Since our adversaries are not on the same playing field as we are, perhaps it's time to rethink the rules of the game or how much we choose to participate. For example, recent ransomware events and media headlines have prompted me to contemplate the practice of publicly promoting cyber-threat intelligence findings and to what extent these publications interfere with operational security practices and client interests.
What is the hierarchy of value? Are there trade-offs that are worth it? How do we reconcile the need to demonstrate our expertise and value with keeping our clients and researchers safe?
Ransomware groups, for example, watch intelligence firms and researchers very closely. They know us by name, watch how we write and talk about them, and look for patterns about how we interact with them in the underground. When security professionals release research findings about these cybercriminals, guess what those groups do? That's right, they read it! Some cyber actors react with, "Ahh, this is what they know about us … time to pivot!"
I would like to begin a conversation for fellow cyber-intelligence professionals and researchers. How can we be more sophisticated in our approach to handling incredibly powerful knowledge about the cyber underground? How can we navigate marketing a worthy product that blesses the world, while channeling a bit more of the "say less" hesitation toward outward-facing research that people who come out of government work tend to have?
Getting involved in ransomware negotiations and dealing with ransomware groups in their native language and culture in the interest of security are serious operations. Real people are putting their actual lives on the line in some cases. As security professionals, we could do a better job articulating and implementing guard rails that would preserve operational security and protect researchers and clients alike.
Two Sides of the Research Coin
In a world where headlines matter, where society has a short attention span (myself included), and where there are so many things competing for our attention, is it prudent to publish what we know about our adversaries for the masses? I argue that it probably isn't, but I may just be a former government stick-in-the-mud and could be convinced otherwise.
I absolutely know there are reasons why researchers publish what they know, and do so fast. First, it scares the heck out of the bad guys. It may even disrupt what they are trying to accomplish (if only a little). Second, it's usually really cool research, and maybe no one else is writing about it. Organizations have a right to flex their capabilities to the market, be first to uncover something big, and stand out against competitors.
As a cyber-intelligence professional, there are competing interest groups within my soul. So, what do we do when there is positive pressure and a righteous desire to crush it for your company, your clients, and your researchers? Marketing teams have a job to do, too! There is real tension between the need for operational security and the business desires of organizations working to uncover the inner workings of cybercriminals for the benefit of others.
The Hierarchy of Value
When new intelligence is published, in addition to my researchers operating in the underground, I often think of the security teams at small and midsize businesses dealing with unglamorous day-to-day security threats that are often beyond their reach to address. I see multiple benefits to keeping our intelligence closer to the chest, siphoned off to be shared exclusively with customers and organizations that are in dire need of targeted, actionable security support.
First, we are keeping the people out there doing the disruption and analysis safer. Hitting our adversaries in the wallet by disrupting a multibillion-dollar industry will certainly cause a reaction. Making matters more difficult, many researchers work in parts of the world that don't value the rule of law as we do. The types of access to cybercrime activity that intelligence firms have are thanks to researchers who trust that firm and feel protected. We can't take that trust for granted.
Second, organizations rely on cyber-intelligence professionals as part of their cybersecurity programs. We need to continue delivering for them each day while addressing new and emerging threats. Rushing to market because we want to be first to make a headline doesn't necessarily serve the organizations that rely on us.
So, what is the hierarchy of value when it comes to prioritizing and valuing research, profit, business goals, and operational security? I am hoping to spark conversation and encourage fellow researchers to shift their mindset. Before you go to print so quickly with that finding, is it worth it? Is it worth potentially putting people at risk to publish something cool? That is an operational call.
While we continue to compete with our adversaries, one of the most important steps to take is knowing your own "hierarchy of value" by outlining the most prudent way to protect your operational security and your proprietary accesses, while protecting your business brand and your clients.