“Hi, Security. Should we worry about mean tweets?”

7 minute read

The security operations center (SOC) receives numerous reports from the CEO’s executive assistant about threatening emails. Around the same time, the physical security team observes people attempting to trespass on, and vandalize, company property. There are new social media profiles impersonating the CEO with fake quotes. The social media team sees a rise in replies to official company posts criticizing the CEO. The CEO has called their local police department due to protestors – some appearing to be threatening violence against the CEO and their family – at their home. It appears there is a coordinated effort to harm the CEO, but neither the company’s security nor communications teams were prepared.

About a month prior to the wave of threats and criminal activity, the CEO made a donation to a politician’s campaign. The politician who received the donation is well known as favoring many extreme policies and has drawn a lot of attention from the extremes on the other side of the political spectrum. In the U.S., political donations in the amount of $200 or more are made public (including the individual’s employer). This news drew a lot of attention to the company and its CEO. In the political climate in the U.S today, this is not a hypothetical scenario. Doxxing of donors to political campaigns has been happening for well over a decade.

In part 1 of this series I discussed how threat Intelligence improves brand protection outcomes. In part 2, I shared how domain protection enables a more proactive approach with a threat Intelligence. In the final blog in this series, I’ll discuss how threat Intelligence should be used to break down the silos protecting VIPs online and in real life, so a scenario like the one above doesn’t catch you or your company unprepared.

Get your copy of our Buyer’s Guide for Threat Intelligence here!

Protecting VIPs is Evolving

Most organizations still silo cyber and physical security domains. Often, social media monitoring is solely within a marketing department and only focused on customer sentiment. But, social media posts and chatter in closed forums can quickly escalate into actions in the physical domain. 

One well known example of online chatter creating a physical risk to an individual is when security blogger Brian Krebs was the victim of criminals sending him heroin and calling his local police department to report a hostage situation. “Swatting”, as these events are called, can have deadly consequences such as what occurred in Kansas in 2017. The lack of visibility and awareness across physical, cyber, and social media domains creates vulnerabilities that are exploited – intentionally or not – by threats.

Of course, impersonations of celebrities, military personnel, and executives are nothing new. However, the velocity at which fraudsters and other threat actors are reacting to current events is increasing due to lack of incentives at social media companies to prevent known public personalities from being impersonated. Case in point: within a couple weeks of Russia’s renewed illegal and unprovoked war in Ukraine, more than 200 accounts across multiple social media platforms had been created impersonating Ukrainian President Zelensky. Many fraudsters were using his likeness to steal from people wishing to contribute to Ukraine’s war efforts. 

More concerning than social media impersonations is how artificial intelligence technologies are being used to create fake audio and video. While many people, like my friend Chase Cunningham, use the technology to insert their faces into famous movies, other more nefarious actors are using deepfake technology to attempt to affect current events. Early in the war in Ukraine, someone created a video of Ukrainian President Zelensky instructing his army to surrender. It was a crude fake, not very deep at all, and doesn’t appear to have convinced any Ukrainians to lay down their arms. But the possibility of deepfake technology to affect current events is not very far off.

While deepfakes have the potential to be used for fraud or disinformation, doxxing of individuals – like executives – who have donated to a politician, a political action committee, or other political movement are increasingly at risk of their exercise of free speech being used to bully or intimidate them. More often, intimidation and threats to an individual based on their political speech is occurring online and offline. In early 2022, hacktivists breached an online charity platform and released the names and information of people who donated to the Freedom Convoy which had been protesting Canada’s vaccine mandates and other pandemic policies. The harassment quickly crossed the threshold from online to offline – forcing at least one small business owner to temporarily shut down their business over the harassment and threats of physical harm to their restaurant and staff.

Executive Protection Teams Need Threat Intelligence

As threats to executives and celebrities have evolved significantly in the past decade, the teams that protect their VIPs must evolve as well. Protection teams cannot rely on their own eyes and ears alone to observe threats surveilling their target. Malicious actors do not need to get very close to a potential target when there is so much data online that can be collected without leaving the house. It’s remarkably easy to build a pattern of life of a target based on all the information people willingly post online. While people often intentionally overshare, sometimes the sharing of information is unintended as was the case with fitness apps that can unintentionally leak sensitive location information. And, if you travel in a private jet attributable to you or your company, the government is also making your whereabouts public. The last example is the subject of Elon Musk’s beef with a young man who made a Twitter bot that posts the flight information of several executive jets.

With all that information freely available to threat actors, VIP protection teams need to use threat Intelligence to understand their client’s exposure and make better decisions for their safety and reputation. While open source intelligence techniques can enlighten many exposures or threats a protectee might have, there is a lot of chatter occurring in areas of the Internet most search engines cannot get to. Therefore, to comprehensively understand a person’s exposure and the threat landscape, protection teams must have placement and access to the Underground Economy and extremist forums to collect human intelligence. 

To gain placement and access to criminals and extremists is a long and risky process. As I mentioned in part 1 of this series, “It’s difficult and expensive to collect intelligence across the entire Underground Economy. Threat actors don’t let just anyone into their covert communications platforms – and they constantly adapt when forums and rooms get discovered or shut down.” 

Furthermore, without training on creating backstopped personas, language skills, and understanding of how to conceal one’s online activity, a person will likely, at best, waste valuable time or, at worst, increase the risk to their VIP by giving away indicators of the protected executive or celebrity. While I normally stress the value of an organization’s internal telemetry for producing threat intelligence, VIP protection teams shouldn’t rely solely on their own data or create their own personas to collect in the Underground Economy.

Threat Intelligence Improves Corporate Security

CISOs are increasingly getting larger mandates within the enterprise. Heidrick & Struggles 2021 Global CISO survey shows physical security (28%), enterprise crisis management (28%), and safety (18%) are reporting to them now. I see these numbers trending upward in the next few years as CISOs become more like Chief Security Officers focused holistically on protecting their employer’s and employees’ digital and physical assets.

With the expanding mandate, one of the best strategies for security chiefs to maintain situational awareness is via a threat intelligence-focused converged cyber and physical security program. Beyond situational awareness of threats – online and offline – intelligence-driven security programs operate more proactively and consistently make better, quicker decisions regarding threats to people and businesses. 

Building a Comprehensive Threat Intelligence Program

As we’ve described in the various scenarios in this blog series, threat intelligence is a critical foundation to any well-built security program. When complete, accurate, relevant, and timely intelligence is disseminated to security teams, staying one or two steps ahead of attackers becomes easier. Security leaders make better, faster decisions when threat intelligence is available to them.

Ready to get started? Download our Buyer’s Guide for Threat Intelligence to ensure cyber risks both inside and outside the perimeter are addressed.

See ZeroFox in action