Infosec news cycles: How quickly do they fade?
Google Trends spikes, on average, lasted a few weeks for major infosec news events like SolarWinds, Log4Shell and the Colonial Pipeline ransomware attack.
Widespread critical vulnerabilities and major cyber attacks often fade from the public consciousness in a matter of weeks, even as the impact of these events lingers for months and years.
Since the end of 2020, numerous incidents and vulnerabilities reached beyond the realm of security professionals and into the mainstream: the SolarWinds supply-chain attack, widespread Microsoft Exchange Server vulnerabilities ProxyLogon and ProxyShell, the Colonial Pipeline ransomware attack and the Log4Shell vulnerability in Log4j, to name a few.
There are wide-reaching effects in these cases; tens of thousands of servers may have been left vulnerable, or a federal government may have been compromised. Yet no matter what the story is, the bulk of public attention given to an event often dies down within a few weeks.
Examples of this can be found on Google Trends, which tracks the interest in a Google search term over time. The Google Trends spike for the term "Log4j" lasted about a month. "SolarWinds" also lasted around a month before tapering off, as did "Colonial Pipeline."
Terms connected to the Microsoft Exchange Server vulnerabilities like "ProxyLogon" and "Exchange Server" had similar spikes, albeit with a slower fade back to pre-vulnerability interest levels -- potentially due to newer Exchange vulnerabilities being discovered in the months following ProxyLogon's disclosure last March.
Shortened news cycles could have negative effects for enterprises and their infosec teams. For example, Log4Shell received a significant amount of media attention -- thanks to the scope and severity of the flaw -- over the course of several weeks. A recent study by Immersive Labs found it took security teams an average of two days to fully address the Log4j vulnerability, compared to an overall average of 96 days for all other vulnerabilities.
Short cycles, long remediations
There are multiple possible reasons for this "short" public attention span. The first involves the nature of the modern news cycle -- something that extends far beyond infosec.
Newslifespan.com, a collaborative project between Google Trends, Axios and digital design firm Schema, tracked major news stories throughout 2018 in order to study how news enters and leaves the public consciousness. Big stories generally lasted for a week; some lasted a few weeks and some a few days, but the so-called "attention economy" appears to exist whether the news is about a server bug or a blood moon.
One commonality between the cybersecurity and non-cybersecurity news cycles is that both are heavily influenced by how new something is, Malwarebytes threat intelligence researcher Roberto Santos said.
"New things usually get more attention in any area, not just cybersecurity," Santos said. "During the first days of a vulnerability's active exploitation, everyone talks about, detects and responds to it, but after a while it becomes a normal security issue and fewer people talk about it."
That said, there are key differences between a big vulnerability and most one-off news events. For one, the story of a vulnerability never ends when it's disclosed -- it's often just the beginning. Thanks to reasons like imperfect patching rates, servers can be vulnerable to attacks in the months and years following an initial bug report, and threat actors regularly launch new campaigns against years-old vulnerabilities.
Guillermo Christensen, a partner with law firm Ice Miller who specializes in cybersecurity incidents, referred to this as a "lag effect."
"The full impact of [a major vulnerability] won't really be written for years to come," he said. "Which is to say, there are going to be things we're going to pick up on like breaches in two or three years that we won't know about until then, but the source will without a doubt be [the vulnerability]."
When a threat actor attacks a large organization via a vulnerability, the victim may not know it was attacked for another year thanks to dwell time. Incident response and disclosure further extend the timeline, by which point the breach would no longer be connected to any initial vulnerability news cycle -- hence, a lag effect.
This could be one reason why only a few major breach disclosures appear in the weeks following an event.
The small number of post-vulnerability breach disclosures could also be due to the fact that breaches or attacks against smaller companies rarely reach the public consciousness. Brian Martin, vice president of intelligence at Risk Based Security, said big companies dominate the news cycle not only because of their prominence, but also because of the expectations that go along with being a massive enterprise.
"The big names rise to the top because in our minds, whether it's reality or not, we say, 'Wow, they have a billion-dollar profit. They should have the resources to stop this, right?'" he said. "The reality is that there's a lot of technical debt, that the company has over 5 million endpoints, and that there are no security solutions that do everything at once. They're trying to juggle 87 different products and vendors to create this hybrid, weird, blended solution that still has huge gaps."
Santos stressed that a vulnerability's presence in the news cycle does not necessarily equate to that flaw's threat level.
"When a vulnerability has become normal, some companies think that it is not an issue anymore and they stop paying attention to it, but the truth is that it is still a big issue and can affect a lot of companies even if it stops hitting the news," he said. "On the other hand, a vulnerability not being in the news does not mean companies are not working on it."
Alexander Culafi is a writer, journalist and podcaster based in Boston.