How to Organize and Classify Different Aspects of Cyber Threat Intelligence

Over the past few years, cyber threat intelligence has matured to cover many different aspects of business. What threat intelligence is and how people view and define it can vary quite a bit depending on the vendor providing the intelligence, the business unit consuming that intelligence, the deliverables expected of the intelligence, and the ultimate cyber risk management goals of the organization.

The evolution of threat intelligence has generally been a good thing for organizations, but it has also made it more difficult to wrap one’s head around the concept — particularly for those new to the subject. SurfWatch Labs chief security strategist Adam Meyer recently created a threat intelligence mind map to help show the different areas of threat intelligence and how they all tie together for organizations.

“It’s meant to give the individual looking at it kind of an overview of what cyber threat intelligence is,” said Meyer, who came on the latest Cyber Chat podcast to discuss the mind map and associated whitepaper. “If I was to start a cyber threat intelligence program, these are the components of what that program would be — at the high level.”

Adam Meyer’s threat intelligence mind map.

Meyer said he was looking to standardize some of the resources that have already been published in the intelligence community and other thought leadership, as well as bring together some important parts of threat intelligence that weren’t always discussed, such as the people and process behind intelligence.

For example, early adopters of threat intelligence often begin with the mindset of collect, collect, collect, Meyer said, but all that raw data doesn’t necessarily translate into better security.

“Their eyes glaze over and they start realizing, ‘While how am I supposed to process all this information now, and not only process it in general, but how do I process it in a timely fashion; how do I put context around it’ — all those people-and-process-centric type of things,” Meyer said.

As SurfWatch Labs noted in its recent whitepaper on the mind map, the starting point for most organizations should be strategic threat intelligence.

Download the free whitepaper, “How Cyber Threat Intelligence Fits Into Your Security Program”

“Strategic cyber threat intelligence can help to answer many of the big-picture cyber risk questions facing organizations,” the paper noted. “Those answers can help to inform every other aspect of an organization’s threat intelligence operation and help ensure that cybersecurity efforts and investments and aligning with business priorities.”

Meyer echoed that sentiment.

“Basically, it’s looking at who is the decision maker and why do they care,” Meyer said. “Your intelligence should be driving the answer to that question.”

With those high-level questions answered, organizations can dive more deeply into other interconnected areas of the mind map, and those risk areas — whether it’s technology or fraud or supply chains or other risk concerns — will likely continue to blend together in the future, Meyer said.

“There seems to be an increase in awareness of needing to bring things together, which is what drove me to create the mind map.”

For more on the using the Threat Intelligence Mind Map, download the whitepaper or listen to our Cyber Chat Podcast with Adam Meyer below:

Monitoring Your Digital Risk Footprint: Q&A with a Former CISO

The digital footprints of many organizations are expanding, and with that expansion comes more avenues of attack for cybercriminals to exploit. The past few years have seen organizations having to manage more devices, more social media channels, and more customer service features — in addition to the increased interconnection and sharing of data with partners, vendors, and various as-a-service tools.

That expanding level of presence is increasing the cyber risk facing organizations, said SurfWatch Labs chief security strategist Adam Meyer. Data breaches and service interruptions now often originate outside of an organization’s walls; nevertheless, it’s the connected organizations that tend to pay the biggest price.

“At the end of the day, if a third-party is supporting a major customer-centric business process, and they have a breach and your customers need to be notified — nine times out of ten it’s not that provider’s brand that’s going to get hammered,” Meyer said on the latest Cyber Chat Podcast. “It’s going to be your brand that has to deliver the bad news.”

That’s why organizations need to ensure that proper due diligence is in place around their whole digital risk footprint, Meyer said. In today’s environment that means having intelligence around events that may occur one or several steps down the digital supply chain — as well having a plan of action in place to respond to those threats as they arise.

