Step Change in Security Threat Assessment: Open-source enabled persistent threat monitoring

New Zealand Security Magazine - June-July 2024

Threat monitoring
Threat landscapes evolve – threat vectors change, threat actors enhance their capabilities. Image: Unsplash.

The challenges of open source threat assessments can be avoided by subscribing to a persistent threat monitoring service, writes Chris Proctor, Senior Associate Security Consultant with Beca Applied Technologies.


I’ve always had a problem with security threat assessments. Probably not a great thing for a security practitioner to say, however, there it is.

My concerns primarily relate to the lack of information sources available to corporate organisations, the lack of analytical expertise to effectively translate what little information there might be into actionable security threat intelligence and the static nature of threat assessments.


The Information Issue

Let’s explore the first of those issues – the lack of relevant information to inform the first part of the threat equation – capability and intent.

This isn’t really an issue if you are within the trusted environment of central government and associated agencies as there is a clear route to high level, classified intelligence from a range of sources. It does become a significant issue if you are outside that circle or operating in the commercial environment. The sources typically available to you include:

  • National Threat Levels – rather anaemic reporting of generic national threats with no real way to apply this to your particular environment.
  • NZ Police Crime Snapshot – a very general view of crime in the wider neighbourhood in which your organisation is located. Again, there is little or no way to tie this to your own operations. What is the real worth of knowing that serious assaults in your geographic area have increased by 7.8% over last year?
  • Wider organisational threats – you can look at the wider threats posed to your organisation as a whole and then try and apply them specifically to a location, person or asset.
  • Neighbourhood scanning – reviewing what is in the neighbourhood is a good way of identifying potential threat actors and collateral threats but is unlikely to provide you with information on any specific threats to your organisation.
  • Review of past incidents – this can provide you with a feel of how vulnerabilities have been exploited in the past but, hopefully, you will have addressed those vulnerabilities so past incidents may not really reflect future threats. The quality of internal security incident reporting can be variable and insufficient to draw reliable conclusions.
  • ‘Googling’ – everyone’s go-to intelligence source. As a tool, it may provide some information that will be of use to you, but remember – it is information, not intelligence. It’s what you do with it that makes the difference.
  • Local contacts – your security manager or consultant might have contacts within the trusted environment mentioned earlier who they can still ‘tap up’ for information. The privacy, legality and usability of such information must always be considered. This information and how it was obtained might actually adversely affect your threat-scape.

All in all, these sources provide a broad brush view of the threats you face. With such a vague, mainly uncontextualised information set, how can you derive insightful and actionable intelligence?

The Analysis Issue

My other bugbear is analysis. Information on its own does not provide you with any real benefit. It’s the ‘so what’ that really adds value. 

That’s why it is critical to view the information collected through an analyst’s lens. Information becomes the ‘feedstock’ for the analytical process and that process is not a simple one. It’s an objective, reasoned approach aimed at combining seemingly unrelated pieces of information into a cohesive picture and developing new perspectives. 

The New Zealand Institute of Intelligence Professionals (NZIIP) Intelligence Practitioners Handbook is a fantastic source of information on a range of divergent and convergent structured analysis techniques that most trained intelligence analysts will be familiar with. It is only by the application of such techniques in a measured way that true intelligence can be gleaned.

It makes sense therefore that, in order to deliver any form of meaningful security threat assessment, you need to have a trained and experienced analyst on board to help you make sense of the information you are able to gather.


The Point in Time Issue

Thinking about most security projects, when does a security threat assessment take place? Normally, right at the start and then, depending on the security maturity of the organisation, it might get reviewed on an annual or biennial basis thereafter.

So, for up to two years, the only likely indicator an organisation might get that their threat landscape has changed is when a security incident takes place. Hardly a proactive approach. For some organisations, it never gets reviewed but rather sits as part of the risk governance documentation and is used when a new project or audit is initiated.

You can sense my frustration – a security threat assessment is only valid at the moment it is completed. From that moment on, the threat landscape evolves – threat vectors change, threat actors enhance their capabilities, and the organisation’s aims, values and operational ways of working may also change, all leaving the threat assessment floundering in their wake.

A solution

That then is the problem set that we looked to address. How could we inject energy and impetus into the threat assessment process, elevating it from a point in time effort to a dynamic and enduring, behind the scenes activity that adds value and provides the risk/security leadership of an organisation with a timely view of their security threats, enabling proactive decision making rather than reactive responses?

The solution – a targeted, open-source enabled persistent threat monitoring service. 

Understanding that, in these network-enabled times, threats can emerge as posts, chatter or threads online in forums or social media, news posts or other online sources, we set out to find a way to harvest this information and turn it into actionable insights. Not an easy undertaking as the surface web, available to the average user through a search engine such as Google, makes up only 10% of the world wide web. 

Given that the surface web contains over 4.5 billion web pages, and the deep web is 400-500 times that size, how do you know what to look for, and where to look for it…?

Privacy

Given that privacy is on everyone’s mind at the moment, one of the first things we did was to explore the legal and ethical implications of open-source intelligence collection and analysis. The definition of open source that we have chosen is the methodical collection and exploitation of information from free, publicly available, and legally accessible sources to fulfil a specific intelligence requirement.

Publicly available information does not require clandestine collection techniques to obtain. It is obtained through means that meet the copyright, commercial and privacy requirements. We have mapped our service against our obligations under the Privacy Act 2020 and have undergone successful legal and privacy scrutiny.

Our Solution

In short, by using world leading open-source intelligence gathering and analysis tools, we will create and manage bespoke information searches across publicly available social media and internet sources including the World Wide Web, dark and deep web to identify potential or actual threats against our clients’ organisations. 

Our highly experienced analysts will engage with clients to identify potential threat triggers, targets and vectors and will develop insightful tripwire and periodic reporting criteria, delivering actionable insights and threat information in a timely manner.

How it works

Direction

It all starts off with us sitting down with our clients and understanding the threat vectors and potential threat actors that are causing them concern. We’ll work with the client to understand their specific threat intelligence requirements, how often they require updating, and the threshold for our tripwire, or immediate, reporting option.

Collection

Our intelligence analysts will take this insight and convert it into a collection plan – what we are looking for, where we might find it and how we go about constructing searches to extract it.

Processing

Our analysts will collate and evaluate the information – seeking to remove the ‘noise’ and ensure the currency and relevance of the information. Then comes the magic – application of analytical techniques and processes to extract the ‘so what’ out of the information, turning it into actionable intelligence.

Dissemination

This final phase sees the intelligence being passed to our clients in the form and periodicity that they have requested. We will also look to deliver critical intelligence (such as imminent protest activity or intent to commit a harm act) as soon as we get it – something we’re calling ‘Tripwire’ reporting. 

As with all circular models, this is a never-ending loop. The dissemination phase includes a review process to ensure that we are collecting the right type of information, that the intelligence meets the clients’ requirements, and that the client’s situation has not changed. Ultimately, we envisage that our Persistent Threat Monitoring service will provide significant value to organisations, regardless of their role or market sector by delivering peace of mind and value for money via a subscription service that delivers savings.
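The four phases above (Direction, Collection, Processing, Dissemination) can be read as a pipeline. The following Python sketch is an added illustration of that loop and is not Beca's tooling or code from the article: a client's direction (targets, threat vectors of interest, tripwire terms, currency requirement) is turned into processing rules that de-duplicate collected items, drop stale items and noise, score what remains, and route anything matching a tripwire term to an immediate report while the rest goes into the periodic report. The client name, search terms and sample posts are all constructed for the example.

```python
"""Toy intelligence-cycle pipeline: Direction -> Processing -> Dissemination.

Added example, not the service's own code. All names and posts are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Direction:
    """Phase 1 (Direction): what the client asked to be watched for."""
    client: str
    targets: tuple          # organisation names, sites or people of concern
    concerns: tuple         # threat vectors worth periodic reporting
    tripwire_terms: tuple   # terms that justify immediate ('Tripwire') reporting
    max_age: timedelta      # currency requirement for collected information


@dataclass(frozen=True)
class Item:
    """Phase 2 (Collection): one collected piece of information, not yet intelligence."""
    source: str
    text: str
    seen_at: datetime


def _mentions(text, terms):
    """Return the subset of `terms` that appear as whole words in `text` (case-insensitive)."""
    return tuple(t for t in terms
                 if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE))


def _fingerprint(text):
    """Normalise whitespace and case so the same post from two sources is seen as one."""
    return " ".join(text.lower().split())


def process(items, direction, now):
    """Phase 3 (Processing): de-duplicate, drop stale items and noise, score and route.

    Returns (tripwire_records, periodic_records, discarded) where discarded is a
    list of (item, reason) pairs so the review step can see what was filtered out.
    """
    tripwire, periodic, discarded = [], [], []
    seen = set()
    for item in items:
        fp = _fingerprint(item.text)
        if fp in seen:
            discarded.append((item, "duplicate"))
            continue
        seen.add(fp)
        if now - item.seen_at > direction.max_age:
            discarded.append((item, "stale"))
            continue
        if not _mentions(item.text, direction.targets):
            discarded.append((item, "noise: no client target mentioned"))
            continue
        concerns = _mentions(item.text, direction.concerns)
        if not concerns:
            discarded.append((item, "noise: no threat vector of interest"))
            continue
        urgent = _mentions(item.text, direction.tripwire_terms)
        record = {"source": item.source, "text": item.text,
                  "concerns": concerns, "urgent": urgent}
        (tripwire if urgent else periodic).append(record)
    return tripwire, periodic, discarded


def disseminate(tripwire, periodic, direction):
    """Phase 4 (Dissemination): one immediate report per tripwire hit, one periodic digest."""
    reports = [{"client": direction.client, "kind": "tripwire",
                "priority": "immediate", "items": [r]} for r in tripwire]
    if periodic:
        reports.append({"client": direction.client, "kind": "periodic",
                        "priority": "scheduled", "items": periodic})
    return reports


# Constructed sample direction and collected items (hypothetical client "ExampleCo").
NOW = datetime(2024, 6, 15, 9, 0, tzinfo=timezone.utc)
DIRECTION = Direction(
    client="ExampleCo (hypothetical)",
    targets=("ExampleCo", "ExampleCo head office"),
    concerns=("protest", "break-in", "threat"),
    tripwire_terms=("protest", "threat"),
    max_age=timedelta(days=30),
)
SAMPLE_ITEMS = (
    Item("forum", "Anyone joining the protest at ExampleCo head office this Friday? Bring banners.", NOW - timedelta(days=1)),
    Item("social", "anyone joining the  protest at ExampleCo head office this Friday? Bring banners.", NOW - timedelta(days=1)),
    Item("news", "Local paper reports several break-in attempts at the ExampleCo warehouse this month.", NOW - timedelta(days=2)),
    Item("social", "Massive protest planned downtown next month.", NOW - timedelta(days=1)),
    Item("forum", "The ExampleCo protest last year was huge.", NOW - timedelta(days=400)),
    Item("news", "ExampleCo opens a new warehouse in Hamilton.", NOW - timedelta(days=3)),
)


def run_cycle(items=SAMPLE_ITEMS, direction=DIRECTION, now=NOW):
    """Run one pass of the loop; returns (reports, discarded) for the review step."""
    tripwire, periodic, discarded = process(items, direction, now)
    return disseminate(tripwire, periodic, direction), discarded


if __name__ == "__main__":
    reports, discarded = run_cycle()
    for rep in reports:
        print(rep["kind"], rep["priority"], [r["source"] for r in rep["items"]])
    for item, reason in discarded:
        print("discarded:", reason, "|", item.source, "|", item.text[:40])
```

On the constructed input this yields one immediate report (the forum post about a protest at the client's head office) and one scheduled report (the break-in news), while the duplicate social-media copy, the stale post, the protest with no link to the client and the neutral news item are set aside with a reason each, which is exactly the material the review loop needs to judge whether the collection plan is still tuned to the client's situation.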
