While many professionals might approach the end of a year as a time for pause and reflection, setting goals for the new year or at least some respite, cybersecurity professionals can’t shake the premonition that something bad is about to occur.
It’s no wonder why. Blame the SolarWinds attack discovered in December 2020 and the Log4j vulnerability discovered in November 2021 for all the anxiety.
“I like to think of this time of year as breach season since it’s proven itself time and time again that this time of year tends to be when significant activity tends to occur,” Ryan Olson, VP of threat intelligence at Palo Alto Networks Unit 42, said via email.
End-of-year stress and worries are common and, for better or worse, part of the job.
Sanity checks with friends and respected folks in the industry do temper the scariness around zero days and exploits, Sean Nikkel, senior cyber intelligence fusion analyst at Bitdefender, said via email.
“I think we all have some post-traumatic stress from the last few years because of SolarWinds, any of the Exchange ProxyShell vulnerabilities, Kaseya and Log4j,” Nikkel said. “We’re all definitely thinking about it and talking about it.”
Panic less by trusting the process
While the waning days of a year might elevate apprehension for some, cybersecurity professionals know that worry doesn’t translate to better defense. This is where training and preparedness come into play.
“I’ve been on high alert since the fall, ready for the next big security incident fire drill and I know my peers have been as well,” Olson said. “But in incident response and threat intelligence, we are always ready for whatever comes at us.”
Nikkel likened this posture and mode of operation to a battlefield medic who will instinctively triage, diagnose, troubleshoot and solve a problem or figure out a workaround.
“When you see the pros not panicking, and see it reduced to a process we’ve done before, it becomes easier to work through the problem and get things back up,” Nikkel said. “The key is to panic internally, but still work through and trust the process.”
Stress management is a practice every cybersecurity professional must contend with, but “unfortunately the daily grind and constant pressure not to miss something can take a heavy toll on the individual and the organization if left unchecked,” Michael DeBolt, chief intelligence officer at Intel 471, said via email.
Major incidents will happen (eventually)
Important tasks and security controls that are otherwise trivial can be inadvertently missed during times of stress, DeBolt said. To reconcile this tension, cybersecurity professionals must accept that critical incidents happen.
“For those of us in the trenches every day, the eventual discovery of a large-scale event or serious widespread security issue is never far from our minds, regardless of the season,” DeBolt said.
Context helps as well. While SolarWinds and Log4j became serious issues as 2020 and 2021 came to a close, respectively, the initial attacks and exploitations related to those incidents started months earlier.
“It’s not always that the bad guys are launching major attacks now,” Olson said.
Threat actors may not always choose the timing, but they do know this is a time when they can gain the upper hand as support teams take time off to celebrate holidays.
“There’s definitely some darker humor around that only IT people can appreciate. We all know that the bad guys know that there’s a really good chance a lot of people are sending out-of-office replies through the end of the year,” Nikkel said. “There’s no better time to attack and expect success from a very delayed response.”
While the impact of SolarWinds and Log4j rose to astonishing levels of magnitude, every incident is significant and maintaining that mindset can help responders stay focused and calm, Scott Caveza, senior research manager at Tenable, said via email.
“Cybersecurity is always a rollercoaster,” Caveza said. “Vulnerabilities or major events can come to light at any moment.”