Saturday, January 28, 2017

Lunch talk — Cyber Threat? Business Intelligence? Geopolitical?

I had lunch with a guy in Boston today, a smart dude, and as I ate my bento box and he his tuna
maki, we talked about some of the creative ways that I've been wanting to use cyber intelligence data for a long time.

As we brainstormed some of the options, and I told him stories of the kinds of things we're writing about, he asked me: what do you actually do? Are you a cyber shop? Are you a geopolitical shop? Business intelligence?

I told him that I've been experimenting with ideas of running comparisons between a measure we call "Cyber Threat Indexing" (patent pending) and key performance indicators associated with running a business. What does that mean? If you owned a manufacturing company you'd probably worry about the uptime of your manufacturing line, right? So what if you Splunked (yeah, I'm using it as a verb!) the number of times your company was mentioned in the intelligence space against the uptime measures coming off of your manufacturing resource planning systems?

You might be able to show genuine business risks as they relate to cyber risk, right? This is security holy grail stuff! As a CEO (albeit of a small company), I know we do our best to protect the operation, but I wonder: how does our external threat profile match up to our attack footprint, and how does that translate to my ability to run the company?
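As an added illustration of the comparison described above (this is not code from the post or from Red Sky), here is a small Python example that correlates a constructed daily "mention count" with constructed line-uptime figures and flags mention spikes that precede an uptime dip; the data, the spike threshold, the one-day lag and the 97% dip cutoff are all assumptions.

```python
"""Correlate a daily "threat mention" count (a crude Cyber Threat Index)
with a business KPI (manufacturing-line uptime) and flag mention spikes
that precede an uptime dip.  All data below is constructed."""
from math import sqrt
from statistics import mean, pstdev

# Constructed sample: 14 days of mentions of the company in threat reporting,
# and the same 14 days of line uptime (%) as pulled from an MRP/ERP system.
MENTIONS = [1, 0, 2, 1, 11, 1, 0, 1, 1, 12, 2, 1, 0, 1]
UPTIME = [99.1, 99.3, 99.0, 99.2, 99.1, 94.5, 99.0,
          99.2, 99.1, 99.0, 93.8, 99.1, 99.3, 99.2]


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must be equal length with >= 2 points")
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)


def lagged_correlation(mentions, uptime, lag):
    """Correlate mentions on day t with uptime on day t + lag.  A strongly
    negative value at lag 1 means spikes tend to precede next-day losses."""
    if lag < 0 or lag >= len(mentions) - 1:
        raise ValueError("lag out of range")
    return pearson(mentions[:len(mentions) - lag], uptime[lag:])


def spike_days(series, z=2.0):
    """Indices where the series exceeds mean + z standard deviations."""
    mu, sd = mean(series), pstdev(series)
    return [i for i, v in enumerate(series) if v > mu + z * sd]


def spikes_followed_by_dips(mentions, uptime, lag=1, min_uptime=97.0):
    """Spike days whose uptime `lag` days later fell below min_uptime:
    the candidates an analyst would want to look at first."""
    return [d for d in spike_days(mentions)
            if d + lag < len(uptime) and uptime[d + lag] < min_uptime]


if __name__ == "__main__":
    for lag in (0, 1, 2):
        print(f"lag {lag}: r = {lagged_correlation(MENTIONS, UPTIME, lag):+.2f}")
    print("spikes followed by dips:", spikes_followed_by_dips(MENTIONS, UPTIME))
```

Correlation on a toy series is only a prompt for investigation, not proof of cause; the point is that the two feeds can sit side by side in one dashboard.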

Why do we measure geopolitical risk, he asks? Because where there's geopolitical risk there will always be a cyber risk. We monitored hackers stockpiling tools during the nuclear talks last year. In this case, we monitored cyber risk and identified potential targets that could be seen as political retribution targets: our Wall Street bankers (some of whom are our customers), and companies operating in the Middle East (also some customers).

The cyber risk to our members was real. The motivation would be political retribution against opportunistic and targeted potential victims. Our expectation was that targets would be chosen (by groups we were monitoring), and those targets would likely be those thought impactful, not because of simple compromise, but because they might send a message. Attacks never occurred, but if they had, our members would have already had the protections from our reporting.

We monitored the manipulation of the Ukrainian presidential election.

Why? Again, we had several Red Sky members who operate in the area. What'd we get? Cyber tools used in 2014 that hit the press in a big way over Christmas 2015... our members had proactive information on a tool used in the future against others (maybe them).

In all three cases, we used an all-source intelligence approach to understanding the cyber threat to our customers.
  • The first measures business process interruption as a result of cyber activities and risk.  
  • In the second and third, we monitored geopolitical activity because, although not exclusively cyber activities, they posed massive cyber threats to our customers working in those areas.

Are we a cyber threat intelligence shop? Absolutely. But we don't see things quite the way others do. If you're pulling lists of indicators of compromise (IOCs), you're looking at every tree, examining each for potential compromise.

We are a cyber shop, but we do it through "all source" intelligence processes, not just from incident response data. We like to tell the story and then tell you how to identify and protect against it, not just hand you indicators of the attack with no context as to what they're being used to find. How in the world do you know what's most important?

It's like that bento box! The whole is the sum of its parts. IOCs are the parts; the sum is the context and the story. Call us. We can help.

Want to be part of our new mailing list? Subscribe here: https://tinyletter.com/arogers

Have a great weekend!
Jeff