Leveraging social media in advanced threat intelligence

social media threat intelligence

In this podcast recorded at Black Hat USA 2017, Christian Lees, CISO at InfoArmor, discusses how leveraging social media helps to understand the motives and threat landscape from threat actors.

social media threat intelligence

Here’s a transcript of the podcast for your convenience.

My name is Christian Lees, I’m the CISO of InfoArmor, also in charge of data feeds. Recently we spent a lot of time working on our social media platform. We really like to use this kind of platform for customers and partners to do attribution and kind of contextual awareness.

The approach we’ve taken on this is kind of applying our advanced threat intelligence behind a threat actor study, recognition of the threat actors out there and what they’re capable of. We have the ability to categorize a significant amount of threat actors. Today we categorize nearly 2000 threat actors. We can watch these threat actors within the social media platform and data store all of this information.

Once we have this data store, this enables our partners, our customers to mine this platform of predisposed information, looking for significant threats and the ability to have all of the awareness of the metadata around that. Not only that, but we can also follow the URLs within these tweets, harvesting the actual files found within these conversations on the social media platform. We can take those files and index them fully, making them fully clear text searchable, or detonate those files looking for malicious type of payloads.

The magic, in my opinion, of the platform is the ability to do complex regular expressions and extract the data that you’re mining. And we can do this in not only a historical manner, but in a near real-time fashion. Data storing, we can dump this into a full elastic environment, again making it really kind of autonomous or customized to your needs.

The metadata itself also applies itself to the story: who gets the story first? You’re going to be able to get the people that retweeted it, you can get the people that follow it, etc. There’s a significant amount of data that follows with this. We can also take and create specific rules around the type of data that we hash. We can look for specific MD5 hashes, we can look for specific SQL inserts, etc. It’s really kind of customizable and adaptable to the environment that you need.

The social media platform itself of course offers this environment that is being popularized by threat actors, being able to have that full recognizance data, but it’s also an opportunity to have kind of brand awareness: what are individuals talking about your brand within the social media platform? So it’s really important to have that. Of course, threat intelligence side of it, but you also have the ability to gleam that operational intelligence and redistribute the value of that product into other parts of the organization.

I would invite subscribers, I would invite curious users to swing by the InfoArmor website and get ahold of us, and reach out and learn more about it!