Date: 8 July, 2016
Author: Lincoln Kaffenberger
In Part 1, we discussed how social media-based threats can impact organizations in ways many do not yet fully appreciate. The reputation and cybersecurity risks exist today, and many organizations have little to no detection or prevention capability. In Part 2, we will discuss what organizations should do about this threat and how Cyber Threat Intelligence (CTI) can help identify and neutralize social media-based threats.
CTI has an important role to play here. CTI teams should actively and passively monitor for impersonations, account hijackings, URLs in posts or comments that lead to malware, and reconnaissance activity, as these can be indicators of adversary intent and capabilities. CTI teams should partner with anyone in the organization who works with social media, such as the communications or public affairs departments. Chances are, they are already aware of a number of impersonations and/or threats.
CTI teams need the right people, processes, and technology to effectively monitor social media for threats. CTI analysts responsible for this mission need to understand their organization very well, have a strong grasp of other languages and cultures so they can read statements in social media in context, and be highly familiar with the various social media platforms. Outside of the CTI team, there need to be identified stakeholders who support this effort and will take action when notified of a threat. To that end, there need to be established processes for all pertinent threat scenarios. For technology, many companies offer solutions that can continuously scan and monitor social media for various threat scenarios. Any tool that fulfills this mission must be able to handle the massive amount of data available on social media, allow searching and analysis within the tool, store data points for later analysis, share findings with other analysts, and, ideally, facilitate takedowns of social media sites or content that are clearly impersonating an organization’s brand and personnel.
What is the minimum?
For CTI, the following are the very minimum things that a CTI section should do regarding social media threats:
- Know what your organization’s social media assets are and who owns them. This means doing an assessment early on to learn what official social media assets exist that officially represent the organization. It is also important to know whether the communications, marketing, public affairs, or HR departments own these profiles and how they are being secured. Who has access to alter the profile? Who can post content? Who is monitoring traffic? Similarly, the profiles of the organization’s VIPs – the C-suite / Secretary-level personnel – are very important to track, as they are high-value targets for impersonation.
- Know what other uncontrolled social media assets exist. In addition to the official and high-value profiles, other profiles that are, or could be, considered as ‘officially representing the organization’ should also be tracked and monitored by the CTI team. Their hijacking or impersonation can cause increased damage, since it rarely (if ever) gets official attention.
- Establish a baseline for activity to detect account hijacking. What is the average traffic like from and to this profile? What content is normal and what is anomalous? Knowing these is important to quickly identifying a hijacked or impersonated account.
- Review (or establish) the appropriate use policy. Many organizations have an appropriate use policy in place that states what is acceptable and unacceptable use on social media. Few, however, find the right balance between being user-friendly and being draconian. CTI can help organizations assess the organization-specific threats and the likelihood of the potential threat scenarios, which helps craft sound policy.
- Monitor for changes. CTI teams should monitor their social media assets of interest. Monitoring is best done by establishing automated searches and then alerts that fire on changes or spikes in activity. It is important for a CTI team, at this point, to have a good list of contacts in the event of a hijacking or impersonation. Additionally, it is important for the CTI team to know how to execute a takedown on all the various social media providers. While all the major providers have an advertised method for requesting a takedown of an imposter account, this process is not always timely or easy. CTI can show real value here if it has contacts within the various social media providers to assist when possible and speed up the process.
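As an added example (not from the original post) of the baseline-and-alert approach in the bullets above: the script below derives an account's normal daily posting volume, active hours and linked domains from a constructed posting history, then flags a new batch of posts that departs from that baseline. All account data is constructed, and the `.example` domain stands in for whatever domains the organization actually owns.

```python
"""Baseline-and-alert check for one monitored social media account (added example,
not from the original post). All data is constructed; .example domains are placeholders."""
import re
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+")
# Constructed 12-day history: posts at 09:00 and 14:00 plus one careers post, org links only.
HISTORY = [(f"2016-06-{d:02d}T{h:02d}:00:00", f"Update {d}: https://example-bank.com/news/{d}")
           for d in range(6, 18) for h in (9, 14)]
HISTORY.append(("2016-06-10T16:30:00", "Careers: https://jobs.example-bank.com/openings"))
# Constructed new batches: a normal day, and an off-hours burst linking to an unseen domain.
NORMAL_BATCH = [("2016-06-20T09:00:00", "Update: https://example-bank.com/news/20"),
                ("2016-06-20T14:00:00", "More: https://example-bank.com/news/20b")]
SUSPECT_BATCH = [(f"2016-06-21T03:{m:02d}:00", "Verify now: https://example-bank-verify.example/v")
                 for m in range(0, 30, 5)]

def post_features(posts):
    """Count posts per day, posts per hour of day, and linked domains."""
    days, hours, domains = Counter(), Counter(), Counter()
    for ts, text in posts:
        dt = datetime.fromisoformat(ts)
        days[dt.date()] += 1
        hours[dt.hour] += 1
        for url in URL_RE.findall(text):
            domains[urlparse(url).netloc.lower()] += 1
    return days, hours, domains

def build_baseline(history):
    """Summarise normal behaviour: daily volume stats, usual hours, known domains."""
    days, hours, domains = post_features(history)
    per_day = list(days.values())
    return {"mean": mean(per_day), "std": pstdev(per_day),
            "hours": set(hours), "domains": set(domains)}

def check_batch(baseline, batch, z=3.0):
    """Return alerts (volume spike, unusual hour, unseen domain); the std floor keeps the limit usable."""
    days, hours, domains = post_features(batch)
    limit = baseline["mean"] + z * max(baseline["std"], 0.5)
    alerts = [f"volume spike: {n} posts on {d} (limit {limit:.1f})"
              for d, n in sorted(days.items()) if n > limit]
    alerts += [f"posting at unusual hour {h:02d}:00" for h in sorted(hours) if h not in baseline["hours"]]
    alerts += [f"link to previously unseen domain {d}" for d in sorted(domains) if d not in baseline["domains"]]
    return alerts

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(check_batch(base, NORMAL_BATCH), check_batch(base, SUSPECT_BATCH), sep="\n")
```

The normal day produces no alerts, while the burst trips all three checks; in practice the baseline would be rebuilt periodically and the alerts routed to the contacts established for hijacking and impersonation cases.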
Social media is a powerful medium for communication, but organizations must be aware of the threats and risks inherent in social media to fully take advantage of the communication opportunities.
What are your experiences with CTI and social media threats? Let us know on Twitter and social media with the hashtag #INSAblog.
About the Author: Lincoln works as an information technology professional in the financial sector. He has over a decade of experience helping organizations understand the threats they face and make informed, risk based decisions.
INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.
About the INSA Cyber Intelligence Task Force: The INSA Cyber Intelligence Task Force was created to set the landscape for cyber intelligence by discussing why cyber intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.