Connect with us

Hi, what are you looking for?


Incident Response

Achieving Positive Outcomes With Multi-Domain Cyber and Open Source Intelligence

The Many Faces of Threat Intelligence: Part 2

The Many Faces of Threat Intelligence: Part 2

In my previous article, “The Many Faces of Threat Intelligence: Part 1”, I outlined six common enterprise threat intelligence domains and their associated use cases: 1) Cyber Threat Intelligence 2) Reputation Intelligence 3) Fraud Intelligence 4) Platform Intelligence 5) Protective Intelligence and 6) Third-Party Intelligence. In this article, I will discuss the capabilities needed to achieve positive outcomes to the problems faced in those domains. These capabilities range from open osource research to more technical tradecraft, including active reconnaissance which is often seen in early-stage application testing. Intelligence and investigations with incomplete or poorly defined findings are not likely to be useful to business stakeholders, so it’s important to identify and understand the benchmarks that ensure success for mature security programs. 

What is Open Source Intelligence

Many think open source intelligence is just another name for better googling. They are wrong. Many think threat intelligence is just identifying indicators of compromise (IoCs) and generating alerts when they appear. They are also wrong. Good open source and threat intelligence are derived from three core capabilities:

1) Technical Signature Analysis: The use of external telemetry and raw technical data that brings context to adversary infrastructure (cyber, disinformation, surveillance for hire, threats to executives, etc). This type of analysis combines targeted reconnaissance of the online presence of a person, company, application, or website with various types of publicly available or vendor-based telemetry. More advanced intelligence teams combine aspects of application testing (see OWASP Top 10), attack surface monitoring, and intelligence context to understand not only what is possible (as seen in vulnerability management), but also what is actually happening. Most people would be surprised at the types of leaks that can occur when application penetration testing of the infrastructure does not occur. 

2) Threat Actor Engagement: Backstopped personas and infrastructure to engage actors in social media, closed, and dark web forums. Often referred to informally as digital human intelligence (HUMINT), creating personas that appear authentic and withstand scrutiny is critical to success. The ability to move from forums to isolated chats (in Telegram or What’s App, for example) is key to gaining access, engaging with threat actors and groups, and ultimately understanding the nuances of sophisticated TTPs. 

3) Open Source Intelligence Research: Quantitative and qualitative collection of public, non-classified sources such as, but not limited to, people sites, dating sites, domain registries, third party repositories, social media networks, instant messaging, foreign press, and known exploits. Successful open source researchers don’t live in a world of domains, IPs addresses, and malware strings. They live in a world of seemingly anonymous phone numbers, email addresses, device IDs, and user agent strings. This in-depth investigation and analysis allow them to do the seemingly impossible, including the personal attribution and unmasking of e-crime actors and fraudsters, enabling companies to take criminal or civil action when appropriate or necessary. 

Advertisement. Scroll to continue reading.

What Are Positive Outcomes

The phrase “what, so what, and now what?” is commonly heard when discussing and reviewing intelligence assessments. Enterprise security practitioners aim to deter adversaries by implementing strong risk identification and mitigation capabilities for employees and customers. These controls go a long way toward increasing adversary costs and effort and as a result deterring attacks. But world-class research and technical tradecraft are ineffective unless desired outcomes have been defined by business stakeholders, including representatives of legal, engineering, human resources, and information technology departments. Mature security teams often identify the following concerns as the starting place for outcomes:

● Protect consumers, employees, and vendors on their platforms and applications from bad actors doing bad things. 

● Proactively make the business environment safer from persistent actors. 

● Increasing the cost to the adversary, to create risk and assurance of consequences that influence adversarial behavior. 

In order to achieve those outcomes, they often take the following approaches to disrupt their adversaries:

● Disrupt the network: Working with the cryptocurrency or hosting providers to remove marketplace infrastructure.

● Blow their cover: Publicly exposing criminals to deter future crime.

● Attribute: Removing the anonymity of the fraud actors and criminal conspirators.

● Share with law enforcement and policymakers: Collaborating with these teams to determine the amount of loss, resulting in prosecution.

● Share with the industry: Implementing technical controls, policies, and procedures around applications. 

● Share with researchers: Engaging the perpetrator and the perpetrator’s associates to facilitate cooperation without legal recourse. 

● Warn victims: Reaching out to consumers and employees to inform them of malicious activity.

The actions and outcomes described in this article are both necessary and complementary to any enterprise. These actions will help protect enterprise businesses and their products and services while ensuring a fair marketplace for themselves and their customers.

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...