The desire to merge aspects of physical and cyber security is nothing new, especially in maturing enterprises that are proactively extending their security capabilities. Since many aspects of physical security are connected to the internet, enterprises have started to build fusion centers that combine disciplines. By doing so, they are able to converge cyber and physical security, close gaps in coverage, and scale security to protect facilities and hundreds of thousands of employees. The key to this convergence lies in open-source intelligence and how it can enrich many aspects of a physical security program.
Broadening the Definition of Open Source Intelligence
Many aspects of open source intelligence are similar or equivalent to traditional all-source intelligence methodologies seen in the intelligence cycle. Two main categories of datasets to map are traditional open source intelligence and non-traditional open source intelligence. Traditional open source intelligence datasets encompass the qualitative and quantitative collection and analysis of public, non-classified sources that deliver context, such as archives, business records, dating sites, and the dark web. Non-traditional open source intelligence datasets include the human, signals, and imagery intelligence equivalents in OSINT, based on anything from threat actor engagement on social media to external telemetry (netflow, passive DNS, cookies) to social media photos used to pinpoint locations.
Defining the Key Capabilities of a Cyber Threat Intelligence Program
Before we dig into how cyber threat intelligence benefits a physical security program, let’s identify a list of some of the services, products, and analyses that a CTI program might address. The following services have significant overlap with physical security programs:
● Adversary infrastructure analysis
● Attribution analysis
● Dark Web tracking
● Internal threat hunting
● Threat research for identification and correlation of malicious actors and external datasets
● Intelligence report production
● Intelligence sharing (external to the organization)
● Tracking threat actors’ intentions and capabilities
Other CTI services generally do not overlap with physical security and remain the responsibility of cyber security teams. These services include malware analysis and reverse engineering, vulnerability research, and indicator analysis (enrichment, pivoting, and correlating to historical reporting).
Defining Overlap between CTI and Physical Security Programs
Security teams are now leveraging open source intelligence and cyber threat intelligence to provide critical information to physical security practitioners. The physical and corporate security programs of these teams generally consist of the following disciplines, with use cases that are at the center of the convergence of cyber and physical security disciplines:
● Executive Protection and Physical Asset Protection
○ OSINT and dark web monitoring to identify fake social media accounts that misrepresent or target executives and employees, as well as negative sentiment, protests, and planned attacks against physical assets.
○ Tracking threat actors’ intentions and capabilities attempting to degrade a company’s brand
○ Adversary infrastructure and attribution analysis to identify spearphishing against executives, intellectual property, facilities, or employees.
○ Intelligence sharing with federal or industry partners to disrupt threats and threat actors
○ Monitoring of open or closed source forums to identify the collusion of internal and external threat actors
○ Heat maps to identify crime rates and potential risks to foreign physical locations or future locations
● Travel Security
○ OSINT and social media geolocation monitoring to determine unrest, negative sentiment, or hostilities that could delay or disrupt travel plans
○ Tracking travel patterns of personnel that may pose risk to executives or facilities
○ Intelligence sharing with federal or industry partners if an executive or employee is in danger and needs to be removed
● Regulatory/Environmental Risk Specific to Business
○ OSINT and dark web monitoring to identify vendors doing business with high-risk foreign nationals or nation-states
○ Attribution analysis to identify individuals presenting a regulatory or environmental risk to the business
○ Foreign press and media analysis of regulatory and environmental risk to the business
● Geo-Political Risk
○ Foreign press and media analysis of ongoing nation-state tensions that impact business
○ Adversary infrastructure analysis of disinformation threats on hostile governments' platforms that target innocent civilians who are employees of an enterprise
○ Threat research to find and correlate malicious actors with external datasets
● Global Investigations
○ Collaboration between investigators, general counsel, and human resources to inform enforcement and policies that reduce risk.
○ Disruption of threat networks through legal action
○ Identification of actors through public release, attribution, sharing with law enforcement and policymakers
○ Informing industry enterprises and researchers, and warning victims
It is increasingly clear that physical and information security disciplines have large overlaps. Using OSINT to review coverage gaps and identify problems is not a small project and can take up to 18 months to complete, according to GSOC and cyber threat intelligence professionals. However, when executed properly, open source intelligence is not only a critical enabler in today's risk management landscape, but also a key decision and collaboration tool for business unit stakeholders.