On the Cyber Chat Podcast, Meyer discusses a variety of topics related to digital risk management, including:

  • How the digital footprints of organizations have changed over the past couple years.
  • Why IoT devices often bypass proper security management and what actions organizations should take in regards to those devices.
  • The problem of growing supply chains and how one breach can quickly spread to impact dozens of connected organizations.
  • How organizations should respond to the shifting landscape so that they can better manage their cyber risk.

Listen to the full Cyber Chat podcast below:

Greater Interconnectivity Means a Greater Level of Presence and in Turn More Risk

Technology advances continue to push boundaries — remember when a phone was just a phone?! More “smart” devices, more interconnectivity between businesses and customers, businesses and suppliers, businesses and partners … all of this speeds transactions and the way business is conducted. Information is shared, items are purchased — all with the click of a button these days.

Inherent in all this productivity goodness is that your digital presence is expanding across many channels that are outside the traditional company boundaries. With this expanding presence comes greater risk. It’s become much harder to have visibility of the level of risk your organization faces across the many digital channels. You of course have physical risks that have been around in the past, but now can be tied into cyber activity. You have cybercriminals (and potentially other types of adversaries) looking to exploit weaknesses for financial or competitive gains.  Social media. Your supply chain. Insider risks (whether malicious or negligent). On and on …

The more connections you have, the more presence you have, the more opportunity that exists for malicious actors. This isn’t to say close your business off from the world. That’s obviously not realistic and not a good way to do business. But there two essential things you can do to minimize this issue:

  1. Get an understanding of your level of presence and the level of risk associated to different areas. Having this intel sets the stage for how to stay on top of your risk and proactively address it.
  2. Identify people, processes and technology to help continuously monitor and manage these risks — so they don’t become larger issues for your business.

Some questions to pose to your organization as a starting point:

  • Who in the organization has accountability for digital risk? Corporate security? Info security? Risk management? Legal? Compliance? Executive suite and/or board level? Brand officer?
  • What about “smart” building devices? Who owns these?
  • What about “smart” devices brought in by your employees? How are these managed? And by whom?
  • How does digital risk play into the organization’s overall risk management process?
  • What processes are in place to limit the risk?
  • What processes are in place to address a threat?

This list isn’t exhaustive, but you get the idea of how you need to think about this issue.

We recently announced a strategic partnership with PlanetRisk to deliver comprehensive cybersecurity and enterprise risk analytics and visualization for Fortune 1000 and government customers. Together we’re hosting a live webinar discussion on How to Mitigate Risk from Your Expanding Digital Presence.

I look forward to seeing you on the webinar. For more information and to sign up for the webinar, visit:

Talking Strategic, Operational and Tactical Threat Intelligence

Cyber threat intelligence has become increasingly popular over the past few years. With that rise comes a variety of questions around the different types of intelligence that is available and how that intelligence can be best implemented by organizations looking to mitigate their cyber risk.

According to SurfWatch Labs chief security strategist Adam Meyer, there are three main types of threat intelligence — tactical, operational, and strategic — however, a focus has recently emerged on strategic threat intelligence.

“Strategic is where a lot of the business alignment can happen,” Meyer said this week on the Cyber Chat podcast. “You’re translating the capabilities out there, intentions out there, of adversaries — how they’re targeting things — and comparing it against you as an organization.”

That type of intelligence has proven to be a good starting point to answering a key question that organizational leaders may have: “Are we well-positioned for cyber risk or are we not? And if not, why not?”

On the Cyber Chat podcast, Meyer discusses a variety of topics related to cyber threat intelligence, including:

  • the difference between tactical, operational, and strategic threat intelligence,
  • how that intelligence can help manage an organization’s cyber risk,
  • what organizations should look for when evaluating threat intelligence,
  • and how threat intelligence will likely evolve in the coming years.

“The intent is to deliver finished and evaluated intelligence and put it on the desk of the decision maker. That helps them make better decisions,” Meyer said. “If you’re not doing that, you’re not technically in my book doing intelligence.”

