Part 1 in a series featuring data points from the Cyber Workforce Benchmark.
The number one job of an enterprise security team is to prevent their organization’s applications and infrastructure from cybersecurity breach. And from our vantage point, it appears that most organizations are focused on developing the necessary human capabilities to do this.
But here’s the question: is it enough?
We’ve conducted hundreds of thousands of exercises and simulations with organizations across a broad spectrum of industries and geographies. In the process, we’ve kept our eye out for useful insights into the overall state of cyber-resilience.
You can find our complete analysis in our Cyber Workforce Benchmark 2022. But today, let’s focus on the types of exercises that security teams choose to spend their time on. By doing so, we gain insight into how well cyber-readiness efforts align with today’s threat landscape.
Defense-in-depth applies to human capabilities as well
Over the last decade, most security teams have broadened their infrastructure protection strategy from perimeter protection to a defense-in-depth mindset. Do they still use firewalls and take every possible step to protect the perimeter? Of course. But most teams have opened their eyes to the fact that even with a strong perimeter, cyber security breaches are a fact of life. Therefore, it’s important to employ a layered security approach that includes additional lines of defense once a threat actor successfully accesses a sensitive system or environment.
In fact, many are now applying Zero Trust Architecture principles that assume that no user or device can be implicitly trusted, regardless of whether they are inside or outside of a traditional network or cloud infrastructure perimeter.
The same mindset should be applied to human capability development. If your security team is highly effective at detecting and stopping cybersecurity breach attempts, this is obviously a key strength. It’s the human equivalent of a well-managed firewall.
But if your team lacks the skill to analyze, contain, and recover from successful breaches, you don’t truly have a cyber-resilient organization.
Viewing human capability development through the MITRE ATT&CK® lens
Many of the exercises we conduct with our customers align with proven industry frameworks. One of the best known is MITRE ATT&CK®. One element of MITRE ATT&CK® is a set of common enterprise tactics that appear at different stages of an advancing attack.
The organizations we observed focused a significant percentage of their human capability development efforts on countering tactics that appear early in the attack chain.
| MITRE ATT&CK® Tactic | Adversary’s Objective | Exercise Coverage |
|---|---|---|
| Initial Access | Get into your network | 31% |
| Execution | Run malicious code | |
| Persistence | Maintain a foothold |
In contrast, the teams we observed place much less focus on developing the skills necessary to stop an in-progress breach from escalating and ultimately achieving its intended outcome.
| MITRE ATT&CK® Tactic | Adversary’s Objective | Exercise Coverage |
|---|---|---|
| Collection | Gather data related to their goal | 8% |
| Impact | Manipulate, interrupt, or destroy your systems | |
| Exfiltration | Steal your data |
A conclusion we might draw from this is that security teams are investing an appropriate amount of effort in developing strong “human firewall” capabilities to keep threat actors out of their systems and environments. But if a breach is successful, these teams may be less equipped to contain and recover effectively.
Read more cybersecurity breach data points in our infographic.
Closing the cybersecurity breach gap is possible with the right focus
The news isn’t all bad when it comes to readiness after the point of breach. While the organizations we observed did not complete these labs as often, when they did, they generally completed them faster than exercises focused on earlier stages of the attack chain.
While the average MITRE ATT&CK® lab exercise took 12 minutes longer to complete than our benchmark expectation, those focused on the earliest stages of the attack chain exceeded the expected completion time by 23 minutes. Meanwhile, when users focused on the later stages of the attack chain, such as Collection, Command and Control, Exfiltration, and Impact, they completed these labs faster than average at just over 10 minutes above our expected completion time.
Key takeaway
Overall, our analysis suggests that organizations may be repeating the mistakes of the past by putting too much faith in their ability to keep threat actors out. While a continuing focus on breach prevention is a must, it’s also important to build on this foundation with the human capabilities needed to respond, contain, and recover from the inevitable subset of breach attempts that succeed.
Download the complete Cyber Workforce Benchmark 2022 for our complete analysis
The topic I covered today is just one of the many insights you can find in our full Cyber Workforce Benchmark 2022 document. Download your free copy for a more complete view of the state of cyber resilience globally, along with expert perspectives from fellow security executives and capabilities development experts.
