Threat Intelligence
July 19, 2022

Sounding the alarm: how high-profile threats influence learning behaviors


Do High-Profile Cyber Threats Accelerate Security Team Learning?

In a previous post, we highlighted how the development of human cybersecurity capabilities often lags months behind other risk mitigation measures when new threats emerge. This isn’t too surprising, as security teams must balance proactive risk reduction activities with the reactive daily demands of real-time threats and incidents. But it also raises an interesting question:

Do security teams accelerate their learning when high-profile threats hit the headlines?

In other words, if a security issue gains media attention or reaches the company boardroom, does it motivate security teams to ramp up their knowledge of these threats faster than usual?

To answer this, we analyzed data from hundreds of thousands of exercises and simulations conducted with organizations globally. Our complete findings are available in the Cyber Workforce Benchmark 2022, but today, we revisit response times to breaking threats, focusing on how threat visibility impacts response speed.

High-Profile Incidents Are Now an Ongoing Fact of Life

Large-scale security incidents have become increasingly frequent and high-profile in recent years. For example, the multiple vulnerabilities discovered in Apache Log4j (December 2021) made global headlines due to their widespread impact. Security teams scrambled to assess and mitigate Log4j risks well into 2022, and some organizations are still dealing with the fallout. This came almost exactly a year after the SolarWinds attack, which similarly blindsided security teams worldwide.

Beyond these major breaches, ransomware attacks have also broken into mainstream media. One of the most widely covered was the Colonial Pipeline attack (2021), which forced a major U.S. energy company to shut down fuel supply operations until a multi-million dollar ransom was paid.

The Four Fastest-Developed Skills in 2021 Were All Related to Log4j

Given the extensive news coverage and far-reaching impact of Log4j, it serves as an excellent case study for examining how security learning speeds vary between high-profile and less visible threats. As noted in our previous post, security teams typically take 96 days on average to develop the skills necessary to defend against breaking threats. However, the response to Log4j was significantly faster.

When Immersive Labs released a Log4j-related exercise focusing on OWASP tools for impact assessment, it became the fastest human capability development we’ve ever observed. On average, organizations completed the Log4j lab in under a day—nearly 100 times faster than other threat intelligence labs. The next three fastest-developed cybersecurity skills in 2021 were also Log4j-related, with completion times ranging from 1.1 to 4.3 days. Overall, security teams responded far faster than average to Log4j vulnerabilities.

Security Teams Also Ramped Up SolarWinds Knowledge in Days

The speed and urgency of Log4j response mirrored a similar pattern we observed following the SolarWinds attack. While SolarWinds didn’t have the same far-reaching impact as Log4j, it posed a potentially devastating risk to affected organizations. Security teams recognized this and prioritized learning and mitigation efforts. Capability development related to SolarWinds was nearly 8× faster than average. Most security teams developed SolarWinds-related skills within 12 days—far faster than the typical response time for breaking threats.

Public Awareness of Threat Actor Groups May Also Drive Urgency

Beyond individual attacks, visibility of specific threat actor groups also appears to influence security learning priorities. When analyzing threat intelligence lab completions by threat actor group, we found that the most studied groups were those with extensive media coverage.

Here are the top five threat actor groups that received the most attention from security teams (in order of focus level):

  1. UNC2452: The infamous nation-state group responsible for the SolarWinds compromise.
  2. Iranian Threat Groups: Nation-state actors that were specifically highlighted in government warnings to enterprises.
  3. FIN 7: A notorious Russian hacking group charged by the U.S. for crimes against hundreds of companies.
  4. Hafnium: A nation-state group responsible for a 2021 Microsoft Exchange Server breach that received extensive coverage due to its severe and broad impact.
  5. Darkside: A cyber-extortion group linked to numerous ransomware incidents, including the Colonial Pipeline attack.

These groups are just a subset of the broader universe of threat actor groups, but their visibility appears to have influenced the level of focus they received from security teams.

Key Takeaways

Many factors likely influence the priority and speed of human capabilities development, but it’s clear that security teams move faster in response to high-profile threats that reach boardroom visibility.

The key lesson isn’t that every threat should be escalated to the boardroom to artificially accelerate learning—this would be counterproductive. As the saying goes, when everything is urgent, nothing is urgent. Instead, security leaders should take actionable steps based on this data. Tracking overall capability development response time for breaking threats and incentivizing teams to improve this metric over time can be highly effective.

It’s also valuable to identify subsets of threats that are particularly critical to specific industries or businesses and find ways to elevate internal visibility when they emerge. Some threats may not break into mainstream media the way Log4j and SolarWinds did, yet they could pose a serious risk to organizations affected.

One approach is to create an inventory of the open-source software in use and track capability development response time for relevant breaking threats separately. An exploit for a niche open-source component may not make headlines, but if it plays a critical role in business operations, organizations should build processes for escalating its visibility and ensuring a faster-than-average response.
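As an added illustration (not code from the report or from Immersive Labs), the following sketch tracks the "capability development response time" metric described above against a software inventory: it computes the median days from advisory publication to exercise completion per threat, then flags threats affecting critical components whose response is slower than the 96-day baseline cited in the post, or that nobody has trained on yet. Component names, dates and completion records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

BASELINE_DAYS = 96  # average response time to breaking threats, as stated in the post

# Constructed inventory (hypothetical components): component -> business criticality
INVENTORY = {"log4j-core": "critical", "libfoo-parser": "critical", "libbar-utils": "low"}

@dataclass(frozen=True)
class Advisory:
    threat: str      # label shared by the advisory and the matching lab/exercise
    component: str   # open-source component the advisory affects
    published: date

@dataclass(frozen=True)
class Completion:
    threat: str
    completed: date  # date a team finished the exercise for this threat

def response_times(advisories, completions):
    """Median days from advisory publication to exercise completion, per threat."""
    published = {a.threat: a.published for a in advisories}
    days = {}
    for c in completions:
        if c.threat in published:  # ignore completions with no known advisory date
            days.setdefault(c.threat, []).append((c.completed - published[c.threat]).days)
    return {t: median(d) for t, d in days.items()}

def slow_critical_threats(advisories, completions, inventory=INVENTORY, baseline=BASELINE_DAYS):
    """Threats affecting 'critical' inventory components whose median response time
    exceeds the baseline, or that have no completions at all (median None)."""
    medians = response_times(advisories, completions)
    return [(a.threat, medians.get(a.threat)) for a in advisories
            if inventory.get(a.component) == "critical"
            and (medians.get(a.threat) is None or medians[a.threat] > baseline)]

# Constructed sample data: one headline threat, one niche critical threat, one low-criticality threat
ADVISORIES = [
    Advisory("Log4j", "log4j-core", date(2021, 12, 10)),
    Advisory("libfoo-rce", "libfoo-parser", date(2022, 2, 1)),
    Advisory("libbar-dos", "libbar-utils", date(2022, 3, 1)),
]
COMPLETIONS = [
    Completion("Log4j", date(2021, 12, 10)),      # same day
    Completion("Log4j", date(2021, 12, 11)),      # next day
    Completion("libfoo-rce", date(2022, 5, 1)),   # 89 days
    Completion("libfoo-rce", date(2022, 6, 1)),   # 120 days
    Completion("libfoo-rce", date(2022, 7, 1)),   # 150 days
]
```

With this data the headline threat clears the baseline easily while the niche component, which would never make the news, is the one that gets flagged for internal escalation.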

Download the Complete Cyber Workforce Benchmark 2022

The topic covered today is just one of many insights found in our full Cyber Workforce Benchmark 2022 report. Download your free copy for a more comprehensive view of global cyber resilience, featuring expert perspectives from security executives and capabilities development professionals.

  • 18 months
  • 2,100 organizations
  • > 500,000 exercises and simulations
  • > 1,500 threats and incidents

Want to see how Immersive Labs can help you? Reach out to book a demo.