Listen to the full Cyber Chat podcast below:

Do You Know Your Adversary?

Threat intelligence means a lot of different things to different people. Oftentimes organizations think of tactical information that helps defenders in their on-the-network battles with the bad guys. But, as Forrester Research recently noted in their report Achieve Early Success In Threat Intelligence With The Right Collection Strategy:

“Don’t fall into the trap of subscribing to tactical indicator feeds that you can just pump into your security information management and forget about.”

Tactical intel has it’s role and importance, but starting there can lead you down a rathole. To start off, you need to understand the big picture and then from there you need to understand your adversary, specifically:

  • Who is the actor, what is their motivation and intent, capability, and opportunity?
  • What is the threat campaign they are deploying? What is it targeting? How is it being carried out?
  • What are the associated events and supporting evidence that can be used to provide a level of confidence around the seriousness and impact of this threat to your business?
  • How can you reduce the adversary’s opportunity? What are the processes and/or tools to minimize this exposure?

On Wednesday, April 26 at 1pm ET, please join us for a threat intelligence discussion and see a live demonstration of SurfWatch Threat Analyst, which recently received 5 out of 5 stars from SC Magazine. Adam Meyer, our Chief Security Strategist and head of the SurfWatch analyst team (and formerly a CISO with the 2nd largest transportation system in the US) will lead this discussion and demonstration.

Register now at:

Cybersecurity Rant Part Deux – The Threats Aren’t As Complex As We Make Them Out to Be

Last summer, after being inundated with false claims from fellow security vendors, I let loose in a “cybersecurity rant” blog. As we approach RSA, the FUD dial is being turned up again and instead of just throwing up my hands and yelling “GREAT SCOTT!” I thought it would be healthier to air my frustrations with the goal of us focusing on what’s really important.

If you read a lot of what comes out in the news or from the cybersecurity vendor community, there is an overwhelming focus on the sophistication of threats. Having been in this space for 10+ years I’ve been guilty of playing into this FUD as well. Certainly some of this does exist, but as my colleague Adam Meyer recently wrote in a SecurityWeek article if we look at what the intel is telling us, many of the cyber threats we face are, in fact, not sophisticated at all.

Ransomware, extortion, exploit kits, data breaches, DDoS attacks and more. These are some of the hot threat trends from the past year and moving into 2017. But when looking at these threats and how many of them are actually carried out, the intel points to security basics running amok. Patching software, enforcing better credentials management, backing up important data on a regular basis, segmenting your networks so that attackers don’t have freedom of movement once they break in, etc. This is all stuff that has been talked about for years. It’s not new. And yet, the same things keep happening over and over again.

Let’s use passwords as an example. It’s always a balance of security vs. usability when it comes to passwords, but more often than not usability wins out at the risk of poor security. Many big breaches from the last year were driven by used previously stolen credentials. So if my password is Sam123 and I’ve used it across my business email, personal banking, etc. and my credentials are compromised in one place, they’re compromised in the other place as well (unless I change ’em up). Pretty basic right?

It’s human nature to look for that shiny new whiz-bang toy that does something cool as opposed to the basic toy that isn’t fancy, but just works. I’m not saying we shouldn’t worry about the more sophisticated and targeted threats, but before tackling these challenges, why do we as an industry keep overlooking fundamental basics.

Working for a company that delivers cyber threat intelligence, I’m quite fortunate because I have access to a wealth of intel and an experienced analyst team. I’m constantly learning not only about threats, but the path those threats take in order to wreak havoc. It’s what we refer to here as the adversary’s “avenue of approach.”

There are always variances in how a threat works its way into/through an organization, but the common denominator is that it always exploits the organization’s level of presence — whether through an employee who’s active on social media, poor credentials, poor patch management, a supplier with weak security practices who has access into your network, etc. etc. etc.

At the end of the day I’m just a marketer with some industry awareness and expertise, not a cyber expert. I can’t code. So while some of this to me is still complex, overall we’re not talking about sophisticated security practices … we’re talking about the fundamentals.

