Access a world-class intelligence capability tailored to your specific needs. Control a multi-million dollar program without the time or expense and solve problems both lasting and acute.

What is Managed Intelligence?


3 min read

How to Successfully Implement a Threat Intelligence Program

By Landon Winkelvoss on Nov 23, 2020 5:21:55 PM

Threats continue to occur on a global scale. They are large, they are complex, and they are growing. This problem has led to widespread interest in tailoring intelligence programs that provide insight into business problems and generate actionable outcomes.

For intelligence to drive a security program, organizations need 1) a vehicle to drive, 2) a direction to go, 3) a dedicated driver, and 4) an understanding of the terrain as well as the ability to look back, pivot and maneuver when obstacles are encountered.

The Vehicle: Defensive Security

Optimizing threat intelligence requires a defensive security team with the ability to recognize and respond to incidents, identify and patch vulnerabilities, and track and resolve risk.

Programs do not have to launch in a fully-matured state, because threat intelligence and the environment can be used to guide program development, facilitate continuous improvement, and achieve increasingly higher levels of maturity.

However, even from the beginning, it is critical to the development of a threat intelligence program that if and when an organization identifies a threat, they are able to mitigate or resolve the threat.

The Direction: Priority Intelligence Requirements

Initially identifying the direction a threat intelligence program will travel can be as simple as highlighting an organization’s key threats.

Priority Intelligence Requirements (PIR) assist in addressing key threats by providing a series of questions the threat intelligence team must answer.

No single program is suitable for all organizations. Different organizations will have different priorities. For example, if an organization has significant research and development or high value intellectual property, the first PIR may be to identify:

  • Who is interested in our data and what are their tactics, techniques and procedures?

However, if an organization is inundated with phishing emails related to wire fraud and their position in a supply chain, the first PIR may be to outline:

  • What are the key techniques utilized for wire fraud and supply chain takeover and the proactive steps required to reduce or mitigate the threat?

The Dedicated Driver: Full-Time Resource and Collaboration

A common mistake when developing a threat intelligence program is the failure to provide adequate resources and staffing. In many cases, organizations will assign a person the role in addition to other existing duties. Organizations often balk at hiring a full-time, experienced, threat intelligence analyst. This approach is likely to fail. Without dedicated focus, a part-time analyst will be pulled in too many directions to be able to accurately and effectively perform all of the necessary functions and establish a successful intelligence program.

This individual may lean on solutions like intelligence feeds that are noisy and lack context, preventing the development of actionable intelligence. Without actionable intelligence, it is difficult to justify a threat intelligence program.

Threat intelligence programs require a lot of diplomacy and collaboration. An experienced and successful threat intelligence analyst will be able to effectively communicate with an organization’s c-suite as well as technical and non-technical peers. Experienced analysts have the skills to provide consistently actionable intelligence. Just as importantly, they have the ability to communicate the reason, the process, and the desired outcomes to stakeholders across the organization.

The Terrain: Choosing the Right Supplemental Intelligence

Supplemental intelligence resources fill in gaps that a Threat Intelligence Program is not able to provide on it’s own.

For organizations beginning the process with one analyst, this may be a platform that assists in the collection of data, a targeted intelligence feed, or assistance from a managed intelligence services provider.

Of critical importance is an organization’s understanding of the unique terrain their company will traverse. This allows them to reinforce their intelligence program and prepare for incoming threats. For example, engaging with a threat intelligence company specializing in Advanced Persistent Threats and nation state actors may not be the right choice for a retail manufacturer, but it is imperative for critical infrastructure. Likewise, a medical facility without a clear understanding of ransomware and how to protect against the latest variants is missing knowledge that could allow them to prevent or mitigate attacks.

Based on the unique characteristics of each organization, it is important to reinforce any Threat Intelligence Program with supplemental intelligence and investigative expertise that maps directly to the threats they will likely encounter.

The Obstacles

Regardless of whether an organization is facing cyber-crime, nation state espionage, physical security threats, aggressive online hostiles, or threats targeting their supply chain, it’s critical to have investigative support that helps provide proper context.

The “how”, “why”, and potentially the “who” that inform actionable outcomes determine if a threat or vulnerability requires remediation.

Many threat intelligence providers can provide an early warning, but the investigative follow-through is where the value lies. The ability to rapidly confirm or deny whether a breach is in process can be the difference between success and failure.


Topics: Cybersecurity
Continue Reading
2 min read

Weaponization for Disinformation

By Zeshan Aziz on Nov 9, 2020 10:26:23 AM

Continuing our series on the adversarial mindset, we focus on how actors weaponize narratives for disinformation operations. 

