Submitted:
18 October 2024
Posted:
21 October 2024
Read the latest preprint version here
Abstract
Keywords:
1. Introduction
2. Materials and Methods
3. Results
Many times, it has to do with limited resources within a company. My perception is that’s probably due to largely financial reasons in terms of hiring and just not having enough staffing.
I do not want to say that many companies do not have enough people… but that is really what it comes down to… However, to actually have someone or a group of people who know what to do with that data and can do something with it. That takes many man hours and it is and it’s not really making you any money, so. It’s hard for some companies to justify spending the money to bring the people.
You need really good, centralized log management so that you can get access to stuff that has… timestamps synchronized across multiple systems. The initial system could have been compromised because those logs are no longer reliable.
You do not have your EDR or antivirus enabled everywhere, and if you do, it might be full of exceptions [and] it might be out of date…your firewall might not be configured correctly. Let alone you might not even have the people…who have enough time to monitor all those things.
I think it is some of the new processes that they have in place, many of which we are not even aware of. So, I think it is just that they are just becoming better and better at what they do. Moreover, it is making it very difficult for us and when I say us, I just mean cybersecurity professionals to detect these kind of things from happening earlier. And I think they're finding out way is that we’re preventing their attacks and they’re [i.e., hackers] looking for more creative solutions and it’s working.
We have a pretty good process for detecting these things and getting people at … the technician level to talk. We only have a couple of people who have the authority to say, this is an incident we need to get all hands-on deck and pull everybody in and start working this and sometimes there’s a fear that you don’t want to cry wolf so you sit on something longer than you should.
As far as team compositions go: an open and honest team that can communicate with one another…capable of shoring up each other’s weaknesses. Let’s say I’m fairly particularly strong at reverse engineering and malware triage. Whereas maybe one of my other leads is better about going through network packet analysis and stepping through how that works in the networking portion. Build a team that’s communicative, dedicated, and passionate for the work and shores up each other’s weaknesses without shaming one another for them is one way to develop a team that will be effective at handling any potential issues.
Tactics, Techniques, Procedures (TTPs) that we could look for that they might have, or we could use it to find stuff in our environment faster. That I think would be very useful. The threat intelligence that we use…we also pay a company and they do curated threat intelligence based on our technology stack.
We definitely have developed proprietary sort of homegrown, apps and the biggest motivation was just to have something built in-house even if you’re using third parties it helps to have processes in-house. So, I think that’s what’s what the motivating factor was and then in terms of the effects it was great I mean I feel like we were able to see improvements and see benefits right away.
One of the things that, has worked really well for us, is some of those response tools that I’ve mentioned, EDR, XDR, and SIEM tools. They do a great job of helping you understand impacts and what the exact well time was, and how long. The threat lasted how long before it kicked off, how long afterward there’s a lot of monitoring. Capabilities are built into those as well. Participant 8 mentioned they use multiple InfoSec tools, including Defender EDR and Rapid 7 SIEM. The Rapid 7 SIEM tool acquires security and management alerts. Defender EDR and Rapid 7 pick up malware on servers or endpoints immediately isolate the endpoints and disable the primary users.
When it comes to team composition, the most effective is a team that does not rotate out. If you could have a solid team that stays together for years…that’d be great because that way we don’t have to keep training new people on how we do things and all it works.
The best information you can have [is] to know the subject matter expert for the different business applications. Someone who knows the front end and also someone who can tell you what the logs mean. Because a lot of times, that’s not documented very well. You have to have that to understand what happened and to put the pieces together. You definitely need analysts who are good at taking a lot of data and crunching it and pulling out the correlations [and] you need people who are good at communicating across business and technology.
Once an incident starts. We’ve got great documentation on that. But as far as deciding when to call an incident or what constitutes an incident that’s still basically left up to the couple of people who have that authority and they rely on people to bring them things … we also need to process what constitutes an incident better.
The biggest need that arose from that is within the last three years we’ve had a massive increase in the security budget. So, we’ve onboarded a lot of tools and a lot of people. We went from a team of maybe 8 to 30.
It’s really just being able to measure it throughout that process and understanding from the start of an attack to when it’s detected to when it’s completely taken care of …over the course of that time.
Making change requests was a weekly activity, and the change request in this case would be to remove the software to remove the vulnerability. I did not want to do it because it took too long…you had to wait until after hours. My philosophy there was to do the simplest thing…on a regular basis to make sure that everything was immediate.
Cyber kill chain to MITRE ATT&CK framework to the diamond model …have all played a part in influencing my opinion and my approach to dwell time. Some of them will dictate exactly the start to finish of this life cycle of an attack whereas others will enumerate the target of a specific adversary and what other sections they might be accessing.
4. Discussion
5. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- IBM. Cost of a Data Breach Report 2023; IBM: Armonk, NY, USA, 2023. Available online: https://www.ibm.com/reports/data-breach (accessed on 13 September 2024).
- Petrosyan, A. Cost of a Data Breach in the U.S. 2022. Statista, 2023. Available online: https://www.statista.com/statistics/273575/us-average-cost-incurred-by-a-data-breach (accessed on 13 September 2024).
- Alam, S. Cybersecurity: Past, Present and Future. ArXiv Preprint ArXiv, 2022. [CrossRef]
- Eling, M.; McShane, M.; Nguyen, T. Cyber Risk Management: History and Future Research Directions. Risk Manag. Insur. Rev. 2021, 24, 93–125. [CrossRef]
- International Telecommunications Union. Global Cybersecurity Index (GCI) 2018; ITU: Geneva, Switzerland, 2019. Available online: https://www.itu.int/dms_pub/itu-d/opb/str/D-STRGCI.01-2018-PDF-E.pdf (accessed on 13 September 2024).