As a sports junkie, I’ll wrap this up with a baseball analogy …

In baseball, to win the game you must score more runs than the other team. Trying to hit home runs is one way, but the more guys you get on base, the more runs you can score. Keeping it simple and making good contact results in a greater likelihood that you will get a base hit. Do that consistently, and you’ll score plenty of runs. My point here is instead of swinging for the fences, if we focus on what’s in front of us, we’ll be in pretty good shape and change outcomes for the better.

2017 Cyber Forecast: Threat Intel Will Play Major Role in Helping Organizations Manage Risk

There are a lot of cybersecurity trends to reflect on as we kick off the new year — the growth of ransomware and extortion, the emergence IoT-powered botnets, the evolving cybercriminal landscape — but I believe the biggest risk trend to watch in 2017 may revolve around how organizations react to dealing with those new threats as their attack surface continues to expand.

The digital presence of many companies has extended on a variety of fronts, including social media, customer engagement, marketing, payment transactions, partners, suppliers and more. That increased exposure clearly has benefits for organizations. However, it also makes it difficult for organizations to track, evaluate and take action against the constant barrage of the growing threats — many of which are at least one step removed from the direct control of internal security teams.

That theme was evident in SurfWatch Labs’ new report, Rise of IoT Botnets Showcases Cybercriminals’ Ability to Find New Avenues of Attack. Our threat intelligence analysts have observed and evaluated data connected to hundreds of incidents that emanated from outside of organizations’ walls over the past year, including:

  • accidental exposure of sensitive data by third-party vendors
  • shoddy cybersecurity practices causing breaches at vendors that house organizations’ data
  • vulnerabilities in software libraries or other business tools being exploited to gain access to an organization
  • vendor access being compromised to steal sensitive data
  • credentials exposed in third-party breaches causing new data breaches due to password reuse

It’s clear that organizations are struggling with these expanding threats. Not only are organizations at risk from threats trying to break down their front door, those threats are increasingly coming through side doors, back doors, windows — any opening that provides the path of least resistance. For example, a 2016 survey of more than 600 decision makers found that an average of 89 vendors accessed a company’s network each week and that more than three-quarters of the respondents believed their company will experience a serious information breach within the next two years due to those third parties.

SurfWatch Labs’ annual cyber threat report echoed that concern, finding that the percentage of targets publicly associated with third-party cybercrime nearly doubled from the second half of 2015 to the second half of 2016.

“Cybercrime is increasingly interconnected, and issues at one organization quickly moved through the supply chain to impact connected organizations in 2016,” the report noted. “That interconnectedness is evident in the growing pool of already compromised information being leveraged by threat actors, the expanding number of compromised devices and avenues to exploit compromised data, and the way in which data breaches and discovered vulnerabilities ripple outwards – sometimes several layers deep through multiple vendors – to touch unexpecting organizations.”

That interconnectedness is pushing organizations to try to gain more context around the growing number of threats so they can better prioritize actions. As I wrote in a previous blog, organizations are spending more money than ever around cybersecurity, yet they are not necessarily becoming more secure.

Cyber threat intelligence can help to peel back that layer of uncertainty and guide those tough cybersecurity decisions by answering questions such as:

  • What is the biggest cyber threat facing my organization and what steps can be taken to mitigate that risk?
  • Which threats are active within my industry and impacting similar organizations?
  • Have any vendors or suppliers suffered a data breach that may impact my organization in the future?
  • Is any information related to my organization being sold on the dark web?
  • Is my organization at risk from employee credentials exposed via third-party breaches?
  • What new and old vulnerabilities are currently being exploited by threat actors?
  • And other questions unique to your organization …

That context is what many decision makers say is lacking within their own organizations. Going back to that 2016 survey of key decision makers — more than half of them believed that threats around vendor access were not taken seriously and almost three quarters believed that the process of selecting a third-party vendor may overlook key risks.

