All SOC teams face cognitive overload from time to time. Danika Nilson, cyber threat hunter at Forescout Frontline, faced it during a week-long red team/blue team 'defend the castle' exercise (i.e. protect your network). In an article recounting the experience, she describes how the exercise eventually became so repetitive that one of the senior staff realized he had been blindly monitoring his own system instead of the opponent's network.
This was an eye-opening moment for Nilson, as she realized how the overwhelming demands of her job sometimes led to her forgetting to 'monitor herself'. She writes, "Unlike computers, we cannot add more RAM or plug in an external hard drive to our brains." Threat hunters like Nilson often have to parse thousands of network events. Doing this day after day adds up and results in cognitive overload, which can lead to loss of focus, self-doubt, and imposter syndrome. That is not a healthy state of mind for anybody, let alone a SOC analyst whose job is to notice what others miss.
Cognitive overload is therefore a serious security risk in its own right. Overwhelmed brains do not make good defenders. Threat hunters actively dedicate themselves to finding hidden threats in the organization's network, and if they are not in a focused and healthy state of mind, malicious activity that should have been caught can go undetected.
Let's take the example of BlackMatter, a ransomware-as-a-service (RaaS) operation that targets individual victims in order to obtain their corporate credentials. BlackMatter has offered to pay up to $100,000 for stolen credentials and insider access, specifically seeking out organizations that have not implemented authentication controls like MFA. Some attacks follow extensive research into individual victims and even use ransomware payloads tailored to what the attackers have learned.
Now suppose one of the targeted organization's employees, whether out of malice or a desperate need for quick money, notices that a threat hunter is struggling to focus because of excessive workload. The employee writes up these observations and sells the intel online. Eventually a BlackMatter affiliate buys it, breaks into one of the devices that has slipped under the overloaded threat hunter's radar, and escalates privileges to reach other systems. Voila, an attacker has compromised the network.
The variations on this scenario are endless, and organizations must take the necessary precautions to reduce the exposure that cognitive overload creates.
Here are some measures organizations can take to address cognitive overload in their cybersecurity teams:
To learn more about how a robust SIEM solution like Log360 can help you eliminate vulnerabilities caused by cognitive overload and lead to happier, more efficient SOC teams, sign up for a free, personalized demo with a product expert.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.