Part 1 – How cyber threat intelligence can reduce risk in social media
Date: 7 June, 2016
Authors: Lincoln Kaffenberger and Jennifer Marinaro
Social media is a phenomenal medium for communicating with large, new, and diverse audiences. Its rapid growth and expansion over the past decade and a half have created new opportunities for organizations to get their message out and reach a broader audience. But amidst the opportunities, social media poses a number of cybersecurity and reputation risks. Cybersecurity threats include targeted ‘social phishing’ and malware; reputation risks include account impersonations and account hijacking.
Social phishing is an attempt to obtain an individual’s personal information through a corrupt link or other form of electronic communication. In the past, phishing attacks typically came through e-mail; however, they are now also perpetrated through social media private messages and wall posts. Malware, on the other hand, is fraudulent software that is downloaded onto a user’s device in order to perpetrate malicious attacks. On social media, malware generally arrives when a person clicks on a URL that links to a website containing malware. Links to malware can be disguised as ‘click-bait’ articles posted on Facebook, or shared through Twitter and Instagram.
Reputation risk in social media is a newer threat, in which a hacker impersonates someone or compromises a person’s account, relying on the intrinsic trust of that person’s followers to orchestrate an attack. These types of attacks can be executed by overtaking a public figure’s or government entity’s professional social media page or accounts. While some of these risks like phishing and malware have been used for years, these attacks have taken on a new life with the advent of different social media platforms.
Three years ago, the Associated Press (AP) Twitter account was hacked, and the attackers released a tweet claiming that the White House had been bombed, and President Obama was seriously injured. This single tweet sent the stock market into a downward spiral, causing a 1% drop in the S&P 500 within moments of the tweet being published. The Twitter account was hacked less than an hour after a number of AP employees received an “impressively disguised phishing email.” While the phishing scheme was not perpetrated through social media, gaining access to the AP’s Twitter account was the end goal of the attack. Not only did this attack discredit and cause embarrassment for the AP, but it also had a wider negative impact on the U.S. economy and stock markets.
A significant cyber-attack that utilized both social engineering and malware is the “Newscaster” campaign, which ran undetected from 2011 until 2014. In this campaign, hackers created fake, albeit legitimate-looking, personas on various social media websites, and began friending and interacting with U.S. military members, defense contractors, and government personnel. The hackers, thought to be from Iran, posed as journalists and, after connecting with contacts on social media sites, sent the victims emails with malware attached. Though unsophisticated when compared to other recent cyber-attacks, the campaign operated under the radar and was successful in obtaining and exfiltrating data. Connecting on social media with people who appeared to be authentic journalists put thousands of U.S. employees and contractors at risk for cyber-attacks and loss of personal and professional data.
Social engineering attacks can also come in several different forms. In 2015, the U.S. Central Command’s Twitter account was taken over by ISIS sympathizers, who published several tweets that included warnings from ISIS and other pro-ISIS propaganda. Also, Admiral James Stavridis, NATO’s Supreme Allied Commander Europe, was targeted in 2012 when attackers created several fake Facebook profiles, luring his friends and colleagues into “liking” the fake account, and obtaining personal data once they did. Both of the attacks described above used social media to manipulate basic human psychology, which ultimately led to a successful cyber-attack on government officials and organizations.
All of the above examples illustrate just how diverse and intrusive cyber-attacks on social media platforms can be. Organizations face attacks not only through traditional vectors like email, but also through their LinkedIn, Facebook, and other social media profiles. With social media and technology in general changing at a rapid pace, cybersecurity must keep up and stay one step ahead of potential hackers. One way organizations accomplish this is to take a threat-centric approach with cyber threat intelligence (CTI). CTI allows organizations to proactively identify threat actors and threat vectors before these social media threats manifest, and to alert the appropriate people in the organization to avoid or mitigate the threat.
Cyber threat intelligence is a new but growing discipline, and social media threat monitoring is a critical subset of the broader threat monitoring function CTI teams perform. Social media threat monitoring can provide you with instant alerts when one of your organization’s or personnel’s accounts is hijacked, and can detect social phishing and posts or tweets with malicious links sent to your accounts. CTI can also help protect your organization’s brand by identifying other accounts that are impersonating your people or using your brand. Social media threat monitoring can also help identify risks from within your organization. By monitoring for people posting content that indicates violent intentions, explicit or profane content, or disparaging remarks about your organization, the CTI team can possibly identify insider threats before they fully carry out an attack or cause reputation damage.
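As an added illustration (not part of the original article), the brand-impersonation check described above can be sketched as a comparison of observed account handles against an organization's official ones. The brand name, the observed handles, and the small look-alike character map are all constructed for the example.

```python
import unicodedata

# Constructed, non-exhaustive look-alike map (digits and Cyrillic letters -> Latin).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c"})

def skeleton(handle):
    """Fold away case, compatibility forms, look-alike characters and punctuation."""
    text = unicodedata.normalize("NFKD", handle).lower().translate(CONFUSABLES)
    return "".join(ch for ch in text if ch.isalnum())

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_impersonators(observed, official):
    """Return {handle: reason} for handles that resemble an official account."""
    ours = {h.lower() for h in official}
    findings = {}
    for handle in observed:
        if handle.lower() in ours:
            continue  # our own account, not an impersonator
        sk = skeleton(handle)
        for brand in official:
            bsk = skeleton(brand)
            if sk == bsk:
                findings[handle] = "lookalike"       # homoglyph or punctuation variant
            elif edit_distance(sk, bsk) <= 1:
                findings[handle] = "typo"            # one character off
            elif bsk in sk:
                findings[handle] = "brand-embedded"  # brand plus extra words
            else:
                continue
            break
    return findings

# Constructed sample data: a hypothetical brand and handles seen by monitoring.
OFFICIAL = ["ExampleBank"]
OBSERVED = ["ExampleBank", "Examp1eBank", "Example_Bank", "\u0415xampleBank",
            "ExampleBnk", "ExampleBank_Support", "weather_daily"]

if __name__ == "__main__":
    for handle, reason in find_impersonators(OBSERVED, OFFICIAL).items():
        print(f"{handle!r}: {reason}")
```

Flagged handles are candidates for analyst review, since a brand-embedded name may also belong to a legitimate regional or support account.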
Social media will continue to become a bigger part of every organization’s operations. Organizations must understand the threats and take proactive measures to detect and prevent them. A strong cyber threat intelligence program will help your organization understand and get out ahead of these new and diverse threats.
In part 2, we will discuss what that can look like for organizations.
What are your experiences with threats in social media? Let us know on Twitter and social media with the hashtags #INSAblog and #threatintel.
About the Authors: Lincoln works as an information technology professional in the financial sector. He has over a decade of experience helping organizations understand the threats they face and make informed, risk-based decisions.
Jennifer is a legal professional and graduate student studying criminology, focusing on threats as they exist in cyberspace.
INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.
About the INSA Cyber Intelligence Task Force: The INSA Cyber Intelligence Task Force was created to set the landscape for cyber intelligence by discussing why cyber intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.