Facilitate the convergence of physical security and cybersecurity with open source intelligence

The desire to merge aspects of physical and cyber security is nothing new, especially in mature companies that are proactively expanding their security capabilities. Since many aspects of physical security are connected to the Internet, companies have started building fusion centers that combine disciplines. By doing so, they can converge cyber and physical security, close gaps in coverage, and scale security to protect facilities and hundreds of thousands of employees. The key to this convergence lies in open source intelligence and how it can enrich many aspects of a physical security program.

Expanding the definition of open source intelligence

Many aspects of open source intelligence are similar or equivalent to traditional all-source intelligence methodologies seen in the intelligence cycle. Two main categories of data sets to map are traditional open source intelligence and non-traditional open source intelligence. Traditional open source intelligence datasets encompass qualitative and quantitative collection and analysis of unclassified public sources that provide context, such as archives, business records, dating sites, and the dark web. Non-traditional open source intelligence datasets include the human, signals, and image intelligence equivalents in OSINT, based on anything from threat actor engagement on social media to external telemetry (netflow, passive DNS, cookies) and photos from social networks used to identify locations.

Defining the key capabilities of a cyber threat intelligence program

Before we delve into how cyber threat intelligence benefits a physical security program, let’s identify a list of some of the services, products, and analytics that a CTI program could address. The following services have significant overlap with physical security programs:

● Adversary infrastructure analysis

● Attribution analysis

● Dark web tracking

● Search for insider threats

● Threat research for the identification and correlation of malicious actors and external data sets

● Production of intelligence reports

● Intelligence sharing (external to the organization)

● Tracking the intentions and capabilities of threat actors

Other CTI services generally do not overlap with physical security and remain the responsibility of cybersecurity teams. These services include malware analysis and reverse engineering, vulnerability research, and indicator analysis (enrichment, pivoting, and correlation with historical reports).

Defining the overlap between CTI and physical security programs

Security teams are now leveraging open source intelligence and cyber threat intelligence to provide critical information to physical security professionals. The physical and corporate security programs of these teams typically consist of the following disciplines, with use cases that are at the core of the convergence of the cybersecurity and physical security disciplines:

● Executive protection and physical asset protection

○ OSINT and dark web monitoring to identify fake social media accounts that impersonate or target executives and employees, as well as negative sentiment, protests, and planned attacks on physical assets.

○ Tracking the intentions and capabilities of threat actors trying to degrade a company’s brand

○ Adversarial infrastructure analysis and attribution of spearphishing aimed at executives, intellectual property, facilities, or employees.

○ Intelligence sharing with federal or industry partners to disrupt threats and threat actors

○ Monitoring open or closed source forums to identify collusion from internal and external threat actors

○ Heat maps to identify crime rates and potential risks for foreign physical locations or future locations

● Travel security

○ OSINT and social media geolocation monitoring to determine disturbances, negative sentiments, or hostilities that could delay or disrupt travel plans

○ Tracking staff travel patterns that may pose a risk to executives or facilities

○ Intelligence sharing with federal or industry partners if an executive or employee is in jeopardy and needs to be removed

● Regulatory/environmental risk specific to the business

○ OSINT and dark web monitoring to identify vendors doing business with foreign nationals or high-risk nation-states

○ Attribution analysis to identify people who present a regulatory or environmental risk to the business

○ Analysis of the press and foreign media on the regulatory and environmental risk for the business

● Geopolitical risk

○ Foreign press and media analysis of ongoing tensions between nation-states that affect the business

○ Adversarial infrastructure analysis of disinformation threats on hostile government platforms targeting innocent civilians who are employed by a company

○ Threat research to find and correlate malicious actors with external data sets

● Global investigations

○ Collaboration between investigators, general counsel, and human resources to inform enforcement and policies that reduce risk.

○ Threat network disruption through legal action

○ Actor identification through public disclosure, attribution, sharing with law enforcement and policy makers

○ Inform industry companies and investigators, and warn victims.
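The executive-protection use case above starts with spotting social media handles that impersonate a protected executive. The following is an added example, not code from the original column or from Nisos: it normalizes candidate handles (case, separators, digit and Cyrillic homoglyphs) and scores them against a watchlist of official handles and names, flagging lookalikes for an analyst to review. The watchlist, the candidate handles, the homoglyph table, and the 0.85 threshold are all constructed assumptions for illustration.

```python
"""Flag social media handles that look like impersonations of watchlisted executives.

Added example for the executive-protection use case; not part of the original
column. All names, handles, and thresholds below are constructed sample data.
"""

import difflib
import unicodedata

# Assumed homoglyph table: digits, symbols, and Cyrillic letters that are
# commonly swapped into lookalike handles, mapped to the Latin letter they mimic.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

# Constructed watchlist of protected executives and their official handles.
WATCHLIST = [
    {"name": "Jane Doe", "handle": "@janedoe_acme"},
    {"name": "Raj Patel", "handle": "@rajpatel"},
]

# Constructed candidate handles, as they might arrive from a monitoring feed.
CANDIDATES = [
    "@janedoe_acme",      # the real account: must not be flagged
    "@jane.doe.acme",     # separator variant
    "@j4nedoe_acme",      # digit homoglyph
    "@janedoe_acme1",     # appended character, near match
    "@r\u0430jpatel",     # Cyrillic 'a' homoglyph
    "@weatherbot99",      # unrelated account
]


def normalize_handle(handle: str) -> str:
    """Lowercase, map homoglyphs to Latin letters, strip accents and separators."""
    text = handle.lower()
    if text.startswith("@"):  # leading '@' is handle syntax, not a homoglyph
        text = text[1:]
    text = "".join(HOMOGLYPHS.get(ch, ch) for ch in text)
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return "".join(ch for ch in text if ch.isalnum())


def similarity(a: str, b: str) -> float:
    """Character-level similarity in [0, 1] between two normalized strings."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def find_impersonators(candidates, watchlist, threshold: float = 0.85):
    """Return candidates whose normalized form closely matches a watchlisted
    executive's official handle or name, excluding the official handle itself.

    Each result is {"candidate", "matches" (executive name), "score"}.
    """
    results = []
    for candidate in candidates:
        norm = normalize_handle(candidate)
        best = None
        for entry in watchlist:
            if candidate.lower() == entry["handle"].lower():
                best = None  # this is the genuine account; never flag it
                break
            targets = [normalize_handle(entry["handle"]), normalize_handle(entry["name"])]
            score = max(similarity(norm, t) for t in targets)
            if score >= threshold and (best is None or score > best["score"]):
                best = {"candidate": candidate, "matches": entry["name"], "score": score}
        if best is not None:
            results.append(best)
    return results


if __name__ == "__main__":
    for hit in find_impersonators(CANDIDATES, WATCHLIST):
        print(f"{hit['candidate']:>18}  looks like {hit['matches']:<10} score={hit['score']:.2f}")
```

Handles whose normalized form equals the official handle score 1.0 and are the clearest impersonation signal; the appended-character variant scores just below that, which is why a threshold rather than exact matching is used. In practice the flagged list feeds an analyst queue for takedown requests and intelligence sharing rather than triggering automated action.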

It is becoming increasingly clear that the physical and information security disciplines have major overlaps. Using OSINT to review coverage gaps and identify issues is no small project and can take up to 18 months to complete according to GSOC and cyber threat intelligence professionals. However, when executed correctly, open source intelligence is not only a critical enabler in today’s risk management landscape, but also a key decision and collaboration tool for business unit stakeholders.


Landon Winkelvoss is co-founder and vice president of security strategy at Nisos.