In a previous blog post, we wrote about the reconnaissance steps that disinformation actors take prior to launching their operations, including recruitment of individuals with native language proficiency.

Continue Reading
3 min read

What is Coordinated Inauthentic Behavior?

By Zeshan Aziz on Nov 2, 2020 9:39:16 AM

Coordinated Inauthentic Behavior (CIB) is a common phrase heard in the news regarding disinformation, misinformation, and influence operations; but what exactly does it mean? 

First, let’s define our terms: inauthentic behavior, and coordinated

Continue Reading
3 min read

Analyzing a Trump Video for Deepfake Potential

By Justin Simms on Oct 28, 2020 10:19:49 AM

With the presidential election upon us, the looming threat of deepfake videos is most certainly on everyone's minds. 

While the threat of malicious use of this ever-evolving technology has not reached the point where most companies need to dedicate extensive resources into its detection and appropriate defenses, Nisos took a look at the current state of deepfake detection technologies.

Continue Reading
7 min read

Weaponization for Cyber-Enabled Fraud

By Jackie Hicks on Oct 26, 2020 10:46:26 AM

In our previous blog, we highlighted how fraudsters conduct reconnaissance for fraud activities. 

While banking malware, trojans, worms, and botnets such as Zeus Panda, Ramnit and Trickbot have typically been used to infect consumer PCs in order to collect personal data and online login credentials, including banking sites, not all weaponization is malware-related.

Continue Reading
4 min read

Weaponizing Tools for Computer Network Operations

By Landon Winkelvoss & Paul Morrissette on Oct 13, 2020 9:14:13 AM

Continuing in our series on the adversarial mindset, we focus on weaponization for computer network operations. Following the reconnaissance phase and identifying a target, an actor needs to gain a foothold in a network before determining how to monetize the access or remain “low and slow” to conduct additional collection, typically for espionage purposes.

Continue Reading
4 min read

How Adversaries Conduct Reconnaissance For Disinformation Operations

By Landon Winkelvoss and Matthew Brock on Oct 6, 2020 10:08:04 AM

Building on our series exploring the adversarial mindset, disinformation actors seek amplification of their content, regardless of whether their goal is financial, ideological, or political. Disinformation actors need venues to post their content that will be most likely to result in viral spread of their messages. Oftentimes, depending on the sophistication of the actors and the narrative they are trying to publicize, they might not even care if they are identified or not.

Continue Reading
3 min read

An Introduction to Honeypots

By Landon Winkelvoss on Oct 4, 2020 7:23:24 PM

In our latest blog series, we discuss how threat intelligence can be applied smarter for medium sized organizations with limited resources. We discuss ways to proactively detect threats beyond subscribing to information feeds that require a lot of resources to aggregate and ingest into SIEMs.

Continue Reading
3 min read

How Adversaries Conduct Reconnaissance For Fraud Operations

By Jackie Hicks on Sep 29, 2020 10:56:04 AM

Building on our series on the adversarial mindset, fraudsters will identify a target based on the ease and speed with which they are able to monetize their fraudulent activities.

Many of the reconnaissance steps involve a threat actor learning how a company conducts their business, and oftentimes,  fraudsters end up understanding the business almost as well as the company and its employees do.

Continue Reading
2 min read

Making Threat Intelligence Useful for Medium-Sized Enterprises

By Landon Winkelvoss on Sep 28, 2020 9:55:15 AM

Medium-sized enterprises that don’t have sophisticated security operations teams typically focus on the basic blocking and tackling of information security: policies around financial controls, incident response plans, data retention policies, disaster recovery around user access, lifecycle management policies.

Continue Reading
3 min read

How Adversaries Conduct Reconnaissance For Computer Network Operations

By Landon Winkelvoss & Mike Davis on Sep 23, 2020 10:28:44 AM

The adversarial mindset is the core that allows us to provide a world-class intelligence capability tailored to the needs of business. Many people ask what it means to have the adversarial mindset and how that differentiates Nisos. While it’s a complicated answer based on capability, we wanted to share some insights, from our first-hand experience, about how adversaries operate.

Continue Reading
2 min read

Six Considerations for Building a Cyber Threat Intelligence Program

By Landon Winkelvoss on Sep 21, 2020 9:37:01 AM

When evaluating cyber threat intelligence programs for enterprise, organizations should consider six critical topics before spending on data.

Continue Reading