Brand Intelligence – Managing the risks you can see and those you can’t - Equate Technologies


Rylan Painter – SOC Manager

We’re seeing a vast increase in the breadth of cyber threat intelligence solutions in the market. As a community and as clients, it’s getting confusing. With 60 unique threat intelligence vendors and services currently listed by Gartner, and each vendor providing hundreds, if not thousands, of individual intelligence sources, it’s no wonder the market is struggling to work out where to start.

There is, however, one type of threat intelligence applicable and valuable to organisations of every industry and size – Brand Intelligence.

What is Brand Intelligence and why does it matter?

If you were to Google the term ‘Brand Intelligence’ or ‘Brand Protection’, you would be forgiven for believing it’s the concern of the Marketing team, not IT. In reality, it spans both.

In the cyber sense, Brand Intelligence, or Brand Protection, is the monitoring of online digital platforms and channels to detect brand abuse, impersonation and mentions in the context of a cyber security threat – and taking actions to defend against it.

A brand-focused Threat Intelligence solution involves the collection and analysis of data from surface, deep, and dark web sources with a focus on identifying mentions of specific brand names and assets. Some of the most common use cases are the detection and response to domain abuse, stolen credentials and data, phishing websites and executive impersonations.

In my experience, the two pivotal characteristics of a Brand Intelligence solution are:

1 – The monitoring and response to cyber threat events occurring outside the network; and

2 – The safeguarding of a conceptual asset against cyber threats: Brand reputation.

The case for Brand Intelligence

There is an obvious and alarming uptick in the reported use of brand abuse and impersonation as a technique to successfully compromise organisations with a large internet presence. Using established brands creates a sense of legitimacy and trust in targets from the outset. This can be easily exploited beyond socially engineered content in user-targeted phishing emails.

What we’re often seeing at Equate Technologies is threat actors using brand impersonation to facilitate fraudulent transactions and/or to gather sensitive information from an organisation’s customer base. When these attacks are successful, the impacts can be serious and far-reaching, including compromised internal or external (customer) data, financial loss, erosion of client trust and significant reputational damage. You don’t have to look far to find this evidenced both in Australia and at a global level.

Beyond Brand Impersonation

The scope of Brand Intelligence goes beyond brand impersonation. Brand intelligence monitoring covers any mention of a brand or organisation that is likely to be in the context of a cyber security threat. Some of the most common use cases are the discovery of leaked credentials, typosquat domains, code leaks on repositories, or discussion of an organisation on dark web markets.

Real-time detection of these mentions enables proactive response and risk mitigation before you hear about it from a third party – or, worse, in the mainstream media. Being on the front foot is everything when it comes to risk mitigation following a cyber-attack or data breach.

Where does Brand Intelligence sit in my cybersecurity strategy?

I like to think about Brand Intelligence in the context of the complete cyber intrusion chain. This really helps people to understand where it fits into their overarching cyber threat intelligence strategy.

When viewed through the lens of MITRE ATT&CK, Brand Intelligence is a capability that gives an organisation more options to Detect and Respond in the Resource Development phase of an attack. In this phase, the threat actor takes action to obtain resources and target an organisation, such as registering a new domain or purchasing stolen credentials or access.

Historically, any steps a threat actor took in preparation for a targeted attack (that didn’t involve interaction with your network) were deemed unactionable. Occasionally an IT administrator would ‘get lucky’ and accidentally stumble across a misspelt domain name impersonating their organisation. Even then, this was not considered real-time detection.

Disrupting the attack through pre-emptive insights

Brand Intelligence is our opportunity to disrupt this phase of a cyber-attack. By placing monitoring capabilities on the wide variety of digital platforms used by threat actors to support their offensive operations, we can take pre-emptive action.

In addition, where significant reputational impact is a concern and domain requests can vary in effectiveness, a Security Operations Centre (SOC) acting as the first responder to Brand Intelligence alerts can quickly identify and mitigate the risk. And, while the specifics of a playbook may differ depending on the scenario, it will almost certainly involve the proactive defence against, or retrospective investigation of, an identified threat.

How do I implement Brand Intelligence?

Ultimately, the value of Brand Intelligence hinges on how well it can answer brand-related intelligence questions, including:

  • Have there been any password dumps that contain my organisation’s domain?
  • Does my organisation’s name appear in code uploaded to a repository?
  • Are threat actors mentioning my organisation’s name on dark web and underground forums?
  • Is access to my organisation’s network being sold on underground marketplaces?
  • Has a social media account been created to impersonate one of my organisation’s executives?
  • Is a threat actor planning to use a typosquat domain to impersonate our company website?

By proactively acting on these insights, organisations can begin to recalibrate the threat intelligence element of their cybersecurity strategy and ensure proactive management and mitigation of the risks you can see, and the risks you can’t.
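One way a SOC could triage the typosquat question in the list above, as an added example that is not from the original article or from Equate Technologies: it scores a feed of newly observed domains against a brand label using look-alike character folding, keyword matching and edit distance. The brand `examplecorp`, the owned-domain set, the confusable table and the feed are constructed assumptions.

```python
# Added example: brand, owned domains and feed are constructed placeholders.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def skeleton(label):
    """Collapse common look-alike substitutions into one canonical form."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand, owned, max_distance=2):
    """Return why `domain` resembles `brand`, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if any(domain == o or domain.endswith("." + o) for o in owned):
        return None  # part of our own estate, not a lookalike
    target = skeleton(brand)
    for label in domain.split(".")[:-1]:  # every label except the TLD
        skel = skeleton(label)
        if skel == target and label != brand:
            return "homoglyph"  # e.g. digit "1" standing in for "l"
        if target in skel:
            return "keyword"    # brand embedded in a longer label
        if edit_distance(skel, target) <= max_distance:
            return "typo"       # short brands need a lower threshold
    return None

def find_lookalikes(feed, brand, owned):
    """Triage a feed of newly observed domains into (domain, reason) alerts."""
    hits = ((d, classify(d, brand, owned)) for d in feed)
    return [(d, why) for d, why in hits if why]

# Constructed feed on the reserved .example TLD, standing in for new-registration data.
FEED = ["examplecorp.example", "portal.examplecorp.example", "examp1ecorp.example",
        "exarnplecorp.example", "examplecorp-login.example", "exmaplecorp.example",
        "weather.example"]

if __name__ == "__main__":
    for domain, why in find_lookalikes(FEED, "examplecorp", {"examplecorp.example"}):
        print(f"{why:10} {domain}")
```

Each alert still needs analyst review before any response action, since edit distance alone will also match unrelated legitimate names.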

Finally, consulting with experts will help to scope out what you need, which technology to use and how it can reduce and mitigate risk across your organisation – talk to our team for advice and support.