The US Justice Department just charged an alleged malware author with spying on local, state, and federal governments; companies; and individuals for 13 years. Active monitoring could have cut this long-running plundering of privacy short.
The indictment asserts that Phillip R. Durachinsky:
- Created “Fruitfly,” a Mac-based malware capable of taking screenshots, logging keystrokes, and obtaining access to infected computers’ webcams.
- Spied on individuals between 2003 and January 2017, keeping detailed notes on his victims.
- Downloaded victims’ personal information, misused stolen login credentials to access accounts, and committed wire fraud.
Fruitfly was initially discovered in January 2017 and addressed by an Apple patch.
Why Time to Detect Matters
We’ve previously covered why breaches go undetected and what the resulting impact is. This spying incident may set a record for the longest time to detect. Throughout that period, the alleged spy had extensive access to personal information and, where the infected computers were owned by businesses, presumably to sensitive organizational data as well.
For businesses, lag time dramatically affects the overall impact of a breach: the quicker you detect it, the less harm is done. Quick detection reduces the cost of a breach as well. A recent breach cost report notes that when the mean time to identify (MTTI) was under 100 days, the estimated average total cost of a data breach was $2.80 million; when it was over 100 days, the estimated cost was $3.83 million.
Active monitoring is required to catch a breach early and plug the hole. Monitoring software listens for suspicious activity on your network (such as anomalous use of valid credentials and off-hours access) and alerts on those signals. While 13 years is an extraordinarily long time, the average lag before a breach is detected is 205 days. That’s a long time for a malicious intruder to wander around your network.
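To make the two signals named above concrete, here is a small detector that flags off-hours use of a valid account and use of a valid account from a host it has not been seen on before. This is an added illustration, not code from the post or from any monitoring product; the log line format, the sample log lines, and the 08:00 to 18:00 business-hours window are all constructed assumptions.

```python
"""Toy detector for two signals a monitoring tool would alert on:
off-hours logins and use of valid credentials from a new source host.
Added illustration; log format, sample lines and hours window are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log: "<ISO timestamp> <user> <source host> <result>"
SAMPLE_LOG = """\
2017-01-03T09:12:44 alice ws-12 success
2017-01-03T09:40:10 bob ws-07 success
2017-01-04T10:02:31 alice ws-12 success
2017-01-04T23:17:05 alice ws-12 success
2017-01-05T11:30:00 alice lab-99 success
2017-01-05T12:00:00 carol ws-03 failure
2017-01-06T02:45:12 bob ws-44 success
"""

# Assumed business-hours window (local time, hour is start-inclusive, end-exclusive).
BUSINESS_HOURS = (8, 18)


def parse_line(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, user, host, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "result": result}


def is_off_hours(ts, window=BUSINESS_HOURS):
    """True on weekends or outside the configured hours window."""
    start, end = window
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect(log_text, window=BUSINESS_HOURS):
    """Return a list of (timestamp, user, reason) alerts in log order.

    The per-user baseline of known source hosts is built incrementally
    from earlier successful logins in the same log, so a user's very
    first login is never flagged as a new host. A real deployment would
    seed the baseline from historical data instead of an empty set.
    """
    known_hosts = defaultdict(set)
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["result"] != "success":
            continue  # these two signals concern successful use of valid credentials
        reasons = []
        if is_off_hours(ev["ts"], window):
            reasons.append("off-hours login")
        seen = known_hosts[ev["user"]]
        if seen and ev["host"] not in seen:
            reasons.append(f"new source host {ev['host']}")
        seen.add(ev["host"])
        for reason in reasons:
            alerts.append((ev["ts"].isoformat(), ev["user"], reason))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

Run against the constructed log, this produces four alerts: alice's 23:17 login (off-hours), alice's login from lab-99 (new host), and bob's 02:45 login from ws-44 (both signals at once). The failed login for carol is ignored, since the point of these signals is catching an intruder who already holds working credentials.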