The document discusses how predictive cyber intelligence can help organizations stay ahead of both cyber and physical security threats. It notes that investigations often find warning signs were missed by conventional defenses. The challenge is for organizations to detect potential threats early through tools like predictive cyber intelligence, which uses software and hardware to monitor public information for pre-incident indicators. This allows businesses to contain threats before damage occurs, whereas reactive security measures only address threats after the fact. The document provides examples of both cyberattacks and physical security risks organizations face and argues that predictive cyber intelligence can add important depth to defensive strategies.
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Every day brings news of cyberattacks and physical violence targeting businesses and public and private institutions. These incidents inevitably raise questions about whether organizations are doing all they can to protect people, property, and information. Investigations reveal that there are often red flags and warning signs leading up to incidents that conventional security measures fail to detect. Pre-Incident Indicators signaling potential danger frequently appear on social media platforms, the Internet, and the Darknet, an area of the Internet that facilitates criminal communication and activity. The challenge is for organizations to discover the signs and contain threats before damage is done.
A growing number of organizations are now using predictive cyber intelligence to go on the offensive against a range of physical and information security threats. With the help of professional risk assessment analysts, who use sophisticated intelligence-gathering software and powerful hardware integration to monitor public information, organizations can stay ahead of threats that might slip past traditional security defenses. With predictive cyber intelligence functioning as an early warning system, in many cases, businesses can prevent specific threats from even reaching their defensive lines.
White Paper “Cyber Intelligence and Containment”
The Best Security Defense Includes a Good Cyber Offense
Does Your Organization Face Threats That Could Be Predicted Through Cyber Intelligence?
The simple answer is yes. No organization is immune to threats that could be anticipated through cyber intelligence. Businesses and institutions in every industrial sector are targeted for attacks of all kinds, and size is no object. In 2014, 60 percent of all targeted cyberattacks struck small- and medium-sized organizations.[1]
Below are examples illustrating the range of threats that can be predicted through cyber intelligence-gathering and analysis.
Cyber Threats
• Targeted attacks to steal sensitive or confidential information
• Data breaches from hacking, accidental disclosures, or device theft/loss
• E-crime to generate money, involving malware, botnets, ransomware, disruption of website operations, etc.
• Social media scams and mobile threats
• Phishing and spam
Physical Threats
• Physical security breaches
• Physical harm or damage to premises or property
• Physical injury to people (employees, customers, visitors, etc.)
• Civil disturbances
• Flash mob incidents
Companies operating as part of the nation’s critical infrastructure are particularly at risk of attack and have a heightened responsibility to mitigate threats, because attacks against them impact national security. Not only are these companies at elevated risk but also their providers of goods and services (supply chain), and their executives and other personnel with special IT privileges or access.
The Department of Homeland Security (DHS) has identified the following 15 industries as “critical infrastructure”:
• chemical
• communications
• critical manufacturing
• dams
• defense
• emergency services
• energy
• financial services
• food and agriculture
• government facilities
• healthcare and public health
• information technology
• nuclear reactors and materials
• transportation systems
• water and wastewater systems
Risk of Cyberattacks
Cyberattacks are escalating in number and in scale, according to reports from public and private sources.
Symantec’s 2015 Internet Security Threat Report characterizes 2014 as “a year with far-reaching vulnerabilities, faster attacks, files held for ransom, and far more malicious code than in previous years.”[2] The report shows a 23% increase in the number of breaches in 2014, following a 62% increase in 2013.[3] The scale of attacks is also on the rise. For example, in 2013 alone, the average number of identities exposed per breach climbed 261%.[4]
Attacks targeting critical infrastructure companies are the focus of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), operated by the Department of Homeland Security. ICS-CERT incident response numbers reflect a sharp increase in attacks against critical infrastructure operators from 2009 to 2011.[5] Attacks held steady in 2012,[6] followed by another significant jump in 2013.[7] Even with a slight drop in 2014, incident response numbers continue to show a 600% increase over the numbers reported in 2010.[8]
[Figure: Number of Breaches Per Year. 2012: 156; 2013: 253; 2014: 312]
[Figure: ICS-CERT Incident Response Activity. 2009: 9; 2010: 41; 2011: 198; 2012: 198; 2013: 256; 2014: 245]
Analysis of data collected through the Symantec Global Intelligence Network reveals 7 trends that emerged in 2014:[9]
• Attackers are moving faster, defenses are not
• Attackers are streamlining and upgrading their techniques, while companies
struggle to fight old tactics
• Cyberattackers are leapfrogging defenses in ways companies lack insight
to anticipate
• Malware used in mass attacks increases and adapts
• Digital extortion on the rise: 45 times more people had their devices held hostage
in 2014
• Cybercriminals are leveraging social networks and apps to do their dirty work
• Internet of Things is not a new problem, but an ongoing one
According to the Symantec report, “if there is one thing that can be said about the threat landscape, and Internet security as a whole, it is that the only constant is change.”[10]
The evolving nature of cyber threats complicates the challenge of information security management. Symantec’s report offers a number of best practice guidelines for businesses, with this suggestion at the top of the list: “Employ defense in-depth strategies. Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method.”[11]
Predictive cyber intelligence adds critical depth and breadth to a business’s defense
strategy. Unlike intrusion protection systems, firewalls, antivirus and website malware
protection, and other essential elements of a strong defense, predictive cyber
intelligence empowers organizations to be proactive instead of reactionary by providing
the information and insights they need to get ahead of threats.
Risk of Physical Attacks
Security is an estimated $350.51 billion per year industry in the U.S., according to “The United States Security Industry” report, published in 2013 by ASIS International (ASIS) and the Institute of Finance & Management (IOFM). At over $350 billion, security industry spending exceeds that of both the U.S. truck and transportation industry ($275 billion) and the hotel/motel industry ($219 billion).[12] This is a telling indicator of the perception of risk among businesses today. Operational security expenditures suggest that despite an increasing focus on cyber security threats, physical security risks remain a dominant concern.
More than one in three organizations represented in the ASIS-IOFM report plan to increase spending on guard services in the upcoming year. Nearly all plan to spend the same or more on IT security.[13]
As security spending continues to rise, security executives are under more pressure than
ever to demonstrate return on security investment. The shifting threat landscape poses
a multitude of challenges:
• Security focus is expanding to include intangible assets, such as intellectual
property and brand reputation
• Mobile workforce is creating security challenges, with companies having little or
no control over locations where employees are working
• Companies need external employees, associates, partners, and supply chain
providers to accept shared responsibilities for security
• Security executives must understand the capabilities of new technology and
devices and use them strategically
• Businesses are looking to security more often as a strategic advisor and resource
for communicating risk
“Ultimately, chief security officers — like all species — must adapt or die,” concludes a Security Management magazine article summarizing the findings of the ASIS-IOFM report. “As the report notes, ‘if top security leaders fail to promote a more business-like, strategic risk management approach to security, then the strategic thinking will be handed to others.’”[14]
Expenditures
Private Sector
    Operational Security    $200+ billion
    IT Security             $80+ billion
    Subtotal                $281+ billion
Federal Government
    Homeland Security       $69+ billion
    Subtotal                $69+ billion
Total                       $350+ billion
As security executives scramble to keep pace in a dynamic industry, many are
incorporating predictive cyber intelligence into their security management arsenals as
part of a progressive strategic risk management approach. It’s one of many vital layers of
defense but the only one capable of detecting a variety of threats well before traditional
security measures would. Informed by advance intelligence, security executives can
harden physical security elements, strengthen operations procedures, and optimize the
use of electronic security systems to contain or mitigate threats.
Predictive Cyber Intelligence
Attacks rarely happen spontaneously. There are typically weeks, months, even years
of organization, preparation, and groundwork. Often, there are related inquiries,
discussions, and/or posts on the Internet, the Darknet, and social media platforms. These
risk indicators can be discovered through highly focused searches with advanced cyber
monitoring technology and access to conventional and unconventional online resources.
“We utilize techniques and methods to access the Darknet, an area of the Internet
that most people cannot access,” explains William M. Besse, CHS-V, vice president of
the Consulting, Investigations and International division at Andrews International, an
affiliate of U.S. Security Associates. Besse describes the Darknet in simplified terms as an
exclusive Internet for criminals, hackers, child pornographers, and people selling black
market information and products, ranging from pharmaceuticals and illegal drugs to
films, music, and beyond.
Besse’s team helps clients around the world identify threats found on the Darknet, the
Internet, and social media sites, with a proprietary system called Cyber Intelligence
Protection and Containment Scan (CIPACS). CIPACS proactively scans an organization’s
threat landscape for any physical security or information security threats that may be on
the horizon.
The system monitors underground chat channels, hacker boards, regular Internet chat
rooms and discussion threads, social media postings, and other online sources for
keywords such as a company name, employee name, or product name. Intelligence
analysts examine the collected data and determine if a real threat exists or is potentially
developing, based on the magnitude and context of online chatter.
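One way the monitoring and triage steps described above can be implemented, as an added example that is not CIPACS or Andrews International's code: constructed posts are matched against an organization's watchlist, tagged with threat context, and escalated on magnitude and category for analyst review. The watchlist, context lexicon, source names and posts are constructed placeholders.

```python
"""Keyword-and-context triage of online chatter, modelled on the CIPACS
description above. Added example, not the vendor's code; the watchlist,
lexicon, sources and posts are constructed placeholders."""
import re
from collections import defaultdict

# The organization's own terms to watch for (constructed placeholders).
WATCHLIST = ["example corp", "examplesafe", "jane doe"]

# Context terms that turn a plain mention into a candidate threat, grouped by
# the threat types the text lists. Constructed and deliberately short.
CONTEXT = {
    "intrusion": ["breach", "dump", "exploit", "credentials", "hacked"],
    "physical": ["protest", "flash mob", "shut down", "hurt"],
    "sentiment": ["boycott", "scam", "ripoff"],
}
# Categories an analyst should see even at low volume.
SEVERE = {"intrusion", "physical"}

def _has_term(term, text):
    # Whole-word match so "hate" does not fire on "whatever".
    return re.search(r"\b" + re.escape(term) + r"\b", text) is not None

def classify(post):
    """Return (watchlist terms found, context categories found) for one post."""
    text = re.sub(r"\s+", " ", post["text"].lower())
    hits = [w for w in WATCHLIST if _has_term(w, text)]
    cats = {c for c, terms in CONTEXT.items() if any(_has_term(t, text) for t in terms)}
    return hits, cats

def triage(posts, spike_factor=2.0):
    """Bucket watchlist mentions by day and escalate a day when the chatter has
    threat context AND either a severe category appears or the volume exceeds
    spike_factor x the mean of the preceding days (magnitude and context)."""
    per_day = defaultdict(list)
    for post in posts:
        hits, cats = classify(post)
        if hits:                       # posts that never name the org are dropped
            per_day[post["day"]].append((cats, post["source"]))
    alerts, history = [], []
    for day in sorted(per_day):
        entries = per_day[day]
        count = len(entries)
        baseline = sum(history) / len(history) if history else 0.0
        cats = set().union(*(c for c, _ in entries))
        if cats and (cats & SEVERE or count > spike_factor * baseline):
            alerts.append({"day": day, "count": count, "categories": sorted(cats),
                           "sources": sorted({s for _, s in entries})})
        history.append(count)
    return alerts

# Constructed sample chatter: routine mentions, one grumble, then a spike.
SAMPLE_POSTS = [
    {"day": "2015-05-01", "source": "forum", "text": "anyone use ExampleSafe? works fine"},
    {"day": "2015-05-01", "source": "social", "text": "Example Corp quarterly call tomorrow"},
    {"day": "2015-05-02", "source": "social", "text": "Example Corp support is a scam, boycott them"},
    {"day": "2015-05-03", "source": "social", "text": "flash mob at Example Corp HQ friday noon"},
    {"day": "2015-05-03", "source": "darknet", "text": "selling Example Corp credentials dump, dm me"},
    {"day": "2015-05-03", "source": "hacker board", "text": "Example Corp got hacked lol"},
    {"day": "2015-05-03", "source": "chat", "text": "bring friends to Example Corp friday"},
    {"day": "2015-05-03", "source": "social", "text": "Example Corp protest friday"},
    {"day": "2015-05-03", "source": "chat", "text": "unrelated chatter, nothing to see"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_POSTS):
        print(alert)
```

The single day-two grumble is recorded but not escalated, while day three trips both the volume and the severe-category rules; the analyst still decides whether a real threat exists.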
Besse’s team has been retained to provide predictive cyber intelligence for clients
ranging from Fortune 500 companies to city governments, educational institutions,
political candidates, and high-profile/high-net-worth individuals. Besse lists the types of
threats his team routinely detects:
• Computer intrusions or data thefts
• Current hacks or attempts to exploit past successes
• Breaches of privacy or confidentiality
• Intent to physically harm a person or physically damage a facility
• Negative sentiment about an industry, company, special event, or individual
• Activist group plans to protest or disrupt business operations
• Organization of flash mobs
• Signs a civil disturbance might follow a controversial event or legal decision
• Red flags that students, employees, or others may become violent
• Activity and whereabouts of celebrity/VIP stalkers
“We can and do provide protective cyber intelligence in anticipation of specific threats,”
Besse acknowledges, “but we are suggesting that some organizations incorporate this
resource into their security and risk management programs on an ongoing basis. It’s the
only way to stay ahead of many threats that are out there today.”
Besse says his team delivers reports on cyber intelligence findings and analyses to
clients daily, weekly, or monthly, depending on circumstances. Reports indicate what
is being discussed, including actual posts, and provide recommendations to help clients
remediate potential risks.
Protective intelligence solutions are scalable to fit the needs and budgets of organizations
of any size, in any sector. From a budget perspective, Besse notes that predictive cyber
intelligence is much more affordable than the security, litigation, productivity, and
reputation costs arising out of an incident that could have been predicted and contained.
Cyber intelligence can be used not only to detect threats but also to gauge public
sentiment about anything from products to political issues. An entertainment company
might work with a cyber intelligence partner to conduct public sentiment analysis
about a soon-to-be-released film or album. A political candidate might engage a cyber
intelligence partner to gauge what the sentiment is about him or her, or to find out what
people are saying about topics like education, immigration, abortion, or taxes.
Is Cyber Intelligence Part of Your Due Diligence?
There is no black and white answer, but many business leaders are evaluating the return
on investment and deciding “better safe than sorry.”
Most security professionals recommend companies develop their security and risk
management programs based on a combination of applicable regulatory, professional,
and industrial standards and best practices. There are many different frameworks of
guidelines and recommendations and no one-size-fits-all security and risk management
solution. Further complicating matters, as threats evolve, so do the regulations and
suggestions for mitigating risk. In many cases, frameworks are established not to provide
standards but to encourage companies to consider their risk profiles and take effective
steps to harden their defenses, detect threats in advance, and mitigate the impact of
security breaches.
Following is a sampling of the various frameworks with which companies may need to align their security programs.
a. General Duty Clause of the Occupational Safety and Health Act of 1970, https://www.osha.gov/pls/oshaweb/owadisp.show_document?p_id=3359&p_table=oshact
b. Workplace Violence Prevention and Intervention American National Standard, published by the American Society for Industrial Security (ASIS) and the Society for Human Resources Management (SHRM), http://www.shrm.org/hrstandards/documents/wvpi%20std.pdf
c. National Infrastructure Protection Plan (NIPP 2013): Partnering for Critical Infrastructure Security and Resilience, published by the Department of Homeland Security, https://www.dhs.gov/national-infrastructure-protection-plan
d. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (February 12, 2014), published by the Department of Commerce, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
e. GAO-12-361, March 2012 / Threats to IT Supply Chain, published by the U.S. Government Accounting Office (GAO), http://www.gao.gov/assets/590/589568.pdf
According to D.C. Page, senior vice president of U.S. Security Associates’ consulting group,
in many cases, an organization is best-served by engaging a security and risk management
consulting firm to help navigate the challenges of establishing a security program
consistent with regulations, guidelines, and best practices. Page says, “An experienced
consultant can help a business answer the question of what security should be doing
and then help to formulate security solutions that mitigate liability, align with business
goals, and deliver a clear return on investment.” When all things are considered, many
business leaders are reaching the conclusion that predictive cyber intelligence is a
worthwhile investment.
Forewarned Is Forearmed
One of the primary missions of security is to present corporate leaders with the
information they need to make informed decisions about which risks to counter and
which to tolerate or insure against. Predictive cyber intelligence supports this mission.
It’s an early warning system wired into the vast online frontier. Similar to an alarm
system, predictive cyber intelligence alerts an organization to potential threats. From
there, corporate leaders can determine an appropriate course of action to contain the
threat or mitigate its impact.
Multiple, integrated layers of defense are key to a strong security posture. Layers of
physical security include facility and property design elements, security procedures, and
electronic security systems. Layers of information security include intrusion detection
and protection systems, updated firewalls, and malware protection. Predictive cyber
intelligence is another layer of protection and is unique in its capacity to detect threats
that are still in the planning stages.
When business leaders weigh the value of advance knowledge versus the cost of residual
risk, most agree that protective cyber intelligence provides a sound return on investment.
If forewarned is forearmed, in contemporary security and risk management programs,
the best defense includes a good cyber offense.
About Andrews International, LLC
Andrews International (AI) is headquartered in Los Angeles, California and provides security and risk
mitigation services throughout the United States and internationally. AI’s Consulting, Investigations &
International (CI&I) Division provides threat assessments, threat management, and monitoring services
to provide predictive preventive intelligence. As individuals and as a team, AI’s CI&I professionals are in
demand for threat monitoring, assessment, training and interventions throughout the U.S. and around the
globe. CI&I team members have traveled to hundreds of client sites to conduct surveys, develop workplace
violence prevention programs and present training, and they are consulted hundreds of times every year
on risks of potential violence.
C&I Headquarters
66 West Flagler Street, Suite 401
Miami, FL 33130
(305) 373-8488
CITATIONS
[1] “2015 Internet Security Threat Report,” Symantec, April 2015, Volume 20, 7, accessed May 27, 2015, http://www.symantec.com/security_response/publications/threatreport.jsp.
[2] Ibid., 5.
[3] Ibid., 78.
[4] Ibid., 79.
[5] “ICS-CERT Incident Response Summary Report: 2009-2011,” U.S. Department of Homeland Security, 2, accessed May 27, 2015, https://ics-cert.us-cert.gov/ICS-CERT-Incident-Response-Summary-2009-2011.
[6] “ICS-CERT Operational Review: Fiscal Year 2012,” U.S. Department of Homeland Security ICS-CERT Monitor, October, November, December 2012, 5, accessed May 27, 2015, https://ics-cert.us-cert.gov/sites/default/files/ICS-CERT_Monthly_Monitor_Oct-Dec2012_2.pdf.
[7] “Trends in Incident Response in 2013,” U.S. Department of Homeland Security ICS-CERT Monitor, October, November, December 2013, 1, accessed May 27, 2015, https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2013.pdf.
[8] “Incident Response/Vulnerability Coordination 2014,” U.S. Department of Homeland Security ICS-CERT Monitor, September 2014-February 2015, 1, accessed May 27, 2015, https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf.
[9] Symantec, 5-8.
[10] Ibid., 5.
[11] Ibid., 104.
[12] “Executive Summary – The United States Security Industry,” ASIS International and the Institute of Finance & Management, 2013, 2, accessed May 27, 2015, https://www.asisonline.org/Documents/ASIS%20IOFM%20Executive%20Summary%208.23.13.%20final.pdf.
[13] Ibid., 4.
[14] Sherry Harowitz, “Assessing the State of the Security Industry,” Security Management, September 2013, accessed May 27, 2015, https://sm.asisonline.org/Pages/assessing-state-security-industry-0012695.aspx.
Andrews International, LLC
28001 Smyth Drive, Suite 106, Valencia, CA 91355
T: 661.775.8400 F: 661.775.8794
Corporate: 866.594.0454
www.andrewsinternational.com
06-15