The Many Faces of Threat Intelligence Part 1: Identifying the Problems
Threat intelligence data has become increasingly crucial to effective enterprise security practices. Threat intelligence solutions gather raw data and indicators about existing and emerging threats and threat actors. This data is then analyzed to inform and prepare organizations for cybersecurity risks such as zero-day risks, threat actor attacks, advanced persistent threats, and the exploitation of known vulnerabilities. Many organizations view threat intelligence exclusively in this context, as part of the solution to cybersecurity concerns. This view is far too narrow.
In reality, threat intelligence and open-source intelligence can inform and impact a wide range of business problems and risks. These concerns span organizations from IT to cybersecurity, to physical security, to trust and safety, to marketing, and beyond. Threat intelligence can play a role in all of them.
Let’s start by looking at the different business problems and risks faced by enterprises. Obviously, these problems and their importance will vary based upon industry, organizational size, and go-to-market strategies. The simplest way to begin this exploration is to look at the different intelligence domains and associated risks. Intelligence solutions for enterprise security teams typically break down into the following categories:
● Cyber Threat Intelligence
● Reputation Intelligence
● Fraud Intelligence
● Platform Intelligence
● Protective Intelligence
● Third-Party Intelligence
Cyber Threat Intelligence
The domain that everybody thinks of first is Cyber Threat Intelligence, the domain of cybersecurity teams. Here, threats to the confidentiality, integrity, and availability of data, systems, and networks are well understood. Identifying digital threats outside the firewall, unmasking insiders within networks, and hunting for threats on the dark web are well-established services.
Frequent use cases include:
● Vulnerabilities and exposure outside the perimeter
● Human behaviors of insider threats
● Data leakage
● Identifying unknown assets with attack surface monitoring
● External threat hunting
● Open-source intelligence (OSINT) research on the open and deep web
Reputation Intelligence
Reputation intelligence is not exclusively concerned with “the brand.” CMOs and their teams care about brand awareness and user sentiment toward products or services, with an eye to how that information affects go-to-market or product management strategy. Reputation intelligence goes beyond sentiment analysis and looks at threats to the brand that could indicate a coordinated effort by adversaries, insiders, or competitors. Simple keyword searches for negative sentiment across the internet will not achieve this objective; they produce excessive, often irrelevant findings and noise.
Examples of use cases of concern to enterprises include:
● Disgruntled employees
● Short-and-distort schemes
● Domain and application spoofing
Fraud Intelligence
Fraud intelligence is a major concern to practitioners at online platform companies where people interact, including e-commerce, marketplace, gig economy, and social media companies. In these environments, fraudsters routinely exploit corporate environments, services, and systems for monetary gain.
Use cases include:
● Account takeover
● Identity theft
● Purchase operations
● Corporate process loophole exploitation
● Disjointed technology stack exploitation
● Illicit money purchases
● E-commerce exploitation
● Organized retail crime rings
Gift card and rewards card fraud, chargeback scams, and fake customer support scams are classic examples of this kind of fraud.
Platform Intelligence
Closely related to fraud intelligence, and also of concern to trust and safety teams, is platform intelligence. It addresses adversaries that abuse platforms and negatively affect the consumer experience and trust in the brand.
Common use cases include:
● Misuse or abuse of credentials
● Counterfeiting APIs
● API manipulation via scripts and bots
● Population manipulation via misrepresentative content syndication
● Gaming the ratings
● Fraudulent department operations
Protective Intelligence
Protective intelligence addresses concerns that have existed for centuries: physical threats against a business, its people, and its facilities. These range from death threats against a CEO, to the promotion of a protest at a company event, to a bomb threat against a company’s headquarters. Protective intelligence can be used to identify, assess, and mitigate these threats. While coordinated with IT and cybersecurity teams, these use cases are generally the domain of traditional physical security teams.
Third-Party Intelligence
Third-party intelligence typically falls into two categories:
1) The evaluation of supply chain risk relative to key vendors and partners and
2) Investment due diligence on potential acquisition targets.
The coverage and impact of the recent SolarWinds and Log4j incidents have elevated the importance of third-party intelligence in the technology supply chain. At the same time, due diligence investigations are becoming more important because of record levels of merger and acquisition activity. The stakeholders may be very different: in one case it is the investment manager, in the other the compliance manager. The key to both is using open-source intelligence to begin the process earlier and to expand coverage beyond cyber hygiene and compliance to include the evaluation of key individuals and the non-traditional business risks they expose.
The Common Thread
While all of these use cases, stakeholders, and intelligence domains may initially appear vastly different and unconnected, they are not. Regardless of the type of risk and the adversary you encounter, there are common approaches that will allow enterprises to identify and mitigate those risks. Actionable intelligence must correlate a vast amount of data, connect threat actors to their motivations and the associated risks, and identify attack processes. The key to achieving positive outcomes rests in a combination of OSINT, technical signature analysis, and threat actor engagement. In my next column, I will discuss a best practices approach to achieving those desired outcomes by adding multi-domain cyber and open-source intelligence to your security and threat intelligence program.