Attackers typically take days or weeks to exploit new vulnerabilities, but defenders are slow to learn about critical issues and take action, requiring 96 days on average to learn to identify and block current cyber threats, according to a new report analyzing training and crisis scenarios.
The report, Cyber Workforce Benchmark 2022, found that cybersecurity professionals are much more likely to focus on vulnerabilities that have garnered media attention, such as Log4j, than more understated issues, and that different industries develop their security capabilities at widely different rates. Security professionals in some of the most crucial industries, such as transport and critical infrastructure, are twice as slow to learn skills compare to their colleagues in the leisure, entertainment, and retail sectors.
The amount of time it takes for security professionals to get up to speed on new threats matters — CISA says that patches should be applied within 15 days, sooner than that if the vulnerability is being exploited, says Kevin Breen, director of cyber threat research at Immersive Labs.
"We have all these organizations pushing for fast patching, but the network defenders are not training at the same pace," he says. "And, if you are not able to patch, then you need to be learning how to defend against the exploits."
Cybersecurity Threat Exercises
The report uses data from more than 2,100 organizations that participated in more than a half of a million simulations and exercises as part of Immersive Labs' cybersecurity training and crisis exercises. The report collects data from cybersecurity crisis exercises, training of security professionals to handle current threats, and education of developers in application security.
Immersive measured how quickly, for example, security professionals completed 185 modules that focused on specific current threats, finding that its users learn, on average, a new module within 96 days of the content being published. The leisure and entertainment industries led the pack in terms of learning about the latest threats, only taking an average of 65 days to develop a skill, while the transport industry took the longest at 145 days.
"It is perhaps no surprise that sectors with digital at their heart — such as e-commerce, entertainment and media — outperformed other sectors by building human capabilities against breaking threats faster," the report stated.
The study showed which attack techniques companies had prioritized for training. The most popular learning and testing modules involved the execution stage of attacks, as defined by the MITRE ATT&CK framework, a topic that was five times more popular than similar labs on data collection and infiltration, according to Immersive Labs data.
The focus on earlier stages in the ATT&CK framework makes sense, says Breen.
"If you can detect an attacker early on in the cycle, then you don't have to worry so much, because you stopped them early," he says. "There certainly is a human element at play there. They want to try to prevent these attacks before they happen, so they naturally focus on 'how do I stop them from getting in' rather than 'how do I react if they have already got in.'"
When specific threats are widely discussed in the media, security professionals also learned the skills to deal with those threats much more quickly. The top 5 skills developed most quickly — completed within five days — include four modules covering the Log4j vulnerability and the Log4Shell exploit and another module covering the InstallerFileTakeOver exploit for Windows, the report stated.
Different industries had different approaches to training and exercises. The industries with the highest number of crisis exercises per year included technology, financial services, and government, with a respective annual average per company of nine, seven, and six exercises. While the average educational organization only conducted two exercises per year, those organizations tended to have many more participants, with 21 participants per crisis scenario, three times as many as the next sectors — technology and consulting — both of which had an average of seven participants.
Manufacturing had the greatest aggregate score on the exercises, with companies in the sector averaging a performance score of 85%, compared to the worst industry sector, healthcare, which scored an 18%.
"Some of the industries treat this almost as a checkbox exercise — they do their one exercise a year, and they only have a few participants," Breen says. "You can't just bring in your technical teams; you have to bring in your legal teams, your communication teams, and HR teams to get a holistic view."
Seven out of 10 of the crisis scenarios where participants had the lowest confidence in their decisions involved ransomware. While 83% of organizations refused to pay ransomware groups during the scenarios, the most likely to pay were educational organizations at 25%, while no critical infrastructure organizations decided to pay.
Breen recommends that companies run frequent crisis exercises and bring in a more diverse group of participants from other business groups. In addition, companies should learn the skills needed to shift security left into development, and patch as quickly as possible.