A smart and thoughtful approach to cybersecurity that provides the necessary context can help to both shine a light on those new risks and filter out the excess chatter so your organization can focus on practical and relevant solutions that have an immediate impact on your cyber risk.

Cyber threat intelligence came a long way in 2016, but many organizations remain overwhelmed by the number of cyber threats and are continuing to experience data breaches. Expect the use of relevant and practical cyber threat intelligence to see continued growth in 2017 as organizations more to address their blind spots and more effectively manage their cyber risk.

Cybersecurity Budgets: Does More Money Equal More Secure?

I’ve read report after report showing that security budgets were increasing, yet the number of breaches at companies of all sizes also continues to climb. This leads me to believe that somewhere there is a breakdown in how cybersecurity programs are being run — where allocating more spend and focus on cybersecurity oftentimes does NOT actually produce better outcomes.

There is an abundance of information out there that backs this up — this isn’t just me pontificating. Here are some highlights:

On security budgets increasing:

On cybersecurity issues increasing:

I think this can all be summed up best in a report by Morgan Stanley from this summer called Cyber Security: Time for a Paradigm Shift, where they stated:

“Companies are spending more to safeguard their digital assets, but cybercrimes are still growing in frequency and severity. What’s needed now isn’t more security, but better security.”

Now to be clear, this is not meant to serve as a doom and gloom piece. Certainly, there are pockets of goodness here and there and a lot of people are working hard on many good efforts, but holistically, the state of cyber security still has a long road ahead of it. And the question becomes how can we ensure that as we spend more effort and budget on cybersecurity, that we are at the very least impacting the cybersecurity outcome in a similar level of uptick?

I recognize that my own observation is just my perception, which is based on what I personally read and do each day. As such I wanted to get some additional input from my peers, so I did some crowdsourcing through LinkedIn:

We all see the news reports regarding how security budgets are increasing each year but yet for some reason nothing ever seems to get better. Why is that? I have my own specific thoughts on the question but wanted to share and see if anyone had an answer of their own.”

A wide range of opinions followed as to why cybersecurity continues to be a challenge and where we as a community need to focus our efforts.  The responses (summarized and paraphrased) to date have been interesting to say the least:

  • A handful of opinions appeared to point some attribution to cybersecurity vendors. My interpretation of those comments is that the vendor-driven FUD has generated a sense of urgency for organizations to purchase specific solutions and therefore fatten the vendor pockets — or at a minimum create a very complex marketplace which presents a challenge to those trying to navigate it.
  • Several opinions revolved around the idea that although budgets have risen, the volume and sophistication of threats are either out-pacing or out-maneuvering those security professionals who are trying bring more resources to bear.  
  • A handful of opinions appeared to state that security departments are underfunded and have an uphill battle for additional resources as security is generally viewed as a cost center as opposed to a revenue generator. Additionally, one individual stated that a potential area to look at is what budget is being used to cover past investments, therefore allowing fewer resources to be applied to emerging risks and in turn giving the appearance or possibility of a gap.
  • Poor leadership was mentioned several times, with comments stating that there are those that promote waste and will buy any new flashy thing that hits the street and that ensures that investments are not as strategic as touted to be.
  • I also had a few individuals who seem to disagree with the question and stated I was irresponsible or I was performing a disservice for even asking such a thing.  

The crux of all the input, with the exception of few outliers, revolves around a more simplified question of are we allocating “resources” to all the proper areas? Well, I think the answer to this really depends on your reality, which is ultimately your perception based on your experiences.

Everything you see or hear or experience in any way at all is specific to you. You create a universe by perceiving it, so everything in the universe you perceive is specific to you.” – Douglas Adams

I raise the perception/reality point to highlight that the responses to my Linkedin question are based on individuals’ experiences. Some folks have worked for or alongside poor leaders, have had poor experiences with vendors, or have had to do the budget defense drills. Some apparently don’t even see an issue and took offense to the question. These perceptions are also what drive a lot of these research reports that I listed above. Many of these are survey-based and while the survey structure and questions I am sure follow best practices for research processes, these surveys are being answered by people whose perceptions are their own reality.

