Today, cyber threats come in a variety of forms. Whether intended to disrupt an organization's business activities or to steal valuable company or customer data, hacks, phishing attacks (a form of internet fraud targeting credit card and social security numbers, user IDs and bank account passwords) and data breaches are part of the new business reality.
Because of the nature of some attacks (hackers are often very good at covering their tracks), many go undetected for long periods of time. The 2015 Data Breach Investigations Report from Verizon shows that more than 80 percent of attacks are able to compromise a system in just a few days, while less than 30 percent of attacks are discovered in the same time period. The gap between an attack and its eventual discovery is growing, which means that organizations (and their customers and employees) remain exposed and vulnerable to the consequences of such attacks.
For financial institutions, the information security implications of this new reality go beyond mere firewall and intrusion detection technologies. New approaches are needed: forensic analysis, which enables an in-depth understanding of previous events in order to prevent future attacks, and open-source intelligence (OSINT), which can narrow this detection gap or even anticipate new attacks. Both require team members who are more like three-letter agency analysts than pure software engineers.
While OSINT is not new, it is, surprisingly, not widely used outside the realm of government agencies. When it is employed inside the enterprise, it is primarily used to protect physical assets, monitor reputation, or analyze innovation trends. It is rarely part of a cyber security strategy. This is a mistake. Even very simple information analysis techniques, such as monitoring social media or the deep web in real time for hacking activities that mention your organization, partners or competitors, can help organizations be more proactive in dealing with cyber threats by reducing the time it takes to detect them before they become attacks.
Today’s Cyber Threats Require a Multi-Level Approach
Recent advancements in technologies for threat intelligence and security information and event management (SIEM) mean that a variety of options are available. However, technology alone is not enough. Included in the overall corporate intelligence strategy, OSINT can support a multi-level approach to cyber threat intelligence and can be used specifically to support targeted activities, for example:
- Reveal ongoing threats. Working with an established set of targets, you can filter relevant open sources to identify questionable activity.
- Create a threat assessment from the cyber attacker’s point of view to expose vulnerabilities in security or in other business or supply chain interests that a hacker could use to their advantage.
Given the enormous and growing amount of information available, you will want to utilize an advanced approach that can replicate human understanding and human intelligence in filtering out what does and does not matter.
Let us look at a sample OSINT operation in action. “ACME Ltd” would start by acquiring as many relevant internet sources as possible by filtering traditional search engine alerts (starting from simple patterns like "ACME hack" "getting ACME email," etc.), and adding other relevant sources. All of this content would then be added into an advanced analysis platform that includes a rich set of intelligent criteria to filter what is relevant in real time using text analytics or cognitive computing features, for example. Oddly enough, hackers often boast about their conquests on social media, and have been known to use public forums to share URLs that have been breached and that remain unprotected.
Similarly, you would also want to search for some common hacking request patterns such as: “inurl: ACME.com ‘login:*’ ‘password= *’ filetype:xls” or “site:www.ACME.com inurl: administrator_login.asp,” as well as instances of insiders (employees, vendors or partners) sharing confidential company or project-specific information in forums, comments or social media posts.
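The filtering step of the operation described above (a watchlist of your own and your partners' names, co-occurrence with hacking-related terms, and credential-like patterns) can be reduced to a small relevance scorer. This is an added example, not code from the article; the organization names, the weights and the feed lines are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed watchlist: your own organization plus a supplier, with the aliases to match on.
WATCHLIST = {
    "ACME Ltd": ["acme", "acme.com"],
    "Globex (supplier)": ["globex"],
}

# Terms whose co-occurrence with a watched name suggests hostile activity rather than ordinary news.
# Each entry: (label, regex over lower-cased text, weight). Stems match "hacked", "dumping", etc.
THREAT_PATTERNS = [
    ("hack", r"\bhack", 2),
    ("breach", r"\bbreach", 3),
    ("dump", r"\bdump", 2),
    ("leak", r"\bleak", 2),
    ("dox", r"\bdox", 2),
    ("creds", r"\bcred(?:s|entials?)\b", 2),
    ("exploit", r"\bexploit", 2),
]

# Shapes that look like shared credentials or dumped records ("login: x", "password= y").
CRED_RE = re.compile(r"\b(?:login|user(?:name)?|pass(?:word)?)\s*[:=]\s*\S+", re.I)

@dataclass
class Alert:
    target: str
    score: int
    reasons: list[str] = field(default_factory=list)
    text: str = ""

def score_post(text: str) -> Alert | None:
    """Return an Alert if the post names a watched entity alongside threat indicators, else None."""
    low = text.lower()
    target = next((name for name, aliases in WATCHLIST.items()
                   if any(re.search(rf"\b{re.escape(a)}\b", low) for a in aliases)), None)
    if target is None:
        return None  # not about us or our partners: ignore, whatever it says
    score, reasons = 0, []
    for label, pattern, weight in THREAT_PATTERNS:
        if re.search(pattern, low):
            score += weight
            reasons.append(label)
    if CRED_RE.search(text):
        score += 4
        reasons.append("credential-like pattern")
    return Alert(target, score, reasons, text) if score > 0 else None

def triage(posts: list[str], threshold: int = 3) -> list[Alert]:
    """Filter a feed down to the posts worth an analyst's time, highest score first."""
    alerts = [a for a in map(score_post, posts) if a and a.score >= threshold]
    return sorted(alerts, key=lambda a: a.score, reverse=True)

# Constructed sample feed mixing benign mentions, unrelated chatter and genuine signals.
SAMPLE_FEED = [
    "ACME Ltd reports record quarterly results",
    "lol just hacked acme, dumping their logins tomorrow",
    "acme.com portal creds: login: admin password= hunter2",
    "globex breach confirmed, 10k supplier records leaked",
    "my acme brand toaster broke again",
    "huge bank hacked last night, details soon",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_FEED):
        print(f"[{a.score:>2}] {a.target}: {a.text}  <- {', '.join(a.reasons)}")
```

In a real deployment the feed would come from search-engine alerts and social media or forum APIs, and the weights would be tuned against what your analysts actually escalate.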
OSINT is not just for detecting cyber threats, nor only for large organizations. A national financial institution may implement a more comprehensive open source intelligence program that focuses on cyber threats, but also monitors key stakeholders, supply chain partners and third-party suppliers, executives and more, to protect brand reputation and minimize supply chain disruptions. OSINT can also be a core component of anti-money laundering (AML) compliance activities. Perhaps surprisingly, OSINT is also especially effective for two very well-known activities: know your customer (KYC) and enhanced due diligence (EDD).
For financial service institutions, KYC compliance requires that companies regularly scan the internet for any data that might indicate corruption or risks related to their customers or potential investment assets. Implementing a structured OSINT process for cybersecurity purposes, as described above, will also significantly benefit pure AML compliance by ensuring real time monitoring, instead of the traditional quarterly analysis on a predefined list of names, and a larger, more dynamic scope of sources, which are typical of a structured OSINT process.
At the same time, organizations whose budget cannot support a full cyber solution can still benefit from similar techniques as part of a broader risk mitigation strategy to address a specific threat area, for example.
Conclusion
When it comes to protecting against cyber security risks, there is no one-size-fits-all solution. Where traditional approaches fail to protect against an ever-evolving threat environment, the best approach is one that, at a minimum, allows you to take advantage of information that is readily available to shift your strategy from reactive to proactive. A multi-level approach that uses OSINT for threat mitigation can be applied to a range of uses (and for a variety of budgets), from a comprehensive solution, to one that bridges the gaps in a traditional risk approach, to one used to target specific areas. Finally, although there are plenty of options for outsourcing OSINT, the value an organization gains by acquiring skills in this area as part of a capability developed and managed in house will significantly outweigh the complexity of implementing it, and will add significant value today and tomorrow.