Thursday, April 21, 2016

FTC Issues Alert on Earthquake Relief Email Scams

The Federal Trade Commission (FTC) has issued an alert warning users to be on the lookout for earthquake relief email scams.
In a post published on Wednesday, Colleen Tressler, a consumer education specialist at the FTC, highlights the growing need for aid following recent earthquakes in Japan and Ecuador.
Late last week, a series of strong earthquakes in Japan culminated in a 7.0-magnitude quake, killing nearly 50 people. Aftershocks as strong as 6.1 are still being felt by the survivors, who struggled with a shortage of food and water on Wednesday.
Last Saturday, a 7.8 magnitude earthquake struck Ecuador. At least 570 people were killed, with 155 people missing, 7,015 injured, and 25,000 currently placed in relief shelters. This is the worst natural disaster the country has seen in decades.
Many charities are now attempting to provide aid to the survivors. But as Tressler warns, those looking to donate should spend some time researching whether they are actually giving to a trusted organization.
“Unfortunately, legitimate charities face competition from fraudsters who either solicit for bogus charities or aren’t entirely honest about how a so-called charity will use your contribution.”
To help people avoid donating to fraudulent charities, the FTC has published the following list of tips:
  • Donate only to reputable charities. People should avoid organizations that have sprung up overnight and that might not provide donors with the option to designate their gift of aid for a specific disaster.
  • Never click on suspicious links or email attachments. If you know the sender personally, contact them by phone or in person to determine whether they actually sent you the link or attachment. Attackers might have hacked their account.
  • Be wary of relief solicitations sent to you via social media or text message. It is safer to donate directly from a legitimate charity’s website.

TREASUREHUNT: A Custom POS Malware Tool

Threat Intelligence has observed the significant growth of point-of-sale (POS) malware families in underground cyber crime forums. POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and control (CnC) server.
Although the PCI DSS rules changed in October 2015, leaving retailers who have not transitioned from existing “swipe” cards to EMV or “chip” enabled cards liable for card present fraud in more ways than before, many retailers are still in the process of transitioning to chip-enabled card technology. Criminals appear to be racing to infect POS systems in the United States before US retailers complete this transition. In 2015, more than a dozen new POS malware families were discovered. POS malware may be freely available, available for purchase, or custom-built for specific cyber criminals. Free tools are often a result of malware source code being leaked, and tend to be older and more easily detected by security software. POS malware available for purchase may be newly developed tools or modified versions of older tools. Then there is another class of POS malware that is developed for use exclusively by a particular threat group.

TREASUREHUNT is POS malware that appears to have been custom-built for the operations of a particular “dump shop,” which sells stolen credit card data. TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control server. TREASUREHUNT would be implanted on a POS system through the use of previously stolen credentials or through brute forcing common passwords that allow access to poorly secured POS systems. When executed, TREASUREHUNT installs itself to the %APPDATA% directory and sets up a registry ‘run’ key for persistence. The malware then initiates a beacon to a CnC server; the connection to the CnC server is via HTTP POST. The malware scans all running processes and ignores processes that contain System32, SysWOW64, or \Windows\explorer.exe in their module names. It searches the remaining processes for payment card data and, if any is found, sends the data back to the CnC server in encoded form. The operators control the compromised systems and harvest stolen payment card information through a web interface located on the CnC server.
                 
All of the TREASUREHUNT samples identified so far contain the same compilation timestamp of 2014-10-19 07:14:39. This is likely an artifact of the builder rather than the time the samples were actually compiled. Using this data, TREASUREHUNT appears to have been first deployed in late 2014 and was seen throughout 2015 and into 2016.
The relatively sparse sample set may indicate that TREASUREHUNT is being deployed in a targeted manner rather than being propagated indiscriminately.
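As an added triage check for the builder-artifact point above (this is not code from the original write-up), the following Python reads the COFF TimeDateStamp straight from a PE header and groups a batch of samples by that value; the sample headers are constructed stubs, not TREASUREHUNT binaries, and the 1413702879 constant is simply 2014-10-19 07:14:39 UTC.

```python
import struct
from collections import defaultdict
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image (seconds since the Unix epoch)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def format_timestamp(stamp: int) -> str:
    """Render a TimeDateStamp as UTC, the way most PE tools print it."""
    return datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def group_by_timestamp(samples: dict) -> dict:
    """Map each distinct TimeDateStamp to the sample names that carry it."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[pe_timestamp(data)].append(name)
    return {stamp: sorted(names) for stamp, names in groups.items()}


def builder_artifact_candidates(samples: dict, min_size: int = 2) -> dict:
    """Timestamps shared by min_size or more samples.

    Independent builds rarely collide to the second, so a value shared across
    a whole sample set points at a constant written by a builder rather than
    at genuine compile times.
    """
    return {format_timestamp(stamp): names
            for stamp, names in group_by_timestamp(samples).items()
            if len(names) >= min_size}


def make_stub(stamp: int) -> bytes:
    """Constructed minimal MZ/PE header (not a real sample) carrying `stamp`."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, stamp, no symbols, optional header size, characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return dos_header + b"PE\x00\x00" + coff_header


# Constructed sample set: two stubs share the value quoted in the write-up
# (2014-10-19 07:14:39 UTC = 1413702879); one carries an unrelated stamp.
SAMPLES = {
    "sample_a.exe": make_stub(1413702879),
    "sample_b.exe": make_stub(1413702879),
    "unrelated.exe": make_stub(1420070400),
}

if __name__ == "__main__":
    for when, names in builder_artifact_candidates(SAMPLES).items():
        print(f"{when}: shared by {', '.join(names)}")
```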

In the world of POS threats, there has been a rise in both underground offerings as well as new malware found in active use. The demand is likely due to the ongoing transition to EMV chip and PIN technology in the United States, which will eventually render these techniques largely useless. While some cybercriminals are looking ahead in an effort to develop ways to exploit chip and PIN (as well as near-field communication technologies), many cyber criminals are looking to take advantage of memory scraping POS malware while it still works.
With an increasing number of major firms transitioning to the more secure chip-enabled cards, we expect to see cyber criminals increasingly turn their attention to smaller retailers and banks that may not be as prepared for the transition.

Top Five Hacker Tools Every CISO Should Understand

As the role of the CISO continues to evolve within organizations towards that of an executive level position, we see a growing emphasis on traditional business administration skills over the more technical skills that previously defined the top security leadership job. Nonetheless, CISOs need to keep abreast of the latest tools and technologies that can benefit their organization’s security posture, as well as those tools that are widely available which could be misused by malicious actors to identify and exploit network security weaknesses.
“The following is a list of tools every CISO should be on top of, and it was very hard to narrow it down to these few items with so many valuable tools out there,” Ouchn said. “My choices were driven by a combination of the tool’s value and their ease of use.”

ARMITAGE

“Metasploit has become over the years the best framework to conduct penetration testing on network systems and IT infrastructure. Nevertheless, I will focus on Armitage an open source effort to bring user-friendly interface to Metasploit,” Ouchn said.
“Armitage demonstrations are very convincing and allow you to analyze weak and vulnerable machines in a network in just a few clicks. The compromised devices are depicted with a lightning round. This tool has brilliantly hidden the complexity of Metasploit (for a non-technical audience) in favor of usability and is a great way to demonstrate the security in depth of an IT architecture. In fact, the framework has several capabilities to exploit vulnerabilities in almost any type of layer to therefore infiltrate (by pivoting) systems to reach the network’s nerve center. Armitage should definitely be part of the CISO’s Arsenal and his internal Red Tiger team.”

HASHCAT

There is constantly a battle between security folks and users when it comes to passwords. Although it is simple to deploy a Password Policy in a company, it’s also very difficult to justify it. Because in a perfect world from the users’ perspective, the best password would be the name of the family cat with no expiration date, and this fact applies to any system that requires authentication. HashCat has shown that the selection of a strong password must be done carefully, and this tool allows us to demonstrate the ease with which a password can be recovered. A CISO should certainly incorporate this password cracking tool in his arsenal because it allows one to check the complexity of the company password policy. Of course, the complexity of a password is not the only criterion for a well-constructed policy, as there are a plethora of criteria: duration, length, entropy, etc. So HashCat is a must have for any CISO.

WIFITE

You know what you have connected to when using your hardwired network, but have you ever wondered if the air is playing tricks on you? To test your WiFi security, Wifite has the simplest way. The grip is instantaneous. It is written in Python and runs on all platforms. CISOs need only supply the WiFi interface they use and it does the job, verifying that the corporate wireless networks are configured according to the applicable Security Policy, and better yet, it can be used to identify any open and accessible network that can potentially be harmful in terms of Phishing. Wifite allows the discovery of all devices that have an active wireless capability enabled by default (like some printers for example). Wifite is a very simple and convincing way for a CISO to validate the security of wireless networks.

WIRESHARK

“Known for many years as Ethereal, Wireshark is probably the best tool when it comes to sniffing for and collecting data over a network. On the one hand, Wireshark has boosted its capabilities with the support of several types of networks (Ethernet, 802.11, etc.) and also in the simplicity of its use through a very friendly user interface. Wireshark allows a CISO to demonstrate that outdated protocols such as Telnet / FTP should be banned from a corporate network, and that sensitive information should be encrypted to avoid being captured by a malicious user. Beyond the sniffing features, Wireshark is also a great way to validate the network filtering policy. When placed near filtering devices, it can detect the protocols and communication flow in use. Wireshark should be considered by any conscious CISO to validate the filtering policy and the need for encryption.”

SOCIAL ENGINEERING TOOLKIT (SET)

SET is a framework that helps in the creation of sophisticated technical attacks which operate using the credulity of the human. It can be used in the process of preparing a phishing attack mimicking a known website or trapping PDF files with the appropriate payload. The simplicity of use via an intuitive menu makes it an even more attractive tool. It is the dream of every CISO to drive security awareness campaigns without ruining the security budget. With SET, the team in charge of security audits can design attack scenarios and distribute them internally to the targeted users. This will confirm the users’ security perception within the company and validate the best Awareness Policy to deploy. The SET tool is very well maintained.

Sunday, March 27, 2016

Threat Intelligence Tweaks That’ll Take Your Security to the Next Level

Addictive, isn’t it?
Hunting threats. Remediating vulnerabilities. Tirelessly staying abreast of the latest threat intelligence. And as your knowledge grows, you realize how much more you could be doing to keep your organization safe. So now that you have the fundamentals covered, what’s next?
With these three Threat intelligence tweaks, you can take your cyber security from the basics to the world-class level.

Sharpen Your Claws With Internal Hunting

Think of your security mechanisms like an army in peacetime. Just because nothing much seems to be happening right now, doesn’t mean you should sit back and wait.
Internal hunting is the process of aggressively tracking and eliminating threats. This includes things like device and network mapping, distinguishing between good and bad behavior, searching for anomalies, and setting up/monitoring honeypots.
This type of proactive security work has a whole host of benefits, including:
  • Enhanced contextual threat intelligence.
  • Better visibility of potential weaknesses.
  • Early and accurate threat detection.
  • Opportunity to control and minimize damage from unexpected threats.
  • Improved defenses against identified threats.
  • The ability to avoid fines and bad publicity.
And on the face of it, these proactive activities seem like sensible security measures, which of course they are.
But there’s more to it than that.
During times of peace, armies don’t simply conduct exercises with the aim of maintaining skills in shooting, building clearance, and so on. They do it because it stops the troops from becoming soft and lazy.
When a war breaks out, you don’t just need soldiers with well-practiced skills, you need them to be mentally ready.
The same is true of your information security teams.
By engaging in internal hunting, your security teams will constantly hone and develop their skills. This is exactly what threat actors are doing, so why let your defenses fall behind?
They’ll also learn to work effectively as a team. People inevitably have strengths and weaknesses, which can be brought to the fore through enhanced teamwork and information sharing.
Last, and perhaps most difficult to quantify, is the tangible evidence of return on investment (ROI) to the organization. Executive teams are increasingly becoming aware of how damaging a successful breach can be, but very few security or threat intelligence activities can be reliably measured in terms of ROI.
On the other hand, the success of an internal hunting operation is eminently measurable, and bound to be well received.

Realize Nobody Sees Everything — And Act Accordingly

When you start to take threat intelligence seriously, there’s one fact that should always be kept firmly in mind.
Nobody sees everything. Not even the NSA.
And knowing this, you’ll be able to approach vendors with realistic expectations. Their solutions can provide strategic threat intelligence, but they probably aren’t going to provide information about specific events within your network.
And this is not to say that you should avoid open source intelligence (OSINT) platforms. They provide a great deal of value, and will enable you to make informed, contextual decisions about both proactive and reactive security activities.
But what it does mean is that, under the right circumstances, an internal effort to create a proprietary threat intelligence capability can be an excellent use of resources.
Do you have a need that isn’t serviced by the market? Then perhaps it’s time to solve your own problem.
Imagine, for instance, that you develop a crawler to analyze the (Web) page code of the organization’s top 5,000 daily Internet destinations. Each day this crawler will provide tangible data points, which over time become an extremely effective mechanism for identifying drive-by attacks, or other anomalous activity.
This is the sort of valuable threat intelligence that you’ll never receive from an off-the-shelf solution, but which could potentially help you prevent (or minimize the impact of) future breaches.
Not only that, if you develop the solution in-house, you’ll be honing skillsets that could become extremely handy in the future.
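As an added illustration of the crawler idea above (not code from the original post), this Python profiles the script tags on a saved page snapshot and reports what changed against the previous day’s baseline, which is the kind of daily data point that surfaces an injected loader or drive-by redirect. The two HTML snapshots and the hostnames in them are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptProfiler(HTMLParser):
    """Collect hosts of external <script src> tags and SHA-256 hashes of
    inline script bodies. HTMLParser hands script content to handle_data."""

    def __init__(self):
        super().__init__()
        self.external_hosts = set()
        self.inline_hashes = set()
        self._in_inline = False
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            host = urlparse(src).netloc.lower()
            if host:  # a relative src is same-origin and is not tracked here
                self.external_hosts.add(host)
        else:
            self._in_inline, self._chunks = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._chunks).strip()
            if body:
                self.inline_hashes.add(hashlib.sha256(body.encode()).hexdigest())
            self._in_inline = False


def profile(html: str) -> dict:
    """One day's data point for a destination: external hosts + inline hashes."""
    p = ScriptProfiler()
    p.feed(html)
    p.close()
    return {"external": frozenset(p.external_hosts),
            "inline": frozenset(p.inline_hashes)}


def compare(baseline: dict, today: dict) -> dict:
    """What appeared today that the stored baseline for this URL did not have."""
    return {
        "new_external_hosts": sorted(today["external"] - baseline["external"]),
        "new_inline_scripts": len(today["inline"] - baseline["inline"]),
    }


# Constructed snapshots of one destination taken a day apart (not real pages).
BASELINE_HTML = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>window.cfg = {v: 1};</script>
</head><body>hello</body></html>"""

TODAY_HTML = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>window.cfg = {v: 1};</script>
<script src="//static.example-evil.test/loader.js"></script>
<script>loadTracker("//static.example-evil.test/x");</script>
</head><body>hello</body></html>"""


def daily_report() -> dict:
    """Diff today's constructed snapshot against the constructed baseline."""
    return compare(profile(BASELINE_HTML), profile(TODAY_HTML))


if __name__ == "__main__":
    print(daily_report())
```

In practice the baseline per URL would be persisted between crawler runs, and a new external host or a burst of new inline scripts across many of the top destinations is the anomaly worth an analyst’s time.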

Use Real-World Scenarios

Running real-world, or proof of concept (POC) exercises is truly a sign of next-level security.
You may technically be prepared for certain threat actor tactics, techniques, and procedures (TTPs), but until you’ve done it in practice you never really know.
That’s where your red team comes in.
The idea is to employ real-world TTPs in a controlled environment to see what effect they would have in your environment. And when you start doing this, you might be surprised by the results.
That malware you thought you were safe from? Turns out that when deployed in your environment it has a completely unexpected side effect that you might not be prepared to resolve.
By engaging in rigorous red team testing procedures, you can identify these little surprises ahead of time, and greatly improve your organization’s defensive capability.
Now, of course, building these real-world scenarios and measuring the effectiveness of your defensive controls requires time and resources. If you want real results, this is not something that can be dumped on already-busy security professionals.
But if you really want to develop a world-class security facility, rigorously and routinely testing your defensive capabilities is an absolute must.

Proactive Beats Reactive Every Time

You’ve noticed, no doubt, that each of the approaches suggested above is highly proactive.
And there’s a good reason for that.
Threat actor TTPs continue to evolve, and simply building a wall around your assets is no longer enough to keep them out. If you want to defend against determined, skilled attackers, you’re going to need to start thinking the way they do.
If you can manage to do that reliably, you’re a long way towards fielding a truly world-class cyber security facility.

Thursday, March 17, 2016

Using Global Threat Intelligence to Improve Security Analysis Inside the Perimeter

One of the critical drivers that led us to create the Threat Indicator Confidence model was our realization that at the core of all security technologies is a goal to stop threats from manifesting. As a result, we believe that focusing on innovation and technologies designed around threats will naturally address all aspects of a threat’s life cycle.
How did we become threat centric? By characterizing threats we investigated how they are created, behave, and morph, as well as how they are distributed and manifested in target environments. Focusing on these aspects allowed us to deliver technologies that could provide threat detection and mitigation not solely based on Indicators of Compromise (IOC), but also on the full set of available intelligence.
Understanding what Internet threats are targeting your organization is a key part of the overall threat picture. Ideally, threats are stopped before becoming activated inside your perimeter but that is not always possible. A critical aspect of being threat centric is the ability to detect and mitigate threats that may have already breached the interior of your network.
Correlating network telemetry from inside the perimeter using network switches and routers that can collect telemetry data provides the security operations team a vital insight into threats. It’s important to note that today’s perimeter is a constantly changing boundary based on application and network virtualization occurring with cloud services and other externally available services.
Below are some steps to consider when correlating threat intelligence with network telemetry.

Step 1: Assess Organizational Threat Posture

Are any of my internal assets communicating with sites on the Internet that have been identified as having an elevated threat confidence score (i.e. higher risk)?
Your network telemetry data should be able to provide information such as what sites internal hosts are communicating with, protocols, ports, URLs, byte counts for each flow, and time of communication. By correlating the telemetry data with global threat intelligence that identifies IP addresses and domain names of malicious sites, an overall picture of the threats occurring in an organization’s environment is formed. Without the context that global threat intelligence provides, you are left with many questions about those communications. If any internal asset is found to be communicating with elevated threat confidence sites, move on to these next steps.

Step 2: Identify Potential Compromised Assets

What threat intelligence is available on the external site regarding its malicious behavior? Is it a command & control (C2) server? Is it a web server hosting malware? What protocols did the internal asset access that site using?
As shown below, the internal host (in blue) was communicating with a site (in red) that was acting as a C2 server for a known botnet. The threat intelligence provides information on that site as well as an elevated threat indicator confidence score.
[Figure: threat intelligence view of the internal host (blue) communicating with the C2 site (red)]

Step 3: Understand the Full Context of Communication Between the Compromised Asset and the Internet

Were other external sites communicated with after the initial communication with the compromised site? Are there any indications of what those other sites do?
[Figure: threat intelligence view of the compromised asset’s subsequent external communications]

By investigating the sequence of flows it may be possible to understand the nature of the threat.

Step 4: Identify Any Data Exfiltration or Impact on the Compromised Asset

How much traffic has been sent and received between that asset and the identified site?
Was there a large amount of data communicated? Were there small amounts of long-running sessions? Who initiated the connections (user datagram protocol [UDP], transmission control protocol [TCP], etc.) and were there any obvious holes in external firewalls?
When did this traffic start, and end?
Is this threat active or has it only been active in the past? A critical aspect of threat detection is having the capability to do both real-time and historical analysis of threat intelligence.
Threat intelligence about the global Internet is most likely different from what you discovered in the past 30 or 60 days. Is there intelligence that shows previous communication from an internal asset to the potentially malicious site?

Step 5: Identify the Spread of Any Threat Within the Perimeter

For an identified internal host, with whom are they communicating internally? Did that communication occur before or after the identified risky communications?
After identifying that an internal asset has been compromised, security operations teams must understand the extent of the threat to plan a response. This includes understanding whether an infected asset could have spread its infection to other internal assets.
Having a global perspective of all communications from internal assets to the Internet and correlating that with threat intelligence, a threat analyst can determine if there were any other internal assets communicating with those sites.

Step 6: Repeat Steps 2-5 for Each Compromised Asset

Here’s an example of the power of global threat intelligence correlation.
[Figure: threat intelligence correlation example]
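The six steps above, worked through as an added example over constructed flow telemetry and a constructed indicator feed with confidence scores (this is example code, not the vendor’s product or the page’s own tooling). The IP addresses, flows, the 10.0.0.0/8 internal range and the confidence threshold of 70 are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # start time, seconds since epoch
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    bytes_out: int   # src -> dst
    bytes_in: int    # dst -> src
    duration: int    # seconds


# Constructed indicator feed: external IP -> (category, threat confidence 0-100).
INTEL = {
    "203.0.113.10": ("c2", 92),
    "198.51.100.7": ("malware-hosting", 81),
    "192.0.2.44": ("scanner", 35),
}


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")  # assumed internal range for the example


# Step 1: which internal assets talk to sites whose confidence meets the threshold?
def assess_posture(flows, intel, threshold=70):
    hits = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            if intel.get(f.dst, (None, 0))[1] >= threshold:
                hits[f.src].add(f.dst)
    return {host: sorted(sites) for host, sites in hits.items()}


# Steps 2-3: first contact with the flagged site, then every other external
# destination the host reached afterwards (what are those sites doing?).
def followup_external(flows, host, site):
    first = min(f.ts for f in flows if f.src == host and f.dst == site)
    later = {f.dst for f in flows
             if f.src == host and f.ts > first
             and not is_internal(f.dst) and f.dst != site}
    return first, sorted(later)


# Step 4: volume, session shape and timing between the host and the site.
def transfer_summary(flows, host, site, long_session=600):
    rel = [f for f in flows if f.src == host and f.dst == site]
    return {
        "flows": len(rel),
        "bytes_out": sum(f.bytes_out for f in rel),
        "bytes_in": sum(f.bytes_in for f in rel),
        "first": min(f.ts for f in rel),
        "last": max(f.ts for f in rel),
        "long_sessions": sum(1 for f in rel if f.duration >= long_session),
        "services": sorted({f"{f.proto}/{f.dport}" for f in rel}),
    }


# Step 5: internal peers the host contacted at or after the first risky contact.
def internal_spread(flows, host, since):
    return sorted({f.dst for f in flows
                   if f.src == host and is_internal(f.dst) and f.ts >= since})


# Step 6: repeat steps 2-5 for every asset and site flagged in step 1.
def investigate(flows, intel, threshold=70):
    report = {}
    for host, sites in assess_posture(flows, intel, threshold).items():
        for site in sites:
            first, later = followup_external(flows, host, site)
            report[(host, site)] = {
                "category": intel[site][0],
                "later_external": later,
                "transfer": transfer_summary(flows, host, site),
                "internal_peers": internal_spread(flows, host, first),
            }
    return report


# Constructed telemetry for one window (not real traffic). 10.0.1.5 beacons to
# the C2, later pushes a large long-lived upload, pulls a file from the hosting
# site, then touches an internal peer over SMB. 10.0.2.8 only hits a low-score site.
FLOWS = [
    Flow(500, "10.0.1.5", "10.0.1.20", "tcp", 445, 3000, 2000, 5),
    Flow(1000, "10.0.1.5", "203.0.113.10", "tcp", 443, 2000, 500, 30),
    Flow(1200, "10.0.2.8", "192.0.2.44", "tcp", 22, 800, 400, 3),
    Flow(1300, "10.0.2.8", "93.184.216.34", "tcp", 443, 4000, 90000, 12),
    Flow(1600, "10.0.1.5", "203.0.113.10", "tcp", 443, 5000000, 1000, 900),
    Flow(1700, "10.0.1.5", "198.51.100.7", "tcp", 80, 400, 300000, 20),
    Flow(1800, "10.0.1.5", "10.0.1.9", "tcp", 445, 250000, 1500, 40),
]

if __name__ == "__main__":
    for (host, site), finding in investigate(FLOWS, INTEL).items():
        print(host, "->", site, finding)
```

Only the flows that touch a high-confidence indicator are examined in depth; everything else in the window never reaches an analyst, which is the reduction the next section quantifies.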

Impact of Threat Intelligence Correlation

For an organization with 1,000 networked assets, global threat intelligence can reduce threat analysis across the network telemetry from 115,000,000 flows down to 180,000 flows for an 8-hour period, a 99.999% reduction in traffic inspection based on threat correlation with threat intelligence and enhanced by Threat Indicator Confidence.
Without knowledge of global threat intelligence and internal perimeter telemetry, the threat team is left to assess all flows that communicate with the global Internet. This can be a significant task, and without some automation to identify relevant threats, will likely result in analysts being unable to identify threats.





Sunday, March 13, 2016

Six Ways to Enhance Physical Security with Open Source Threat Intelligence

As hacking incidents such as the U.S. government’s Office of Personnel Management data breach continue to dominate the news, many companies are taking note and ramping up their cybersecurity protocols. However, what is often overlooked is the online or cyber component of an organization’s physical security strategy, including executive protection. The role of threat intelligence here can be just as critical as it is in the more headline-grabbing areas of cyber risk.
Scoping Your Intelligence Needs
Priorities and responsibilities will vary based on your organization, but a typical physical security portfolio will often include:
· Disaster preparedness
· Emergency response and evacuation
· Employee safety
· Environmental risks
· Executive protection
· Facility security
· Investigations
· Infrastructure/Asset protection
· Physical access control
· Situational awareness
The first step in evaluating the value and applicability of threat intelligence stems from defining your priorities and assessing your risk profile in different areas. For example, energy producers may have significant concerns around assets and employees in far-flung locations, whereas a hedge fund might be primarily focused on the physical safety of a few key individuals and their families. Understanding your priorities, and allocating resources correctly, is a key first step to understanding where and how to best apply open source threat intelligence.
Types of Open Source Data
There are many types of open source data, ranging from global news, search accessible sites, and social media, to the deep and dark web. Information can also be gathered via public record and aggregator sites, through government data feeds, and non-web sources such as Internet relay chatrooms (IRC).
Let’s take a moment to discuss some details here, as there is much confusion about what exactly defines the deep web and the dark web. By our definition, these are not the same thing at all, though they are sometimes treated interchangeably. The deep web, while hard to find unless you know the specific URL of your destination, is publicly accessible. It houses what some estimates say are up to 75 percent of public web content that is open but is not indexed by search engines. The dark web, also known as Darknet, is one step beyond that, and can only be reached with specific tools such as a special browser or client software. This includes Tor/.Onion sites, and I2P. The dark web is the hardest for white hats – computer security experts – to monitor.
Six Things You Can Do Right Now
Once you’ve determined your organization’s needs and which sources are best for intelligence gathering, it’s time to put that information to work. Here are some best practices for implementing threat intelligence to enhance your physical security program:
1. Assess online exposure – What are your employees’ online footprints? Where are the biggest areas for potential issues? For example, do you have key executives who are very active on social media?
2. Claim online real estate – Don’t be like Carly Fiorina. Register personal domain names of key executives, as well as brand names in relevant generic top-level domain and country-code top-level domain extensions before a threat actor or detractor does.
3. Expunge personal data – Hide or remove online personal data that may appear on sites like Spokeo or social media accounts that might be open to anyone to view.
4. Limit sharing – Check device and account settings to minimize data you may be unintentionally providing to the public, such as geolocation data for photos, or sharing detailed personal information such as travel plans on social media.
5. Educate executives and their families – Family members, especially teens, are the most common source of problems for executives. In one case, a well-known CEO’s security precautions were foiled by their teen daughter’s postings on Instagram, which revealed where the family was vacationing to a wide audience.
6. Visualize the data – Represent your intelligence in an understandable and easy-to-digest form. This could be via maps in your Security Operation Center, or through an online platform that incorporates multiple data feeds and sources.

With all of the different sources available for information gathering, both on and off the Internet, companies need tools that help them efficiently aggregate, assess, and comprehend all of the data. Cyveillance’s Cyber Threat Center provides an easy-to-use platform that combines all of the necessary tools for physical and cyber security threat intelligence.

Friday, March 11, 2016

4 Rules for Successful Threat Intelligence Teams

Threat intelligence is quickly becoming a core element of risk management for many enterprises.
To truly understand risk, though, the enterprise must grasp and have the capability to handle emerging information security threats to its environment. Other areas of risk — financial risk, operational risk, geopolitical risk, risk of natural disasters — have been part of organizations’ risk management plans since time immemorial; it’s only these last few years that information security has bubbled to the top, and now companies are starting to put weight behind security threat intelligence programs.
Putting a team in place to manage threat intelligence, however, isn’t as easy as other, more established areas of information security. First, it’s newer, and second, organizations might not yet have the right skills and tools in-house. With that in mind, we’ve identified four simple rules that will help organizations build and maintain a successful threat intelligence team.
(The rules are simple, but we do realize that implementation is not!)

Tailor Your Talent

It goes without saying that any team — threat intelligence or otherwise — is run by people, so hiring the right people with the right skills is critical. In some cases organizations can groom threat intelligence staff from within, from security operation center (SOC) teams to incident responders. Central skills like log management, networking expertise, and technical research (scouring through blogs, pastes, code, and forums) often come after years of professional information security experience.
Certain parts of threat analysis, however, necessitate distinct and practiced skill sets. Intelligence analysis, correlating and making predictions about threats based on (sometimes seemingly disparate) data, requires highly developed research and analytical skills and pattern recognition.
When building or adding to your threat intelligence team, especially concerning external hires, personalities matter.
Existing teams might feel threatened by new staff who appear to be “taking over” roles and responsibilities. Disgruntled employees are not productive employees. Thus, when forming or adding to the threat intelligence team, pay close attention to the “soft skills” of candidates.
Make sure that teammates can not only all “play nicely in the sandbox,” but that you, as a manager, are communicating frequently, clearly, and honestly about expectations. The interaction and workflow between teams should be pre-planned, and data sharing should facilitate easy integration for the teams responsible for making security verdicts.

Architect Your Infrastructure

Threat intelligence vendors provide strategic intelligence, but organizations should consider building in-house proprietary capabilities that deliver consistent, relevant, and actionable threat data.
Proprietary threat intelligence platforms (TIPs) have the advantage of being tailored to the organization’s specific needs, and often come with a smaller price tag than commercial, off-the-shelf solutions. These custom-engineered solutions should integrate with external vendor systems to automatically collect, store, process, and correlate external data with internal telemetry such as security logs, DNS logs, Web proxy logs, Netflow, and IDS/IPS.
Of course, building powerful proprietary capabilities requires an experienced data architect.
This individual is responsible for designing fast and nimble data structures with which external tools integrate seamlessly and bi-directionally. The data architect should understand not only the technical needs of the organization, but he or she should be involved in a continuous two-way feedback loop with the SOC, vulnerability management, incident response, project management, customer-facing fraud (where applicable), and red teams. This collaborative process facilitates control changes and allows the architect to deliver threat data in a format and on a timeline appropriate for each group.
Notably, threat analysts should never spend time manually processing operational data, and the architect fills that important role of providing the data upon which the analyst draws conclusions that ultimately decrease strategic business risk.

Enable Business Profitability

The goal of every threat intelligence program should be to find emerging threats before they impact the business. Reducing the number of direct threats drives down risk, which in turn increases profitability. Threat intelligence teams must therefore know what the business identifies as levers of profitability in order to prioritize the identification and dissection of threat events and sources.
At the center of profitability are the business’s strategic assets (customers, employees, infrastructure, applications, vendors). Protecting strategic assets is priority number one, and defensive controls need to be managed as threats emerge.
To ensure protection for key assets, threat analysts must be able to examine the larger threat picture and identify such things as general industry threats, trends, attacker TTPs (tactics, techniques, and procedures), and commodity malware. While an attack on one industry organization, for instance, might not result in a direct threat to your own organization, knowing that several enterprises have been victims of a similar type of attack could indicate the need for hardened internal controls.
The ability to see the larger trends and drill down to direct threats against strategic assets means the threat intelligence team must understand what data it has available internally and what data it needs to source. Information gathering for an unknown purpose other than vague future applicability is a waste of resources, so set your sights on the information directly tied to the business and its levers of profitability.

Communicate Continuously

Enabling business profitability requires an understanding of the business’s goals and roadmap.
To effectively set the roadmap, the executive layer also needs insight into current and future threats. If, for example, the business wants to acquire a partner but the partner is currently being targeted by hacktivist groups for what they deem unfair business practices, the executive team should have that intelligence before determining a market valuation and extending an offer. During a vendor evaluation, as another example, it is important to know if industry-specific malware, like BlackEnergy or Zeus, is emerging. Aligning one’s business with a risky proposition is not a decision to be taken lightly.
Executives need to hear from the threat intelligence team how and why some of those threats translate to risk, and then learn if and how the risk of those threats can be mitigated. Organizational threats will always exist, and it’s up to the business to decide its risk tolerance. Threat teams can aid the process by keeping executives informed but not spreading FUD (fear, uncertainty, and doubt). Delivering the message should be approached in a thoughtful, practical manner; do not overwhelm executives with technical details they neither care about nor understand. Their eyes are on the bottom line, and threat intelligence should be provided that supports moving in an upwards trajectory.

Conclusion


With these four pillars in mind, organizations can run an effective Threat Intelligence Team which contributes to the success of the business. People and tools are important parts of the process, but equally important are cross-functional collaboration and communication.