My perception is based on my current role as head of the SurfWatch threat analyst team and from my previous role as CISO for a major transportation authority as well as a similar position for a DoD entity, where I tried to take an outcome-based model as much as reason dictates. Outcomes can be measured, they can be defended, and they can give you insight. Theoretically, if I apply more resources to a given defined problem the outcomes should change in some manner either good or bad. If the outcome does not change after putting more focus on that area, then I am going to start questioning a few things:

  1. Was the problem defined correctly?
  2. Was the problem measured correctly?
  3. Were the resources applied correctly?

Following these three key questions are a few more that hopefully prompt you to think about changing your perception/reality:

Problem Definition: The Art of The Plausible

  1. Do you use some type of analytical process to identify threats to your organization? And I don’t mean you base it off of news chatter, I mean you use a defined set of analytic inputs and analysis to determine what is true and what is not.
  2. If you have, have you analyzed what an actor’s capabilities and intentions are?
  3. If you do know what their capabilities and intentions are, have analyzed their tactics, techniques and procedures?

Problem Measurement: The Art of The Possible

  1. Have you observed using both internal and external data collection efforts any indications of previously defined threats or new undefined threats?
  2. What is your false positive rate for observing defined and undefined threats? Meaning you detected a threat, but investigation determined the threat to be untrue.
  3. What is your false negative rate? Meaning you did not detect a threat and post incident analysis determined the threat to be true.

Resources Applied To The Problem: The Art of Reality

  1. If you lead a cyber program, do you have a list of defined products and services that you deliver to the organization?
  2. Do you know what the exact budget allocation for labor and material is for every single one of those products and services?
  3. Have you defined policy, process and procedures for each one of those products and services?
  4. Can you identify what products and services specifically are applied to a defined threat?

The bottom line here is I believe that security spend is increasing and that many people and organizations are working hard and doing good things. But I also believe that we do not use intelligence enough to help define the problem area. If we can measure the problem, we know what resource to apply to it to change an outcome for the better. Instead, generally speaking we as a community deploy capabilities based on what we perceive to be the problem and hope that the outcome does not change for the worse.

As a former CISO, I have personally used intelligence-driven, analytical processes to identify what is true and then apply resources to address the “known knowns.” It takes diligence and determination, but by leveraging intel to drive our cybersecurity strategy, we can start to see a light at the end of what can be a long, dark tunnel.

Controlling What You Can Control: Using the Threat Triangle to Gain Focus

With cyber-attacks on the rise and organizations looking for more effective ways to fend off malicious actors, cyber threat intelligence has emerged as a buzzword in cybersecurity. Unfortunately, some of the information being marketed as cyber threat intelligence isn’t backed up by much actual intelligence; rather, it’s just another threat feed to be added to the already large pile of data that needs to be evaluated.

Part of the problem with good threat intelligence, I recently wrote, is that it’s time consuming. Effective cyber threat intelligence shouldn’t just add to the ever-growing list of concerns facing your organization, it should provide actionable insight into how to best focus security resources to achieve solutions. Evaluating those specific threats, determining their relevance and coming up with practical solutions unique to your organization is hard work.

threat_triangleThere are many ways to evaluate threats, but I tend to revert to my Navy training when thinking about the cybersecurity of our customers. Our rules of engagement dictated evaluating threats from three avenues: the capability, intent and opportunity to cause harm.

Taken individually, each has seen an overall increase over the past few years. Taken together, the add up to what Europol recently characterized as the relentless growth of cybercrime.

