In the previous article on Cyber Threat Intelligence (CTI) analysts, we covered what a CTI analyst is and discussed how they can bridge the gaps between IT, security, and the rest of the business. We touched on how this is beneficial to the maturity of any organisation, but what exactly did we mean by this?
In this second article of our CTI analyst series, we will outline the unique benefits that a CTI analyst brings to any organisation by enhancing the following areas:
- Strategy and planning of IT and security by taking a holistic view;
- Intelligence on the cybersecurity landscape and industry trends;
- Collaboration with the recognised bodies and regulations.
Enhancing the strategy and planning of the business – OSINT
Have you ever prepared for a meeting with a new contact by visiting LinkedIn and checking out their profile? If not, it might be beneficial to take a few moments to do so. You may find some common connections. Using public social media sites to identify someone is an example of what is commonly referred to as open-source intelligence (OSINT).
What is OSINT?
In essence, OSINT entails looking at publicly available data. This may be government records, such as Companies House in the UK, or social media posts on Facebook and Twitter. It can include using search engines to look for articles and pictures relating to your target, or searching historic records, such as the Wayback Machine, and ancestral information sites for family connections.
OSINT is a powerful tool. Not only does it identify the image that a target wishes to present to the world; it can also reveal much about the target’s carefully selected interests, ‘likes’ and publicly posted updates. OSINT will reveal information and habits that might not otherwise be picked up, because of the way in which it is reviewed, and by whom. In many situations, OSINT specialists can identify malicious actors and discover relationships, information which can be used to enhance a family’s privacy and security plan.
How do businesses use OSINT?
Interestingly, many organisations’ use of OSINT has been neither formalised nor widely adopted. It often appears that various public postings that could be detrimental or harmful to the organisation have to reach a wide audience before they are noticed and before action is taken. A prime example of this was the story of a Canadian CP rail conductor who was fired for a second time after the company expressed concerns over social media posts, including “racy” boudoir photos allegedly taken on rail company property.
Given the previous behaviour of the Canadian CP rail conductor, should the organisation have been monitoring her public online activity before it became an embarrassingly public story? It may have been possible to deal with the situation quietly and professionally, an opportunity that OSINT could have identified before it became national news. An OSINT program is the ultimate proactive measure – identifying those potential situations and suggesting mitigative action before the court of public opinion becomes judge, jury, and executioner.
In order to establish or gain support for an OSINT program, an organisation often needs an illustrative example of how effective an OSINT program can be. What we have found to be beneficial is an examination of the board or a senior executive’s digital footprint and a demonstration of the information that might be exposed in the process. Frequently, an information leak or scandalous situation only comes to light after the fact.
What would the OSINT program look for? One example is when a staff member has publicly disclosed an upcoming vacation or company event that could be used for targeted phishing.
Applying OSINT as Counterintelligence
“Counter-intelligence means activities concerned with identifying and counteracting threats to the security of your organization and staff.”
The first step of a malicious actor’s playbook is information gathering or reconnaissance. That is to say, the identification of a target(s) and any valuable information that can be used. The information gathered is ultimately turned into intelligence by the person in possession of it.
If your OSINT program has gathered the available information on your organisation and staff, steps can then be taken to make exploitation of that information more difficult. Examples include scrubbing geo-location data from public material relating to sensitive facilities, and removing staff photos that reveal sensitive details such as the locations of CCTV cameras, alarms and motion detectors. If you cannot remove it completely, identify it and train staff to be aware of it.
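As an added illustration of what "scrubbing geo-location data" means at the file level (this is example code written for this page, not the authors' tooling or anything the article itself ships), the Python below parses the EXIF GPS sub-IFD of a JPEG, reports the coordinates a published photo would give away, and then strips the EXIF block before the file goes out. The JPEG bytes are constructed inside the script rather than taken from a real photo, and all tag numbers and layout offsets are the standard EXIF/TIFF ones; the parser handles both EXIF byte orders, although the constructed sample is big-endian.

```python
"""Find and strip GPS coordinates from JPEG EXIF metadata (constructed example)."""
import struct

SOI, APP0, APP1, SOS, EOI = 0xD8, 0xE0, 0xE1, 0xDA, 0xD9
GPS_IFD_POINTER = 0x8825                      # IFD0 tag pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _rationals(dms):
    """Encode (degrees, minutes, seconds) as three EXIF RATIONALs (u32 num / u32 den)."""
    deg, minutes, sec = dms
    return struct.pack(">6I", int(deg), 1, int(minutes), 1, int(round(sec * 100)), 100)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed JPEG-shaped bytes (not a real photo) with a big-endian EXIF GPS IFD.
    Fixed layout relative to the TIFF header: IFD0 at 8, GPS IFD at 26, lat at 80, lon at 104."""
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack(">I", 0)
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode().ljust(4, b"\x00")  # ASCII, inline
    gps += struct.pack(">HHII", GPS_LAT, 5, 3, 80)                                         # 3 RATIONALs
    gps += struct.pack(">HHI", GPS_LON_REF, 2, 2) + lon_ref.encode().ljust(4, b"\x00")
    gps += struct.pack(">HHII", GPS_LON, 5, 3, 104)
    gps += struct.pack(">I", 0)                                                           # no next IFD
    tiff = b"MM" + struct.pack(">HI", 42, 8) + ifd0 + gps + _rationals(lat_dms) + _rationals(lon_dms)
    exif = b"Exif\x00\x00" + tiff
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (bytes([0xFF, SOI])
            + bytes([0xFF, APP0]) + struct.pack(">H", len(jfif) + 2) + jfif
            + bytes([0xFF, APP1]) + struct.pack(">H", len(exif) + 2) + exif
            + bytes([0xFF, SOS]) + b"\x00\x08\x01\x01\x00\x00\x3F\x00"   # minimal SOS header
            + b"\x12\x34"                                                # stand-in scan data
            + bytes([0xFF, EOI]))


def iter_segments(data):
    """Yield (marker, offset, total_size) for each framed segment up to and including SOS."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, 2 + seg_len
        if marker == SOS:              # entropy-coded data follows, unframed
            return
        pos += 2 + seg_len


def _ifd_entries(tiff, off, endian):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for the IFD at off."""
    (count,) = struct.unpack(endian + "H", tiff[off:off + 2])
    entries = {}
    for i in range(count):
        e = off + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _dms_to_decimal(tiff, off, endian, ref):
    """Read three RATIONALs at off and convert to signed decimal degrees."""
    v = struct.unpack(endian + "6I", tiff[off:off + 24])
    dec = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    return -dec if ref in ("S", "W") else dec


def extract_gps(data):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None if absent."""
    for marker, off, size in iter_segments(data):
        payload = data[off + 4:off + size]
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = ">" if tiff[:2] == b"MM" else "<"      # both byte orders handled
        (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
        ifd0 = _ifd_entries(tiff, ifd0_off, endian)
        if GPS_IFD_POINTER not in ifd0:
            return None
        (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _ifd_entries(tiff, gps_off, endian)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        (lat_off,) = struct.unpack(endian + "I", gps[GPS_LAT][2])
        (lon_off,) = struct.unpack(endian + "I", gps[GPS_LON][2])
        lat = _dms_to_decimal(tiff, lat_off, endian, gps[GPS_LAT_REF][2][:1].decode())
        lon = _dms_to_decimal(tiff, lon_off, endian, gps[GPS_LON_REF][2][:1].decode())
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(data):
    """Return a copy with every EXIF APP1 segment removed; scan data is copied verbatim."""
    out = bytearray(data[:2])
    for marker, off, size in iter_segments(data):
        if marker == SOS:
            out += data[off:]          # SOS header, scan data and EOI, untouched
            break
        if marker == APP1 and data[off + 4:off + 10] == b"Exif\x00\x00":
            continue                   # drop the whole EXIF block; GPS lives inside it
        out += data[off:off + size]
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg((51, 30, 26.0), "N", (0, 7, 39.0), "W")
    print("before:", extract_gps(sample))                 # location recoverable
    print("after: ", extract_gps(strip_exif(sample)))     # None
```

Most large social networks strip EXIF on upload, but files served from an organisation's own web server, press kit or document management system keep whatever the camera wrote, so a check like this belongs in the publishing workflow rather than relying on the platform. Dropping the whole APP1 block is deliberate: removing only the GPS tags while leaving camera serial numbers, timestamps and editing software in place still hands an investigator useful context.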
What public information should be redacted?
The answer to that question is found in the threat models which target your organisation, staff and executive members. This can range from the physical threat of break-in or robbery to the travel plans of executives to potentially hostile regions where there is a chance of kidnap for ransom. Travel plans of executives should never be released on social media without an abundance of caution and planning, and without specific redactions having been made.
Applying OSINT as Cyber Counterintelligence
Consider how much data we share daily. In our personal lives, most mobile numbers are linked to a full name, and an IP address is linked to the sites it visits unless controls are in place. Remember, too, how your activities can expose the email addresses you freely give out for contact, your shopping habits through credit card usage, and your location through fitness apps. These small pieces add up and can be used to identify you and your connections.
Now, consider an organisation and its individual employees. Those employees often have a LinkedIn account which tells us their roles and responsibilities, technologies for which they have gained certifications or skills that they have developed. This information, when used properly, can become valuable intelligence on how the organisation runs, who’s responsible for what, and even who could be targeted by a malicious actor looking to exploit the power of an authority figure through social engineering.
A sensible balance between presenting public information about the organisation and its structure needs to be found. The OSINT program can provide an understanding and context of that information and the risk of being exploited. In situations where an organisation deals with highly sensitive information, a DNS entry for “classified-portal.3letteragency.gov” is probably a bad idea.
Imagine the benefits of a dedicated team who looks out for information that could save the organisation from reputational damage by looking for:
- Counterfeit or stolen property listed online
- Employee conduct, threats and harassment on social media
- Frustrated, angry or threatening customer correspondence
- Damaging reviews of product, services or work environment
- Leaked merger, acquisition and organisational partnership discussions
- Sensitive information publicly disclosed – accidentally or intentionally
- Inaccurate, harmful or out of date information
- Presence of fake websites, fake invoices or scams targeting customers, staff or the organisation
- Staff disputes, associations or controversial comments in a public forum
- Credentials from data breaches and compromised accounts belonging to the organisation
- Research and validation of the background of prospective employees or board members
- Unsavoury relationships, memberships or pending court action related to the organisation
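The "credentials from data breaches" item in the list above is the one a security team can most easily turn into a routine control: screen every new or reset password against passwords already known to be in circulation. The Python below is an added example written for this page, not code from the article or its authors. It models the k-anonymity range-query pattern used by Have I Been Pwned's Pwned Passwords service, in which the client hashes the password locally with SHA-1 and sends only the first five hex characters, so the provider never sees the full hash. The breach corpus here is a constructed in-memory dictionary standing in for the remote service, and `range_query` stands in for its HTTP endpoint; nothing contacts a real API.

```python
"""Screen passwords against a breach corpus with a k-anonymity range query.

Constructed example: BREACH_CORPUS stands in for the provider's database and
range_query() for its HTTP endpoint; nothing here touches the network.
"""
import hashlib

# Constructed corpus: SHA-1 digests of passwords that have appeared in leaks,
# mapped to how many times each was seen. The real corpus is far larger and
# is never downloaded whole by the client.
_CONSTRUCTED_LEAKS = {"password": 3_000_000, "Summer2023!": 12,
                      "letmein": 400_000, "qwerty123": 90_000}
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
                 for p, n in _CONSTRUCTED_LEAKS.items()}


def range_query(prefix):
    """Provider side: return {suffix: count} for every digest starting with prefix.

    The provider learns only five hex characters (16**5 = 1,048,576 buckets),
    which is not enough to recover the queried password's hash.
    """
    if len(prefix) != 5 or any(c not in "0123456789abcdefABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return {h[5:]: n for h, n in BREACH_CORPUS.items() if h.startswith(prefix)}


def exposure_count(password):
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns how many times the password appears in the corpus (0 = not seen).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_query(prefix).get(suffix, 0)


def screen_new_passwords(candidates):
    """candidates: {username: proposed password} collected at set or reset time.

    Returns the sorted usernames whose proposal must be rejected because the
    password is already in circulation.
    """
    return sorted(user for user, pw in candidates.items() if exposure_count(pw) > 0)


if __name__ == "__main__":
    proposals = {"alice": "Summer2023!", "bob": "r7!Tq-vineyard-lantern-03", "carol": "password"}
    print("reject:", screen_new_passwords(proposals))   # ['alice', 'carol']
```

The check only works at the moments when the plaintext is briefly available, namely password set, reset and login, because the stored form should be a salted hash that cannot be re-queried later. A count of 12 is as disqualifying as a count of three million: once a password has appeared in any leak it is in the wordlists, and the OSINT team's job is to feed confirmed leaks involving the organisation's own domains into the same rejection path.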
Outcomes from OSINT program intelligence
From experience, it is all too easy to leave roles and responsibilities implied and assume that all parties know their role. This is rarely the case. Therefore, to be explicitly clear: the OSINT program is specially trained to gather intelligence and create tailored guidance, and it will not act upon this intelligence unless approved. At times, areas of the OSINT program and its methods of monitoring and identification may come into conflict with the rights of staff and customers to speak and associate freely. Therefore, there is still a need for an ethics board, and any actions taken must be decided by senior leaders working within an investigation sanctioned by HR and, possibly, legal counsel.
Perhaps the guiding principle of the OSINT program should be the aphorism known as ‘Hanlon’s razor’: “Never attribute to malice that which is adequately explained by stupidity.”
The OSINT program will build intelligence and give recommendations on resilience: prevention, detection and response. Following this, senior staff either take action directly or advise on the actions to be taken, both in response and for future prevention, bearing in mind considerations such as more robust acceptable use policies, training, active monitoring and controls.
This piece first appeared on Tripwire as a guest authored article and has been modified. The original can be found here.
About the Authors: Ian Thornton-Trump, CD is an ITIL certified IT professional with 25 years of experience in IT security and information technology. Today, as Chief Information Security Officer for Cyjax Ltd., Ian brings to bear his significant experience concerning the threats faced by small and medium-sized businesses, and enterprises. His research and background have made him a sought-after cybersecurity consultant specialising in cyber threat intelligence programs for all sizes of organisation. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. After a year with the RCMP as a Criminal Intelligence Analyst, Ian worked as a cybersecurity analyst and consultant for multi-national insurance, banking and regional healthcare. His most memorable role was being a project manager, specialising in cybersecurity for the Canadian Museum of Human Rights. In his spare time, Ian teaches cybersecurity and IT business courses for CompTIA as part of their global faculty and is the lead architect for Cyber Titan, Canada’s program to encourage the next generation of cyber professionals.
Zoë Rose is a highly regarded cybersecurity specialist, who helps her clients better identify and manage their vulnerabilities and embed effective cyber-resilience across their organisations. Zoë is a Cisco Champion and certified Splunk Architect, who frequently speaks at international conferences. Recognized in the 50 most influential women in cybersecurity UK for the past two years, and the PrivSec 200, Zoë is regularly approached for media comment, has presented on National News, been featured in Vogue Magazine, and was the spokesperson for Nationwide’s Over Sharing campaign that had a reach of 306 million citizens.