Why root causes matter in cybersecurity

By Stu Sjouwerman

Enterprises continue to double-down investments on cybersecurity. But why aren’t cyberattacks slowing down?

No doubt, security decision makers act with the best of intentions. But it’s certainly possible that they’re disproportionately spending scarce resources on a limited set of threats without realizing more prevalent methods of ingress attackers use to infiltrate organizations.

LIKE BUBBLES IN A GLASS OF CHAMPAGNE

The problem with cybersecurity is that cyber risks are far too plentiful. Trojans, spyware, backdoors, adware, ransomware, viruses and malware, physical theft, social engineering, remote employees, personal devices, shadow IT, identity theft, unpatched software, network vulnerabilities, credential theft, SQL injection attacks—the list goes on and on.

Security teams view these risks as bubbles in a glass of champagne, each bubble needing a counter-offensive. As a result, security teams deploy multiple security tools to mitigate these diverse sets of security risks. But some bubbles are larger than others. Therefore, those bubbles need more security. Think of it this way: If you’re a military general, why would you divide all your resources equally across air, sea, and land, if indeed adversaries are mostly coming from the sea? It’s the same principle.

SO WHERE ARE ADVERSARIES REALLY COMING FROM? 

To understand where adversaries are coming from, one needs to re-adjust their thinking around the root causes behind breaches and not around discrete, individual security incidents. For instance, ransomware isn’t the real reason for why organizations get attacked. How does ransomware get in—that’s the real question we should be asking.

Let’s say an attacker uses stolen credentials to take a network offline. The stolen credentials aren’t the main culprit, it’s how those credentials were stolen in the first place. Similarly, if a third-party supplier is hacked, most people would call that a supply chain compromise. How that third party was hacked is something that needs to be addressed and investigated.

WHY UNCOVERING AND DOCUMENTING ROOT CAUSES IS HARD

In the cybersecurity industry, unfortunately, there is no official directory of root causes. Many vendors categorize certain attacks as root causes when in reality, these are often outcomes or symptoms. For example, ransomware, remote access, stolen credentials, etc., are all symptoms, not root causes. The root cause behind remote access or stolen credentials is most likely human error or some vulnerability.

HOW CAN REAL ROOT CAUSES BE DETERMINED? 

Root causes can usually be determined from three main factors: data, relevance, and individual experience. Relevance and individual experience relate to gauging threats from your own business context and experience, not from a security vendor’s. Where are my crown jewels? What are my top risks? What are my weaknesses? Analyze your security incidents and think about the most common tactics that attackers have been using to target your business.

Data includes both external and internal information. From an external perspective, phishing was reported as the most pervasive threat vector among scores of security research reports in 2022:

1. Secureworks noted that incident response cases doubled due to business email compromise (BEC) scams and phishing (a subset of social engineering), was present in 85% of BEC incidents.
2. Comcast observed that in 89% of attacks, threat actors used phishing to gain initial access into victim environments.
3. IBM identified phishing as a top initial access vector, used in almost 41% of all breaches.
4. The UK government highlighted that phishing was the most common threat vector observed in nearly 83% of reported attacks.
5. Cloudflare reported phishing as the primary method hackers use to get into an organization.
6. Infoblox uncovered that the most successful form of attack is phishing (58%).

Clearly, phishing and social engineering are the biggest threats. But are they a root cause?

The true root cause is human error. People are prone to mistakes, ignorance, and biases. We open malicious attachments, click on wrong links, surf the wrong websites, use weak credentials, and reuse passwords across multiple sites. We use unauthorized software, make public our private details via posting on social media for bad actors to scrape and harvest. We take security far too much for granted.

Human error in cybersecurity is a much larger problem than previously anticipated or documented. To clamp down on human error, organizations must train employees enough so they can develop a security instinct and improve security habits. Clear policies and procedures must be in place, so everyone understands their responsibility and accountability towards the business.

Unpatched software vulnerabilities are another reason why cyberattacks and breaches are successful. A majority of ransomware attacks in 2022 involved weaponizing old vulnerabilities. Poor patch management (considered a human error) is another critical root cause that needs to be looked at.

Future security and risk management leaders must balance their investments across both technology and human-centric elements to create a more effective cybersecurity program. Identify root causes because only they will determine the course of your cybersecurity strategy and subsequent investments.