The cybersecurity information necessary to protect enterprise networks, data and other assets most often comes from research conducted by cybersecurity investigators.
These investigative teams produce studies and reports that are widely distributed and are then used by in-house teams or third-party vendors to develop defensive strategies for new strains of malware or the latest phishing attack vector.
However, IT and security teams may be getting a distorted view of cyberthreats, according to research published in the Journal of Information Technology & Politics.
"Public and academic knowledge of cyber conflict relies heavily on data from commercial threat reporting," the paper said. "Commercial cybersecurity firms only focus on a subset of the universe of threats, and they only report publicly on a subset of the subset."
What's not reported ends up creating greater risks for those who can't afford premium services, and, because companies are so interconnected through third parties, risks to companies with smaller budgets get passed along through the supply chain. Information not shared among the greater community hurts everyone.
What are organizations missing in their cybersecurity coverage?
When organizations rely only on public threat reports, they only get a partial slice of the real activity, according to Dr. Lennart Maschmeyer, senior researcher with ETH Zurich, Center for Security Studies, and the paper's lead researcher.
"In other words," Maschmeyer said in an email interview, "you get reporting on the 'coolest' and most unique intrusion sets hitting the most high-profile targets."
Vendors and cybersecurity researchers tend to prioritize their findings based on three key criteria: unique tactics, techniques and procedures (TTPs), a high-profile threat actor, and/or a high-profile victim.
"The flipside is that activity that scores lower across these criteria tends to be neglected in public reporting. We do not know how much is missing because there is no alternative, more 'objective' dataset out there to compare it to," said Maschmeyer.
While all types of companies are at greater risk when only part of the story is being reported, it is SMBs who suffer most, as they are less likely to get the threat reporting most relevant to their business.
And unfortunately, because of the way the data is currently presented, there is no way to know what vital information might be missing, and that could be the difference between avoiding a potential threat and becoming a victim.
Because both the sources of data and processes involved in threat intel reporting remain hidden to the public, there is currently no way to determine what types of information are available but not being disclosed to the public, said Maschmeyer.
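To make the selection effect described above concrete, here is a small toy model, added here as an illustration and not drawn from the paper or from any vendor's data. It assumes a constructed ground-truth population of intrusions in which mundane activity against SMBs dominates, and models a vendor's publication decision as "publish if any one of the three criteria (TTP novelty, actor profile, victim profile) is striking." Comparing the reported subset against the full population shows how base rates estimated from public reports alone drift away from the truth; the scoring rule, threshold and all records are assumptions.

```python
"""Toy model of selection bias in public threat reporting.

Constructed example: the population, the scores and the publication
rule are all assumptions made for illustration, not real data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Intrusion:
    ttp: str              # technique family (constructed labels)
    victim: str           # "smb" or "enterprise"
    ttp_novelty: float    # 0..1, how unusual the tradecraft is
    actor_profile: float  # 0..1, how prominent the attributed actor is
    victim_profile: float  # 0..1, how newsworthy the victim is


# Constructed ground truth: what a hypothetical "objective" dataset would
# contain. Most activity is low-profile and hits SMBs.
GROUND_TRUTH = [
    Intrusion("phishing", "smb", 0.1, 0.2, 0.1),
    Intrusion("phishing", "smb", 0.1, 0.1, 0.1),
    Intrusion("phishing", "smb", 0.2, 0.1, 0.1),
    Intrusion("credential_stuffing", "smb", 0.1, 0.1, 0.1),
    Intrusion("credential_stuffing", "smb", 0.1, 0.2, 0.2),
    Intrusion("commodity_ransomware", "smb", 0.2, 0.3, 0.1),
    Intrusion("commodity_ransomware", "smb", 0.2, 0.3, 0.2),
    Intrusion("phishing", "enterprise", 0.1, 0.2, 0.5),
    Intrusion("commodity_ransomware", "enterprise", 0.3, 0.4, 0.7),
    Intrusion("custom_implant", "enterprise", 0.9, 0.9, 0.9),
    Intrusion("supply_chain", "enterprise", 0.8, 0.7, 0.9),
    Intrusion("custom_implant", "smb", 0.9, 0.8, 0.1),
]


def newsworthiness(i: Intrusion) -> float:
    """A report gets written if ANY criterion is striking, so the score is
    the maximum of the three rather than their average (assumption)."""
    return max(i.ttp_novelty, i.actor_profile, i.victim_profile)


def publicly_reported(population, threshold: float = 0.6):
    """Subset of the population that clears the (assumed) publication bar."""
    return [i for i in population if newsworthiness(i) >= threshold]


def ttp_share(population) -> dict:
    """Fraction of intrusions per TTP family, rounded to two decimals."""
    counts = Counter(i.ttp for i in population)
    total = sum(counts.values())
    return {k: round(v / total, 2) for k, v in counts.items()}


def smb_share(population) -> float:
    """Fraction of intrusions whose victim is an SMB; 0.0 for an empty set
    (e.g. a threshold so high that nothing gets reported)."""
    if not population:
        return 0.0
    return round(sum(1 for i in population if i.victim == "smb") / len(population), 2)


def unreported_ttps(population, threshold: float = 0.6) -> list:
    """TTP families present in ground truth but absent from public reports."""
    seen_in_reports = {i.ttp for i in publicly_reported(population, threshold)}
    return sorted({i.ttp for i in population} - seen_in_reports)


def reporting_gap(population, threshold: float = 0.6) -> dict:
    """Compare base rates in the full population with those a reader of
    public reports would infer."""
    reported = publicly_reported(population, threshold)
    return {
        "reported_fraction": round(len(reported) / len(population), 2),
        "smb_share_truth": smb_share(population),
        "smb_share_reported": smb_share(reported),
        "ttp_share_truth": ttp_share(population),
        "ttp_share_reported": ttp_share(reported),
        "missing_from_reports": unreported_ttps(population, threshold),
    }


if __name__ == "__main__":
    for key, value in reporting_gap(GROUND_TRUTH).items():
        print(f"{key}: {value}")
```

In this constructed population two thirds of intrusions hit SMBs and phishing is the single most common technique, yet the reported subset is three-quarters enterprise victims and contains no phishing or credential stuffing at all. Nothing in the reported slice reveals that gap, which is the paper's point: without an independent dataset, a reader cannot tell how much is missing.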
The disconnect between what's reported and what isn't
Cyberthreat research is expensive, as is the work to create a report for public consumption. Cybersecurity vendors who produce these reports often see them more as a marketing tool than as a public service.
"A good report boosts the firm's reputation and helps bring sales leads," said Lenny Zeltser, CSO with Axonius. "For this reason, reporting is often related to the firm's brand and focused to appeal to the type of customer the company wants to reach."
Reports also offer an opportunity for vendors to differentiate themselves from the rest of the crowd. After all, when there are dozens of companies that offer the same services, and so many public reports on similar topics, there needs to be something that makes one stand out above the rest.
"This is why many security reports focus on high-profile topics such as state-sponsored attacks; discussing mundane aspects of security (e.g., cyber hygiene) probably doesn't attract as much attention," said Zeltser.
Don't expect that to change. Businesses are going to focus their research and publications on areas that advance their corporate interests. Sometimes that means concentrating on the company's core mission and covering the area where it has direct expertise.
"If we, as a society, believe this is insufficient, we should look to government organizations, sponsored by taxpayer funds, to fill in the gap," said Zeltser.
Organizations must remain aware of the limitations of public threat reporting as a data source when prioritizing cybersecurity spending and efforts.
"Public reporting is a great and rich source of information on threats, but the selection biases we have identified also indicate a significant chunk of activity that may threaten your organization is missing from these reports," Maschmeyer said.
Mitigating the more common TTPs of known threat actors and increasing employee awareness of common threats should go a long way toward reducing overall risk.
Correction: This article has been updated to correct the spelling of Lenny Zeltser, CSO with Axonius.