Many organizations apply cyber threat intelligence (CTI) solely in limited ways that serve the functionality of its namesake -- that is, they appropriate all CTI-related operations solely to cybersecurity and IT teams for use in addressing cyber threats. The problem is that this approach is far too narrow given the threat landscape and the types of risks that organizations are now facing. While threats to an organization’s cybersecurity, systems, and technical infrastructure are critical and do require immediate attention and mitigation, these aren’t the only areas that threats emerging from the Deep & Dark Web are affecting.
Just because CTI may reveal a threat that originated from the Internet does not mean that such a threat’s scope of influence will remain restricted to all things cyber. A comprehensive, cross-functional approach that applies intelligence across an enterprise is even more crucial given the increasing number of threats and indicators that extend beyond the cyber domain -- such as those pertaining to physical security and, more specifically, executive protection.
So, what happens when a threat originating on the Internet becomes one that threatens an executive’s physical safety? Although these threats can take various forms and pose dangers of varying levels, they all can be quite complex to address and mitigate without visibility into the Deep & Dark Web. Here are a few recent examples:
• Cyber and/or physical targeting of mobile devices. The mobile devices that enable most executives to stay connected and store sensitive data are desirable targets for threat actors. Financially-motivated actors have known been to target seemingly high-value mobile devices by either physical theft or cyber compromise to access the device owner’s personal financial information and critical business data. In many cases, threat actors will sell corporate data and trade secrets to competitors or even nation states seeking a larger market share or a favored economic or political advantage. For executives, the compromise of such information can lead to damaged personal and brand reputation, loss of competitive advantage, threats to physical safety posed by disgruntled stakeholders, or worse.
• Terrorism. The threat of terrorism requires significant consideration for executives with plans to travel abroad and/or attend high-profile public events. One recent example pertains to threats surrounding the 2016 Rio Olympics, when terrorist groups such as ISIS took to numerous cyber outlets ranging from private Deep & Dark Web forums and the encrypted social media app Telegram to Twitter to publicize their intentions of launching terror attacks in Brazil during the games. While such threats fortunately never materialized, they serve to illustrate how terrorists’ use of technology and operations on the Internet can lead to threats endangering physical safety.
• Large-scale cyber attacks. It should come as no surprise that cyber attacks including ransomware, DDoS, or large-scale fraud schemes can wreak havoc on a brand’s reputation, which in turn can cause harm to sales, stakeholders to become disgruntled, and high-profile executives to become the target of unwanted attention, ridicule, and threats. While cybersecurity and IT teams may bear the bulk of the responsibility in preventing such attacks from occurring, prevention may not always possible. As such, if a large-scale cyber attack or breach becomes public knowledge, the entire organization -- especially key executives -- may face an increased risk to their business functions.
While the three threats above are best addressed and mitigated by analyzing and applying intelligence in a manner that fosters collaboration across the enterprise, such a strategy is rarely operationalized, and, as a result, many executive protection teams are unknowingly not as prepared or informed as they could be.
To further illustrate my point, let’s look at some common differences between public- and private-sector executive protection programs.
While those in the public-sector are often lauded for their comprehensive efficacy, efficiency, and precision, many private-sector programs tend to lag. One reason for this discrepancy is that most public-sector programs receive support from and collaborate with public-sector intelligence agencies, which provide them with a more comprehensive picture into all relevant threats -- cyber or physical -- that could potentially endanger an executive or agency. However, many private-sector programs are rarely afforded such visibility due to a lack of information-sharing between executive protection and other business functions. Since cybersecurity and IT are often the only private-sector business functions with any sort of visibility into the Deep & Dark Web, if these teams receive no direction or reason to seek out threats originating on the internet that could potentially inform an executive’s protection, they are unlikely to do so.
As a hypothetical example, let’s say that the CEO of a Fortune 100 retailer will travel abroad to Asia to represent her company at a high-profile public event. In preparation for her trip, her executive protection team has conducted extensive research into the safety of the surrounding area, mapped out emergency evacuation routes, and constructed a well-equipped team of physical security professionals ready to protect her.
Meanwhile, a cyber intelligence analyst on the company’s cybersecurity team has been tasked with researching an English-speaking hacktivist group that has recently defaced a series of websites linked to leading North American retailers. While monitoring a Deep Web forum known to be frequented by hacktivists, the analyst notices that a well-known member of an international hacktivist group has authored several posts about plans to launch a cyber attack in an effort to shut down the power supply of an upcoming high-profile public event in Asia. Indeed, such intelligence could absolutely be of high interest to the CEO’s executive protection team to understand the CEO’s risk profile better. But, since the cyber intelligence analyst was unaware of the CEO’s upcoming trip, he did not consider the information relevant to the executive protection team or any other business function at his organization for that matter. Evidently, despite the executive protection team’s exhaustive research and preparation to ensure the CEO’s safety during her upcoming trip, lack of visibility into the threats emerging from the Deep & Dark Web means that the team was not as prepared as they could have been.
While cyber threat intelligence can undoubtedly be integral to bolstering an organization’s physical security, the current landscape prevents numerous challenges that continue to prevent many organizations from reaping the full value of their CTI. In today’s day and age of unprecedented technological advancements and threat actors capable of evading even the most robust security measures, few organizations are fully aware of all ways in which they are vulnerable to the risks presented by increasingly-advanced cyber and physical threats.
This lack of awareness can be especially detrimental to executive protection teams because failing to acknowledge relevant threats means that the team cannot accurately assess and address the executive’s overall risk. As such, it is crucial for executive protection and physical security teams not only to leverage cyber threat intelligence to gain visibility into all relevant cyber and physical threats but also ensure open collaboration and information sharing with all business functions to address threats and mitigate risk across the enterprise.