“CISO, We Have a (Brand) Problem”

“CISO, We Have a (Brand) Problem”
7 minute read

One day, a security professional gets contacted by their social media management team, with a  message that says something like, “People are creating social media accounts with our brand names. It’s a problem, but our social media management / analysis / advertising vendors don’t help with this – neither do the social platforms themselves. I need you to take care of it.” It’s a frustrating experience many security pros share. 

In many cases, this event became the security pro’s introduction to threat intelligence and external cybersecurity whether they knew it or not.

Brand Security is Evolving

In cybersecurity terms, “brand” is relatively new – what once was seen as a marketing challenge has rapidly grown into a legitimate security issue. Now, when we talk about brand protection, it’s not limited to managing how people talk about you, it’s also about criminals pretending to be you. When scammers and criminals attempt to get in between you and your customers, the potential for harm is exponentially greater. The damage is more immediate, and because there’s an adversary, you have an opponent actively fighting against you, motivated to steal your data, information, and ultimately, dollars. Because threats to your brand are increasingly complex, the tools to protect your brand must be able to meet the challenge. 

Back to our example – The security team identifies a reputable vendor specializing in brand protection (say for example, ZeroFox). Together, the team and their security partner have successfully found and taken down imitation social media profiles and malicious content that bad actors created, protecting their brand names and/or trademarks from the significant damage imposters cause. The specifics vary – adversaries may be creating and selling counterfeit goods; other times the fraudsters are harvesting your customers’ user information; and sometimes they are using your brand to push false narratives. In the worst case scenario, they are hacking into your organization’s account to accomplish their objectives. Still, the outcome is more or less the same. 

Social media impersonations tangibly harm your brand. And while there’s little contrast in what motivates adversaries, there’s significant variations in the tactics they use. So when it comes to protecting your brand and your customers from these threats, it’s not uncommon to have more questions than answers. This is why the next step in your threat intelligence journey is so important. 

Threat Intelligence is a Must to Protect Brands

Social media isn’t the only medium where cybercriminals abuse brands and trademarks. The Underground Economy is massive and constantly expanding. Criminals and fraudsters communicate using a variety of channels such as Discord, Telegram, WhatsApp, ICQ, and even IRC (yes Gen Xers, some of our earliest communications tools are still out there). Like corporate IT specialists, criminals also hate administering servers, and many have turned to cloud-based services to scale their operations. 

It’s difficult and expensive to collect intelligence across the entire Underground Economy. Threat actors don’t let just anyone into their covert communications platforms – and they constantly adapt when forums and rooms get discovered or shut down. Furthermore, your stakeholders – marketing leaders, security leaders, the C-suite, etc. – likely aren’t satisfied by mere alerts to abusive content or stolen intellectual property – and neither are you. Even when your security partner (ahem, like ZeroFox) takes down the impersonations, without gaining insights and context around them, it can become like a game of Whack-a-Mole, striking down each imitation account, knowing another could pop up at any time.

You probably have several questions running through your mind, including: 

  • Who is behind these impersonations of our brand? 
  • How are they doing this – and what else might they be doing?
  • Why are they targeting us and our customers?
  • How can we stop them?
  • How can we protect ourselves and our customers from more attacks? 

Threat intelligence goes beyond alerting stakeholders to a new impersonation. It goes beyond individual takedowns. It involves clustering related activity and modeling how criminals and fraudsters create personas and pages to target a brand.

Seeing the Bigger Picture

Think about cyber intelligence in three main categories – strategic, operational, and tactical.

Tactical intelligence – which enables individual brand defenders and protectors to make better decisions, more efficiently – sets the foundation for both strategic and operational intelligence. 

Those individual events and alerts are needed to cluster activity and model a threat actor’s intent and capabilities. Continuously monitoring content, applications, and social media impersonations for abuse or brand defamation can identify the lowest level scammers all the way to state threat actors attempting to harm critical infrastructure. 

Social media impersonation can impact an organization and its people in different ways, at all levels. Impersonation fraud has spiked throughout the COVID-19 pandemic, as scammers capitalize on confusion and concerns around shifts in the economy. According to the FTC, in 2021, consumers lost $5.8 billion to scams and fraud. Of these losses, consumers reported $2.3 billion were due to imposter scams.

Brand Protection – First Steps in a Threat Intelligence Journey

When that brand impersonation alert or harmful social media post provokes questions from you or your leadership, it helps to partner with an intelligence provider who can answer these time-sensitive Requests for Information (RFIs). The right partner is also valuable when unforeseen events could impact your business operations. For example, if hacktivists begin amplifying a false narrative about your company you will need expert analysis to determine if your PR should engage or ignore them.

We often get questions like this from our customers:

  • How can I defend my brand if [a belligerent online user] targets my company? 
  • Who is continually impersonating my brand? 
  • How are they impersonating my brand? 
  • Is this narrative about my brand accurate or false? 
  • What can I do to protect my customers and our reputation? 

A single alert is simply the first piece of information in a deep investigation. Let’s say a brand protection product alerts on a social media post promoting the sale of a phishing kit, which includes critical assets imitating tech company, ACME Technologies. Fundamentally, a brand protection service would take down the social media post promoting the sale of the kit – but not the kit itself. 

You could stop at the takedown, but that kit is still for sale and the operator is likely targeting other companies. Threat intelligence enables deeper brand protection, getting beyond the singular takedown. It can help identify and address the phishing kit’s distribution channels and distributors, product brokers, and operators.

This type of investigation is best handled by external operators familiar with the threats and with the training and tools to manage the unique risks of communicating directly with threat actors. Browsing threat actor infrastructure is risky and potential victims tend to react emotionally,and although that’s understandable, it’s also counterproductive.

When your CISO and executive team expect immediate answers, there is no time to credibly create a new persona and develop the placement and access to those criminal covert communications. Whether you need fully managed threat intelligence or on-demand investigations support, an external cybersecurity intelligence partner can help. They should be able to quickly and thoroughly answer your RFI or provide indirect access to raw criminal conversations for your full-time intelligence analysts.

How to Sell TI Value to Your C-Suite

There is always resistance to spend more on a capability that is hard to measure – like threat intelligence. However with some certainty, we can quantify the losses from fraudulent marketplaces selling counterfeit goods. Each fraudulent marketplace identified and disrupted pays for itself. 

We’ve covered this but it bears repeating – false narratives damage a brand if handled poorly – and the time and cost to restore consumer trust and brand reputation can devastate businesses. Discontinuing a product or leaving a market over a false narrative costs millions of dollars. Responding incorrectly to impersonations will cost you more than just a thorough investigation into the roots and authenticity of a disinformation campaign. Further, threat intelligence will reduce losses from fraud and phishing while helping PR teams respond smarter to false narratives about the brand. 

Threat Intelligence Benefits your Entire Brand

CISOs are increasingly responsible for protecting their organization’s ‘trustworthiness’ in the marketplace. Customers and employees want to believe they are only receiving legitimate communications from authentic organizations. You may not see the impersonators, but that doesn’t mean consumers won’t. Put simply, threat intelligence provides more visibility into how your brand lives outside your corporate perimeter to ensure customer and employee trust. 

If you’ve been alerted to yet another brand impersonation and you find yourself with more questions than answers, it’s time to start thinking about how additional threat intelligence insights could help not only your security team – but help your entire organization. 

Tags: Brand IntelligenceBrand ProtectionThreat Intelligence

See ZeroFox in action