How to Overcome the Pitfalls of Poor Organizational Intelligence

Sept. 10, 2021
What security teams need to get ahead as the threat landscape continues to expand

Corporate security teams face a critical juncture. Today, the array of threats posed to disrupt businesses only intensifies, while the systems and methods organizations use to assess the potential for trouble often fail to keep pace. The result is incomplete intelligence gathering, lack of visibility into the exact nature of threats, and increased risk exposure.

The current list of threats ranges from continuously evolving cyberattacks and business espionage to geopolitical instability and terrorism. Natural disasters, extreme weather, and the ongoing novel coronavirus pandemic compound matters. Threat actors, for example, have launched ransomware attacks against hospitals, knowing their vulnerability amid expanding patient caseloads due to COVID-19. Against this backdrop, corporate security personnel must safeguard senior executives, employees, intellectual property (IP), supply chains, and brand status, to name just a few corporate assets.

It's a daunting challenge. Lives, property, and corporate reputation are all at risk when an enterprise's ability to properly evaluate and respond to threats is impaired. Indeed, many corporate risk mitigation approaches struggle to deal with the constantly shifting threat landscape.

Limits of Current Methods and Tools

The problem stems, in part, from outmoded investigative methodologies. Organizations naturally settle on practices that have worked in the past. They may confine their threat scanning to a small number of social media platforms, for example. Such narrowly focused inquiries, however, fail to account for fast-moving changes in web-based platforms, forums, and chat groups. Users discouraged from posting inflammatory messages on one mainstream platform will frequently move to lesser-known, alternative platforms.

But the social media platforms – and their millions of users – found on the surface web are just the beginning. Corporate security teams must also keep tabs on information sources and repositories housed in the deep web and the dark web, both of which are not indexed by conventional search engines. Those web layers contain a multitude of data that could threaten a business. The dark web, in particular, harbors numerous sites and markets trafficking in login credentials, trade secrets, email addresses, credit card numbers, and tools for engaging in cyberattacks. Dark web forums, which suddenly surface and just as rapidly disappear, can also contain information relevant to a corporate security investigation.

In short, the organization still dependent on social media channels for threat assessment needs to broaden its horizons.

Another important weakness hampering corporate security: investigative tools with limited functionality. Threat intelligence platforms, offered by third-party service providers, serve as the default investigative systems for many corporate security operations. Such a platform is designed to alert a security analyst about a threat, but it doesn't provide much assistance with vetting threats or creating an effective response.

In addition, relying on a single intelligence service provider limits an analyst's ability to tap additional sources to validate a threat and determine its scope. Organizations that can't readily determine the severity of a threat run the risk of over-reacting and assigning too many resources to the response or, conversely, underestimating the threat and devoting too few. A disproportional response is the direct result of a one-dimensional notification. So, while a threat intelligence platform provides a useful service, it's only one part of the threat identification and response toolkit.

What Organizations Need to Run an Investigation

An investigative platform should, ideally, cover all parts of the intelligence cycle, from planning and data collection to processing and analysis. A system that spans all those components, providing end-to-end automation, forges the critical linkage between notification and response.

Other platform qualities to consider include breadth of monitoring. Analysts should be able to define the scope of monitoring based on their own parameters, which could include geolocation data, hashtags, keywords (such as the names of executives, brands, or other corporate assets), and advanced Boolean operators. Monitoring should also cast the widest possible net across the surface web, deep web, and dark web, pulling in data from social media platforms, forums, and news sites among other sources.

The wider the reach, the better organizations can protect their assets. Thorough monitoring can help determine whether threat actors are using the company's brand for nefarious purposes on a dark website or transferring its intellectual property.

Monitoring will eventually generate alerts, which security analysts must be able to access whether they are staffing the intelligence platform or away from it. Analysts won't be attending to the console at all hours waiting for an alert to pop up, so a platform must provide alternative notifications – via email, for example.

The platform must also help analysts quickly determine the extent of the threat, and whether it has met their threshold for launching an investigation. As noted, the ability to verify a threat notification against other sources of information makes for a well-informed and proportional response.

Roles for Artificial Intelligence

Those attributes when combined with artificial intelligence (AI) provide the basis for a modern web intelligence (WEBINT) platform.

Once an investigation begins, security analysts face the task of analyzing potentially staggering amounts of data. Here is where AI becomes a necessity for an effective intelligence platform. AI helps with aggregating different pieces of information relevant to the investigation. This data gathering step enables analysts to see a much bigger picture than they could using manual data collection methods. What's more, manual approaches can take weeks, if not months, to yield actionable intelligence. Organizations protecting a wealth of assets don't have the luxury of waiting that long. Platforms infused with AI, in contrast, can handle many data aggregation tasks in a matter of minutes.

AI algorithms also play a role in creating custom search parameters, guiding the hunt for data based on a security analyst's criteria. The AI capability also correlates disparate pieces of data that help unmask threat actors through de-anonymization and identity resolution. Importantly, the experience and intuition of the individual analyst is never abandoned during the investigative process. AI and the related fields of machine learning and natural language processing augment, rather than replace, the analyst.

Integration is another important characteristic of a WEBINT platform. Analysts shouldn't need to pivot from desktop to desktop or window to window to vet alerts and analyze data. A single-pane-of-glass approach, in contrast, provides for much more efficient and timely investigations.

