Month: October 2016

“Ask anybody to name the riskiest cyber locations in the world, and chances are they’d be able to name about ten. The answers would be fairly consistent across the [information security] people you ask; but what about the other hundred and eighty-two countries out there?”

This question was posed by Lincoln Kaffenberger, a cyber security professional working at an international financial services company, during a recent webinar with Recorded Future. Kaffenberger and his team are highly focused on location-specific threat intelligence because of the company’s international operations, and also because “where you are matters.”

Organizations such as Kaffenberger’s face threats from geographically dispersed threat actor groups, as well as challenges posed by certain international governments which permit lawful communication monitoring.

Understanding the Risk of Business Travel

With offices in over 100 countries throughout the world, and employees from those locations traveling constantly, the organization has concerns about the devices used by employees during their travels and the security of the information on those devices. Sharing information about the company’s cyber threat intelligence methodology, Kaffenberger explained:

• Why location matters when it comes to an organization’s cyber risk.
• A framework for learning and measuring the specific cyber risk by physical location.
• A methodology for measuring threats and risks in a way that’s empirical and standardized.
• How Recorded Future helps them do this more quickly than before.

Kaffenberger said that, the company needed to quickly gain specific knowledge of the threats in different countries, so they could adequately prepare. Through a carefully crafted threat intelligence program incorporating Recorded Future, they were able to:

• Lower cyber risk outside of the headquarters.
• Raise awareness within the user population.
• Provide situation-specific advice and tools to use to help lower risk.

Defining a Threat Assessment Methodology

Threat intelligence — as opposed to threat data, which sometimes masquerades as “intelligence” — allows companies to identify the highest-risk threats and prepare. It’s important to understand the risk in geographies that aren’t necessarily in the “top ten,” but still put the company’s data and employees at risk.

Kaffenberger explained that the first step is to assess the situation in a given country:

• What are the political, economic, and sociological conditions?
• What is the infrastructure like? Where are the fiber lines connected? How do they connect to the broader internet? What countries are my traffic potentially traveling through? What natural hazards exist?

Then his team gauges location-specific threat actors:

• What threat actors operate in that country or have affected that country?
• What special security forces operate locally?

Next the team measures the level of threat based on each threat actor group’s intent and capability. It’s a complex, challenging problem, to be sure, but Kaffenberger says it’s absolutely worth the effort, as the team has become more accurate in its threat assessments, helping lower risk to the organization, and allowing employees to work more productively and securely around the world.

After gathering and analyzing all of this critical data, Kaffenberger and his team use it to generate a threat assessment. This is where Kaffenberger and his team use Recorded Future. The Intel Cards, he says, “in a quick snapshot, give me real-time information about that threat.”

An example Recorded Future Intel Card for a threat actor.

The detail and drill-down information provides a very quick way to determine if an actor is relevant.

Once a threat assessment has been completed, Kaffenberger and his team create a risk scenario for government monitoring, APTs, hacktivists, and cyber-crime. Combining internal telemetry and external data, like that from Recorded Future, the team is able to evaluate various scenarios that might exist when the company is operating in or an executive is traveling through an at-risk geography.

Combining Internal and External Sources

The internal information gathered comes from a detailed questionnaire that allows the threat intelligence group to imagine various scenarios. They carefully consider who’s traveling where, what information the employee has or has access to that is sensitive, operations, the nature of the relationships with persons at the organizations with whom the employee is doing business, procedures, the duration of the engagement, etc. Doing so “gives us a lot of context so we can build accurate risk scenarios,” says Kaffenberger.

Building on the scenarios, the team assesses the likelihood based on the threat actors’ intentions and capabilities to execute, and then the controls the company has internally that may prevent that scenario from happening. Once they’ve mapped the actors’ actions to controls that prevent threats, the team considers the impact on the information if that scenario occurs and the impact on the organization and then maps to controls to mitigate the threats. Threat intelligence informs risk strategies, so through this detailed process, Kaffenberger and his team allow the business to operate more efficiently. They have been able to develop a consistent, standardized, and empirical process that contributes to the continued growth of the organization as a whole.

A Holistic Threat Intelligence Program

A threat program isn’t one piece or stream of data, and Kaffenberger relies on a number of tools and skilled analysts. Recorded Future is an important part of the strategy. The team uses Recorded Future to generate a quick review of groups of actors in a concerning location, set queries, then filter down through queries to view more specific information on threat actors, actors’ tactics and techniques, and where geographically the actors are operating.

Analysts can pivot from an Intel Card to six different data visualizations for additional insight.

Events related to RedHack are displayed on a timeline for chronological analysis.

The Intel Cards provide additional information associated with threat vectors and methods, which allows Kaffenberger and team to aggregate all relevant information, use it for searching or further research, and display all activity on a timeline — by severity, geography, or other type in which they might be interested.

Kaffenberger says Recorded Future is “a great way to get a good snapshot in time, a very quick assessment of how things are going.” Because of how the information is stored in Recorded Future, he can also check back at intervals to learn about changes or updates. Importantly, because security does not operate in a vacuum, the threat team can hand off intelligence gained from Recorded Future to the SOC (security operations center) so analysts can monitor for any changes and quickly contextualize the information when a change has taken place

In closing, Kaffenberger said that recorded Future is a real time saver when it comes to managing their complex threat intelligence program: “When we looked at what it would take to analyze all the countries that we care about, it would take us about three to five years. Using two people, assuming about two months to get all the information for a country, Recorded Future, for an initial assessment, cuts that time down to just two hours or less.”