
A whole new alert fatigue plagues the infosec community

A U.S. Cyber Command member works in the Integrated Cyber Center, Joint Operations Center at Fort George G. Meade, Md.

A conversation during one of our weekly editorial meetings recently went something like this:

Senior Reporter Derek Johnson: There’s another CISA alert.

Me: Are we covering it?

Derek: I can’t figure out which matter all that much anymore.

I'm paraphrasing, but Derek's point was clear, and he elaborated on it one day later via Twitter: “The sheer volume of cybersecurity alerts that have come out of U.S. and western governments in the past six months has been head spinning. Some have detailed previously unrevealed campaigns or malware. Others have felt more like recycled best practices or general cyber PSAs.”

(That was in response to a tweet from Ian Thornton-Trump CD, chief information security officer at Cyjax Limited, who called a recent alert “recycled crap that has been in circulation since someone invented a cyber security framework.”)

I share this less to criticize the quality of particular government alerts as much as to question the value of the onslaught, particularly as the infosec community struggles more than ever to weed out tangible threat from geopolitics. Individuals are indeed seeking guidance; but some tell me that what they receive in return feels counterproductive.

Now, as we prepare to unite in person at the RSA Conference, I wonder how organizers and presenters wrestled with this challenge while finalizing the agenda. Consider that the Russia-Ukraine conflict, the source of many of the recent government alerts, kicked off after the call for papers closed. It wasn't a consideration when planning began. Now it is. But which aspects could impact cyber professionals’ day to day? What do they really need to know? As a trade brand we struggle with this ourselves: identifying what in the never-ending flow of cyber news and events bears relevance to how cyber professionals do their jobs.

Some RSA speakers stepped up to answer those questions with their own sessions. Niloofar Razi Howe of Energy Impact Partners, for example, will speak about cyber’s impact on modern conflict and the implications the Russia-Ukraine war will have on future conflicts in the region; one could figure that she will touch on the potential threats tied to critical infrastructure during cyberwar, and the potential for threats to extend beyond conflict borders. That's valuable. And sponsor sessions from SentinelOne and Forescout will respectively look at the use of wiper malware in Ukraine, and at how threat intel can be used to hunt Russian and other nation-state actors. They’re taking tactics that emerged in the conflict and explaining how any organization might protect themselves from comparable threats – clearly connecting the dots from cyber used in military operations on the other side of the world to cyber used in the enterprise. Again, valuable.

But can we say that about the alerts? Some have indeed pointed to specific malware distribution. Like SentinelOne’s session, that is tangibly useful. Others pointed to the targeting of critical infrastructure. Those are sometimes useful – specific enough to offer guidance – and sometimes less so – vague and obvious. And then there are alerts like the one mocked by Ian Thornton-Trump CD, “Weak Security Controls and Practices Routinely Exploited for Initial Access,” that, to borrow from Derek, read more like dated public service announcements. Useful to some, but perhaps misplaced as an "alert."

What’s the harm? At the very least, distraction. A security administrator for a defense contractor told me recently that this is a whole new type of alert fatigue – bombardment with messaging about potential risk, which may or may not directly impact how teams manage their own systems and networks. Should they divert resources? Do they shift strategies? Could they realistically be a target? Didn't they address these risks already, or are they misremembering? The most sophisticated may know to dismiss those which, practically speaking, are little more than noise, but some could find themselves taking their eye off the ball, questioning themselves, wasting time.

Of course this is at least in part a product of the times. Vulnerabilities tied to the pandemic, threats emerging as a result of military conflicts and a general rise in cybercrime leave all security teams juggling priorities and making judgement calls. They also bring a lot of media attention, which in turn catches the eye of executive and board leadership and spurs questions. The onslaught of alerts may be more of a reality check that in and of itself serves a purpose.

But it also could backfire. Too many alerts will simply lead to at least some of them being ignored entirely.

Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She has 20 years of experience editing and reporting on technology, business and policy.