Not to be overlooked, an intelligence platform must also protect the identity of the security analysts conducting the investigation, especially if they are probing the dark web. Threat actors have set traps to lure investigators, so the platform needs to possess non-attributable production layers and robust cybersecurity enablement.

Finally, there may come a point when a corporate security team needs to turn over an investigation to law enforcement officers. An evidence collection platform within the overarching WEBINT platform becomes an important feature for preserving data for use in police investigations and any resulting litigation. Since dark websites come and go, organizations need the ability to capture and silo off the relevant data before it disappears.

Benefits of a Modern Intelligence Platform

A modern WEBINT platform helps organizations conduct targeted searches, cover a wide range of information sources on all layers of the web, and accelerate investigations. Those are the general advantages of the technology, but there are specific benefits as well:

  • Expanded situational awareness

Legacy platforms offer limited coverage and limited ability to assess threats and discern their impact. Security analysts end up working with an obstructed view of the threat environment. The modern platform, however, provides a wide-angle view of the threat and offers analytical capabilities that help security organizations comprehend the environment and take appropriate actions.

  • Improved KYC compliance

Financial institutions must comply with know-your-customer (KYC) requirements or risk fines and reputational harm. Client identification and verification are pivotal tasks under KYC. An up-to-date intelligence platform supports those customer due diligence activities.

  • Better vetting of employees and business partners

Due diligence isn't restricted to customers. A WEBINT platform can help security teams conduct more thorough background checks on employees and partnering candidates. This benefit can prove particularly helpful for organizations employing people in countries where local HR rules and practices aren't as stringent.

  • Sharper internal investigations

Internal investigations – sexual harassment and digital stalking, for instance – can also benefit from a comprehensive intelligence platform. A solid platform and a bit of tradecraft can keep organizations on the front foot and mitigate the risk of litigation.

  • Higher visibility into wayward IP

A WEBINT platform with cybersecurity capabilities can also help corporate security teams keep tabs on IP and uncover source code dumps or data leaks. Confirming that a breach has occurred is, of course, the first step toward containment and incident response.

Representative Use Cases

With those benefits in mind, let's drill down into specific intelligence platform use cases:

  • Assessing attacks through social media

As soon as a terror attack or natural disaster occurs, a lot of social media chatter is generated long before traditional news media outlets commence coverage. Whether it is hurricanes, floods, wildfires, active shooter events, or terror attacks, citizens take to social media to share videos, images, and other first-person accounts, as well as to ask for help or give status updates.

It is at this juncture that corporate security teams would be proactively alerted about the incident as their AI-powered web intelligence capabilities pick up the event occurrence from monitored social media channels. They would then immediately start tracking events and their impacts. The objective would be to determine the immediate and future threats their employees, properties, and assets could face from the critical event. The use of automated AI-driven web intelligence would help them analyze massive amounts of data very quickly. Based on the data obtained they could determine whether employees should evacuate or shelter in place, what threat buildings and infrastructure could face, and what impact the event may have on their supply chains.

  • Uncovering doxing campaigns and data breaches

Threat actors engage with all levels of the web to gather personal data on individuals – from government officials to company executives. Such sensitive data may be posted on difficult-to-access deep and dark websites. An intelligence platform able to scan those areas can alert corporate security teams to a doxing campaign, allowing them to get on top of the potential for violent acts against targeted individuals.

Consider the incidents in which email addresses, passwords, and the proprietary source code for a piece of technology critical to the security of assets and devices were dumped on open-source coding sites. The threat actors knew where the information came from, yet the corporate security team was oblivious to the events as they unfolded. Only once they were made aware by third parties did they try to mitigate the damage, but by then it was too late.

Had the corporate security team had technology in place that alerted them the minute corporate intellectual capital was exposed, they could have proactively moved to resolve the issue and its associated risks. Key to the resolution process would have been the ability to deanonymize the threat actor, find where the exposed assets were being placed, take them down before any additional damage was done, and then collect all the necessary data and hand it over to the authorities for further investigation and prosecution.

  • Reporting on suspicious activity for FinCEN

The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, recently issued a human-trafficking advisory for financial services firms. The document provides guidance for covered institutions on identifying transactions that could indicate human trafficking. For example, FinCEN encourages organizations to cross-check customers making transactions in different geographic regions within the U.S. against "travel and transactions in and to foreign countries that are significant conduits for human trafficking." A WEBINT platform can help financial institutions uncover those types of connections and enable suspicious activity reporting.

Conclusion: Gaining an Edge Through Web Intelligence

Cyberattacks, political strife, natural disasters – and sometimes multi-modal threats – create an unpredictable environment for the enterprise. Investing in a modern WEBINT platform, integrated with AI capabilities, can help security teams quickly and decisively evaluate and respond to threats. And when such platforms are used to vet business associates or verify customer identities, they let organizations avoid problems before they occur.

Enterprise security managers and corporate risk officers should take the time to assess their investigative techniques and supporting technologies. Are they up to the rigors of the current threat environment? If not, perhaps it's time to upgrade. A company's well-being may depend on it.

About the author: Johnmichael O'Hare is the sales and business development director of Cobwebs Technologies (www.cobwebs.com). He is the former Commander of the Vice, Intelligence, and Narcotics Division for the Hartford (Connecticut) Police Department. Contact him at [email protected]