- Cho, H.; Lee, S.; Kim, N.; Kim, B.; Park, J. Method of Quantification of Cyber Threat Based on Indicator of Compromise. In Proceedings of the International Conference on Platform Technology and Service (PlatCon), Busan, Korea, 29–31 January 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 182–188. [CrossRef]
- Rogers, R.W. A Protection Motivation Theory of Fear Appeals and Attitude Change. J. Psychol. 1975, 91, 93–114. [CrossRef]
- Howell, C.J.; Maimon, D.; Perkins, R.C.; Burruss, G.W.; Ouellet, M.; Wu, Y. Risk Avoidance Behavior on Darknet Marketplaces. Crime Delinq. 2022, 70, 519–538. [CrossRef]
- Kim, J.K.; Crimmins, E.M. Age Differences in the Relationship Between Threatening and Coping Mechanisms and Preventive Behaviors in the Time of COVID-19 in the United States: Protection Motivation Theory. Res. Psychother. Psychopathol. Process Outcome 2020, 23, 485. [CrossRef]
- Sulaiman, N.S.; Fauzi, M.A.; Hussain, S.; Wider, W. Cybersecurity Behavior Among Government Employees: The Role of Protection Motivation Theory and Responsibility in Mitigating Cyberattacks. Information 2022, 13, 413. [CrossRef]
- De Kimpe, L.; Walrave, M.; Verdegem, P.; Ponnet, K. What We Think We Know About Cybersecurity: An Investigation of the Relationship Between Perceived Knowledge, Internet Trust, and Protection Motivation in a Cybercrime Context. Behav. Inf. Technol. 2022, 41, 1796–1808. [CrossRef]
- Lee, C.S.; Kim, D. Pathways to Cybersecurity Awareness and Protection Behaviors in South Korea. J. Comput. Inf. Syst. 2023, 63, 94–106. [CrossRef]
- Patel, A.; Roy, S.; Baldi, S. Wide-Area Damping Control Resilience Towards Cyber-Attacks: A Dynamic Loop Approach. IEEE Trans. Smart Grid 2021, 12, 3438–3447. [CrossRef]
- Liu, C.; Jiang, B.; Wang, X.; Yang, H.; Xie, S. Distributed Fault-Tolerant Consensus Tracking of Multi-Agent Systems Under Cyber-Attacks. IEEE/CAA J. Autom. Sin. 2022, 9, 1037–1048. [CrossRef]
- Qi, W.; Lv, C.; Zong, G.; Ahn, C.K. Sliding Mode Control for Fuzzy Networked Semi-Markov Switching Models Under Cyber Attacks. IEEE Trans. Circuits Syst. II Express Briefs 2021, 69, 5034–5038. [CrossRef]
- Izycki, E.; Colli, R. Protection of Critical Infrastructure in National Cybersecurity Strategies. In Proceedings of the European Conference on Cyber Warfare and Security, Coimbra, Portugal, 2019. Available online: https://www.researchgate.net/publication/335760609 (accessed on 13 September 2024).
- Gatzert, N.; Schubert, M. Cyber Risk Management in the U.S. Banking and Insurance Industry: A Textual and Empirical Analysis of Determinants and Value. J. Risk Insur. 2022, 89, 725–763. [CrossRef]
- Braun, V.; Clarke, V. Reflecting on Reflexive Thematic Analysis. Qual. Res. Sport Exerc. Health 2019, 11, 589–597. [CrossRef]
- Safi, R.; Browne, G.J. Detecting Cybersecurity Threats: The Role of the Recency and Risk Compensating Effects. Inf. Syst. Front. 2023, 25, 1277–1292. [CrossRef]
- Cooke, D.M. Cybersecurity: Building a Better Defense with a Great Offense; Cybersecurity Journal: New York, NY, USA, 2021. [CrossRef]
- Neto, N.N.; Madnick, S.; Paula, A.M.G.D.; Borges, N.M. Developing a Global Data Breach Database and the Challenges Encountered. J. Data Inf. Qual. 2021, 13, 1–33. [CrossRef]
- Grody, A.D. Addressing Cyber Risk in Financial Institutions and in the Financial System. J. Risk Manag. Financ. Inst. 2020, 13, 155–162. Available online: https://www.ingentaconnect.com/content/hsp/jrmfi/2020/00000013/00000002/art00007 (accessed on 13 September 2024).
- Tsiodra, M.; Panda, S.; Chronopoulos, M.; Panaousis, E. Cyber Risk Assessment and Optimization: A Small Business Case Study. IEEE Access 2023, 11, 44467–44481. [CrossRef]
| Theme | Frequency |
| Inadequate personnel, resources, and poor management | 9 |
| Poor system and slow response to attacks | 8 |
| Evolving cyber intrusion tactics by hackers | 5 |
| Theme | Frequency |
| Knowledge of Hacker | 23 |
| Processes | 9 |
| Expertise | 10 |
| Tools | 4 |
| Theme | Frequency |
| Third-party threat intelligence subscriptions | 16 |
| InfoSec Tools: EDR, XDR, SIEM, automated tools, MSSP, Splunk, user behavior analytics, and Arctic Wolf tools |
15 |
| Theme | Frequency |
| Teamwork and good management | 22 |
| Integrated automation and documentation | 18 |
| Frequent audit logging and cybersecurity assessment | 9 |
| Cyber Kill Chain, MITRE ATT&CK, and NIST cybersecurity frameworks | 7 |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).