“I am a veteran of the crypto wars.”
This was a sentence I heard during the excellent HUMAN event at the RSA conference recently held in San Francisco. Many in the audience scoffed at the statement, but the sentiment I took from it was that working in a modern cyber security context can be stressful, even traumatic.
This is not a new revelation. CREST, the UK-based non-profit standards body, published an insightful report on the effects of stress and burnout on the cyber security workforce. The report is worth reading in full, but its key points can be summarised as follows:
- Cyber security is a high-pressure profession
- Stress affects all levels of security personnel, up to and including CISOs
- Pressure is increasing because the threat landscape is more complex, with more sophisticated and organised threat actors
Many of the issues highlighted in the report can be laid at the door of the cyber security skills shortage, which the report itself discusses and which we are all painfully aware of. Yet I would argue that the third point above is a less obvious but highly significant contributor to the increased cognitive load on cyber security professionals.
Driving factors behind the increased complexity of the threat landscape
Building on CREST's observation about the increased complexity of the threat landscape, I would make the following assertions about the past decade:
- The overall threat posed by the cyber threat landscape has increased significantly; in 2022 an existential cyber-attack is a very real possibility for many businesses.
- The cyber threat landscape is more complex and nuanced than the equivalent "bomb and bullet" threat landscape. Take attribution: where an AK-47 was manufactured is rarely a determining factor in assessing a terrorist attack, yet the provenance of a piece of malware is often of pivotal importance in assessing a cyber-attack.
- The frameworks we use within CTI have become more complex over time. Compare the seven-step Lockheed Martin Cyber Kill Chain with the 14 tactics of the MITRE ATT&CK Enterprise matrix, each of which sits above many techniques and sub-techniques.
Taking just these three factors into account, the increased cognitive load of CTI work becomes apparent. Mix in the increasing demands of corporate culture, which seems to have become even more demanding in the post-COVID world, and the recipe for stress is clear.
What can machines do to help?
I believe that plugging the skills gap is not enough on its own to reduce stress and burnout in cyber security. There may be more people to share the load, but ultimately the individual analyst still has to cope with an ever-expanding portfolio of data and tools to produce a single assessment of a threat. It is in this context, helping the analyst wrangle data and analytical frameworks, that Artificial Intelligence tools like Elemendar's READ. can help.
Take for example the Pyramid of Pain, a well-established model that ranks indicator types by how much pain denying them causes an adversary: hash values at the bottom are trivial for the adversary to change, while TTPs at the top are hard to abandon without changing how the adversary operates. Without tooling, the human analyst is often mired in the lower levels of the pyramid, processing low-level indicators such as hashes and IP addresses by hand. A tool like READ., through automated extraction, frees the analyst to focus on the higher and more impactful levels of the pyramid, namely TTPs.
Shown below is an abstraction of this workflow, from the initial unstructured report to two separate extractions within READ. (one with all indicator types included and one with just TTPs), and how this maps to the Pyramid of Pain.
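As an added illustration (not READ.'s own code, nor anything Elemendar has published), here is a small Python script that performs the two extractions described above over a constructed sample report and arranges the results by Pyramid of Pain level. The regex patterns, the TLD allow-list, the sample domain and the report text are all simplifications invented for this example; a real tool recognises far more indicator types and does not rely on regexes alone to find TTPs.

```python
"""Toy CTI extractor: pull indicators out of an unstructured report and
arrange them by Pyramid of Pain level.  Illustrative only (not READ.); a
production tool handles many more indicator types (URLs, e-mail addresses,
registry keys, mutexes, tool names) and uses NLP rather than regexes for TTPs."""
import re

# David Bianco's Pyramid of Pain, bottom to top.  Only the four levels this
# toy extractor can recognise are wired to a regex below.
PYRAMID = ["hash", "ip", "domain", "artifact", "tool", "ttp"]
PAIN = {"hash": "trivial", "ip": "easy", "domain": "simple",
        "artifact": "annoying", "tool": "challenging", "ttp": "tough"}

PATTERNS = {
    # longest hash first so a SHA-256 is not also reported as an MD5 fragment
    "hash": re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # TLD allow-list (a simplification) keeps file names like payload.dll out
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|info)\b", re.I),
    # ATT&CK technique IDs, with optional sub-technique suffix
    "ttp": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
}

# Constructed sample report (not a real incident): addresses are from RFC 5737
# documentation ranges, the domain is invented, and the hashes are the
# well-known digests of the empty file.
SAMPLE_REPORT = """
Incident summary. The loader arrived as invoice.docm, SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. On opening it
spawned powershell.exe (T1059.001) to fetch a second stage from
hxxp://update-cdn[.]example-c2[.]net/s.bin, which resolved to 203[.]0[.]113[.]42.
Persistence was added as a scheduled task (T1053.005). The second-stage DLL
(MD5 d41d8cd98f00b204e9800998ecf8427e) beaconed to 198.51.100.7 over TCP 443.
"""


def refang(text: str) -> str:
    """Undo common defanging so the regexes see the real indicators."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxp", "http").replace("[:]", ":"))


def extract_indicators(text: str) -> dict:
    """Return {type: [unique values in order of appearance]} for each type."""
    text = refang(text)
    found = {}
    for kind, rx in PATTERNS.items():
        seen = []
        for match in rx.findall(text):
            value = match.lower() if kind in ("hash", "domain") else match
            if value not in seen:
                seen.append(value)
        found[kind] = seen
    return found


def pyramid_view(indicators: dict, ttps_only: bool = False) -> list:
    """Rows of (pain, type, value) ordered from the top of the pyramid down,
    the order an analyst should read them.  ttps_only=True is the second,
    'just TTPs' extraction from the workflow above."""
    rows = []
    for kind in reversed(PYRAMID):
        if ttps_only and kind != "ttp":
            continue
        for value in indicators.get(kind, []):
            rows.append((PAIN[kind], kind, value))
    return rows


if __name__ == "__main__":
    inds = extract_indicators(SAMPLE_REPORT)
    print("--- all indicator types ---")
    for pain, kind, value in pyramid_view(inds):
        print(f"{pain:12} {kind:7} {value}")
    print("--- TTPs only ---")
    for pain, kind, value in pyramid_view(inds, ttps_only=True):
        print(f"{pain:12} {kind:7} {value}")
```

Running the script prints the full extraction (two TTPs, one domain, two IP addresses, two hashes) ordered from the top of the pyramid down, then the TTP-only view. The point of the ordering is the one made in the text: the analyst sees the two ATT&CK techniques first, while the hashes and addresses, which the adversary can change at will, are extracted without consuming any human attention.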
We have discussed and added nuance to the issue of stress and burnout within cyber security. This is a known issue, but what is less well defined is how tooling can be used to alleviate stress and burnout in personnel. I reason that simply adding more staff is not enough on its own, and that smart tooling is a necessary part of the solution.