50% of cybersecurity attacks are from repeat offenders

Lack of awareness and gaps in knowledge are a weak link for cybersecurity leadership who are responsible for strategic planning of cybersecurity defenses, leaving organizations exposed to risks, a Ponemon survey reveals.

With 2021 already claiming high-profile victims such as Colonial Pipeline and JBS, along with the world’s first bank announcing a $1 billion cybersecurity budget, there is an urgent need for CISOs to rethink their strategy and look for alternative ways to empower their teams.

The survey queried almost 1800 cybersecurity leaders and practitioners about their views specifically on external threat hunting and the people involved in this emerging and increasingly necessary technique organizations are adopting to build their defensive capabilities.

Severe business disruption caused by repeat offenders

In the new findings, half of the attacks on organizations that caused severe business disruption were by repeat offenders – and 61% of those victims said they were unable to remediate these compromises, leaving critical systems and data at risk. The survey reveals organizations acknowledge they are suffering, not just from disruptive cyberattacks, but from repeat offenders, and for many victim organizations, complete remediation has not been possible.

Only 35% of respondents said they were leveraging their security analysts effectively, indicating a lack of maturity with regards to threat hunting. Threat hunting, particularly external threat hunting, has empowered more sophisticated security organizations to identify and block impending attacks, augment threat detection, and achieve comprehensive remediation. Yet, the majority of respondents indicate that their organizations are not allocating enough resources to realize the full potential of their analyst teams and threat hunting.

Survey results indicate that the average 2021 budget for the respondents’ organizations for IT operations is $117 million. An average of 19% of this is allocated to IT security and of that an average of 22% is allocated to analyst activities and threat intelligence.

“IT and cybersecurity leadership often rely heavily on machine learning and automation as a way to achieve efficiency, viewing threat hunting as a tactical, reactionary function,” commented David Monnier, Team Cymru Fellow.

“However, from our experience, organizations that manage to get ahead of threats, both internally and throughout their third-party ecosystems, have dedicated a meaningful proportion of the budget to making external threat hunting a strategic priority.”

Josh Picolet, Head of Team Cymru’s Intelligence Analysis Team adds, “When building an effective security program, I always recommend CISOs balance automated analytics with human analysis and give their analysts the intelligence necessary to conduct adversary and supply chain infrastructure mapping. Using internal telemetry with internet traffic telemetry results in longer lasting network defense outcomes.”

Views on threat hunting

Respondents had varied views on what threat hunting was or how it was leveraged. Only 24% defined threat hunting as looking outside their enterprise borders to monitor adversaries and identify impending attacks. Most viewed threat hunting as a reactive method of internal threat detection, looking for malicious activity that has already taken hold.

Given that 70% of respondents said they had a high degree of difficulty gaining an attacker’s perspective on their organizations, the fact that so many organizations take an internal-only threat hunting approach makes sense.

Sixty-two percent of organizations are increasing investment in analysts and threat intelligence “to improve prevention and detection”. However, responses indicate that they are doing so with a very tactical and reactionary perception of what an analyst team should be.

The top three intelligence data types respondents said they had were dark web data (47%), domain registration data (42%) and endpoint telemetry (42%). Sixty-one percent acknowledged that threat intelligence could not keep up with the changes in how threat actors attack their organizations.

Additionally, despite the knowledge that traditional threat intelligence sources provide stale information, only 31% of respondents said that raw Internet traffic telemetry is important in their ability to plan preventive measures, detect threats and resolve security incidents.

This hints at the possibility that most organizations are building out their analyst teams and intelligence capabilities with a view to chasing more alerts and conducting post incident investigations, as opposed to achieving a proactive security posture.

“If this statistic is an accurate representation, it is disappointing,” stated Monnier. “As organizations build out their analyst teams and intelligence capabilities, they will see a far greater return on investment if they give that group the visibility it needs to trace, map and monitor adversary infrastructure and its interactions with enterprise or third-party assets.”