Overcoming Five Preventive Intelligence Hurdles
Corporate assets aren't what they used to be in this age of digital transformation.
A modern enterprise's products and services increasingly exist online or in software code. Technology-based platform companies command enormous market capitalizations. Even physical goods have a digital dimension with the emergence of smart, connected products.
The COVID-19 pandemic, with its restrictions on in-person transactions, has further accelerated digitalization. Services from medical consultations to gym workout routines have gone online. In short, corporate assets are increasingly digital assets.
For security professionals, the boundaries they must defend are amorphous and fluid. Physical assets, of course, typically remain under the purview of corporate physical security management. But digital assets must be elevated to equivalent levels of oversight. With so many enterprises depending on digital technology for internal business processes, sales, and customer service, any disruption will damage a company’s brand, reputation, and relationships.
But it’s not all about business. Fast-moving and constantly evolving cyberattacks now put an enterprise’s customers in harm’s way. Ransomware attacks on hospitals, for example, can interrupt patient care. Tightly intertwined cyber–physical systems are at risk, from patient monitoring to industrial control.
This complex environment calls for the implementation of preventive intelligence, an approach that spans the online and physical worlds. Preventive intelligence delivers a 360-degree and integrated capability that allows companies to proactively protect digital assets and their ties to tangible physical assets, from buildings to machinery. It helps to proactively detect and analyze threats from across the online world, at all levels, in real-time. In addition, it enables security personnel to identify the connection to threat actors in the physical world so they can plan and implement proactive intervention strategies and tactics to mitigate developing risks. This last aspect is the area that many corporate security teams find challenging.
For example, a pharmaceutical company has developed a unique drug. The company would leverage preventative intelligence to ensure that it protects the formula of its drug; the manufacturing process, including production machinery and all digital assets used in drug production; facilities where the drug is manufactured; and its distribution and supply chain all the way to the customer.
If threat actors were planning something on the Dark Web, the pharmaceutical company would be proactively alerted that there is a threat, and it would move to obtain additional information and deanonymize those involved and their networks. The company would ensure its digital and physical assets are adequately protected, disrupt the threatening activities both physically and online, and bring in law enforcement agencies where necessary. The entire event would ideally be resolved with all company assets intact and protected.
But for an organization that has yet to come to grips with appropriate digital asset protection, preventive intelligence can prove out of reach. There are five main challenges corporate security teams must address to develop a preventive intelligence regimen.
Inaccurate Identification and Location of Key Digital Assets
A business can’t protect its digital assets if it lacks detailed information on what they are and where they exist. So, the first obstacle in the path of preventive intelligence is the ability to accurately identify these assets, which could include computer networks, databases, online digital services, and digital communication channels such as social media feeds belonging to the company and all its C-suite executives.
The more comprehensive the environment, the bigger the asset identification challenge. A corporate security operations center must proactively scan the company’s digital footprint to identify and locate new key digital assets, which could include online marketplaces, intellectual property, and, in the case of global organizations, international points of presence.
This process should also assess any weaknesses in cyber defenses—email accounts that could be compromised and network vulnerabilities, for example. Digital assets and attack surfaces are always in flux, so environmental scanning won’t succeed as a one-time effort. Organizations must continuously maintain this protective shield, especially at a time when digital services and online marketing campaigns rapidly proliferate. Those activities have become increasingly difficult to track, due to their distributed nature. The central IT department isn’t the only group that develops and manages digital aspects of the business.
According to Gartner Inc.'s forecast, 80 percent of technology products and services will be built by non-technology professionals by 2024. The rise of technology development beyond the traditional IT group means that corporate security personnel must be prepared to deal with business functions such as marketing expanding the digital domain. Newly created digital assets need immediate protection, whether they are new digital business services or social platform-based marketing campaigns. But that won’t happen if an organization lacks a systematic process for patrolling its digital footprint.
Lack of Early Warning System that Keeps Tabs on Multiple Online Platforms
The continuous scanning activity should shine a light on threats originating from a myriad of websites, online forums, and social platforms. This aspect of preventive intelligence serves as an early warning system for enterprises. The sheer number of digital venues, scattered as they are across the multiple layers of the Web, complicates matters. A security operations center needs to comb the familiar surface Web, the Deep Web, and the Dark Web to obtain a comprehensive view of the threat landscape.
Unfortunately, enterprises often fall short of achieving this perspective and leave themselves open to attacks from unseen corners of the internet. That’s particularly the case with the Dark Web, which requires a specialized platform to access and has become a marketplace for trading in illicit goods. Threat actors have taken to the Dark Web, where they enjoy a high degree of anonymity and use hard-to-track cryptocurrencies as the medium of exchange.
