The advantages of threat intelligence

6th April 2020

It would be difficult to argue against the idea there now exists a convergence between the worlds of cyber and physical security. Providers of physical security and the authors of security reviews should be aware of this coming together and be prepared to offer solutions to clients that are practical and effective. Through the use of Open Source Intelligence (OSINT) and Operational Threat Intelligence, providers can offer a more holistic solution that meets the requirements of keeping a business sufficiently protected from threat actors that pose a physical threat to an organisation’s people and assets. However, a survey by Ponemon Institute has identified gaps in this field. While 82% of respondents to the survey recognised the importance of having a detailed profile of their adversaries, only 42% believed they were effective at detecting external threats. The term ‘open source’ refers to information that is easily available for public consumption. While search engines such as Google are able to provide large amounts of information, they are far from the only sources available. In fact former Google CEO, Eric Schmidt has argued that over 99% of the internet is hidden from tools such as google. Despite this, much of the ‘Deep Web’ can still be seen as open source as it is available to the public through tools such as Tor. The trade-off to having access to these huge amounts of data is that while you may be able to access what you need, you have to find it in a never ending flood of potential data points.

 

“Access to this type of information can afford an attacker’s eye view to the defender and an opportunity to mitigate or close highlighted gaps’

 

In the context of a Security Risk Assessment, OSINT can be utilised in two different streams of equally valuable information. Firstly it can be used to identify potential weakness in what information is ‘out there’, freely accessible on the internet, relating to an organisation’s business locations, its senior leaders and identifying potential accidental leaks of sensitive information on social media. Access to this type of information can afford an attacker’s eye view to the defender and an opportunity to mitigate or close highlighted gaps. The second stream of information relates to identifying who the potential threat actors are, their capability and what they may be saying. This second stream can be better characterised as Operational Threat Intelligence and defined as information relating to ‘specific attacks or campaigns. It helps defenders understand the nature, intent and timing of a specific attack and also provides insight into the nature and sophistication of the group(s) responsible’.

As part of any Security Risk Assessment, the identification of the most valuable assets and threats to them forms part of the foundation the assessment is built on. Consideration should be given to which are the most prevalent threats and how does an organisation build a picture of those threats. It is here that the utility of Operational Threat Intelligence can be seen. In many cases, however, only partial context can be obtained. While it is true to say more sophisticated threat actors – such as transnational organised crime groups, hacktivists and terrorist organisations – will use equally sophisticated methods of encrypted communication unlikely to be compromised outside of government agencies, private organisations do have an opportunity to exploit information more readily available from politically or ideologically motivated protest groups.

 

“Even at its most basic level OSINT and Operational Threat Intelligence can be valuable in identifying external threats”

 

Even at its most basic level OSINT and Operational Threat Intelligence can be valuable in identifying external threats. While an analyst may intercept a threatening tweet – which on its own may not be a cause for alarm – it may be viewed more seriously if linked to a group known to be acting against a specific industry or organisation. This type of threat intelligence can be used to good effect, as seen during the 2019 Extinction Rebellion (XR) protests in London. Throughout the protest period XR and its many splinter groups openly ‘advertised’ what action they were about to undertake and where. This allowed analysts to send notifications to security teams – whether being directly targeted by the group or just in the vicinity of a protest – giving them time to take preventative action to protect people and assets under their charge.

This type of research can also be used by the authors of Security Risk assessments before they even set foot in a client’s building. The use of OSINT and Threat Intelligence can assist in the identification of threats, potentially turning ‘unknown unknowns’ into ‘known knowns’. By understanding the context and the source of threats through the use of OSINT and Operational Threat Intelligence, security professionals can offer added value to a client’s security strategy by providing a service line that may assist physical security teams in the prevention or mitigation of threat actors achieving their goals in an ever changing security landscape.

 

A version of this piece appeared in the International Security Journal