Many organizations remain unprepared to handle a ransomware attack on a holiday or weekend.

Edward Gately, Senior News Editor

December 20, 2022


Is a major cyber event about to occur, creating a holiday season nightmare for cyber defenders?

Last year, there were Log4j vulnerability exploitations and the year before it was the SolarWinds supply chain attack. These cyber events had cybersecurity professionals scrambling throughout the holidays, and the impacts lasted well into the following year.

According to Cybereason research, many organizations remain unprepared to handle a ransomware attack on a holiday or weekend, as they continue to operate with a skeleton crew at these times. It’s no surprise that security operations center (SOC) teams operate so lean on holidays and weekends. That’s because security professionals are experiencing record levels of burnout compounded by a protracted global talent shortage and relentless adversaries.

Next Big Cyber Event ‘Never Far from Our Minds’

Michael DeBolt is chief intelligence officer at Intel 471. He said for those defending against cyber threats in the trenches every day, the eventual discovery of a large-scale cyber event or serious widespread security issue is “never far from our minds, regardless of the season.”


“Being vigilant and prepared are key requirements for a cybersecurity analyst or threat intelligence professional responsible for protecting their organization,” he said. “Unfortunately, the daily grind and constant pressure not to miss something can take a heavy toll on the individual and the organization if left unchecked. Under stress, important tasks and security controls that are otherwise trivial can be inadvertently missed.”

Reconciling this tension first requires accepting that a critical cyber event can happen, DeBolt said. It’s not a matter of if, but when.

“With this backdrop, the key is to be prepared,” he said. “Build confidence in your security and risk posture so you are positioned to resolve critical events quickly with minimal impact. Nothing is 100% preventable. But prior planning that addresses internal weaknesses and external threats illuminates key risk areas and fine-tunes your immediate action plan should an unforeseen critical event occur. Having a solid understanding of your environment will enable you to triage a quick and accurate assessment of whether the threat actually poses a real and present risk to your organization.”

Automation Can Help

John Bambenek is principal threat hunter at Netenrich. He said critical business assets continue to exist outside working hours, but the humans to protect them have families and want time off.


“You either have to highly incentivize people to work or they’ll be at home and it’s hard to justify the cost,” he said. “Even in a breach, it’s hard to bring people back. The less resourced a security team is, the harder it becomes for holidays because the money isn’t there for holiday pay or outsourcing. Automation can help. If there are defenses that thwart attacks as they occur, some measure of protection exists. Multinationals can prioritize security staff in places where different holidays are celebrated so constant coverage is available. Ultimately this remains a resilience problem.”

Every security program needs to start with business continuity and disaster recovery, knowing that most attackers do not share the time zone of their victims, Bambenek said. Having procedures in place that allow remote workers to restore critical business functions remotely is key.

Plans Should Already Be In Place

Mike Parkin is senior technical engineer at Vulcan Cyber.


“This time of year can be a challenge in general,” he said. “How IT departments are preparing can vary wildly from organization to organization, with some doing a much better job than others. Hopefully, the majority have already made their preparations and have the appropriate plans in place. This close to the holidays, organizations should already have their schedules set so they know what personnel resources are available and their contingency plans in place. The last round of patches and mitigations should be done. And finally, the reminders to staff to be aware of social engineering efforts and phishing attacks should be out, with another round ready to go right before everyone leaves on break.”

Cybersecurity professionals are dealing with environments that are “active” 8 a.m. to 5 p.m., but are under threat around the clock, Parkin said.

“Even with limited resources, proper planning and solid communication can soften the blow when an attack comes outside the organization’s normal business hours,” he said. “Automation and well-designed playbooks combined with a solid risk management program can serve as a force multiplier for a limited staff until the full team can react.”

Ensuring On-Call Coverage


Melissa Bischoping is director of endpoint security research at Tanium.

“So how has my experience with SolarWinds and Log4j better prepared me to brace for a cybersecurity incident of equal or greater magnitude this time of year?” she said. “Ensuring that there’s adequate staffing coverage and communication plans is a huge part of preparation. It’s not uncommon to hear those in the industry say that holidays and weekends are the most likely time to get a call for a major event. So ensuring that you’ve got the right on-call coverage where needed, and you’re balancing that with providing time to recover and prevent burnout is essential.”

With every cyber event, after-action reviews that document lessons learned, and the implementation of those improvements, are an essential part of the lifecycle, Bischoping said.

“Don’t forget to do this,” she said. “There is always room to improve your process or identify where you could close gaps in capability or visibility.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
