Experts have been warning us about a major cyber-security problem: the number of people who commit more than one offense is staggering. When someone gets away with an initial crime without being punished, it becomes much easier for them to do something else wrong again in the future. In fact, 50% of offenses are committed by hackers who already had at least two other cases pending against them before committing this latest hack on yet another unsuspecting victim.
Lack of awareness and weak links in knowledge are not a good thing for cybersecurity and can lead to organizations being exposed. The Ponemon survey reveals that CISOs who are responsible for strategic planning of defenses might be leaving gaps.
The Ponemon Institute survey reveals that gaps in cybersecurity knowledge are a weak link for CISOs who are responsible for strategic planning of defenses, leaving organizations exposed to risks. With high-profile victims such as Colonial Pipeline and JBS already claiming damages from 2021 cyberattacks, alongside the first bank announcing $1 billion worth of its own investment into cybersecurity, there is an urgent need for these leaders to rethink their strategy and look beyond traditional approaches towards empowerment.
The survey polled 1800 cybersecurity leaders and practitioners to learn more about their views on external threat hunting. This technique is becoming increasingly necessary as organizations adopt a proactive approach to building up their defensive capabilities while the risks of malware, cybercrime, hacking, and other attacks continue to grow exponentially each day.
The rise of advanced persistent threats has led many businesses around the world to adopt a strategy focused on external threat hunting. This provides efficiency gains by sparing internal resources for better use in protecting against breaches, while also maximizing protection through enhanced visibility into what could happen next, using real-time monitoring systems that detect anomalies before they become major problems.
Severe business disruption caused by repeat offenders
With repeat offenders on the rise, many organizations are finding themselves in a difficult position. A recent survey revealed that half of all attacks causing severe business disruption were caused by these individuals, and 61% of their victims said they had been unable to remediate those compromises, leaving critical systems and data at risk. The unprecedented prevalence is especially troubling for companies that have seen it happen again after already dealing with an attack from the same individual or group just months before this new study was conducted.
The findings also indicated that “for many victim organizations complete remediation has not been possible,” meaning businesses that are once more vulnerable to future security breaches now find themselves feeling hopeless when faced with the daunting task of recovering from major assaults like these, which leave them without access to crucial resources while simultaneously.
Threat hunting has been a boon for security, yet the majority of organizations have not yet taken full advantage of it. Only 35% said they are utilizing their analysts effectively, indicating that many more need to take up threat hunting, as it has proven an effective way to thwart impending attacks that show no sign of ending.
According to the survey, the average organization allocated $117 million for IT operations in 2021. Out of that budget, an impressive 19% is dedicated to security, and 22% will be spent on analyst activities and threat intelligence.
IT and cybersecurity leadership often rely heavily on machine learning and automation as a way to achieve efficiency, viewing threat hunting as a tactical, reactionary function.
David Monnier, Team Cymru Fellow
“However, from our experience, organizations that manage to get ahead of threats, both internally and throughout their third-party ecosystems, have dedicated a meaningful proportion of the budget to making external threat hunting a strategic priority.”
When building an effective security program, I always recommend CISOs balance automated analytics with human analysis and give their analysts the intelligence necessary to conduct adversary and supply chain infrastructure mapping. Using internal telemetry with internet traffic telemetry results in longer lasting network defense outcomes.
Josh Picolet, Head of Team Cymru’s Intelligence Analysis Team
Views on threat hunting
Respondents had varied views on what threat hunting is and how it can be leveraged. Only 24% defined the term as looking outside their enterprise borders to monitor adversaries and identify impending attacks. While this is certainly a part of it, most viewed things in terms of reactive methodologies for internal threats only: they looked for malicious activity that has already taken hold inside an organization’s network rather than monitoring potential attack vectors coming from external sources.
Given that 70% cited difficulty understanding attackers’ perspectives within their organizations, and over 50% said they did not know much about the people responsible for bringing new technologies into the business, it should come as no surprise that so many respondents focus heavily on detection at later stages of an attack.
According to the survey, 62% of organizations are increasing investment in analysts and threat intelligence “to improve prevention and detection.” The majority (61%) believe that they cannot keep up with the changing techniques attackers use. Respondents cited domain registration data as an important type of information for their monitoring needs; it was followed closely by dark web data at 47%.
Sixty-one percent acknowledged that their threat intelligence could not keep up with the changes in how threat actors attack their organization.
One word of caution: while most organizations are building out their analyst teams and intelligence capabilities with a view to chasing more alerts, it is possible they are not realizing the benefits this should yield. While 31% say raw Internet traffic telemetry is important in planning preventive measures, detecting threats, or resolving security incidents, only 7% mention any sort of proactive response strategy.
One reason for this could be that 68% report having too many false positives from analyzing normalized data feeds, which can overwhelm analysts and lead them to miss some real events altogether.
If this statistic is an accurate representation, it is disappointing. As organizations build out their analyst teams and intelligence capabilities, they will see a far greater return on investment if they give that group the visibility it needs to trace, map and monitor adversary infrastructure and its interactions with enterprise or third-party assets.
MONNIER