Let’s briefly take a look at each pillar:

  • Capability of Threat Actors: As SurfWatch Labs noted in its recent report, officials have estimated that the bulk of the cybercrime-as-a-service economy may be powered by as few as 200 individuals, yet those services can put sophisticated cybercrime tools at the fingertips of a vast pool of actors. Europol agreed, writing in its report that “the boundaries between cybercriminals,  Advanced  Persistent  Threat  (APT)  style  actors  and other groups continue to blur.” Clearly the capability of threat actors continues to evolve, putting more organizations at higher risk.
  • Intent of Threat Actors: Cybercrime tends to be driven by either profit or the desire to cause harm to an organization. The growth of dark web marketplaces, the widespread adoption of successful tactics such as ransomware, and the increased focus on cybercrime by the media, government officials and regulators has widened actors’ abilities to monetize cybercrime and directly impact an organization’s brand and bottom line.
  • Opportunity for Threat Actors: A recent study found that 89 third-party vendors access a typical company’s IT system each week. In addition, the technology footprint of organizations continues to grow as more as-a-service solutions are implemented to increase productivity and more digital services are offered to customers. This provides threat actors with an expanding number of avenues that can be exploited — some of which are not directly under your control.

Despite this widely reported growth in the capability, intent and opportunity of threat actors, many individuals still feel as though they will never be targeted. A study released last month from the National Institute of Standards and Technology found that many people still hold the view that cybercrime will never happen to them and that data security is someone else’s responsibility. People feel overwhelmed by cyber threats, and as a result, they engage in risky behavior.

Simplifying Security, Control What You Can Control

The good news is that out of those three aspects used to evaluate cyber threats, organizations essentially have control over only one: opportunity. The capability and intent of threat actors are largely external to your organization; however, a real and measurable impact can be made when it comes to limiting the opportunities for cyber-attacks.

Unfortunately, many organizations have not done enough to close the opportunity window on cyber-attacks. That was a central theme of SurfWatch Labs mid-year report: despite claims of “sophisticated” attacks, the bulk of cybercrime observed has exploited well-known attack vectors. Europol’s September report also found that organizations were not helping themselves — in many cases providing ample opportunity for cybercriminals to exploit.

“A large part of the problem relates to poor digital security standards and practice by businesses and individuals,” Europol noted. “A significant proportion of cybercrime activity still involves the continuous recycling of relatively old techniques, security solutions for which are available but not widely adopted.”

This brings us back to the importance of evaluated cyber threat intelligence. Cyber threat intelligence should directly address that opportunity and provide solutions to close — or at least to severely limit — cybercriminal avenues of attack. What vulnerabilities are being actively exploited in your industry? What social engineering techniques are being leveraged in similar campaigns? How are threat actors monetizing the information and what is the potential impact if our organization faces a similar breach?

The answers to questions like these are a large part of the hard work that is the intelligence portion of cyber threat intelligence. Those answers can help to shine a light on paths that may significantly reduce your organization’s potential cyber risk.

Cyber threat intelligence, if done right, can help to limit the opportunity for threat actors to cause harm. This renders their capability less capable and their intent harder to pull off — at least against your organization.

Learning from Cybercriminals: Using Public Tools for Threat Intelligence

Effective cyber threat intelligence is largely about gaining proper context around the risks facing your organization. As SurfWatch Labs chief security strategist Adam Meyer recently wrote, there are three pillars when it comes to evaluating those cyber threats: capability, intent and opportunity.

Threat_Triangle.pngThe first two, the capability and intent of threat actors, are mostly external aspects that you have no control over, but the third pillar, the opportunity for actors to exploit your organization, is something that can be controlled, evaluated and improved upon.

Malicious actors are relentless when it comes to finding information on that opportunity, and organizations need to use that same relentlessness when searching for potential weaknesses in their cybersecurity, according to a recent report from SurfWatch Labs.

“Knowing where attackers get their information and how they use it is an important piece of your overall cybersecurity strategy,” noted the paper, Top Sources of Information for Cyber Criminals: Where the Bad Guys Go to Conduct Research on Their Targets.

