In a previous post, we highlighted how the development of human cybersecurity capabilities often lags months behind other risk mitigation measures when new threats break. This isn’t too surprising because security teams are always forced to balance proactive risk reduction activities with the more reactive daily demands of real-time threats and incidents.
But it also raises an interesting question:
Do security teams accelerate their learning when high-profile threats hit the headlines?
In other words, if a security issue hits the news – or the company boardroom – does it motivate security teams to ramp up their knowledge of these particular threats faster than usual?
To answer this, we once again turned to data we’ve collected from the hundreds of thousands of exercises and simulations we’ve conducted with organizations globally.
You can find our complete analysis in our Cyber Workforce Benchmark 2022. But today, I’m going to revisit response time to breaking threats, focusing on the impact that threat visibility has on response time.
High-profile incidents are now an ongoing fact of life
Large-scale, global security incidents have been a regular occurrence in recent years. For example, the multiple vulnerabilities discovered in Apache Log4j in December 2021 made headlines around the globe due to the potential impact and the sheer number of systems and organizations that were vulnerable. Security teams were still scrambling to assess and mitigate the impact of Log4j well into 2022. In fact, some organizations are still dealing with the fallout.
The Log4j situation came almost exactly a year after the high-profile SolarWinds attack made headlines and similarly blindsided security teams worldwide.
There have been numerous other isolated attacks that have broken through into mainstream public awareness as well. Coverage of individual ransomware attacks appears regularly in mainstream news outlets. One of the highest-profile examples is the 2021 ransomware attack against Colonial Pipeline, which forced the U.S. energy company to shut down a fuel pipeline that serves a large section of the eastern United States until a multi-million dollar ransom was eventually paid.
The four fastest developed skills in 2021 were all related to Log4j
Given its extensive news coverage and far-reaching impact, the Log4j incident is an excellent lens through which to view how the speed of learning varies between high-profile situations and less visible breaking threats.
As noted in our previous post, cybersecurity teams took an average of 96 days to develop the skills necessary to defend against breaking threats.
The speed of human capabilities development for Log4j-related skills far exceeded the average response time.
Following the discovery of the Log4j vulnerabilities, Immersive Labs released a lab exercise focused on the effective use of free OWASP tools for determining the impact of Log4j across an enterprise. This was the fastest development of human capability we’ve ever observed. It took less than a day on average for organizations to complete, nearly 100 times faster than other threat intelligence labs.
The next three fastest developed human capabilities we observed in 2021 were also related to Log4j. They took between 1.1 and 4.3 days to complete on average. So overall, security teams responded significantly faster than average to the high-profile Log4j vulnerabilities.
Security teams also ramped up SolarWinds knowledge in days
The speed and urgency with which organizations approached Log4j human capability development mirrored a similar response that we observed when the SolarWinds attack was discovered. While the impacts of SolarWinds were not as far-reaching as Log4j, the impact on affected organizations was potentially devastating. For that reason, security teams responded quickly with efforts to learn about the attack and mitigate any risks.
Capability development related to SolarWinds was nearly eight times faster than average.
While this wasn’t as fast as the response to Log4j, most teams ramped up their knowledge and understanding of SolarWinds within 12 days – far faster than an average breaking threat.
Public awareness of specific threat actor groups may also drive urgency
In addition to specific threats and attacks driving urgency, visibility of specific threat actor groups also appears to influence learning priorities. For example, when we break down threat intelligence lab completions by threat actor group, the well-known groups that have received extensive media coverage are the most represented.
Here are the top five examples, in order of the focus they received from security teams:
- UNC2452: The infamous nation-state group responsible for the SolarWinds compromise.
- Iranian Threat Groups: Nation-state actors that were specifically highlighted in government warnings to enterprises.
- FIN7: A notorious Russian hacking group charged by the U.S. for crimes against hundreds of companies.
- Hafnium: A nation-state group responsible for a 2021 Microsoft Exchange Server breach that received extensive coverage due to its severe and broad impact.
- Darkside: A cyber-extortion group linked to numerous ransomware incidents, including the Colonial Pipeline attack.
These groups are just a subset of the overall universe of threat actor groups. But the visibility these groups attained appears to have influenced the level of focus they received from security teams.
There are likely many factors that influence the priority and speed of human capabilities development. But there is no denying that security teams move faster in response to high-profile threats that reach boardroom visibility.
So what can cybersecurity and risk leaders learn from this?
The key lesson isn’t that every threat should be escalated to boardroom visibility in an effort to artificially motivate teams to accelerate their learning. That would likely be counterproductive, since, as the saying goes, when everything is urgent, nothing is urgent.
But there are actionable steps that security leaders can take based on this data. First off, it is worthwhile to track overall capabilities development response time for breaking threats and incentivize the team to drive this metric down over time.
There is also value in identifying subsets of threats that are of particular criticality to specific industries or businesses and finding ways to elevate internal visibility when they break. Within the long tail of threat intelligence data, there are likely threats that won’t break through into mainstream media coverage the way Log4j and SolarWinds did but that pose a critical risk to the organizations affected.
One concrete step organizations can take is to create an inventory of the open source software in use and track capabilities development response time for relevant breaking threats separately. After all, an exploit for a niche piece of open source software may not break through into mainstream coverage and awareness. But if it is widely used for a critical function in your business or industry, you should build processes for escalating it to boardroom visibility and incentivizing faster-than-average capability development response.
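As an added example (not code from the post or from the Immersive Labs report), the script below computes the capability development response time metric described above from constructed threat records and splits it by whether the affected package appears in an internal software inventory. The package names, threat names, dates and the 30-day target are all made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class ThreatRecord:
    name: str                 # breaking threat or incident
    package: str              # affected software, named as in the inventory
    disclosed: date           # date the threat became public
    capability_reached: date  # date the team completed the relevant exercise


# Constructed sample data: hypothetical inventory entries and illustrative
# dates, not figures taken from the report.
INVENTORY = {"log4j-core", "solarwinds-orion", "libfoo"}
RECORDS = [
    ThreatRecord("log4shell", "log4j-core", date(2021, 12, 10), date(2021, 12, 11)),
    ThreatRecord("sunburst", "solarwinds-orion", date(2020, 12, 13), date(2020, 12, 25)),
    ThreatRecord("niche-lib-rce", "libfoo", date(2021, 3, 1), date(2021, 6, 5)),
    ThreatRecord("other-vendor-bug", "unused-product", date(2021, 7, 1), date(2021, 9, 9)),
]


def response_days(record):
    """Response time: days from public disclosure to capability reached."""
    return (record.capability_reached - record.disclosed).days


def mean_response_days(records):
    """Average response time for a set of records, or None if empty."""
    return mean(response_days(r) for r in records) if records else None


def split_by_inventory(records, inventory):
    """Partition records into (affects software we run, affects software we don't)."""
    relevant = [r for r in records if r.package in inventory]
    other = [r for r in records if r.package not in inventory]
    return relevant, other


def escalation_candidates(records, inventory, target_days):
    """In-inventory threats whose response exceeded the target, slowest first."""
    relevant, _ = split_by_inventory(records, inventory)
    late = [r for r in relevant if response_days(r) > target_days]
    return [r.name for r in sorted(late, key=response_days, reverse=True)]


if __name__ == "__main__":
    relevant, other = split_by_inventory(RECORDS, INVENTORY)
    print(f"overall: {mean_response_days(RECORDS):.1f} days")
    print(f"in inventory: {mean_response_days(relevant):.1f} days")
    print(f"not in inventory: {mean_response_days(other):.1f} days")
    print("escalate:", escalation_candidates(RECORDS, INVENTORY, target_days=30))
```

The "escalate" list is the long tail the text describes: threats against software the organization actually runs that did not get a fast response and therefore warrant higher internal visibility.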
Download the complete Cyber Workforce Benchmark 2022 for our complete analysis
The topic I covered today is just one of the many insights you can find in our full Cyber Workforce Benchmark 2022 document. Download your free copy for a more complete view of the state of cyber resilience globally, along with expert perspectives from fellow security executives and capabilities development experts.
Cyber Workforce Benchmark Report 2022
By the numbers…
- 18 months
- 2,100 organizations
- > 500,000 exercises and simulations
- > 1,500 threats and incidents