CYBER THREAT INTELLIGENCE ARTICLE - DISTILLING & DEMOCRATISING EXTERNAL CYBER THREAT INTELLIGENCE

Distilling & Democratising External Cyber Threat Intelligence


We need to be aware of how cybercriminals can expose your digital assets by hijacking your brand, and take measures to help preserve customer trust and loyalty.

The external cyber threat intelligence market is a relatively new phenomenon, coming to the fore only about five, and less than 10, years ago. Today we are seeing more players, whether stand-alone solutions or offshoots of a product (e.g. an endpoint, firewall or other security solution).


Q: As a business leader, how do you know which threats matter and how important are they when you plan out your organisation’s cyber security requirements? How would you describe cyber threat intelligence and its importance?

As the name implies, external cyber threat intelligence (or TI for short) seeks to provide enterprise tech users with up-front intelligence about threats that may pertain to their IT network, services and assets, so they can put the appropriate defences in place, or minimise the vulnerabilities or exposures as best they can, to mitigate the risks therein.

These specifically are threats external to the enterprise IT infrastructure – we call it ‘outside the wire’. It is not so much a direct ‘brute force’ hacking of the IT network or servers. Rather, it’s about the organisation’s digital footprint and digital assets – including its website, IP addresses, pieces of data that are sitting somewhere outside, even the organisation’s brand, and also the digital elements and identities of its VIPs (key officers – Chairman, C-level, board of directors, senior management).

Q: How does ‘defending the organisation’s brand’ involve cyber security, or vice versa?

Cybercriminals today use your brand against you. For instance, they can impersonate your social media accounts, develop rogue mobile apps, sell stolen and counterfeit products, and hijack your brand to run scams.

External visibility and control over these brand threats are critical to safeguarding your valuable portfolio of trademarks, logos, and products. So the organisation needs to be able to protect what’s theirs. But it goes one step further – they also need to protect their customers, and perhaps also some of their key digital ecosystem partners.

It’s not just your organisation they want. Hackers impersonate your brand to steal your customers’ data – to sell, abuse, impersonate etc.

You need to know about brand hijacking attempts and take measures to bring down the rogue sites – and so help preserve customer trust and loyalty.

At the same time, there are malicious apps and scams that need to be dismantled. Companies have to detect, prioritise, and take down external threats to their brand across the clear, deep, and dark web – eliminating fake mobile apps, knockoff scams, brand misuse, the spread of misinformation and leaked intellectual property.


Q: What about phishing? The damage from phishing is often not well known or misunderstood.

Of course when we talk about cyber threats, we also need to look at phishing. We have to prevent phishing early in the attack chain. We must not ‘bait the hook’.

Phishing remains the easiest, most popular, and most reliable technique for threat actors to trick vulnerable employees and customers into revealing sensitive data. It’s critical to identify potential phishing attacks as early as possible to shut them down before human assets become attack vectors.

There are steps organisations can take; one of the most critical is being able to identify early signs of phishing weaponisation.

I know it’s starting to sound scarier, but you need to monitor for common phishing tactics — domain spoofing, look-alike domains, typosquatting, homoglyphs, and more — that use countless permutations of your legitimate domains and subdomains.

These are all obvious tricks of the perpetrator – but we keep getting hit. Act on early warnings.

You need to be able to continuously track suspicious domain changes – monitor and correlate changes to domain attributes, including Whois info, MX and/or A record changes, IP reputation, and SSL certificate updates, to gain the full context and risk behind suspicious domains. You must keep a close eye on domains.
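The look-alike tactics listed above (homoglyphs, typosquatting, brand names buried in other domains) can be screened for mechanically. The script below is an added example, not the article's or any vendor's code: it triages a constructed list of observed hostnames against a monitored brand domain; the brand name, confusable map and edit-distance threshold are assumptions.

```python
"""Look-alike domain triage for brand-abuse and phishing monitoring (added example).
Classifies observed hostnames against a monitored brand domain by tactic.
All domain names used with it are constructed samples.
"""
import unicodedata
from typing import Dict, List, Optional

# Substitutions that render like ASCII letters: a few Cyrillic letters plus ASCII confusables.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
MAX_EDIT_DISTANCE = 2  # assumption: more edits than this is no longer "one typo away"


def normalise(name: str) -> str:
    """Fold case, collapse confusable sequences, then strip accents and non-ASCII."""
    s = name.lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, small enough to inline for domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, brand: str) -> Optional[str]:
    """Return the look-alike tactic for host, or None for the brand and its own subdomains."""
    host, brand = host.lower().rstrip("."), brand.lower()
    if host == brand or host.endswith("." + brand):
        return None
    registrable = ".".join(host.split(".")[-2:])  # assumption: two-label registrable part
    norm_host, norm_brand = normalise(registrable), normalise(brand)
    if norm_host == norm_brand:
        return "homoglyph"        # renders like the brand but differs byte for byte
    if levenshtein(norm_host, norm_brand) <= MAX_EDIT_DISTANCE:
        return "typosquat"        # a typo or TLD swap away from the brand
    brand_label = norm_brand.split(".")[0]
    if any(brand_label in label for label in normalise(host).split(".")):
        return "brand-keyword"    # brand name buried inside an unrelated domain
    return None


def triage(observed: List[str], brand: str) -> Dict[str, str]:
    """Map each suspicious observed hostname to its tactic, ready for a takedown queue."""
    return {h: t for h in observed if (t := classify(h, brand))}
```

Feed `triage` with newly registered or certificate-transparency-observed hostnames and the monitored brand; the returned tactic labels give the takedown team the context the article asks for.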

Organisations leverage the external cyber TI service provider’s remediation team and robust ecosystem of partners to accelerate rogue domain takedown requests, block domains on perimeter devices, and shut down phishing attacks before they’re launched. The provider nowadays in turn needs to collaborate with trusted industry experts and value-add partners to make this happen.

Any advantage you can gain over your cyber adversaries is worth having. External TI can help you identify new cyber threats early, but this intelligence is only useful if you know how you’re impacted and can act quickly.

The first step in this journey is to find out if – and where – you’re exposed. You need immediate visibility into how your organisation is being targeted based on assessing your domain for threats that lurk across the clear, deep, and dark web.

Q: What does external threat protection and digital footprint protection entail?

Firstly – you identify and lock down leaked sensitive information, and you instantly retrieve the leaked data.

Data leakage is one of the most significant threats to companies because it gives threat actors instant access to sensitive data or internal systems. If credentials or confidential data are leaked online, including in public repositories like GitHub, it’s critical to identify, validate, and remediate the exposure as quickly as possible.

Secondly, you discover and reset exposed employee credentials and similarly lock them down.

Instantly discover and automatically lock down your leaked credentials on the clear, deep, and dark web using our continuous monitoring engine, extensive leaked credential database, and automated mitigation capabilities, including our unique integration with Active Directory.

Thirdly, you identify, secure and restore documents.

Continuously monitor black markets, closed hacker forums, paste sites, public repositories, and more to identify sensitive documents, secrets such as API keys, and new data dumps. Obtain data samples from threat actors, validate data legitimacy, and track down sources of leakage or data theft.

Finally, you can protect your customers by uncovering their compromised customer accounts. Monitor exposed or leaked credentials that may compromise customer PII, financial assets, or loyalty program rewards.
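The four steps above all start with finding the leaked credential, API key or document in the first place. The script below is an added example, not the article's or any vendor's monitoring engine: it scans a constructed snippet of a file pushed to a public repository for credential assignments, private-key blocks and bare high-entropy tokens, and reports findings redacted so the scanner itself never re-leaks the secret. The regex patterns, entropy threshold and placeholder list are assumptions.

```python
"""Leaked-secret detection over text pulled from public repositories or paste sites.
Added example, not the article's or any vendor's code. The SAMPLE text below is
a constructed config file; no real credentials appear in it.
"""
import math
import re
from typing import Dict, List

# assumption: these patterns cover the common shapes of leaked secrets, not every one
ASSIGNMENT = re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})")
BARE_TOKEN = re.compile(r"[A-Za-z0-9_\-]{32,}")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
ENTROPY_THRESHOLD = 3.5  # assumption: bits per char; random 32-char keys score about 4 to 5
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, dictionary words low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def redact(value: str) -> str:
    """Keep just enough to let an analyst match the finding, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan(text: str) -> List[Dict[str, object]]:
    """Return one redacted finding per leaked credential, key block or token."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY.search(line):
            findings.append({"line": lineno, "kind": "private-key", "value": "***"})
            continue
        creds = [m.group(2) for m in ASSIGNMENT.finditer(line)  # templated values are not live
                 if m.group(2).lower() not in PLACEHOLDERS and not m.group(2).startswith("${")]
        tokens = [t for t in BARE_TOKEN.findall(line)  # keys pasted without a telling keyword
                  if t not in creds and shannon_entropy(t) >= ENTROPY_THRESHOLD]
        findings += [{"line": lineno, "kind": "credential", "value": redact(v)} for v in creds]
        findings += [{"line": lineno, "kind": "high-entropy-token", "value": redact(t)} for t in tokens]
    return findings


SAMPLE = """# constructed config file accidentally pushed to a public repository
db_password = "Summer2024!"
api_key: ${API_KEY}
password = changeme
AWS_TOKEN=kQ9xZ2pL7mN4vB8cR1tY6wE3uI0oP5aS
# old deploy token left in a comment: 4f9c2b7e1a8d3c6f0b5e9a2d7c4f1b8e3a6d9c2f
-----BEGIN RSA PRIVATE KEY-----
"""
```

Each finding carries only a line number, a kind and a redacted value, which is what a validate-then-remediate workflow needs without copying the secret into yet another system.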

Q: What is the vision behind democratising threat intelligence?

The idea is to find external intelligence solutions and services that are easily accessible to organisations of any type or size, by synthesising complex signals captured from across the clear, deep, and dark web into contextualised, prioritised, and actionable intelligence.

Hence the ‘democratising’ of external cyber threat intelligence (TI): enabling organisations of any type or size to gain the full benefits of external TI, no matter the scope or sophistication of their programme. TI need not be this big, scary, monolithic thing that only large enterprises and governments can benefit from.

Despite all the heightened awareness and need, our world is still chronically short of cyber security professionals. Democratising TI emphasises simplicity of use and the automation of takedowns and remediations, which help smaller companies adopt TI solutions and services quickly too, and thus reduce the cyber risk to themselves and to the overall ecosystem they operate in. This matters all the more in today’s environment, where hackers attack supply-chain partners and business ecosystem members in order to get into their targeted company.

Q: When we speak of cyber security, TI or digital transformation, it’s hard not to take into account the pandemic or the ‘new normal’.

As organisations move to remote work environments and face staff and budget cuts, they have to protect their businesses from threat actors looking to take advantage of the disruptions caused by the COVID pandemic. Even today, although the lockdowns have since eased, the jitteriness and the disrupted work patterns and workflows from back then still prevail, as we find our footing in the new normal.

They must be able to cover external threats across PaaS, SaaS, and IaaS. The ‘new normal’ requires new intelligence scenarios, so intelligence discovery capabilities need to be extended to include confidential documents, credentials from botnets, GitHub mentions, and many more.

They also have to accelerate their vulnerability prioritisation capabilities with bidirectional integrations and improve platform automation. Through extensive technology integrations, organisations will be better able to streamline their vendor risk assessments.



Author Bio



Anthony Lim

MAISP
Fellow, Cybersecurity, Governance & Fintech, Singapore University of Social Sciences

Anthony is a pioneer of cyber-security and governance in Singapore and the Asia Pacific region, with over 25 years’ professional experience, as a business leader, consultant, advocate, instructor and auditor.

He has managed some national-level cybersecurity readiness assessment projects in Singapore and the region and was a co-author of an acclaimed international cloud security professional certification. He has held inaugural senior regional business executive appointments at Check Point, IBM and CA (now Broadcom), and was also client CISO at Fortinet and NCS. He has been active in industry association circles for nearly two decades, and is currently Advocate at the (ISC)2 Singapore Chapter.

Anthony is an adjunct instructor and module developer for several tertiary academic and professional institutions. He has presented and provided content at many government, business, industry and academic seminars, committees, executive roundtables, workshops, trainings and media (print, broadcast, internet, including CNA, CNBC, Bloomberg, BBC) in Singapore and the region, and also for NATO, at Washington DC, Stanford University, ITU, Guangzhou Knowledge City and Tsinghua University. He is a life alumni member of the University of Illinois, Urbana-Champaign.