By providing critical information on threats and bad actors, open-source intelligence (OSINT) programs help organizations develop more proactive defense strategies, respond more effectively to risks, and augment situational awareness against threats. A subset of the threat landscape involves OSINT data collection and investigation. Intelligence has always been vital to security teams, but operationalizing it is a legitimate challenge many large companies still face. Increasingly, the momentum to evolve security to include OSINT comes in the form of advanced platforms, like Media Sonar, capable of supporting an organization’s ability to detect, investigate, and respond to threats.
A threat intelligence program, at its core, involves the continuous production of relevant, contextualized and actionable data. Organizations looking to advance the maturity of their security posture need to make threat intelligence actionable at all levels of the organization. The European Union Agency for Cybersecurity (ENISA) outlines the maturity levels of threat intelligence programs.
At an initial level, the threat intelligence process is more informal and OSINT collection is done reactively. The methods for capturing OSINT data at this level can be unpredictable and often come in the form of third-party provided information, whether it be specialized media, open threat intelligence feeds, or security vendor alerts. At this stage, organizations are primarily concerned with the technical and tactical elements of threat intelligence in its most rudimentary forms.
Technical Threat Intelligence covers information about, and analysis of, threats to technical network assets, including servers, endpoints, etc. In a threat intelligence program, this type plays a key role in responding to threats and closing security gaps.
Tactical Threat Intelligence provides security teams with information that aids in forming decisions and actions. In OSINT, it is focused on the tactics, techniques, and procedures of bad actors.
For organizations hoping to leverage OSINT at this stage, Media Sonar is a practicable entry point for approaching intelligence alerts related to points of interest (POIs) such as assets and bad actors. Much of this information is equally available through Open and Dark Web sources, and OSINT collection can be fine-tuned to address threats that are truly relevant and unique to an organization.
As organizations implement more robust controls over the methods and management of threat intelligence programs, more stakeholders will be involved. This will largely involve discussions related to the organization’s expected outcomes and requirements. The ways in which OSINT is used are still sporadic and reactive, but with increased actionability and the correlation of internal data, such as IoCs (Indicators of Compromise), external information is key to the internal sharing and distribution process.
At this managed stage, the Media Sonar platform is useful for obtaining specific and actionable information related to entities including persons, email addresses, usernames, domains, IP addresses, etc. Security teams are able to receive alerts, investigate threats, and respond collaboratively in an informed manner. Investigations are made easier by leveraging a wide range of data sources within the platform. Security teams are able to retain their investigative work, making it possible to go back if a similar threat pops up again.
The next level, once better management controls have been adopted, takes a more systematic approach to the evaluation of results, to ensure outcomes are aligned with those of stakeholders and the organization as a whole. This involves a greater correlation of data and information about the activities of bad actors on a more proactive basis. Threat intelligence at this level seeks to provide recommendations to stakeholders, allowing them to take action by integrating those recommendations automatically into their systems and processes. At this level, organizations gain better coverage over operational types of threat intelligence, and again OSINT plays a key role.
Operational Threat Intelligence focuses on flaws in the design of the organization’s technical infrastructure and helps plan proactive actions that the security team can take to mitigate them.
Media Sonar provides advanced Threat Models to monitor against an unlimited number of risks to an unlimited number of assets. This proactive intelligence can be tied to internal data through exports of raw data as well as executive reports, or disseminated through team-based alerts to meet the needs of specific departments. Analysis of data is possible using Pathfinder to trace the links between the data to show patterns and connections between assets, actors, and entities.
The last level considers the constant improvement of threat intelligence, with the main focus on learning and optimization. Success results from the collaboration and effort of all stakeholders and the threat intelligence team.
Strategic Threat Intelligence covers information focused on threats related to the organization’s business, geography, and operating environment. This information is usually acted upon by senior management within the organization.
For organizations at this level, Media Sonar goes one step further by pushing actionable alerts to centralized dashboards like SOAR or SIEM applications. Consolidating threat intelligence in one centralized place, and including OSINT data, ensures optimal efficiency and visibility for all involved. Media Sonar also includes audit logs to ensure compliance and transparency to meet the needs of organizations at this level.
What level are you?
Media Sonar is used by organizations at all levels of threat intelligence maturity from the initial stages until it is optimized. It is easy to use but flexible enough to meet the robust requirements of large organizations.