In the wake of the tragic events that unfolded on Capitol Hill on January 6, 2021, it is now clear that abundant warning signs existed to alert lawmakers and law enforcement that a dangerous storm was brewing. It is uncommon for threats of this nature to be so blatantly forecast; yet not enough people took notice. On December 21, 2020, writer and political analyst Arieh Kovler tweeted, “On January 6, armed Trumpist militias will be rallying in [D.C.], at Trump’s orders. It’s highly likely that they’ll try to storm the capitol after it certifies Joe Biden’s win. I don’t think this has sunk in yet.”
Now that so much of the world has turned to social media, and with the proliferation of so many various platforms, it has become increasingly difficult to monitor where threats broadcast themselves, particularly when so many discovery platforms are keyword based. If a threat actor makes a post that slips past your keyword threat matrix, it will slip through your detection. Your security teams and corporate leadership will be caught off guard by the threat you will later discover was forecast right in front of your very eyes. It didn’t pop up out of nowhere; unfortunately, you just missed it.
In just the past few weeks, the US Capitol was physically breached by individuals whom many in the US Government are calling insurrectionists. Meanwhile, data within the servers of countless companies and many US Government agencies was swallowed up in the wake of the SolarWinds breach. Let’s not forget the corporate breaches, ransomware attacks, and other cyber events that seemingly occur on a weekly basis these days.
The US has seen an unprecedented level of incursion into its most protected institutions, and while we’re still dealing with the fallout from these events, we will undoubtedly and sadly see more cyber intrusions and physical attacks occur. Whether we can stay ahead of these future incidents is another story.
If You Can’t See the Entire Web, You Can’t See Anything
Corporate security and intelligence teams know that threat actors wish to use the platforms where their message can reach the most people. Thus, by keeping their focus on major platforms such as Twitter, Facebook, Instagram, and the like, security and intelligence teams are likely to catch most of the physical threats directed at corporate America and the US Government. However, now that Twitter is removing QAnon followers from its platform and Parler has received notice from Amazon that it will no longer host the platform on its servers, these groups will be forced to turn to lesser-known platforms for their communications, planning, and threats.
According to LifeRaft, a threat intelligence platform provider, many Parler users are now moving over to Gab.com, a social media platform “known for openly accepting the kinds of rhetoric denounced by other social media and big tech companies, under the notion of free speech and the First Amendment Right of the US Constitution.”
A post on social media platform Gab describes onboarding 600,000 new users in one day, as observed by LifeRaft’s Navigator.
Gab.com is commonly recognized as the platform where the suspected Pittsburgh synagogue shooter, Robert Bowers, published anti-Semitic comments before he allegedly killed 11 people and wounded many others at the Tree of Life synagogue.
Current Approaches Aren’t Good Enough Anymore.
Where companies could previously get by with basic—or even free—monitoring tools, this scenario underscores the importance of having internet-wide visibility to maintain a handle on where threats persist across cyberspace. Whether the threat is cyber or physical in nature, threats originating online are real. As more and more users migrate to lesser-known corners of the internet, the dark web, end-to-end encrypted platforms, and FTP sites for downloading information, corporate security teams will find themselves in the dark when it comes to maintaining visibility into them.
Corporate security and intelligence teams often rely on social media monitoring feeds, proprietary data, news tickers, data from their SIEM or endpoints, as well as industry-specific intelligence they may subscribe to in order to stay on top of emerging trends and relevant security threats. Some of their data feeds may include open source scrapes of websites, social media collection from varied sources, some deep web coverage of forums and blogs, paste sites, and possibly some dark web collection. Rarely do they find all this information in one place. Rather, they often turn to multiple tools that typically do not share information or talk to one another.
Threat Intel is Only As Good as How It’s Correlated
Evaluating these systems for their ability to surface real events of interest or threats takes time, patience, and skill. The real trick, however, is tying all of that information together into actionable intelligence that is timely and relevant, which in turn requires subject-matter-expert analysts to make sense of what their data collection is telling them. They typically triage these events, seek to corroborate what they are seeing, and, if the information is deemed credible, escalate it up the chain for leadership awareness.
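The triage-and-corroborate step described above can be expressed as a small correlation routine. The following is an added example, not code from RiskIQ, LifeRaft, or the original post: it takes events from several feeds that do not otherwise talk to one another (the source names, timestamps, indicators and summaries below are all constructed), groups them by a shared indicator such as a handle or an IP address, and flags an indicator as corroborated only when at least two independent feeds saw it within a 72-hour window. Indicators seen by a single feed, or by several feeds months apart, stay below the escalation threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from separate collection feeds (not data from the
# original post). Each event: (source feed, ISO timestamp, indicator, summary).
# "@example_handle_N" and 198.51.100.23 (TEST-NET-2) are placeholders.
EVENTS = [
    ("social_monitor", "2021-01-03T14:00:00", "@example_handle_1", "post naming a date and a corporate site"),
    ("paste_site",     "2021-01-03T16:30:00", "@example_handle_1", "paste repeating the handle and the site address"),
    ("deep_web_forum", "2021-01-04T09:15:00", "@example_handle_1", "forum thread amplifying the post"),
    ("siem",           "2021-01-04T09:20:00", "198.51.100.23",     "repeated failed logins against the VPN portal"),
    ("social_monitor", "2020-12-20T10:00:00", "@example_handle_2", "single post, never seen elsewhere"),
    ("social_monitor", "2020-11-01T10:00:00", "@example_handle_3", "old post"),
    ("paste_site",     "2021-01-05T10:00:00", "@example_handle_3", "paste two months later, outside the window"),
]


def corroborated_indicators(events, window=timedelta(hours=72), min_sources=2):
    """Return {indicator: sorted list of feeds} for indicators seen by at least
    `min_sources` distinct feeds within any `window`-long span of time."""
    by_indicator = defaultdict(list)
    for source, ts, indicator, summary in events:
        by_indicator[indicator].append((datetime.fromisoformat(ts), source, summary))

    findings = {}
    for indicator, items in by_indicator.items():
        items.sort(key=lambda item: item[0])
        best_sources = set()
        # Slide a window starting at each event and keep the largest set of
        # distinct feeds that fall inside it.
        for i, (start, _, _) in enumerate(items):
            in_window = {src for t, src, _ in items[i:] if t - start <= window}
            if len(in_window) > len(best_sources):
                best_sources = in_window
        if len(best_sources) >= min_sources:
            findings[indicator] = sorted(best_sources)
    return findings


def escalation_queue(events, **kwargs):
    """Order corroborated indicators by how many independent feeds saw them,
    most-corroborated first; this is the list an analyst would review."""
    findings = corroborated_indicators(events, **kwargs)
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for indicator, sources in escalation_queue(EVENTS):
        print(f"ESCALATE {indicator}: seen by {len(sources)} feeds -> {', '.join(sources)}")
```

Widening `window` trades fewer missed slow-burn campaigns for more coincidental matches; in the constructed data, a 90-day window promotes the third handle, which two feeds saw 65 days apart, onto the queue.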
Typically, their data sources are static. The collection they have is what they have. When threat actors move to new platforms, these teams may not even know that a transition has occurred, especially if they are dealing with so much data they cannot manage their visibility authoritatively.
Most commonly, the signal goes silent or dark. If this loss of signal is detected, the analyst must now evaluate what it means. Is the threat gone or mitigated? Is the silence accidental or purposeful? Or, did it move to another medium where the team does not have coverage and thus has no ability to track the threat? This should be a concern of law enforcement and corporate security teams as these groups are squeezed tighter and tighter in the wake of the response to the Capitol building incursion.
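The silence the text describes is itself detectable. The following is an added example, not code from RiskIQ, LifeRaft, or the original post: each monitored source's daily collection volume (the counts below are constructed) is compared against its own recent baseline, a run of near-zero days is reported as a lost signal, a sudden multiple of the baseline as a surge, and a source that goes dark while another surges in the same window is raised as a possible migration for the analyst to investigate.

```python
from statistics import mean

# Constructed daily ingest volumes per monitored source, oldest day first.
# These numbers are invented for the example; they are not data from the
# original post or from any vendor's platform.
DAILY_INGEST = {
    "platform_a": [120, 131, 118, 125, 140, 122, 119, 3, 0, 0],  # goes dark
    "platform_b": [80, 77, 85, 90, 82, 79, 84, 81, 88, 79],      # steady
    "platform_c": [10, 12, 9, 11, 10, 13, 12, 61, 95, 140],      # sudden growth
}


def assess_source(counts, recent_days=3, silence_ratio=0.1, surge_factor=3.0):
    """Classify the most recent `recent_days` of a source's volume against the
    mean of everything before them.

    Returns one of:
      "no_baseline" - too little history, or a zero baseline, to judge
      "signal_lost" - every recent day fell below silence_ratio * baseline
      "surge"       - the recent mean exceeds surge_factor * baseline
      "normal"      - otherwise
    """
    if len(counts) <= recent_days:
        return "no_baseline"
    history, recent = counts[:-recent_days], counts[-recent_days:]
    baseline = mean(history)
    if baseline == 0:
        return "no_baseline"
    if all(c < silence_ratio * baseline for c in recent):
        return "signal_lost"
    if mean(recent) > surge_factor * baseline:
        return "surge"
    return "normal"


def assess_feeds(feeds, **kwargs):
    """Run assess_source over every monitored source."""
    return {name: assess_source(counts, **kwargs) for name, counts in feeds.items()}


def migration_candidates(feeds, **kwargs):
    """Pair each source that went silent with each source that surged in the
    same window. A pairing is a lead for the analyst, not a conclusion: the
    silence may still be accidental, or the threat may be mitigated."""
    status = assess_feeds(feeds, **kwargs)
    silent = sorted(n for n, s in status.items() if s == "signal_lost")
    surging = sorted(n for n, s in status.items() if s == "surge")
    return [(lost, gained) for lost in silent for gained in surging]


if __name__ == "__main__":
    for name, status in assess_feeds(DAILY_INGEST).items():
        print(f"{name}: {status}")
    for lost, gained in migration_candidates(DAILY_INGEST):
        print(f"REVIEW: {lost} went silent while {gained} surged; check for migration")
```

A source reported as `no_baseline` is just as important as one reported as `signal_lost`: it means the team has no history against which to judge the source, which is the state the text warns about for newly adopted platforms.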
Handling the Next Attack
How do teams stay ahead of the curve? Security teams must ensure they possess the tools and expertise to maintain internet-wide visibility, and they must not be afraid to spend proactively to prevent threats. Some tools, such as LifeRaft’s Navigator, provide visibility across lesser-known platforms; these vendors stay on top of emerging technologies and methods of communication and incorporate that collection into their datasets quickly enough to help companies stay proactive against threats from both the cyber and the physical realm.
Companies also need to be keenly aware of what their attack surface looks like to threat actors. This understanding is critical to getting ahead of potential gaps in corporate security posture from a cyber, data, and physical security standpoint. The expertise to manage that data is just as important. Companies that endeavor to stay ahead of the game, protect themselves from these threats, and hope to avoid picking up the pieces after an attack has occurred will need to hire the right level of talent—trained intelligence experts—to operate these tools and maximize their intelligence value.
The next Capitol Hill-like scenario, especially given the threats made on multiple platforms over the previous few days, could occur in the not-too-distant future, and not just against US Government targets. The question is whether the US Government and the companies that find themselves in these crosshairs will have the necessary visibility to see their attackers coming ahead of time.
Get started with RiskIQ today to learn how our Internet Intelligence Graph can give your team the visibility it needs to track and address threats across the web.