Over the past few months on this blog, we’ve profiled some of the top cyber threats and items for sale on various dark web marketplaces, but not all malicious activity occurs on this “underground web.” Much of it can be found wide out in the open — using simple tools and services that are available to anyone. Here are the top three public websites and tools used by malicious actors, as described in the paper, and how they can help those actors find the opportunity to attack your organization.

1. Shodan

Shodan was originally launched in 2009 by developer John Matherly and bills itself as “the world’s first search engine for Internet-connected devices.” This simple idea has grown from a basic list of IPs and ports to maps showing where devices are located to screenshots taken from these devices (including webcams, unsecured servers and workstations). The original focus for Matherly’s scans was to highlight the growing problem of the “Internet of Things,” but his research also uncovered industrial control systems, wide open computer systems, unsecured security cameras and more.


Researchers using Shodan frequently find publicly-exposed data that leads to breach notifications. Just one example is MacKeeper security researcher Chris Vickery discovering personal information from child tracking platform uKnowKids earlier this year.

“One of the uKnowKids databases was configured for public access, requiring no level of authentication or password and providing no protection at all for this data,” Vickery wrote. “There’s no way for me to know for sure how long this data was exposed to the public internet, although the information collected by suggests that the database had been up for at least 48 days.”

uKnowKids CEO Steve Woda reacted by describing Vickery as a hacker whose method “puts customer data and intellectual property at risk.” However, malicious actors can just as easily utilize Shodan to find opportunity for attacks.

As SurfWatch Labs’ paper summarized: “If it’s online, Shodan will find it. The lesson to be learned from this site, without a doubt, is secure something before it goes online.”

2. VirusTotal

VirusTotal describes itself as “a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.” But that simple tagline masks a deeper set of capabilities.


Security researchers have previously suspected that malicious actors use VirusTotal as a tool to help test and hone malware before sending it out in the wild, and in 2014 researcher Brandon Dixon confirmed those suspicions by discovering several hacking groups using the tool, including two nation-state groups.

Dixon said nation-state actors using a free online service to fine-tune their attacks was ironic and unexpected, but that speaks to the usefulness of VirusTotal.

“The power behind VirusTotal is how it adds and saves the metadata and behaviors of the files it analyzes,” noted SurfWatch Labs’ paper. “You can use the domain search to look at the IP history of the domain and get the current WHOIS for the domain, but VirusTotal will also show you a list of every time it detected something malicious on the site, as well as list all of the samples that attempted to communicate with the searched for domain.”

In addition to organizations using VirusTotal to help identify if they’ve been previously targeted, VirusTotal should be seen as a baseline site that can be used for detecting and analyzing suspicious and malicious files.

3. Your Own Company Website

The best way to get information about a particular company is often directly from the source: your own company website. Company websites can provide a treasure trove of information that can be leveraged by attackers to target a specific organization. This includes names of VIPs, email addresses of company executives and other employees, photographs, links to LinkedIn profiles and other social media, and more.

But beyond the surface level, there may be even more valuable information, as the paper explained:

Are you hosting any PDFs for people to download? Word documents, or PowerPoint presentations? Did you remember to remove potential metadata from those documents that could potentially contain additional names, email addresses, usernames, or software versions of the program used to create it? Some pretty simple Google searches (just type “ filetype:pdf” into the google search box) can reveal much more information that you may not have been aware you were “leaking.”

These types of leaks can lead to costly data breaches.


Free tools and services such as the ones described above provide malicious actors with valuable insight into the opportunity for cyber-attacks, and they are certainly one of the first places those actors turn to gather information on your organization. To make matters worse, all of this information can be discovered with minimal effort or expertise.

The good news is that those same tools can be used to gather cyber threat intelligence and to ensure that you are performing the same level of diligence as the threat actors who are trying to harm your organization.

Download SurfWatch Labs Top Sources of Information for Cyber Criminals: Where the Bad Guys Go to Conduct Research on Their Targets for more information.