But the surface Web also provides seemingly limitless communications channels. In the case of ransomware, threat actors can use those channels—and their Deep and Dark Web counterparts—to exchange information, coordinate campaigns, and, eventually, communicate with attacked organizations to coordinate the ransomware payment.
Taking proactive steps to learn about and map the sites that threat actors could use to launch such an attack could help security teams prepare their defenses to head off problems.
In general, the ability to scan online platforms for signs of trouble can improve a company’s security stance. To do this, an organization can create a list of keywords that security personnel can use to search the Internet. That list might include the company’s name, the names of its core brands, domain information, and the locations of its offices, stores, plants, and warehouses. Cross-referencing those names and locations with the names of threat groups, threat actors, and types of attacks can yield actionable intelligence.
Inability to Deanonymize Threat Actors
Threat actors maintain a good deal of anonymity in the Dark Web, using proxies to cover their digital tracks and crypto wallets that operate outside the control of central banks. But threat actors also attempt to mask their identities on the surface Web, employing multiple handles and conjuring fake social asset profiles. Businesses that lack deanonymization skills can’t provide information that could help social platforms shut down accounts or facilitate law enforcement investigations.
However, a security organization that conducts a continuous sweep of the surface, Deep, and Dark Web layers can uncover identities. Even savvy threat actors may leave a trail of digital breadcrumbs as they travel the internet’s multiple strata. A Dark Web marketplace dealing with stolen credit cards, for instance, could be associated with a social asset on the surface level. Threat actor deanonymization involves making connections among pieces of information gathered from these searches.
Inability to Quickly Locate Compromised Digital Assets
Even a proactive, well-prepared organization can experience a breach. When that happens, the security team must switch from proactive defense to the location of compromised digital assets. They must be prepared to locate compromised digital assets across the expanses of the internet so they can help their organization recover as rapidly as possible. The list of items a threat actor could exfiltrate ranges from trade secrets and intellectual property to consumer credit card data and customer databases.
The monetary and reputational damage of such attacks grows rapidly over time. The initial data leak can spawn additional attacks against a company.
Organizations that react slowly to a data breach could end up with an incident order of magnitude more costly than necessary had they acted immediately and known where to locate their assets. A recovery plan should play a prominent role in a digital asset protection program, so the identification and recovery of compromised data are as quick and easy as possible.
Of course, a security operations center steeped in proactive intelligence will be in a better position to identify threatening online chatter around a brand before an attack takes place.
Weak Event Resolution
Speed is also paramount when it comes to event resolution. A leaked password could enable a threat actor to hijack a social media asset and induce unsuspecting consumers to donate money to his or her account. Or threat actors might launch a fake domain designed to mimic a legitimate site—a financial services firm’s online presence, for example—and use the bogus site to lure customers and take their credentials.
In such instances, the security team should aim to minimize the damage to the brand and its consumers. Weak event resolution—which often stems from reactive security—translates into slow response time and greater harm. In contrast, strong event resolution uses continuous scanning to rapidly identify fake social asset accounts or phony websites. Automated methods, meanwhile, can extract account ownership details, generate requests to suspend accounts or take down sites, and send the forms to the appropriate service providers. These scalable, automated approaches reduce the time to resolution.
Dealing with Asymmetrical Conflict
Corporate security teams face an asymmetrical conflict as they defend their digital assets. Threat actors range from highly educated cyberattackers to relatively unskilled people using ransomware-as-a-service offerings. So, while some attacks increase in sophistication, others increase in frequency as the barriers to entry drop lower.
Against that backdrop, organizations need a security policy that extends beyond the conventional network perimeter to include digital assets that surface across a company’s various lines of business. Well-defined and structured processes put that policy into motion. But security professionals also need tools to provide a force multiplier when dealing with the numerous—and expanding—threats lurking in the vast online world.
Automation, coupled with artificial intelligence, offers a force multiplier that can scan thousands of websites and social asset accounts, tackle the big data challenge, and zero in on the most critical bits of information. Sound policy, skilled personnel, and appropriate tooling will put a security operations center on the path to preventive intelligence.
Eyal Bachar serves as North America managing director for Cobwebs Technologies. He is a seasoned professional with more than 25 years of experience in technology driving actionable intelligence and global corporate management in the defense, law enforcement, and cyber industries. Contact him at [email protected]