on digital forensics and incident response (DFIR) teams, leading to significant burnout and potential regulatory risk. That’s according to the 2023 State of Enterprise DFIR survey by Magnet Forensics, a developer of digital investigation solutions. The firm surveyed 492 DFIR professionals in North America and Europe, the Middle East, and Africa working in organizations in industries such as technology, manufacturing, government, telecommunications, and healthcare. Respondents described the current cybercrime landscape as one that is evolving beyond ransomware and taking a toll on their ability to investigate threats and incidents, Magnet Forensics said.

Alert fatigue causing DFIR burnout, automation valuable for DFIR functions

More than half (54%) of DFIR professionals surveyed said they feel burned out in their jobs, with 64% stating that alert and investigation fatigue is a likely contributing factor. The surge in investigations and the data associated with them is either a “large” or “extreme” problem for organizations, 45% of respondents said, while 42% cited evolving cyberattack techniques as either a “large” or “extreme” problem for their investigations. This represented a 50% increase from the 2022 State of Enterprise DFIR report. “One very real consequence is that it’s taking too long to identify the root cause of attacks,” the 2023 report stated.
“This can lead to costlier and more drawn-out consequences for organizations while also making it more difficult to learn from these attacks and prepare for future incidents.” Most organizations represented in the survey are therefore more likely to outsource at least some DFIR investigations.

Stress and burnout have impacted cybersecurity professionals for a number of years, with research from 2022 highlighting the effect of information overload and burnout on SOC performance. Magnet Forensics’ respondents generally agreed that addressing the burnout and alert fatigue facing DFIR professionals is hampered by recruiting and hiring challenges as well as onboarding difficulties and a lack of automation.

Increased investment in automation would be “highly” or “extremely” valuable for a range of DFIR functions, including the remote acquisition of target endpoints and the processing of digital evidence, half of respondents said. However, while automation such as security orchestration, automation, and response (SOAR) is already in place in many SOCs, those solutions orchestrate and automate cybersecurity runbooks by taking in telemetry, enforcing actions, and driving other tools, the report noted. “While important for threat containment and remediation, these runbook-related activities are distinct from those performed by digital forensics automation solutions, which execute a data transformation pipeline by orchestrating, automating, performing, and monitoring forensic workflows,” it added.
There remains an opportunity for digital forensics-specific automation investments to enable valuable improvements in DFIR outcomes, but automation platforms must be better suited to integrating with the alerting and response workflows organizations already have in place.

DFIR workloads open businesses up to regulatory risks

DFIR workload pressures are opening businesses up to increased regulatory risks, specifically rules relating to the reporting of incidents, the research found. Two-thirds (67%) of respondents said that their role has been impacted by new reporting legislation, but almost half (46%) stated that they don’t have the time to understand cybersecurity regulations due to their workload. “Ideally, regulations should be read and interpreted by legal professionals who can ‘translate’ them into clear and actionable information for DFIR practitioners,” the report read. If obtaining official legal interpretation is not possible, DFIR leaders should ensure teams have the resources they need to read and digest the information, supplementing with limited access to legal counsel for especially confusing requirements, it added.

Data exfiltration/IP theft, BEC most common incidents

Data exfiltration/IP theft is the security incident most frequently encountered by those surveyed, with 35% of respondents indicating that their organization encounters this type of security incident “somewhat” or “very” frequently. Business email compromise (BEC) is the next most common (34%) and now occurs more frequently than ransomware, which was the most common security threat in last year’s report. However, ransomware-infected endpoints still have the highest impact on organizations, the survey found.

Evolving BEC threats are a notable trend.
In January, security researchers demonstrated how the ChatGPT chatbot and the GPT-3 natural language generation model it uses can be used to make social engineering attacks such as BEC scams harder to detect and easier to pull off. The research showed that not only can attackers use the technology to generate unique variations of the same phishing lure with grammatically correct and human-like written text, but they can build entire email chains to make their emails more convincing and can even generate messages in the writing style of real people based on provided samples of their communications.

In August 2022, BEC scammers bypassed Microsoft 365 multi-factor authentication (MFA) to gain access to a business executive’s account before adding a second authenticator device for persistent access. According to researchers, the campaign was widespread and targeted large transactions of up to several million dollars each.