How times change. Thirty years ago, the task of recruiting someone for intelligence purposes involved a lot of legwork and a lot of vulnerability for the operative. Now the process is a whole lot simpler thanks to the internet and, more importantly, the ubiquity of social media. These two topics — intelligence and social media — were front and center last week at the ASIS Global Security Exchange in Las Vegas, where I had the honor of participating in a panel discussion on how social media is affecting threat intelligence. In an age when social media is so pervasive, protecting oneself or one's organization requires a total understanding of how such platforms can be used for attack. Only then is it possible to mount a defense.
Social media applications and devices connected to the internet have dramatically increased the area vulnerable to hostile actors intent on targeting organizations and individuals for fraud, espionage or physical attack. Such applications are useful to assailants, but they do not replace the rest of the steps in the attack cycle, such as selecting a target, planning and executing an assault. This means that those planning harm remain vulnerable to detection — but only if people are looking for them. Understanding the limits of social media in relation to the attack cycle permits defenders to zero in on assailants' vulnerabilities.
First Things First
In assessing the effects of social media on threat intelligence, it is important to understand that the technology, like any other tool or weapon, is inherently neutral. A person can use an online platform to aid or degrade an organization just as much as a soldier can wield a sword to either attack or parry. As in all such cases, however, one must acquaint oneself with the offensive capabilities of a weapon before learning how to deploy it defensively.
In terms of social media, that means that anyone seeking to understand the threats posed by the platforms — as well as the opportunities they present — must first become familiar with how they operate. Sadly, some people who are directing efforts to monitor social media have never used it. Social media (and the dark web, for that matter) remain a mystery to some people, which leaves them vulnerable to snake oil salesmen who will make impossible claims while selling social media monitoring solutions. Don't get me wrong; there are some good tools out there for such monitoring, but all have limitations and none is a magic bullet that can serve all functions across all platforms — no matter what salespeople may claim.
Expanding the Attack Surface
One of social media's largest impacts (obviously in conjunction with the internet) is that it has dramatically expanded the "attack surface" — the breadth of the physical and, perhaps more significantly, the "virtual points" where an organization or individual is vulnerable. In the 1980s, if adversaries wanted to recruit a person inside your organization to gain information (say, Joe in information technology), they had to conduct most of their recruitment cycle, namely spotting, assessing and pitching, close to your location. If the operative was at a remote location, it was fairly difficult to identify who was in IT and, more importantly, who was vulnerable to recruitment.
Granted, some accomplished hackers and intelligence officers operating three decades ago were more than capable of using social engineering and other techniques from afar to identify people in target departments, but it was generally an exhausting and time-consuming endeavor. And even if such recruiters had zeroed in on a few candidates, they still had to determine the best person to approach, had to develop a relationship with him or her and, ultimately, had to make a pitch while in more or less plain view, opening them up to the risk of detection.
Today, homing in on a potential target is as simple as conducting a quick search on social media platforms such as LinkedIn, viewing an organizational chart on the targeted company's website or searching for other mentions of the person's name and function on an array of other internet sites. Once operatives have compiled a list of persons of interest, a quick perusal of the targets' social media accounts can provide indicators regarding who is vulnerable to recruitment. Personal issues such as financial difficulties, marital problems, discontent with work, and alcohol or drug abuse are not difficult to spot when people vent on social media, and nearly all social media users have seen incidents of people posting information that could assist someone looking to compromise them — if they haven't posted such information themselves. That's why it's always critical to be conscious of what one is posting on the internet for the world to see.
In today's world, it is possible to conduct the entire cyberattack cycle through social media, as North Korean hackers have proved. The Mia Ash case, in which Iranian hackers successfully conducted a virtual honey trap operation, is another excellent example. In other attacks, hackers have used information gleaned from social media to assist their spear-phishing attacks, while assailants use information obtained on social media to help facilitate physical attacks.
The attack surface has increased considerably to include smartphones, computers, cars or other employee-owned devices that corporate IT security has no ability to monitor. In other words, the threat area now extends well beyond the company's firewalls.
But this expansion of vulnerable information can also prove useful for defensive purposes. By monitoring social media, companies and organizations can become aware of people who utter threats or otherwise indicate that they could pose a physical or reputational threat, allowing them to alert law enforcement, security personnel and employees. And these potential threats don't just come from an external source. By monitoring social media, organizations can become aware of their own employees who make threats or provide clues that they are becoming mentally unstable or vulnerable to recruitment.
Other threats to business continuity such as labor strikes and activist protests are also often organized on social media. Because of this, identifying and monitoring the social media accounts of key organizers can provide a great deal of actionable intelligence. Again, social media monitoring tools are helpful in this defensive role, because they can comb through massive amounts of data. In the end, however, they still require a human to direct them at the best sources, sort through the results and place them in context. And at the same time, real people also serve an important role in tweaking the search settings on such tools to further refine what the tools are seeking and monitoring.
To the Past, Present and Future
Back at the panel in Las Vegas, the moderator asked whether we thought social media was most useful for studying past attacks, monitoring current threats or forecasting future issues. I emphatically answered "all of the above." As many cases have demonstrated, looking back at social media posts has often proved useful at helping to identify the motive behind an attack. Of course at Stratfor, we are very focused on how attacks unfold as an assailant progresses along his attack cycle, and we believe that studying past assaults facilitates efforts to identify current threats. Beyond that, expanding the investigation of the tradecraft used in past attacks to include social media can help analysts determine trends and identify or forecast emerging threats.
Social media has become an integral part of global culture — and not just in the United States or the West. I've seen impoverished people who do not have running water in their homes, but they do have smartphones and use any number of social media applications. Such applications are only going to become more pervasive, and those seeking to protect their organizations against criminals, terrorists, spies and other malefactors must understand social media and learn to properly use it to their advantage in their defensive efforts.