Internet Security Threat Monitoring: A Cyber-Security-Like Approach to Human Threats


This article was written by iThreat SVP of Strategy, Joe Farino, and was featured in New Jersey Banker Magazine 2021 Issue 3.  If you would like to learn more about the NJ Bankers Association, please visit their website: https://njbankers.com/.

Background

The Colonial Pipeline ransomware attack.  Yet another LinkedIn user data breach.  The Kaseya supply-chain attack.  State-sponsored cyber espionage and hacking like the recent widespread Microsoft Exchange compromises.  Incessant and costly vendor and business email compromise (VEC & BEC) phishing scams.  Recent high-profile cyber security incidents such as these continue to drive increasingly wide awareness of cyber-security issues.

Endless demand for prevention and mitigation solutions has driven staggering investment and rapid maturation in the $176.6 Billion USD cyber-security industry to meet the increasing cyber security demand and associated budgets.  Cyber security tools and services do a great job of detecting and mitigating anomalous network traffic, unauthorized computing system and network configuration changes and access, data exfiltration, and unpatched systems, as well as vulnerability scanning and even educating workers about cyber security and associated best practices.

Modern Security Intelligence Programs Should Emulate Cyber-Security Program Maturation

Organizations are allocating resources to address cyber security concerns, but many fail to implement a comprehensive security threat detection program.  Physical Security, Global Intelligence, General Counsel, Risk Management, and Brand Protection professionals continue to struggle with detecting and mitigating consequential dialogue and text individuals are posting online that represent real and implied threats to their organizations. 

World Trademark Review estimates brand infringement costs organizations $320B annually.  IBM’s 2020 Cost of Insider Threats report estimates insider threats alone cost organizations $11.4M.  Yet these teams’ budgets typically pale in comparison to their cyber security counterparts.  Consequently, there are far fewer vendors and solutions helping detect, investigate, and remediate more human threats such as information leaks, threats directed at key staff, extremist or activist threats of disruption, embargo agreement violations, counterfeiting, intellectual property infringement, insider threats, and other security concerns that often lead to disastrous consequences.

Legacy Approaches to Security Threat Monitoring

Many organizations realize they must stay ahead of these human security threat concerns but still employ a legacy approach in their attempt to detect security threat signals.  A legacy approach typically includes:

  • Google and other search engine alerts for company name, executive names, product and service names, facility names and addresses, company phone numbers, etc.
  • Browser-bookmarked social media searches for the above identifiers and for mentions of company, key personnel, and promotional social media account names.
  • Closely monitoring customer feedback email accounts (help@, info@, inquiries@, etc.) for negative feedback and threats.

Legacy approaches to security threat detection are better than not having any approach to such an important endeavor.  However, legacy solutions are usually woefully inadequate and fail to detect important threats. 

Problems with Legacy Approaches to Security Threat Monitoring

Key problems with a legacy approach include:

  • Analysts find almost all alerts they receive to be false positive or irrelevant, making it very hard to find important signals amid the flood of noise. Most mentions of company identifiers tend to be made in an unimportant context.  Analysts face alert fatigue and fail to notice important threat signals amid the sea of false positives and inconsequential mentions.
  • The indexed web is estimated to be substantially less than 10% of the data on the Internet. Deepweb (unindexed) and Darkweb (accessible only with special software such as the Tor browser) make up the remainder of Internet data, and signals found there are either missed by legacy approaches or are not indexed and found until far too late.  With so much online activity happening on Deepweb source sites, most important signals will be missed.
  • When analysts do uncover an important finding, it is often unclear to whom they should distribute it, so they fail to include all appropriate stakeholders at the outset, and it becomes even more difficult to ensure related updates and mitigation actions reach all the parties required to effectively mitigate the threat. Furthermore, threads become difficult to track amid inboxes full of important unrelated matters.
  • While most analysts are capable of reviewing posts to determine if they represent a security threat, they often lack the time, investigative skills, and/or investigative tools needed to unmask the parties responsible for the threats who are often hiding behind obfuscation practices and technologies, “anonymous” aliases, and throwaway email accounts.

Elements of Modern Security Threat Monitoring Programs

Organizations implementing a modern and more comprehensive security threat monitoring program should ensure the program and the solutions they employ include:

  • The ability to leverage and continually refine complex detection rules. Just as importantly, if not more so, they will need the ability to leverage and continually refine false positive negation rules to help filter the sea of noise to a manageable number of items for analyst review.  Time for continual rule refinement should be included in the scope of the program.  This will be imperative in avoiding analyst fatigue to help ensure important threat signals are not missed.  Rules need to be updated as the organization’s key assets and offerings change. Rules should be updated as the ways in which the world discusses the organization and its assets change.  Rules may need to be updated as the organization adds operations in new regions or ceases operations in a region.
  • The ability to apply detection and negation rules to Deepweb and Darkweb data. As the indexed Internet represents substantially less than 10% of the data on the Internet, failure to integrate services and providers that provide access to data from these worlds will undoubtedly lead to missed signals and failure to detect signals until it is too late.  There are several great data providers that collect and index important Deepweb and Darkweb data and make it available to their customers for search.
  • Response planning in advance of security incidents to ensure when a threat is detected, analysts know in advance who should be advised of the threat, how to ensure the recipients have received their initial findings reporting, and how to ensure the key stakeholders remain in the loop through the response and mitigation process. A solution that saves distribution settings for each threat type and category and provides distribution automations for the analyst will save valuable time and help ensure the value of advance planning.
  • In-house or external open-source intelligence (OSINT) analysts and investigators with the requisite investigative skills, tools, and experience needed to unmask the parties responsible for detected threats who are often hiding behind obfuscation practices and technologies, “anonymous” aliases, and throwaway email accounts.

Ensuring these key elements of a modern and more comprehensive security threat monitoring program are in place is imperative for organizations seeking to avoid the costly repercussions of unmitigated security threats.
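
The detection rules, false positive negation rules, and saved distribution settings described in the list above, sketched as an added example (not code from iThreat or from the original article). The organization name, patterns, role names, and sample posts are all constructed for illustration, and collecting posts from Deepweb or Darkweb data providers is assumed to happen upstream.

```python
import re
from dataclasses import dataclass

def rx(pattern):
    return re.compile(pattern, re.IGNORECASE)

@dataclass(frozen=True)
class DetectionRule:
    category: str           # threat type; also the routing key
    identifier: re.Pattern  # which asset or person is mentioned
    context: re.Pattern     # wording that makes the mention matter

ORG = r"example\s+bank"  # constructed identifier, not a real organization

DETECTION_RULES = [
    DetectionRule("info_leak", rx(ORG),
                  rx(r"\b(leak(ed)?|dump|internal (docs?|list)|for sale)\b")),
    DetectionRule("staff_threat", rx(ORG + r".{0,40}\b(ceo|teller|manager)\b"),
                  rx(r"\b(will pay for|knows? where .{0,20} lives?)\b")),
]
# False positive negation rules: contexts where a detection hit is known noise.
NEGATION_RULES = [rx(r"\b(movie|tv series|novel)\b"),
                  rx(r"\b(now hiring|job opening)\b")]
# Saved distribution settings per threat category (constructed role names).
ROUTING = {"info_leak": ["general_counsel", "risk_management"],
           "staff_threat": ["physical_security"]}

SAMPLE_POSTS = [  # constructed; "source" marks where a provider collected it
    {"id": 1, "source": "darkweb",
     "text": "Selling internal list of Example Bank customers, dump for sale"},
    {"id": 2, "source": "deepweb",
     "text": "The Example Bank branch manager will pay for closing my account"},
    {"id": 3, "source": "indexed",
     "text": "Example Bank sponsors the local 5k run this weekend"},
    {"id": 4, "source": "indexed",
     "text": "New heist movie: Example Bank vault data gets leaked online"},
]

def triage(posts):
    """Return (alerts for analyst review, ids suppressed by negation rules)."""
    alerts, suppressed = [], []
    for post in posts:
        text = post["text"]
        hits = [r.category for r in DETECTION_RULES
                if r.identifier.search(text) and r.context.search(text)]
        if hits and any(n.search(text) for n in NEGATION_RULES):
            suppressed.append(post["id"])  # keep the id so rules can be audited
            continue
        alerts += [{"id": post["id"], "category": c, "source": post["source"],
                    "notify": ROUTING[c]} for c in hits]
    return alerts, suppressed
```

Recording suppressed ids rather than discarding them gives the rule-refinement time called for above something to review: a negation rule that starts hiding real signals shows up in that list.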

iThreat SignalAlert Security Threat Monitoring & Investigations Programs

Would you like to make sure you are aware of insider and other threats facing your organization? Need to figure out who is behind the aliases, groups, websites, and communities targeting your executives, key staff, intellectual property, sensitive information, facilities, business reputation, brands, and business continuity? SignalAlert Monitoring and Investigations Programs help our clients address these problems and more.  Please click the link to learn more and fill out the contact form and iThreat will contact you to learn more about your organization’s challenges and concerns and discuss how iThreat SignalAlert programs and services may be of assistance.
