
Most cybersecurity leaders are making decisions without understanding their attackers

The issue isn’t a lack of intel so much as whose hands it’s in.

Uncovering results that would leave Sun Tzu more than a little disappointed, a study conducted by researchers at Mandiant (now part of Google Cloud) shows security decision-makers are often left to navigate decisions without the context they need—or, put another way, without knowing their enemy.

The survey polled 1,350 business and IT figures who make cybersecurity decisions at orgs with at least 1,000 employees, and 79% of respondents said they make decisions without adversary insights “at least the majority of the time.” While the poll found that nearly all (96%) are satisfied with the quality of the threat intelligence their organizations use, 47% said effectively applying that knowledge was one of their biggest challenges. Just 35% reported their organizations have a comprehensive knowledge of relevant threat actors and their tactics, techniques, and procedures (TTPs).

Almost all respondents (98%) said they need to be faster at updating their security strategy based on day-to-day intel, while 79% said their organizations could spend more time identifying critical cybersecurity trends.

Luke McNamara, Mandiant principal analyst at Google Cloud, told IT Brew the results indicate that while there’s a solid consensus that attribution and awareness of the threat posed by specific threat actors is important, operationalizing that data remains difficult in practice.

“It’s one thing to create good, high-quality intelligence,” McNamara said. “It’s another thing to make sure that the right individuals within the organization have access to that.”

Intelligence on where, when, and how threat groups are operating, and which sectors they are targeting, can help focus limited security resources where they’ll be most effective. The survey also found that security teams may be struggling to separate the wheat from the chaff when it comes to oncoming alerts and data—84% were fairly or very concerned they may be missing real threats due to the number of alerts, while 69% said they felt overwhelmed.

“That is really the big challenge that a lot of organizations are finding now with threat intel,” McNamara said. “Intel has gotten better. There’s more providers out there, more sources of threat intelligence to consume, even internally, off their own network, that organizations can produce. It’s figuring out: How do we use this most effectively?”

In practical terms, McNamara told IT Brew, access to that kind of information can help cybersecurity professionals explain how threats can translate to business risk. One example is APT32, a cybercriminal group that operates out of Vietnam and that he said Mandiant has noticed targeting Western companies in the automotive sector.

“That sort of intelligence, if I’m a Western automotive company, and I’m looking to expand operations in that country, that’s a level of cyber risk that I can be armed with and take into account alongside all the other factors that would obviously go into making a business decision like that,” McNamara said. “Lessons to be drawn from that can be useful for a board-level discussion [or] the C-suite.”—TM
