Visibility: Know Who's Talking About You
Businesses need to be aware of information targeting their products and services. While much of this capability may be ensconced in product marketing and management groups, infosec teams should be involved as well. Because disinformation can be part of a targeted campaign that includes other type of exploitation, disinformation can be an early sign that a business is being targeted by adversaries, says Mike Wyatt, principal for the cyber risk services and identity management practice at consultancy Deloitte.
"Every company needs a risk-sensing capability," he says. "The goal is that if something does pop up, there is the ability to act quickly."
And attackers can work quickly. In its experiment, Recorded Future found that generating disinformation took only a few days — much less time than establishing a credible presence online for their "legitimate" business. The problem is that the malicious marketing specialists have their infrastructure prepared and ready to spread disinformation quickly.
"The threat actors that we hired were still able to create the profiles and articles within a few days, and these profiles had thousands of followers," says Recorded Future's Sannikov. "So, obviously, the accounts that are used for this are probably a network of existing accounts that they can use to propagate information."
Identity: Create a Trusted and Secure Channel
During a crisis, companies also need a legitimate channel to send out communications to customers and media. Losing control of an official channel can be devastating for a firm. Not only do the attackers get a legitimate channel to use for disinformation, they minimize a business' ability to respond.
For that reason, companies should consider such communications channels to be critical assets to be heavily monitored and secure such accounts with multiple factors.
"There has to be an effort to lock down these accounts so that anyone associated with the company cannot have their accounts compromised and used by the attackers," Deloitte's Wyatt says.
The importance of trusted accounts will become even greater as new technologies make identity much harder to secure and disinformation more convincing. Deep-fake videos, for example, can lend credence to disinformation and lead to immense reputational data. In August, using deep-fake technology, criminals re-created the voice of a UK energy firm's CEO to demand the transfer of £220,000, or about US $290,000, the company's insurance firm told The Wall Street Journal.
Policy and Practice: Game It Out
Where security teams really can make a difference, however, is in the creation of policy and in hosting exercises to practice response, Deloitte's Wyatt says. Thinking about disinformation attacks prior to an actual incident can significantly reduce the damage done.
"There needs to be a crisis response plan," Wyatt says. "We see when an organization does not have a plan in place, the mistakes made because of the lack of thinking of all the facets of an incident can really amplify the damage of the situation, as opposed to minimizing the impact."
Another reason to regularly practice responding to such incidents is because a typical disinformation threat includes a variety of business groups — from security to legal and from public relations to product marketing. Getting each of those groups working together and establishing a playbook before an actual incident is critical.
And those are skills the security team already has, Wyatt says.
"We already do this for cyber-risks," he says. "And we strongly encourage from the C-suite down that everyone be involved in these drills. Because when you do a simulation, you create the pressure that is there in a real event, and they get some muscle memory in how to respond."