Blog

Alert Fatigue – Risks and Measures

Alert fatigue refers to the phenomenon of cyber analysts being overloaded by the high number of alerts issued by security tools. This can lead to analysts overlooking or even ignoring alerts that indicate real attacks in the flood of false positives. This puts the security of the company in question at risk. Find out what the exact risks are and what measures you can take against them here.

What Is Alert Fatigue?

To detect cyberattacks, companies use security tools such as firewalls or antivirus programs that generate notifications about potential security events. If these notifications are not configured properly, hundreds of alerts may be issued in a short period of time. Cyberanalysts are thus confronted with a flood of alerts that often turn out to be false positives (or false alarms). However, if such an alert is indicative of a real emergency, it may be lost in the multitude of notifications. This could cause cyberanalysts to overlook or even ignore critical alerts and consequently fail to act on them, putting the organization’s security at risk. This phenomenon is referred to as “alert fatigue” [1]. The consequence is a longer response time to incidents, which also makes it easier for attackers.

What Are the Risks of Alert Fatigue?

The biggest risk of alert fatigue is that successful attacks will not be detected due to missed or ignored alerts. For example, the Oneconsult International Computer Security Incident Response Team (OCINT-CSIRT), when helping companies to deal with incidents, regularly finds that, among other things, heeding antivirus alerts could have prevented the attack, as mentioned in a blog post in the “DFIR, simple” series (in German). A successful attack can have far-reaching consequences, such as the destruction of systems, high ransom demands, or damage to the company’s image.

Since attackers use various more or less advanced techniques to compromise their targets, security systems should be able to detect the early signs of an attack to prevent security incidents. To do this, security tools such as a SIEM (Security Information and Event Management System) are used to collect, manage and correlate data from various sources to report suspicious activity. This generates numerous alerts on a daily basis. Given the variety of attack vectors used by attackers, basically any unusual behavior can indicate an incident. Cyberanalysts must therefore verify that it is a real attack. The problem is that many of these alerts are false positives, which makes identifying a true positive relatively complicated. There is therefore a high risk that important alerts will be overlooked or even ignored in a real attack, which significantly increases response time and allows attackers to continue to infiltrate the network undetected.

Another risk of alert fatigue is overload. Constant alerts and their seemingly endless sorting cause cyberanalysts to become overwhelmed and stressed. In addition, they are afraid of overlooking incidents. This can also affect their personal lives, for example through poor work-life balance or sleep disturbances, and also reduce their productivity.

What Can Be Done About Alert Fatigue?

The following measures are recommended to prevent or at least reduce alert fatigue:

  • Avoiding redundant alerts so that an alert is not issued multiple times for the same event. Alerts can be consolidated, e.g., by merging the results of the security tools on a single platform to unify the configurations and origins of the alerts.
  • Adjusting thresholds to prevent security systems from generating excessive alarms, thus also reducing the number of false alarms.
  • Improving the precision of alerts to minimize the time required for assessment by adding context and details such as the exact origin of the problem.
  • Using different alert levels to distinguish between important and unimportant alerts to prioritize and quickly identify when immediate action is needed.
  • Developing use cases that define alerts and their thresholds.
  • Creating checklists or playbooks that correspond to the different alerts and describe the next necessary steps.

Summary

Alert fatigue can lead to serious consequences, such as system destruction or high ransom demands, if it causes an attack attempt to go undetected and ultimately succeed. However, if you implement the measures described, the risk of such an incident can be significantly reduced.

If you need advice or assistance in assessing alerts and reducing alert fatigue, we are happy to help. Contact us without any obligation.

In our “Oneconsult Glossary” you will find, in addition to Alert Fatigue, other technical terms: Glossary

Author

Nadia Meichtry studied forensic science at the University of Lausanne and graduated with a master’s degree in digital forensics in summer 2020. During her studies, she completed an internship in the forensic team of the Cantonal Police of Vaud. She wrote her master thesis while doing a 4-month internship in a cybersecurity company in Vienna. In her master thesis she analyzed the firmware of IoT devices. In the first part of her thesis she worked on the vulnerability assessment of several versions of the same firmware by using different vulnerability scanners. In the second part she addressed the forensic analysis of compromised IoT devices. She is certified GIAC Certified Forensic Analyst (GCFA), GIAC Reverse Engineering Malware (GREM), a certified OSSTMM Professional Security Tester (OPST) and has been employed since August 2020 as Digital Forensics & Incident Response Specialist at Oneconsult.

Published on: 02.02.2022

Teilen

Don’t miss anything! Subscribe to our free newsletter.

Your security is our top priority – our specialists provide you with professional support.

Availability Monday to Friday 8:00 a.m. – 12:00 p.m. and 1:00 p.m. – 5:00 p.m (exception: customers with SLA – please call the 24/7 IRFA emergency number).

Private individuals please contact your trusted IT service provider or the local police station.

For more information about our DFIR services here:

qr_code_emergency_2022
Add CSIRT to contacts