Optimizing Monitoring Services For Intelligence Teams
How do you make sure you are choosing the right solutions for your organization?
RFI services that answer client-specific questions are critical to the success of intelligence and security teams. Just as critical is the need for robust intelligence monitoring solutions. The market offers a wide range of monitoring to address security concerns and threats, including cyber, physical, reputational, fraud, and abuse. The solutions offer open source, dark web, social media, and external attack surface monitoring options. Understanding your own needs and priorities is critical to choosing the services that best secure your organization and minimize your risk.
In addition to evaluating the core capabilities and range of intelligence monitoring, organizations must consider data source integrity, and perhaps most importantly, the level of expert analysis included with each service. Security and risk teams are bombarded by information on a daily basis, by focusing on real intelligence that has been properly analyzed by experts, you can cut through the noise, optimize scarce resources, and focus your efforts on taking action and remediating attacks.
How do you make sure you are choosing the right solutions for your organization? The following considerations are a good place to start.
Establish an External Data Acquisition Strategy
An intelligence program consumes external data to solve problems and address prioritized intelligence requirements. Prioritization should be based on organization-specific and relevant threat models. Within security teams, most organizations use external data to address the following types of business risks:
• Cyber Threats
• Fraud and/or Platform Threats
• Physical Security
• Third Parties, Suppliers, and Subsidiaries
Regardless of the monitoring program, research and experience shows that successful management of these risks requires synthesis of four categories of information.
• Business: Information about U.S. and foreign corporations.
• Network and Telephony: External telemetry such as PDNS, malware samples (Virus Total),open web, domains, netflow, mobile data, and false positive aggregator (events not worth an analyst’s attention).
• Persons & Groups: Data solutions providers specializing in custom, scalable investigative and risk management tools for due diligence, threat assessment, identity verification, fraud prevention and debt recovery.
• Web & Social: Social media, dark web, news media, and foreign media.
These data categories are relevant across all risk types and against all threat actor types. As an organization grows and more threats emerge, the ability to monitor and analyze all of these data sources will be critical to ensuring proper security. Even the most mature organizations will be challenged by this process and if attempting to build your own program, a phased-approach will likely be required.
Don’t forget, in addition to the costs of licensing and procuring data, organizations must pay to store and exploit the data. Costs that must be included in your calculations include Infrastructure (Data storage, databases, and data pipelines) and Analytical Productivity (Aggregation tools, social network analysis, and mind maps).
Identify OSINT, Dark Web, and Social Media Requirements
Choosing open source/dark web/and social media feeds can be cumbersome as no platform has complete coverage (credit card sales, threat to executives, negative sentiment on brand reputation, discussions of zero day exploits, closed forums in social media, etc). Many feeds specialize in one or more types of open source research including typo-squatting domains, actors selling access to networks, credential dumps from breaches, and collection of open source repositories like GitHub. But none cover them all.
It is critical that you evaluate any collection gaps based on your business requirement. You must consider both coverage and the ability to alert on various key words and terms. Businesses must also ensure the ability to report if an account or user generated content (including breach dumps) is removed by a site administrator or the user themselves. Coupled with data engineering for search optimization and differentiated analysis, being able to flag, retrieve, and store these types of alerts is often critical to deriving proper context.
Expand to External Attack Surface Monitoring and Management
External Attack Surface Management is more than discovering a list of IPs or websites. It is the understanding of how a business’ internet-exposed assets link to your business.
As networks grow in complexity, expanding beyond the perimeter into the cloud and into employees homes becomes increasingly difficult for resource-constrained security teams tasked with maintaining awareness of their digital footprint. This creates opportunities for malicious actors to gain access to networks, personnel, corporate intellectual property, with the goal of deploying ransomware, and exfiltrating data.
As change occurs, organizations must evolve beyond basic vulnerability management and be able to dynamically map an organization’s expanding cloud and network presence. A solution’s ability to analyze external (and internal) traffic flows to identify services or devices accessed (or attempted to access) by malicious actors is helpful in prioritizing remediation.
When done right, external attack surface monitoring services combine the most critical elements of asset discovery, shadow IT, malicious/anomalous traffic detection (global netflow), and threat actor infrastructure mapping into a single finished contextual analysis, providing stakeholders with a real view of business risk.
Intelligence analysis can be a time-consuming and costly process. A well-prepared organization may evaluate dozens of data vendors a year depending on business requirements. Open source, dark web, social media and external attack surface monitoring are critical aspects of an intelligence program and are necessary to alert on wide-ranging events including ransomware attacks, threats to executives, breaches and attempted or ongoing fraud. While many programs spend money to procure feeds, unless they also focus on analysis, it is unlikely they will achieve the finished intelligence necessary to properly identify and reduce risk to their business.