Building an Enterprise Threat Intel Program
Elevating Threat Intelligence
As you build your security strategy, an enterprise intelligence program can be critical to your business’s continuity and continued growth. From incident monitoring to data-driven decision-making, the right intel can help you avoid cyber threats, aid due diligence, protect your people, and inform corporate strategy. While intelligence teams are nearly ubiquitous among the Fortune 500, only the most elite teams have successfully integrated disparate intelligence functions to drive enterprise strategy.
In this ebook, we look at how five Fortune 500 intelligence leaders have built their teams and intel capability.
About the CYBER5
Hosted by Landon Winkelvoss, Co-Founder at Nisos, The CYBER5 is a podcast that showcases intelligence leaders from blue-chip companies to share their insights and experience in building world-class enterprise intelligence teams.
Meet the Moderator:
Landon Winkelvoss co-founded Nisos in 2015 and serves as its VP of Content. His vision as a founder was to deliver intelligence community-level digital insights to blue-chip companies to enable a stronger defense and more effective response against advanced cyberattacks, disinformation, threats to executives and physical assets, and abuse of digital platforms.
Prior to founding Nisos, he spent 10 years as a Technical Targeting Officer for the U.S. Intelligence Community, including multiple warzone deployments and overseas postings. Landon is a regular contributor to numerous publications on cyber intelligence and investigations including SecurityWeek, Dark Reading, and SC Magazine.
He is also the host of Know Your Adversary podcast which is designed to educate and highlight security best practices and notable cybercrime investigations.
Enterprise Stakeholder Management and the Use of Threat Intelligence
Insights from Valentina Soria, Executive Director and Head of Global Threat Intelligence for Morgan Stanley
In episode 68, we discuss leading a large-scale threat intelligence program in the financial institution space and how to make intelligence absorbable by multiple consumers. We also talk about how intelligence teams can build processes and technology at scale to raise the cost of attack for criminals.
How can intelligence provide value across the enterprise among different stakeholders?
“I think it’s interesting to think about the evolution of the intelligence field, from a pretty niche discipline focused on just threats . . . to a field that now serves the business across a spectrum of potentially disrupting events or incidents that could impact an organization’s assets, people, and operations.
You must think of intelligence across the various layers of applicability, from tactical to operational to strategic. At the tactical level, intelligence allows you to respond. The operational level allows you to prepare. At the strategic level, intel allows you to anticipate and really plan alternative courses of action.
What does that mean in practice? In addition to tracking and alerting on current threats, organizations should use intelligence to challenge conventional wisdom about what senior leadership should be concerned about.
Those three different layers allow you to identify and categorize the stakeholders across your enterprise. And really, no matter what the size of your intel team is, you should aim to serve a wide range of stakeholders by delivering a variety of products or intel outputs that really help drive actions.”
Who are the different consumers of intelligence inside and outside of a large enterprise? How do you tailor your intelligence for different audiences?
“In the most traditional sense of the word, consumers of intelligence are those who simply receive an intelligence assessment. And you still have some of those in large enterprises today. Think of your average employee who just really may be getting your daily or weekly intelligence digest that gets produced by your team.
In some organizations, intelligence teams may also be asked to help produce some newsletters or other situational awareness products for individual corporate clients, for example. But frankly, you have fewer and fewer recipients of those products who you would identify as passive consumers today.”
“And while you may still have written products that are purely informational, the bulk of any intelligence production portfolio tends to be tailored to the requirements of the given stakeholders. Such intelligence really needs to be timely, accurate, and actionable.”
“If it doesn’t inform or drive action for one or more of your stakeholders, that threat assessment loses that unique value. Then it’s similar to research; it’s just a different type of analytical expertise that you have to work with. I love to be able to write pages and pages on a subject that I really like. But it’s just not the type of output that I know is going to help drive some of the decision-making in my organization.
This is not how you would deliver that kind of very punchy and concise intelligence assessment that can really bring up the “so what” or the unique value add your stakeholders need to work with.”
How can an enterprise think about using intelligence to derive its own risk-based approach?
“I’ve been very lucky in my career as an intelligence professional to have worked for organizations that are really, really big and serious about the critical value of intel in enhancing the overall security posture of the organization and mitigating cyber risks and any sort of operational risk. And that is a game-changer because it allows you to be proactive . . . rather than wait to find out that you’ve been breached or impacted by an incident or an attack.”
“Having an intelligence-led risk framework means that you make a deliberate effort to understand the threat environment that your organization has to contend with, which means knowing what to focus on and how to better prioritize resources because that operational risk environment is very crowded these days.”
“Threat actors are continuously shrinking that time window, from vulnerability disclosure to exploitation, from initial compromise to malware deployment or actions and objectives. So, it’s important to also reduce the time window between identification, threat detection, and response and remediation efforts.”
“Intelligence allows you to really embrace a forward-leaning approach to managing risks. This is how enterprises should think of threat intel these days, no longer as a technical need function that sits in the back of a room and passively collects indicators of compromise and other raw data.”
“More teams today are, for example, using the MITRE framework. They map the tactics, techniques, and procedures of advanced actors or those that may have a history of targeting their organizations or the sector. They can leverage that mapping to identify and correct gaps in their prevention and detection… This is an example of proactive use of threat intel to mitigate risk against your most critical assets and one that allows an organization to prioritize resources to ensure appropriate coverage against the most relevant and impactful threats.”
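The gap analysis described above, as an added example that is not part of the original interview or any Morgan Stanley tooling: tracked actors’ ATT&CK techniques are set against the organization’s own coverage inventory, and uncovered techniques are ranked by how many relevant actors use them. The actor names, technique sets and coverage levels are constructed sample data.

```python
"""Prioritise detection gaps by mapping tracked actors' ATT&CK techniques
against existing detection coverage.

Added example, not the interviewee's or Nisos's code. Actor names, technique
sets and the coverage inventory are constructed sample data; the technique
IDs are real ATT&CK identifiers used here only as labels.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample: techniques attributed to actors relevant to this org.
ACTOR_TTPS: Dict[str, Set[str]] = {
    "actor-A": {"T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1486"},
    "actor-B": {"T1566.001", "T1059.001", "T1078", "T1021.002", "T1048"},
    "actor-C": {"T1190", "T1505.003", "T1078", "T1003.001", "T1048"},
}

# Constructed sample: what current controls cover, with a coarse confidence
# level so partial coverage still surfaces as a (smaller) gap.
COVERAGE: Dict[str, str] = {
    "T1566.001": "high",    # phishing attachment: mail gateway + sandbox
    "T1059.001": "medium",  # PowerShell: script block logging, few rules
    "T1003.001": "high",    # LSASS credential access: EDR rule
    "T1021.001": "low",     # RDP lateral movement: logs collected, no rule
    "T1486": "medium",      # ransomware impact: backups, no early detection
}

# Fraction of a technique that remains uncovered at each confidence level;
# anything absent from COVERAGE counts as fully uncovered (1.0).
GAP_FRACTION = {"high": 0.0, "medium": 0.5, "low": 0.8}


def technique_exposure(actor_ttps: Dict[str, Set[str]]) -> Counter:
    """Count how many tracked actors use each technique."""
    exposure: Counter = Counter()
    for ttps in actor_ttps.values():
        exposure.update(ttps)
    return exposure


def prioritised_gaps(
    actor_ttps: Dict[str, Set[str]], coverage: Dict[str, str]
) -> List[Tuple[str, float, int, str]]:
    """Return (technique, gap_score, actor_count, coverage_level), highest
    gap first. gap_score = actors using the technique * uncovered fraction,
    so a technique several relevant actors use and nobody detects ranks top.
    Fully covered techniques are omitted."""
    rows = []
    for tid, actors in technique_exposure(actor_ttps).items():
        level = coverage.get(tid, "none")
        score = actors * GAP_FRACTION.get(level, 1.0)
        if score > 0:
            rows.append((tid, score, actors, level))
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


def actor_coverage_ratio(
    actor: str, actor_ttps: Dict[str, Set[str]], coverage: Dict[str, str]
) -> float:
    """Share of one actor's techniques that have *high* coverage, a simple
    per-actor readiness figure for a leadership report."""
    ttps = actor_ttps[actor]
    covered = sum(1 for t in ttps if coverage.get(t) == "high")
    return covered / len(ttps)


if __name__ == "__main__":
    for tid, score, actors, level in prioritised_gaps(ACTOR_TTPS, COVERAGE):
        print(f"{tid:<10} gap={score:.1f} actors={actors} coverage={level}")
    for actor in ACTOR_TTPS:
        print(f"{actor}: {actor_coverage_ratio(actor, ACTOR_TTPS, COVERAGE):.0%} high coverage")
```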
How can an intelligence-led model scale while still being a risk mitigation function?
“You need to start small and build incrementally by securing more resources for what your leadership will start to view as an essential component of the risk management framework. The cyber threat intel maturity is a journey.”
“Organizations need to go through a journey of conscious growth in order to realize the real return on investment when it comes to intelligence capabilities. You have to be realistic about it. You have to take time to truly understand and evaluate your organization.”
“Don’t be afraid to be in listening mode for the first few months of your journey. Find the key coverage gaps, but also understand what hasn’t worked before. Build the right capability and complement existing ones, rather than build something that is redundant and not really necessary. It would be much easier at that point to justify that regular investment in your intelligence function and get more resources for the kind of work that they would want you to do.”
On how automation can help…
“Leverage technology to build automation into processes that were once heavily manual. If it doesn’t require interpretation, assessment, and critical thinking – consider automation. Those analytical resources should rather be focused on driving risk mitigation efforts and go beyond just detecting and blocking the latest mass phishing campaign.
You need to scale based on your resources, and you might need to be a little bit more selective. Frankly, the rule applies always; intelligence is really not about quantity; it’s about quality. It’s about that unique value add that you can bring to your stakeholders, and you can only achieve that if you really understand their information needs and their requirements.”
What role do metrics play in communicating the value of threat intelligence?
“It’s important to determine where the intelligence function can add more value and identify meaningful metrics to track the success and relate that return on investment to the leadership. And believe me, metrics can be tricky; I’m not a big fan of metrics. Unfortunately, I’m not a numbers person, but I understand how important they can be and how useful they can be for exactly this kind of discussion.
For years, the value of intelligence tended to be intangible or somehow hard to quantify. You can compare intelligence, for instance, to metrics that your SOC or your search team can turn around every month about the number of incidents and old issues remediated or how many vulnerabilities your vulnerability management team has been able to patch. In organizations where intelligence teams are strongly integrated with the response and recovery functions, intelligence inevitably drives some of those metrics.
It really all begins with mapping your stakeholders and whatever intelligence input you provide to them. That’s the only way you can truly understand whether what you are doing is adding value and how critical it is. When you get a request for input from your intelligence team, make sure that you are clear about the use case — the business justification.
This way, if something is not quantitatively measurable, you are still able to tell your leadership a good story of success and provide them with a measure of performance or effectiveness, which will eventually help you justify the sustained investment in your intelligence function. So how are you enabling or contributing to announcing certain processes or announcing certain controls? How are you informing your risk management practices?
So crucially, I think, in my view, your intelligence metrics should also reflect the information-sharing partnerships that your team participates in. This is something that is clearly unique to intelligence teams by default.
In most cases, intelligence teams are the gatekeepers of those relationships with industry partners, government partners, and so on. So, they really understand and know how to leverage the sort of relationships to be proactive about the threat environment. And it’s not just a tick of the box exercise where you say, ‘Yes, I’m part of my ISAC, and I’m fine.’”
“You need to make sure that your team pushes the intel to the rest of the organization. . . and any early warning gets shared in those forums before it becomes public knowledge, and then everybody can read about it in the newspaper.”
What are rational metrics to apply?
“The best ones are the combination of what you can measure quantitatively and those qualitative contributions. It’s hard to measure what intelligence teams in general do. If you are well integrated with other response functions in the defensive team capability, you can demonstrate how some of the intelligence that you provide delivers value. Whether you’re dealing with raw data that you gather from feeds, from partners, from the sector, or just from your analysis, it is crucial to understand if it is contributing to earlier or quicker assessment or more effective detection of malicious events in your network. Or, is it helping expedite the patching of critical vulnerabilities because you’ve provided evidence and information that points to the specific vulnerability being exploited in the wild, how, and by whom.
These are some of the more quantitative examples if you support the fraud function. Of course, that also goes with the number of fraud events or fraud attempts that you have helped block or prevent somehow, but also things that you have discovered through your intelligence monitoring capability that you fired to those teams.
On the qualitative side, it’s about how the analysis of your team helps the leadership to understand better or better navigate the complexity of the threat environment. It could be related to a specific geographical location and some of the challenges of operating there. It could be about a specific understanding of what getting into business in a certain type of industry or vertical could mean and what the organization should think about as mitigating measures.”
How can this be helpful for small and medium-sized businesses that need help further down the supply chain?
“It’s tough. It’s not easy. It’s a journey, and not everybody can have an infinite number of resources. So, it’s really about the mindset and the framework and how you think about intelligence. You need to embrace a holistic view of intelligence and project that view to the whole organization as management of business risk.
It’s not just about an information-gathering function informing your risk mitigation strategies. It doesn’t necessarily mean that you need to cover 10 different domains. This principle applies even to really niche intelligence functions that are focused just on cyber, physical, or fraud. The idea of informing the business at a tactical, operational, and strategic level and connecting the dots is important so that leadership can understand the threat environment and think about it proactively.”
“If your resources are limited? Be smart about it. Try to automate as much as you can at the tactical level and leverage your analysts to provide context. Convey that part of a certain threat of an incident or a vulnerability to your upper management and to the other teams that are expected to act on that intel to mitigate the threat.”
“Most importantly, make sure that you are connected and plugged into relevant information-sharing communities. Especially when your resources are really limited, those partnerships are a true force multiplier, giving you access to a trove of information resources, and outputs that you may otherwise miss, or not be able really to produce yourself because your coverage is limited or stretched pretty thin.”
“You have to really develop and embrace that multidimensional strategy to make your intelligence function truly critical for your organization to the point where they can’t really make it without it anymore.”
How can businesses get savvy at information sharing with more limited resources?
“When you have only two or three or four analysts, it’s tough to be able to cover everything. There are a lot of sector-specific partnerships and information-sharing forums. Of course, in the U.S., there are many resources that are pushed by government partners, CISA, and others that really you should be subscribed to.
You can’t necessarily have eyes on everything and anything. But that’s why what I said earlier about making sure that you’re plugged into those communities. That can be the force multiplier because they essentially expand the scope and the reach of your team who can only deal with so much information at the same time, right?
Also, be smart about how you leverage a lot of the analytical OSINT capabilities that are out there. You don’t necessarily have to reinvent the wheel when explaining a fact, an event, or an incident. You can reuse the information that many research companies and intelligence companies out there push out on their blogs and similar channels.”
“What is going to make the difference is applying that layer of analysis that makes it relevant to your own organization. So, if anything, make sure that your team spends a little bit more time truly understanding your environment, because that is going to make the difference to the information that comes from the outside.”
“Everybody can read websites these days, and everybody does that, but they may not necessarily have the knowledge and the ability to relay the significance of what they read to your organization. That’s the right balance to find between leveraging what’s available out there, not reinventing the wheel, and putting in the effort to truly understand what will be meaningful and significant for your organization.”
Interview 2:
Building a Security Team and Using Intelligence to Inform the Proper Risk Strategy
Josh Brown, Chief Information Security Officer (CISO), H&R Block
In episode 66, we talk with Josh Brown about how to build an informed security team that can collect intelligence and establish a proper risk strategy. Josh explains how he went about building a team for H&R Block and the importance of anchoring security strategy to how the company is driving revenue.
What does the business of security mean to you?
“First of all, I love, love, love, love this topic. I think this is critical. There’s not enough thought put into a lot of security programs in terms of answering that fundamental question: what is the business of security? What’s the role of security in a business as part of the business? And how do you make sure that you’re fulfilling that function?”
“The business of security can be distilled down to something very simple, which is that security is there to help the business make well-informed, risk-based decisions. You cannot do that except accidentally unless you have a deep understanding of how the business functions and its risks.”
“All of the things that we normally talk about, for example, security capabilities and whether you’re being proactive or reactive and how mature you are, cannot be separated from what the business is there to deliver. Security is there to provide guardrails for the business. One of the phrases we use internally is we try to create safe spaces for the business to try dangerous things.
When the first car was rolled off the assembly lines from the Ford plant, it didn’t have brakes. Brakes weren’t added until later because cars needed to go faster, which was dangerous. And so, we reframe the relationship of a security team to the rest of the business. And I think an important thing, too, is to realize that it’s not, ‘we’re going to do what the business wants to do.’ It’s ‘you’re part of the business; you’re helping inform those decisions.’
We’re there to provide some structure. And yes, people talk a lot about the trade-off between security and all the options that people want to do, all the things they want to do in the way they want to do them. Yes, we are going to constrain the set of all possible options. That doesn’t mean that we’re not ultimately there to help the business innovate, we also help it be more agile.”
“We’re trying to take away the options that really shouldn’t be on the table because they pose unacceptable risks to the business.”
How do you develop security personnel who genuinely know the details so they can form legitimate risk?
“One of the things I did when I joined H&R Block, was get myself mentors outside of the IT group, across the company. I got three or four different mentors from the product side of the house, from the legal side of the house, et cetera, and looked for mentors from my past that could help me get ready for this role.”
“I’m one person. So I knew what I had to do to get myself ready and get comfortable with the business. But the real question is, what do you do about your security personnel?”
“A big piece of this that’s actually pretty damn challenging right now is security personnel are in such high demand, with 500,000 unfilled security jobs in the U.S. alone. The experienced people are in extremely high demand, and there’s a lot of churn across the industry. You can’t magic up more security people; we have to make them. We have to help people in careers, and I think part of that can be solved by a program that Block has put together recently called Accelerate.
The idea is, let’s open junior talent pipelines to local colleges and universities. It’s essentially a paid internship program that brings people in at an associate level, expects no expertise, no actual experience in the role, and works together with them as a cohort through several different positions in the company. And what you end up with on the other side is you have somebody who’s got exposure to the business, not just understanding roughly how the business works, but now has personal contacts in different areas across the business. Also, the company now has a cohort of other associates at the same level, that have the same experience and can pick and choose where they apply their skills.
We’ve done this for a while with our Security Operations Center. We have a 10-to-12-week onboarding process, and by the end of that, the person knows not only how to do the role, we know if they’re going to be successful or not, at least at a high level. And we really are hiring for intelligence and people skills at this point, which means all the rest of it can be taught. Those are the things you can’t teach. You can’t teach somebody how not to be a sociopath. You can’t teach somebody those soft skills that are just a lot harder to pick up than technical skills. Business skills, I think, grow with a person over time.”
“So, is it important necessarily for a brand new starting SOC analyst to have a deep understanding of how the business works? Well, no. But if that person stays on and works? They’re going to learn some of that just through osmosis through their peers.”
How do you get a 360 view of risk?
“Let’s say to understand the business well, you have to look at sources of intelligence. Some of these we create ourselves as we look across transactional data of our different lines of business. I have a fraud team that looks very closely at tax fraud. We use, of course, all the buzzwords, AI, machine learning, and things like that to suss out anomalous activity on tax filing just the same way you would do it with looking at anomalous activity on your user segment of the network, for example. We also participate in several of the well-known institutions or entities that help get you actionable intelligence.”
“I have a mixed view of threat intelligence in general, largely because even if you get to a vertical like financial services, there’s a huge difference between what a bank, an investment company, and what H&R Block does.”
“Are there some similarities? Of course, there are. But from a threat intelligence perspective, a threat actor group could be targeting a bank, and it’s not going to be relevant to us because that’s just not what we do. Similarly, if you know a foreign national or a threat actor group was targeting a tax preparation company, that wouldn’t be as valuable information for a bank.
So, we participate in a local fusion center in Kansas City with the public-private interface there with law enforcement. And we also were the first non-bank entity to be accepted into FS-ISAC, the Financial Services ISAC. So, we have kind of a two-way flow of data with that group in terms of understanding what risks are out there and figuring out how to tailor those to our particular part of the fintech and financial services segments.
I think overall, this is a huge problem in our industry pertaining to how the technical people understand how the business operates, what the business cares about, what the business tolerance for risk is, helping the business actually understand what it means to accept a risk rather than mitigate it. Getting actionable intelligence rather than just buying a service and saying, ‘well, we’ve got a threat intelligence service, we’re done.’ Huge problems have to be addressed.”
Is difficulty contextualizing risk a leadership issue within the cybersecurity space, or simply a lack of cross-functional teams working together? Or both?
“I do think it’s both. It’s definitely a leadership problem. Enough leaders are not making sure that their employees are well-positioned for whatever role they’re hoping to get in their career, whether it’s at the same company or not, for people to advance. Of course, there are differences between individual contributors and people leaders. In general, if people leaders want to continue to advance, they’re going to have to develop some business acumen, whether that’s financial aspects, learning how to forecast how to make budgets, or how to do cost-benefit analyses.”
“The key is for the business to understand that security challenges are actual business challenges, not just technology challenges. This is a two-way street.”
“So as much as security people need to learn from and about the business, the business needs to learn from and about information security. It’s everyone’s problem. And it’s not just we put these people in the cubicles on the third floor, and sometimes we turn the lights on if they’ve been well behaved. You know, it’s not. It’s security getting seats at the boardroom, at the executive table. And to do that, you can’t just be speaking tech speak. You can’t just be speaking the way we on the infosec team would speak to each other. You have to speak the language of the business. You have to meet them where they are.
I think it absolutely is a leadership problem. That’s where it has to start. We have to set that example, and I hope my team sees me meet with legal, HR or production, and all different parts of the business. I’m very active, encouraging participation in some of our cross-functional group committees like the Diversity, Inclusion, and Belonging Committee, for example. We’re trying to make sure that we have mentorships, both security people, mentoring non-security people, and other parts of the business mentoring security people.
It’s certainly going to be dependent on the business that you’re in and your role within the business, but everybody needs to have at least a baseline understanding of how the business makes money and what its view is on risk. Otherwise, you’re screaming into the void. They’re not going to understand what you’re trying to do to help them, and you’re not going to understand what you’re trying to do to help them, because you don’t know what they need.”
How valuable is intel about attacks against other businesses in your ecosystem?
“It’s not that it’s bad data. It’s good to know that there are rumblings of an attack on financial services, but how do I make that actionable? What is it that my stock analysts need to look for? Should we be looking on the dark web for evidence of compromised accounts? Looking at these kinds of intelligence helps us avoid events that cause the business to lose money.”
How do you use intelligence to focus on business line threats that are specific to the business losing money?
“I’ll give you a concrete example. Tax filing season just opened up, and like I said, we have a tax fraud team and we have switched SIEM providers in the last 18 months or so. We’ve moved to a next-generation SIEM platform, and for the first time, we started feeding our tax fraud data into that platform because my view is they’re all threats, right? And we should be trying to develop the most holistic view of risks and threats that we can. Within the first couple of weeks, we were able to basically defuse what is a big data problem when you talk about millions and millions of tax returns being filed. We’re much more able now to quickly pick up on patterns of anomalous behavior.
Is this something that is human-readable? I mean, in theory, yeah. But if you want to look at a spreadsheet with several million lines in it, you know, be my guest. It’s way easier and more effective and efficient to say, ‘OK, we know we’ve got 50 years of data on what tax filing looks like.’ It’s very easy having that data to benchmark what actionable intelligence would look like, right? You know, we see this number of returns typically in the first week that filing is open. If you suddenly see, you know, 10 times that amount coming from an IP range in China, that’s a problem. And so, being able to flag those things and react extremely quickly to them is where the power of automation and, you know, machine learning and some of that tooling comes into place. I think that’s how you get past the general threats.”
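The baseline check described above, as an added example that is not H&R Block’s code or tooling: filings are bucketed by source /24 network, each bucket’s observed volume is compared with the historical first-week expectation for that block, and blocks at ten times their baseline are flagged. The baseline figures, the filing records and the /24 bucketing are constructed assumptions; the minimum absolute count is an added guard so a block with a tiny baseline does not fire on a handful of returns.

```python
"""Flag tax-filing volume anomalies against a historical per-network
baseline (the interview's "10 times the usual amount from one IP range").

Added example, not H&R Block's code. Baseline numbers, filing records and
the /24 bucketing are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed baseline: typical week-1 filings per /24 source block, learned
# from prior seasons. Blocks never seen before get DEFAULT_BASELINE.
BASELINE_PER_BLOCK: Dict[str, float] = {
    "203.0.113.0/24": 120.0,
    "198.51.100.0/24": 80.0,
}
DEFAULT_BASELINE = 20.0
SPIKE_FACTOR = 10.0   # "10 times that amount"
MIN_COUNT = 50        # added guard: ignore ratios built on very few filings


@dataclass
class Filing:
    return_id: str
    source_ip: str


def block_of(ip: str) -> str:
    """Map a source address to its /24 block (assumed bucketing)."""
    return str(ip_network(f"{ip}/24", strict=False))


def count_by_block(filings: List[Filing]) -> Counter:
    """Observed filings per /24 block."""
    return Counter(block_of(f.source_ip) for f in filings)


def flag_spikes(
    filings: List[Filing],
    baseline: Dict[str, float],
    default: float = DEFAULT_BASELINE,
    factor: float = SPIKE_FACTOR,
    min_count: int = MIN_COUNT,
) -> Dict[str, Tuple[int, float, float]]:
    """Return {block: (observed, expected, ratio)} for every block whose
    observed volume is at least factor * expected and at least min_count."""
    flagged: Dict[str, Tuple[int, float, float]] = {}
    for block, observed in count_by_block(filings).items():
        expected = baseline.get(block, default)
        ratio = observed / expected
        if observed >= min_count and ratio >= factor:
            flagged[block] = (observed, expected, round(ratio, 2))
    return flagged


def synth_filings() -> List[Filing]:
    """Constructed sample week: a normal known block, a quiet known block,
    and an unseen block sending 250 returns (12.5x the default baseline)."""
    normal = [Filing(f"R{i}", f"203.0.113.{i % 254 + 1}") for i in range(100)]
    quiet = [Filing(f"Q{i}", f"198.51.100.{i % 254 + 1}") for i in range(30)]
    burst = [Filing(f"X{i}", f"192.0.2.{i % 254 + 1}") for i in range(250)]
    return normal + quiet + burst


if __name__ == "__main__":
    for block, (obs, exp, ratio) in flag_spikes(synth_filings(), BASELINE_PER_BLOCK).items():
        print(f"ALERT {block}: {obs} filings vs expected {exp:.0f} ({ratio}x)")
```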
How important is information sharing in intelligence?
“Information sharing, in general, has really started to come into its own through the fusion centers, ISACs, and the like. If you look at indicators of compromise, they get released publicly by law enforcement, sometimes by the federal government or the Internet Storm Center. It’s hands-on, breaches of shared service providers. For example, once they’ve identified those IOCs and get them out there, then you can actually take those and make them relevant to you by feeding them into your SIEM, feeding them into your visibility platforms, whatever they are.”
“But I think as private entities, we have to not just be on the receiving end of that data. We have to be sharing what we see in our own instances back out to the community.”
“I don’t think anybody on the white hat side of things thinks we’re winning. We’ve been getting beat down by our adversaries for years. There’s the fact that our adversaries only have to be right once, and we have to be right all the time. There’s the fact that we operate under constraints like time and money and people, and the adversaries don’t.
But ultimately, they can attack any of us, and if one of our competitors or even just a business down the street that has no relation to our company is getting attacked by the same people, we have no idea. We need to get the threat intelligence feeds bidirectional so that companies with large and mature enough security organizations can contribute back to that and make it better for all of us.”
How have you built the system, the machine, and the automation that can really handle those types of problems at scale?
“I’m not going to pretend that this is something that I’ve solved, and I don’t worry about it every single day. Any security leader worth their salt has trouble sleeping a lot. We have over 10 thousand retail locations, so physical attacks are obviously a concern.
We’ve created our information systems in such a way as to mitigate the risk of any single location having any sort of a physical event. That doesn’t mean I don’t care about them. I absolutely do. But with ten thousand locations, everything from civil unrest that we’ve seen over the last few years, particularly to potentially targeted attacks, there’s a wide variety of concerns there. Fraud is a constant problem, and of course, what we’ve seen just in the last 18 months, everything from Kronos most recently, which was not a supply chain attack, except in the sense that so many companies relied on Kronos for their punch cards, right? And if that’s a critical service to you being able to pay your employees, now you’ve got a problem with your supply chain.
SolarWinds obviously was the big wake-up call. Our board is really concerned about the supply chain and third parties. We have a pretty robust supplier risk management program. But even until relatively recently, because of the number of suppliers that you’re vetting, it’s very difficult to build and staff a team where you could be auditing your most critical suppliers constantly. And I think, frankly, those suppliers wouldn’t put up with that. I mean, if you’ve ever gone to a big supplier like Microsoft or Google or whatever and said, ‘Hey, could you fill out this security questionnaire for us?’ They’re going to tell you to go pound sand.
So, what do we do there? Well, happily, this is an area where we have a process pretty locked down. We know the questions we ask based on the data or what kind of access you’re getting. We have very specific criteria that you have to meet to be an approved supplier for us. But I think what’s happening in the marketplace is a reaction to this realization of the importance of supply chain security and third-party risk.”
What tools have empowered your team to be more effective with Intelligence?
“We implemented a cyber risk monitoring platform . . . in the last year. We loaded all of our tier-one suppliers into it. And I can tell you when the Log4j thing happened recently, it was so helpful to be able to quickly go and run a report and say, ‘All right, these are the tier-one suppliers that are showing as having Log4j outstanding as a vulnerability. Let’s go review all the contracts and see what kind of data they’re touching, whether this is an actual concern for us or not.’”
“Then we can follow up in a targeted way. Instead of treating all your vendors the same, all your supply lines the same, you can actually target based on given threats and risks. And that means you’re being much more surgical in the way you deploy your resources.”
“But, you know, as far as the CIA (confidentiality, integrity, availability) area, I think the shift for things happening and being important from a risk perspective outside the traditional firewall. You know, that’s really been growing over at least the last decade. Covid accelerated the work-from-anywhere movement, and that has accelerated the spread of where our people are and, frankly, where our data is.
Cloud services exacerbate that problem as well. My view for a while has been that we have to focus our controls as close to the data as we can. And what that means now is the perimeter is dissolved. We have micro perimeters, which are really just individuals. So, the security barrier is really all the way down at the identity level. So, we need to be tracking at the identity level what access looks like, and what authorization looks like. It’s taken a consolidated problem and made it a distributed problem.”
“There are technologies that are emerging to help deal with this, but it really is a mind shift that was going on in the industry, and it’s in the last 24 months, it’s become much more real.”
Interview 3:
Use of Intelligence for Corporate Security Programs
Ray O’Hara, Executive Vice President for Allied Universal
In episode 56, we discuss the use of intelligence for corporate security programs, usually overseen by a Chief Security Officer (CSO). We talk about some of the challenges this role faces and how intelligence can be actionable to mitigate those risks.
How have you seen the impact of intelligence in addressing risks as a chief security officer?
“Risk drives our daily activities and whether the risk is low, medium, or high. Whatever that risk is to the business, where they operate around the world, what they do, and what they manufacture, it’s really the business manager’s decision to understand what risks are facing him or her in the organization that they work in. Security’s function, really, in my view, is to bring that risk to the table, whatever that is, what options are to mitigate that risk if you need to mitigate it. But the business manager needs to be informed that he or she has that decision because they own the business and we’re advisers to the business now.
I know a lot of people won’t always agree with that, but when you think about it, I can mitigate, and you could mitigate. But really, it’s the business manager’s decision to understand whether they want to spend the money that may be needed to do that, or if they want to ensure that risk isn’t passed by or to the third party. Or they want to just understand that the risk exists, that they’re going to work around it and work with it. When I think about risk today, that’s what I think about.
Over the last several years, we’ve really transformed it into enterprise security risk management. The security function in the distant past was fences and cameras and alarms and all of that. But then, when you start thinking about the holistic risk of the organization, it involves a lot of people that touch risk. They may not recognize that they do.”
What are the different intelligence sources that are important to a chief security officer?
“You know, we could wake up every morning and read 10 or 15 pages of material about what’s happening in the world, but it doesn’t have anything to do with your organization, and it’s a waste of time. So, what we see today as a great benefit is that intelligence analysts who are dedicated to the organization, their business around the world, their partners around the world, their competitors around the world, and their suppliers around the world. So, you have the whole picture of what’s happening in your industry that’s important to you and potentially could be a risk factor that should be dealt with. I see today a lot of opportunities to be better at that.
If we think about, just think about, the supply chain for a moment. There are 40-some vessels sitting in the Port of Los Angeles waiting to divert and unload, and it’s probably going to take on average 10 days for each one of them once they get a call to pull in. So, if you’re a supply chain, material is sitting there, or it got diverted to another port that you hadn’t prepared for, then you have potential customer impact of not getting the material that they’re waiting for.
And it was actually funny yesterday, I didn’t go back and fact-check this, but there was a talking head that I saw that was talking about the same thing about the supply chain and the ships in the Port of Los Angeles. She made the comment that ‘nobody knows what’s in those containers.’ So, you don’t even know if your Christmas goods are coming that you ordered from China. And I thought to myself, how could that be true, that there’s no manifest report on the ship? But I’ll give her the benefit of the doubt because I didn’t bother to fact-check it.”
What role do you see an open-source intelligence provider playing?
“In my view, the CSO really is a statistician following a plan that’s been developed and approved by the board. It supports the company’s vision and strategy. So, I think at that point it comes down to how could I be the most efficient at this that I can be? And you certainly can’t build everything that you would need, at least in many, if not most, organizations today. So, you have to have trusted partners that can help you.”
“For example, the social media issue is all over the place and I don’t think there’s anyone individually that could monitor social media activities that would support the strategy of the company by themselves. I think you have to have partners to help you with that.”
“It’s like in the older days of technical security countermeasures, you know, checking for bugs and what have you. You can’t afford to get the equipment, keep it validated, train people to do it, and then move them around the world to effectively operate a TSCM program. So, you have to outsource that, or at least you should outsource that.
Then you have experts that stay on top of what the issues are every day. As the medium changes, they change with it. There’s a great deal of interest in social media today and what people are saying about organizations and so forth and so on. It is just too voluminous, in my view, for a person or persons to do that without some technical support and some software support that helps synthesize that information. Get that boiled down to, ‘OK, what do we have today that actually impacts the company?’”
“It might be interesting if it impacts a lot of people in the world. If it doesn’t impact, the company shouldn’t be bothered with it.”
How have you seen open-source intelligence, including social media analysis and technical digital investigations, play a role in addressing risk for the chief security officer? How has that kind of evolved over the last five years?
“There’s only so much of this that you really should do yourself if you do any. For example, we do training for our intel analysts on a regular basis, and even though some of them may have some formal intel background in whatever they did in a different life, now we’re dealing with intel about a business and the business community that the business happens to be part of.
So, it’s a little bit different than a direct terrorism-related issue that impacts the world at the organization, and the company, and the U.S. government and others like that. This is where I think you have to be very efficient and make sure that you have the right tools in place and your business knows that you have those right tools available to help it with a critical issue somewhere in the world where you can do the front-end research or have it done and turn it around in a reasonable amount of time in a document that reads easily for a business manager.”
What are some effective use cases for open-source intel that you’ve seen?
“Market entry comes to mind. You know, ‘we’re going to expand our business, we’re going to build a manufacturing plant somewhere in the world.’ Colombia, Brazil, or somewhere else. Getting the intel on that; what that community is doing and who the community is, whether their assets are there, what other competitors might be there, what the labor pool looks like, and so on and so forth. That’s critically important to the business. From the security function standpoint, that’s where the value is. That’s why we do what we do, and hopefully, we have that audience in those situations.”
“I think today a lot about social media because people want to know what people are saying about the company or individuals of the company. That’s a great tool to be able to come back and say, ‘they’re saying nothing.’ You know, there might be some kind of a threat or what have you, but oftentimes today you will look at social media first to see what’s there because it’s somewhat relatively simple.
Certainly, it’s not a Google search or a Facebook search or something like that, but there’s enough open-source information that’s readily available that can get you started in the right direction as to whether or not you actually have a problem or not. I think this is where your partners are critically important, as I mentioned earlier, to have them on your team, have them understand your company and what the culture is in your company and what it is that we’re actually looking for.
So, we’re not going to drive a lot of information that doesn’t really apply. We keep that pretty narrow. Today, we have a great scope of work and a great deliverable that everybody agrees to so that we have the basis for going forward and doing the work.”
“Open-source, as you mentioned, does play a role there, but if not 100 percent of the role. And then the next level is the darknet and the mysteries of the darknet and so forth.”
Global Consumer Brand Turns to Nisos to Assess Market Expansion Risks
When a global consumer service provider was scouting their next international expansion target, they turned to Nisos to help them assess the security and safety of the cities under consideration. Given our expertise in working with internet, geopolitical, and local country crime data, Nisos was tasked with assessing the potential risk each city could pose to the client.
Nisos analysts built tools to aggregate, geo-fence, and analyze geographic and temporal crime patterns across 10 locations. Using QGIS to create custom shapefiles, Tableau for visualization, and open-source crime reporting, Nisos produced an interactive crime map to ease pattern identification.
For lower-crime areas, Nisos provided time-of-day assessments that estimated the likelihood of crimes occurring at specific times during the day. In more crime-dense cities, where crimes were consistent at all hours, Nisos recommended the client completely avoid any neighborhoods where police-involved shootings, murder, and aggravated assaults made up a combined 70% of all violent crime.
The client used our assessments to make more informed decisions about which markets to enter, and launched in several cities and neighborhoods Nisos highlighted as having lower crime risk.
Who would generally be tasked to handle negative sentiment in social media in the open-source between the CSO and the CISO?
“Well, definitely on the CSO side, usually you might see a little bit of activity by the CISO, but if the CSO and the CISO have partnered together, then it doesn’t really matter where it comes from because they’re both on the same team. And they both should have the same goal in mind of just rectifying whatever the issue is and minimizing exposure.
It’s important for the CSO to be a strong strategy person and regularly meet with his or her counterparts in the organization at the ESRM, so if someone is touching risk in another part of the organization, then they are talking together. We used to call this the risk committee or something like that. But really, today, because the organizations are so broad, those other stakeholders in risk should have a say at the table.”
What integrations have you seen within enterprise tooling that makes it relevant and timely for a longer period of time?
“At the beginning of the day, the CSO really has to have the stage set and have the game plan developed for all kinds of contingencies. And what I find unfortunate in some cases today is that I hear about an issue. . . . and we don’t necessarily involve the business at the early stage. I think that’s a mistake, because the business is really what’s at risk here and not the individual. Not the business units, it’s the business itself . . . from a branding standpoint.
We know from history that there have been some serious issues that have developed because we went down the wrong path a couple of times. It’s always easy on Monday to say, ‘well, they shouldn’t have done that.’ Well, you know, that’s the end of the game. If they shouldn’t have done it, they shouldn’t have done it, and they should have stood up and said, ‘No, we’re not going to be able to do this.’ So, keeping data that is sensitive about others and individuals and what you have. Does that really belong in the business community, or does that belong somewhere else?”
How have you seen chief security officers put resources toward operationalizing intelligence?
“Well, I think it’s really about that relationship with the business at the highest level. If there are things that need to be monitored that are beneficial to the business and not a violation of anybody’s ethics or anything else, then they should be monitored. But I think the business needs to have that understanding of ‘that’s what we’re going to do.’
Social media is the easiest to explain today if we have a threat, a termination threat, and maybe it’s a little bit advanced, you know, maybe there’s a firearm involved in the discussion, and what have you. Maybe we want to put a plan together to monitor that person’s social media activity for a week or two or whatever the time frame is. But I really don’t think the security function should be doing that without the input of the business and, in some cases, the general counsel, so that we know that we’re doing it and we know potentially what an outcome might be.
It’s really interesting sometimes to say, ‘OK, let’s just assume that this is true, then what are we going to do about it?’ We’re putting this back on the business and saying, ‘OK, let’s just assume that it is, that Joe is doing what we thought Joe was doing, and it’s a detriment to the business.’ Is it a violation of the law? Can we turn it over to law enforcement and have them take it? And then the answer today, as you know, is that’s probably not an answer that’s going to work too well.
But the business is the one that’s at risk, so you have to inform the general counsel or the C-suite, or whomever the sponsor is on board so that there are no surprises. And if we go out and we look, and we find that ‘well, Joe isn’t really doing this anymore. It appears that he’s moved on from that activity.’ And are we done with that? Yeah, probably. But it wouldn’t be a bad idea to go monitor Joe a little bit periodically to make sure that he actually is done with it. So, we’re kind of checking both ends of the spectrum there.”
Interview 4:
Defining Metrics for Attribution in Cyber Threat Intelligence and Investigations
Sean O’Connor, Head of Global Cyber Threat Intelligence for Equinix
In episode 63, we discuss attribution in the cyber threat intelligence and investigation space and what the private sector can learn from public sector intelligence programs. We also discuss different levels of attribution, the outcomes, and the disruption campaigns that are needed to make an impact on cybercriminals around the world.
What can the private sector learn from the public sector with regard to intelligence analysis and understanding adversaries?
“The private sector has already learned quite a lot from the public sector, and for those who haven’t, there’s so much that we can look at from the public sector and take away from that and then apply it within the private sector. You look at things like the intelligence lifecycle created by the CIA, which, you know, we then adopted into the threat intelligence lifecycle or the cyber threat intelligence lifecycle. Or you look at the MITRE ATT&CK framework, which was inspired by the counterterrorism kill chain model, which would identify terrorists’ tactics, techniques, and procedures. And if that sounds familiar, good. That’s essentially the MITRE ATT&CK framework.
Also, you’ve got things like the cyber kill chain, which was developed by Lockheed Martin that shows us the lifecycle of an attack, and could also look at how the public sector has helped us to become better through doing better analysis through things like structured analytic techniques. We can thank Richard Kerr of the CIA for this. These different analytic techniques allow us to produce better products by ensuring that we produce unbiased intelligence assessments.”
“You also look at things like the private-sector hiring more and more intelligence-based talent from the public sector, which just kind of shows organic growth or organic adoption of public sector training and methodologies.”
“So, there are a number of things that the public sector has taught the private sector already. For those who haven’t listened within the private sector yet, there’s just so much information that you can glean from the public sector through those frameworks or through different analytic techniques through just the life cycle in general.
We’ve learned that going from PIRs and collecting priority intelligence requirements as part of your initial part of that lifecycle, going to collection, going to exploitation or analysis, going to dissemination, and then going to review or feedback from each of those stakeholders is helpful.
There’s already been so much that the public sector has taught the private sector and kind of how that’s evolved or been adopted by the private sector to essentially have a whole new purpose for you, which is to serve the business.”
What are the different levels of attribution needed when really defining the risk to the business?
“From a threat intelligence perspective, I think attribution is extremely important to the business within our own internal environment, as well as monitoring for emerging threats external to our environment.”
“Let’s focus on the internal for a minute. If we don’t know who’s targeted us in the past, then how are we ever going to learn to defend against them in the future?”
“Or let’s look at how we define risk to the business. A good example, especially with Log4j in recent weeks using zero-days as an example. A simple question from strategic stakeholders might be, ‘OK, well, what is the impact to the business?’
Well, do we have vulnerable systems within our environment or the specific APT group or campaign that’s currently using this zero-day in the wild? What sectors are they targeting, or what regions are the victims located? All of these can become factors when we look at defining that overall risk to the business. As far as how critical this is, do we need to prioritize patching for this zero-day over other patching that rolls together with defining that risk?”
When is it necessary that you go beyond the how and the why and start to focus on the WHO?
“So, let’s say we have an initial access broker who is known to sell or even be an affiliate of specific ransomware groups operating in Russian cybercriminal forums like access or exploit. Let’s say we’re a big energy company, and this initial access broker is advertising access to an oil or energy company that kind of fits our M.O. or what our company is and where we’re located.
Typically, those advertisements will include things like revenue of the business, geolocation of the business, and a little bit of information about the business. Then typically, once you get to DMs or private messaging with that initial access broker, you can glean a little bit more information from them.”
“From an attribution perspective or from a stakeholder perspective, really, what’s important there is the conclusion of our investigation into this. Is this us? If it’s not us, who is it? What is our assessment of who this is?”
“Obviously, because this is still an initial access broker that’s active within our sector, as well as maybe even the regions that we operate out of, this is somebody that we want to map to our business or threat model, essentially. It’s definitely somebody that would be on our radar, even if it isn’t us, and we conclude that it’s not us in that specific advertisement. From a tracking standpoint, who is targeting our industry or who is targeting us that’s extremely important.”
When is that level of attribution needed, and then how do you make that actionable?
“A few good examples of attribution that are actionable are looking at things internally. Let’s look at our phishing telemetry, or let’s look at endpoint telemetry, and identify which groups are actors or actively targeting our organization. Then we could pivot off these details. Let’s say we’ve got these five groups through our phishing telemetry that are the ones that are targeting us the most over the last year. We can pivot off that and get more granular and look at the most common tactics, techniques, and procedures that are used by these actors.”
“Now with this information, we can say to the SOC or the CERT, ‘let’s create custom rules or detections for these most common techniques that are used by the most observed actors that are targeting our environment internally.’”
“We can also do things externally, looking at the external threat landscape and mapping threats that essentially matter to our organization. So, let’s say we’re not a big energy company anymore. Let’s say we’re a financial services organization, and say we have all this ransomware victim data, which is not that difficult to get by looking at the victimology of all these different ransomware groups that have data leak sites.
So, let’s look at all the groups that have historically targeted the financial sector and which ransomware groups have done this in the last 30 days. Okay, so now let’s do a targeted threat hunt for some of the types that are associated with these, say top three or top five ransomware groups. We can now say that we have hunted for some of the most active threats that are targeting our industry.
We can even go so far as to help the SOC create custom detections that monitor for these behavioral indicators that are associated with these threats that are so active within our industry. That’s just one example at a tactical or operational level of how you can use that kind of intelligence.”
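The workflow described in this answer, as an added illustration that is not part of the original interview: rank the actors seen most in internal phishing telemetry, rank the ransomware groups that hit our sector in the last 30 days from leak-site victimology, then tally the ATT&CK techniques shared across the top actors to produce a hunt and detection priority list. All telemetry, actor names and technique mixes below are constructed sample data; only the ATT&CK technique IDs are real.

```python
"""Turn attribution data into detection priorities (constructed example)."""
from collections import Counter
from datetime import date, timedelta

# Constructed internal phishing telemetry: one record per attributed campaign
# observed against us in the last year. Actor names are made up.
PHISHING_TELEMETRY = [
    {"actor": "ACTOR-ALPHA", "ttps": ["T1566.001", "T1204.002", "T1059.001"]},
    {"actor": "ACTOR-ALPHA", "ttps": ["T1566.001", "T1204.002"]},
    {"actor": "ACTOR-ALPHA", "ttps": ["T1566.001", "T1204.001"]},
    {"actor": "ACTOR-BRAVO", "ttps": ["T1566.002", "T1204.001", "T1059.001"]},
    {"actor": "ACTOR-BRAVO", "ttps": ["T1566.001", "T1059.001"]},
    {"actor": "ACTOR-CHARLIE", "ttps": ["T1566.003"]},
    {"actor": "ACTOR-DELTA", "ttps": ["T1566.001", "T1204.002"]},
]

# Constructed external victimology, as scraped from ransomware leak sites.
TODAY = date(2022, 3, 1)
RANSOMWARE_VICTIMS = [
    {"group": "GROUP-X", "sector": "financial", "posted": date(2022, 2, 25),
     "ttps": ["T1486", "T1566.001", "T1021.002"]},
    {"group": "GROUP-X", "sector": "financial", "posted": date(2022, 2, 10),
     "ttps": ["T1486", "T1059.001"]},
    {"group": "GROUP-Y", "sector": "financial", "posted": date(2022, 2, 20),
     "ttps": ["T1486", "T1567.002"]},
    {"group": "GROUP-Z", "sector": "financial", "posted": date(2021, 11, 1),
     "ttps": ["T1486"]},                      # outside the 30-day window
    {"group": "GROUP-W", "sector": "retail", "posted": date(2022, 2, 27),
     "ttps": ["T1486", "T1566.001"]},         # not our sector
]


def top_actors(records, actor_key, n):
    """Rank actors by number of attributed records -> [(actor, count), ...]."""
    return Counter(r[actor_key] for r in records).most_common(n)


def recent_sector_victims(victims, sector, today, window_days=30):
    """Keep leak-site postings for our sector inside the look-back window."""
    cutoff = today - timedelta(days=window_days)
    return [v for v in victims if v["sector"] == sector and v["posted"] >= cutoff]


def rank_ttps(records, actor_key, actors):
    """Rank techniques used by the chosen actors.

    Primary key: how many distinct top actors use the technique (a behaviour
    shared across actors is worth a detection more than one actor's quirk).
    Secondary key: raw frequency. Ties fall back to the technique ID.
    """
    chosen = set(actors)
    freq = Counter()
    users = {}
    for r in records:
        if r[actor_key] not in chosen:
            continue
        for t in r["ttps"]:
            freq[t] += 1
            users.setdefault(t, set()).add(r[actor_key])
    return sorted(freq, key=lambda t: (-len(users[t]), -freq[t], t))


def detection_priorities(today=TODAY, sector="financial", n_actors=3):
    """Combine the internal and external views into ranked hunt/detection lists."""
    internal_top = [a for a, _ in top_actors(PHISHING_TELEMETRY, "actor", n_actors)]
    recent = recent_sector_victims(RANSOMWARE_VICTIMS, sector, today)
    external_top = [g for g, _ in top_actors(recent, "group", n_actors)]
    return {
        "internal_actors": internal_top,
        "internal_ttps": rank_ttps(PHISHING_TELEMETRY, "actor", internal_top),
        "external_groups": external_top,
        "external_ttps": rank_ttps(recent, "group", external_top),
    }


if __name__ == "__main__":
    for key, value in detection_priorities().items():
        print(f"{key}: {value}")
```

The two ranked technique lists are what you would hand to the SOC as the behaviours to hunt for first and to write custom detections against; swap the constructed lists for your own phishing and EDR telemetry and leak-site scrape.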
When is it appropriate to disrupt a threat actor that is targeting you?
“You’ve got to be really careful with disruption, especially at the enterprise level, but it is obviously important. But, it needs to be done at the right time. If you look at this from an incident response perspective, it’s kind of like remediating in the sense that if you don’t have all the facts or all the information at the time of remediation, will that adversary still remain in your environment after you remediate? This is why the intelligence collection process is so important, but the same can be said for disruption.
Look at examples like Emotet or Clop ransomware — or even TrickBot. What that shows us is that if you don’t take down the entire infrastructure or if you haven’t arrested every member of that specific group, they’re likely going to return, and you’re basically just playing whack-a-mole at that point. So, disruption is extremely important, but you need to make sure that it’s done at the right time.
What some enterprises do, and it’s mostly cyber threat intelligence (CTI) service-based vendors, is promote that they have top threat information and then share that through a blog post because, you know, ‘sales.’ But, you need to strategically do that from a disruption standpoint if you want it to be meaningful. So, less of the sales-based blog posts that share that kind of information and more of the strategic thinking of ‘how can we do something that’s actually going to put a dent in this operation or this cybercriminal operation?’”
Are there aspects of the public sector that we can take into account, of that collection-based mentality to keep collecting and collecting until the disruption point can happen?
“As an example, some of the best disruption campaigns from the private sector that have occurred have been because of successful information sharing. That’s one thing that the public sector is starting to do more of in partnership with the private sector, and there’s one thing that the private sector is starting to do more of within other entities within the private sector. The reason is that we don’t all have full visibility. Even the NSA doesn’t have full visibility, which is why information sharing is so important.
However, if something’s TLP:RED, it needs to stay TLP:RED. If something should not be shared publicly or should not be shared just for the sake of sharing, that needs to be respected. Or else we’re not going to have a successful disruption of a cybercriminal or a nation-state operation.
But some of the most successful disruption campaigns from the private sector have occurred through information sharing. I don’t want to name vendors, but a lot of vendors are coming together, working together, and sharing all the telemetry that they have through their customers. Through that combined visibility, they’re able to successfully disrupt, at least temporarily, a cybercriminal operation.”
How have you found measuring that impact is most successful?
“Have we been breached? How many incidents related to the specific threats have we observed? What’s interesting about cybersecurity is that it’s not about what you’ve done to successfully defend. Typically, you’re measured by the bad things that have happened. You don’t normally see all the good things, so it becomes difficult to measure that.
However, working with those who work within risk absolutely helps you to measure those successes. But typically, most people just see the failures that occur, unfortunately.”
How do you define impact with attribution to different stakeholders throughout the business?
“Cyber threat intelligence is a service-based discipline, and typically what I do is I’ll let the stakeholders define what is important to them through priority intelligence requirements, or IRs or PIRs. I will go to them before I even start collecting and before my team even starts collecting and ask them what is important to them.
The physical security stakeholder is probably going to be more concerned about physical intrusions or infiltrations through physical mediums, like using thumb drives like Wicked Panda APT Group. That’s a really good example of one that has historically gone in and physically infiltrated using physical mediums such as thumb drives. Say you have an ICS (industrial control system) stakeholder, threat groups who are known to target ICS, and no organizations. Obviously, historic victimology will allow us to do things like threat model for that particular stakeholder. An example is the Lyceum APT Group. They have historically targeted ICS/OT organizations in the Middle East. So, if I have a stakeholder or a customer that is located in the Middle East that fits that industry, that’s probably a threat group that I would keep an eye on and probably provide intel every now and then, where relevant and timely to that particular stakeholder.
But really, I don’t define it until I get that feedback or that initial requirement or need from each of those stakeholders. So, through that PIR process, which is the very first part of the intelligence or the threat intelligence lifecycle.
To answer your question, I think it’s important to let the stakeholder define that, and where they can’t define it, or they don’t understand it, you try and explain, you try and hold their hand and explain it to them in a way that they can understand so that you’re not just collecting nonsense or you’re not collecting non-actionable intelligence.”
How much do intelligence experts need to understand the granularity of how the company is making money and be able to translate their intel for different audiences?
“It’s extremely crucial for any intelligence analyst to understand that because otherwise, you’re not going to know your audience. I wouldn’t throw indicators of compromise over to a senior director or a VP and expect them to be receptive to what I just sent them or even understand what I just said to them. They want a very high-level overview of why we care and how it impacts the business.
It needs to be translated into a language that they can understand and that they can then either present to the board or make some kind of a business decision on, if ransomware is the top threat or if phishing is the top initial access vector. These are the types of things that we can translate to that strategic stakeholder so that they can make a business decision to say, ‘Well, maybe I should invest more in phishing intelligence or phishing security, or maybe I should invest more in ways to detect or mitigate ransomware operators,’ but that needs to be translated into a language that they understand. We can’t just say, ‘X Y Z Threat Group operates ransomware, and we have high confidence that they target this industry. These are the IOCs and TTPs associated with this group or with this operation,’ and then expect a strategic stakeholder to take that and understand it. Things need to be taken and translated into their language.
As far as knowing your audience, most SOC analysts that see a “pewpew map” typically scoff or laugh at it, because the pewpew map is not for the SOC analyst; it’s for the executive that’s walking by, or maybe a salesperson who’s walking by with a potential customer and trying to show off their SOC. Pewpew maps are typically just a visual depiction of ‘what the SOC is doing or the threats that are being observed.’ They are not necessarily for the tactical or operational folks within the SOC.
I like to use that as an example of knowing your audience. I’ve talked to some CISOs and VIPs and that message really speaks to the business, and I think it’s just a good message to continually articulate that even the threat intelligence folks can really speak to the business.
One of the things that’s really unique about threat intelligence is that as a service-based role we have to understand the needs of each of our stakeholders. CISOs or the executives or the board level may consume our intelligence at a strategic level. At the operational level . . . it’s a CERT, C-CERT, the SOC, or the vulnerability management team. At the tactical level, typically it’s the SOC analysts that are on the ground and battling every day.
Understanding each need of each of those stakeholders gives us that kind of unique perspective of what’s important to each of those stakeholders and what’s important to the business. Also, it trains us to be able to translate different deliverables or different products for each of those stakeholders. If this is going to the SOC, it’s probably going to look completely different than a report like a merger and acquisition recon report that’s going to executives. If it’s just tactical indicators like IOCs and stuff, those are just probably going to be fed through the SOC. Whereas, you know, the board doesn’t need to know that kind of information. It probably looks like Spanish to them. It gives us a unique perspective, but that’s why it’s crucial to have that understanding of what each individual stakeholder’s needs are.”
Do you think that Intel belongs in the SOC, or do you think it has a greater role throughout the business?
“I’m really happy that you asked me that question. I personally believe that threat intel should be like a floating team. And what I mean by that is if we’re under the SOC as an example, we’re mostly going to be detection-oriented. We’re going to be focused on ways that we can detect different threats and focus on things like that and focus on IOCs, et cetera.
Whereas if we’re under the CERT, we’re probably going to be reactive. If we fall under vulnerability management, we’re probably going to be mostly focused on zero-day exploits. If we operate more as a floating team, where we go from stakeholder to stakeholder and we kind of just sit under our own umbrella leadership, whether it’s under the CSO or wherever, then we have so many different opportunities to get a better understanding of the needs . . . of different teams and different departments that aren’t necessarily security.
There are different things that we could provide services to, but because of that, it gives us more visibility into not just the business, but the threat landscape as it applies to each of our individual stakeholders. Whereas if I’m on the vulnerability management team, as an example, I’m mostly going to be focused on zero-day exploits and different vulnerabilities to the business that are currently being exploited in the wild.”
“So, I think it’s really important for intelligence to float around and operate independently.”
How does that transition ultimately need to take place?
“A lot of it, unfortunately, is going to be growing pains or trial and error if they see that something doesn’t work, whether the CTI team is in the SOC or the CTI team is under a specific team, and then something happens, whether it’s an incident or something else like that, and they say, ‘Well, why didn’t we get this?’ ‘Well, it’s because the CTI team is mostly focused around this particular area instead of every particular area.’ ‘Why didn’t we track this geopolitical event that impacts the uptime of our services?’ ‘Well, because they were under incident response and these geopolitical events weren’t being tracked, and that technically wasn’t an incident; it was an external global geopolitical event that occurred.’
If CTI is focused on the external and internal landscapes and has multiple stakeholders, then we probably would have caught or tracked that geopolitical event. So, it’s really going to be trial and error for those who don’t currently adopt that model. Again, it’s probably the needs of the business. If the needs of the business translate to the CTI team being in the SOC, well, then that probably works best for them.”
On the need for a Corporate Head of Intelligence role…
“I envision, whether it’s a chief intelligence officer or chief threat intelligence officer, it will become more widely accepted over the next decade. Especially if that intelligence is not just focused on cyber threats but focused on competitive intelligence and other things that could potentially be translated into threat intelligence, I see that sort of sitting underneath the CEO, in most cases. I envision threat intelligence sitting underneath the CEO, so that is where it makes the most sense at this current time, but again, it’s all about the needs of the business.”
Interview 5:
Building an Intelligence Program to Protect Executives
John Marshall, Senior Intelligence Analyst at Okta
In episode 64, we discussed building a threat intelligence program to protect executives, particularly on nuances of being a “solution-side security company.” We discuss a risk-based approach for protecting executives and the data that’s important to aggregate and analyze. We also talk about success metrics for intelligence analysis when building an executive protection program.
Walk us through building an intelligence program from soup to nuts when you’re talking about protecting executives for a company. What does a 90-day plan look like?
“It’s not really as straightforward as it is in the military, is it? You don’t really know what tech billionaires don’t know or what they do know about the security realm. They know cybersecurity very well because this is the place where they grew up, the place where they came of age. Most younger people know about that type of security.
When it comes to actual tech executives, I think the first and most important thing is the connection to the executives. You have to be able to have someone in your chain of command that has their ear, which I think is imperative. That provides your priority intelligence requirements. If you have good priority intelligence requirements, that will give you your way forward and allow you to create that 90-day plan.
I will say this again and again when it comes to building something from scratch, and that’s to have a plan of actions and milestones. It’s a word that we throw around in the military a lot, but it is invaluable in the civilian community to do POA&M. Where are you going? What are you doing, and how are you going to get there? I think that those two are kind of built on one another.
It has to be a tiered approach. You have to look strategically first, then operationally, and then tactically. The Strategic Big Picture is making sure that people who work for you understand that this isn’t the military and that you’re focused on three main things: the security of the people, the brand, and the places.
The security of the brand is not necessarily protecting the brand but monitoring reactions to the brand. That’s what you do. So, PR people and marketing people protect the brand and put the brand name out there. But we’re the ones who are going to monitor it and find out what people are saying about it, and then with all those things in place, you need good platforms to onboard people with, whether that’s collecting current events, private investigation, travel tracking for your executives, or a company-wide messaging system that you can actually reach out and grab somebody and talk to people in the company with.
Altogether, these five things are the most important things in building what you would call a security program from the ground up for a new program.”
How do you think about using intelligence to formulate that risk-based approach to executives?
“I think that this is a really great way to approach something when you have that connection to an executive so you can get that boots-on-the-ground feel with someone in the office, or someone close to the office to find out what is actually important. I know Okta focuses on its people. We are a cloud security company that provides a single sign-on, log-in anywhere, and work from anywhere business model. For that to happen, we can’t always be focused on the places where the headquarters are, so we have to be focused on the people.
So, it’s presenting things to the executives that are going to keep your people safe and keep them in the know. Being in the know can mean being informed on the weather side, on the civil disturbance side, on whether there are protests or riots at a location, on the natural disaster side, earthquakes, tsunamis, or anything of that nature. It could be knowing things from the current events side, or other things that may or may not affect someone who’s doing software engineering for you that’s close to the Ukraine Russian border.”
“These are the things that will go into that first 90-day plan, finding out not only where everybody is, but where are the large groups of folks, and how can you best protect them? What assets do you have or not have? Or what assets would be better platform-wise to protect those people? How can we make sure that they can get to work every day, make sure that they can log in every day, and make sure that they are safe and sound?”
Nisos Investigates Online Threats and Risks to Executives
When a big tech company’s executive leadership started receiving violent threats from an unknown threat actor, they turned to Nisos to help assess the risk. The client’s executive protection team needed to understand if the threats, made with the benefit of anonymity online, originated from someone who posed a serious threat.
From the original threatening Twitter handle, Nisos mapped the social media presence of the adversary to establish an online profile that would aid analysts in identification. Nisos established that the threat actor controlled numerous social media accounts, including a suspended Twitter account meant to impersonate the client’s CEO, and was active on a separate private social media account fixated on a foreign leader.
Using these social media profiles, Nisos identified the threat actor, revealing a substantial amount of PII including addresses, phone numbers, vehicle information, and more. Nisos analysts obtained sensitive arrest records indicating the individual did not have a history of violence.
Using our analysis, the client was able to limit additional spend and resource allocation to pursue the threat, operating with confidence that the threat actor was not likely to translate online bluster into real-world actions.
When trying to assess a potential target of attack or target of opportunity, how are you getting to those answers quickly?
“This is one of those things that’s much different than in the military. In the military, you have different intelligence functions that you can call on, whether it’s COMINT, SIGINT, or HUMINT, but it kind of muddies the waters a little bit because you have experts in every field. Then you have to go and get consensus, and you have to take from that a little bit. And that’s what makes a really good, all-source intelligence professional, right?
For the civilian community, I think the two main key things, and the most important things to watch when it comes to targets that could impact our targets of opportunity are background searches and social media, especially as a military intelligence professional. I was not ready to count on social media as much as I actually do because people in the 21st century, you know, we as a people, really enjoy posting what happens in our day-to-day lives. And that really establishes a fantastic pattern of life for almost anybody who’s willing to watch. I mean, this could go anywhere from the big three, Twitter, Facebook, and Instagram, to places like Blind or LinkedIn.
If somebody’s posting one thing constantly and then all of a sudden, they start posting another, that’s usually because they change jobs. But if they didn’t change jobs, what else has changed in their life? Did they get divorced? Did they lose a family member? Did they lose someone close to them? Are they suffering from some sort of mental illness? Do they require medical assistance? We can grab so many little tidbits of information from the pictures somebody posts. I think that those are essential to establishing that pattern of life and identifying who should be targeted, who should not be targeted, and what kind of security threat they may pose.”
How do you establish if someone is part of a targeted attack and not just somebody that’s malcontent, and how would that change your approach to response?
“That’s when law enforcement gets involved, and obviously, that’s the one thing that we lack that the military does not; the ability to feed it to an action arm, to an appropriate action arm. We can feed whatever we need to law enforcement, and that’s hands down.
Obviously, we have ways of saving what we need to save, and when we perform background searches, regardless of the platform that it’s performed on, all that information gets turned over to the proper authorities. And then, of course, we have messaging apps, whether it’s something like Everbridge, Send Word Now or World Few, that we can utilize to actually reach out to that executive hands down and say, ‘Hey, are you here? We need to find you. Where are you at? Because this could be happening, and this is why it’s happening, and this is why it could be dangerous.’
Now that being said, usually, things don’t really go that way, do they? When you think about it, there are usually signs leading up to that incident… that paper bag, that rock that gets thrown through a window. Whether that’s escalatory rhetoric on someplace like Blind where most people think that they’re an anonymous user, or commenting on Okta, or Twitter, or Facebook, or any number of other publicly traded companies.
But it’s there. It’s the internet, and the internet doesn’t delete anything, and it never forgets. Sooner or later, that rhetoric will escalate to something public because people want to be seen. People want to be seen as taking that action, and that’s really what we’re counting on.”
What is important data to be used, and how do you turn that into intelligence?
“It’s really important for someone, especially if they have a background in military intelligence, to kind of put everything through the intelligence cycle. The intelligence cycle is not difficult; it’s five steps: plan, collect, exploit, analyze, and disseminate.
It’s being able to focus long enough on whatever task is at hand to realize that this has an impact on whatever agency you work for now, whether that’s anything from a private sector tech company to a public sector natural disaster reaction force like FEMA. . . . If you have that good plan of actions and milestones; what you’re supposed to do, when you’re supposed to be doing it, who you’re supposed to be doing it for, then these kinds of things fall into place by themselves.
The priority intelligence requirement is not just an acronym, and it’s not just a pretty word. It is a marching order, for lack of a better term. It is our bread and butter. I believe that if you can respond to at least one or more of your PIRs throughout the day and answer some of that mail for the people above you, then I think that, in my respect, it kind of looks like success.”
What does success look like every day, and how do you measure that?
“I think success looks like being able to pinpoint the right type of event, regardless of what kind of event that is, whether it’s a target of opportunity, whether it’s an ongoing threat, whether it’s a pandemic, whether it’s a natural disaster, and make sure you bring that information. . . if I can liken that back to the department that I support, then to me, whether that’s on a small scale or not, it is a success.
As an example, I helped one person get out of a traffic jam because traffic was backed up on the highway. It was a boring day, and I sent a text out that said, ‘Hey, watch out. There’s a car fire on the 267; take another route.’ Some guy comes into the office and says, ‘Hey man, that saved me 15 minutes. Thanks!’
That’s, to me, great success. Another one is a company retreat, and there’s a hurricane blowing through. We need to get those company personnel out of there before that hurricane hits. That’s huge. There could be anywhere between five and however many executives there are in your company, going to that retreat. To me, that’s an even bigger success, but on the sliding scale of size. But regardless, it’s still a win.”
How do you track all of these successes when there are fewer metrics available?
“I don’t know if a lot of people, a lot of military folks, keep these anymore, but we used to have something that was called a love me binder, and it was all your wins. I think it’s important not only to save your wins, but to save your losses too, because then you can actually get something that you can learn from, and you can get something that you can do better because of the intelligence cycle. What can I do better next time? How can I get this faster? How can I get it to more people, even if it’s one minute, 10 minutes, 20 minutes, or 24 hours quicker? How does this equate to my next event that could pop up?
That continual improvement is one of those things that I always harp to anybody that I’m mentoring. Keep your wins because you’re going to need those when somebody asks what you do. Security is one of those things that doesn’t make you any money. There’s no return; I mean, we’re not creating anything. It’s not a moneymaker, but it’s not a black hole, either, because we provide a service. It’s an important service because we are keeping those people who make the money safe, we are keeping them at their computers and their jobs, and we are keeping them whole and interested in the company that they work for. So, I think that tracking your wins and your losses for continual improvement’s sake is critical to any security professional’s cycle of what they should be doing.”