As threat actors continuously challenge the cyber defences of organizations, companies are increasingly forced to focus on improving cybersecurity practices. However, even the best cybersecurity teams with the largest budgets find it hard to stay ahead of the evolving threat landscape. And with more technology in use, a growing reliance on cloud storage and the Internet of Things (IoT), there is a growing potential for sensitive data to be exposed to threats. 

As such it’s unsurprising that data breaches, in spite of increased cybersecurity spending, are becoming more common and more expensive to deal with. Employees need intelligent security practices and cyber habits and companies need to be armed with the latest technology and tools for early data breach detection to gain the upper hand when combatting this ever-changing threat.

Data Breaches Need to be Caught Early

The average cost of a data breach in 2020 according to the IBM / Ponemon Institute report was $3.86 million. However, there are plenty of examples where the costs have vastly exceeded this average, escalating into the hundreds of millions or even billions. For example, the Equifax data breach in 2017 cost Equifax $1.7 billion in the end. Another high profile example, Facebook eventually settled on a fine of $5 billion after it’s ‘privacy misstep’ involving Cambridge Analytica. This bill doesn’t include the additional costs and expenses that Facebook has accrued in the development and expansion of their cybersecurity and privacy departments nor does it account for the reputational damage it suffered.

While costs of these extremes are rare, data breaches in general are not. The IBM report goes on to analyse particular subsets of the data noting that the worst impacted is healthcare with an average data breach cost exceeding $7 million. And that the average time taken for an organization to identify and contain a data breach, was an astonishing 280 days, over 9 months. This is in spite of significant evidence that the speed of containment has a significant impact on the overall data beach cost, which if left unchecked can linger for years after the incident. 

How to Prevent Data Breaches

As with many of these things prevention is often the best policy. 

Data Breach Prevention #1: Have Clear Security Protocols 

Every employee should know, understand and be able to abide by strict security protocols to keep company data secure and thwart social engineering tactics. Having protocols is one of the best ways to help prevent data theft by ensuring unauthorized personnel do not have access to data. 

Data Breach Prevention #2: Safeguard Against Human Error

Many data breaches are the result of an employee error. This could be anything from downloading a document off of an illegitimate website, social engineering tactics or even outright blackmail. Employees should only have access to the information that is vital to their particular roles within the company. Those with higher level access should accordingly have higher levels of cyber security training and understanding.

Data Breach Prevention #3: Improved Password Protection

Having strong unique passwords is the first line of defence against any cyberattack. However, nobody, whether they are a high level executive not, is going to be able to remember a dozen or more 12 character passwords that use special characters, letters and numbers. Make sure that 2FA is enabled on all logins, and use a password manager (with 2FA enabled) to auto generate and save complex passwords and ensure the highest levels of password security are enabled.

Data Breach Prevention #4: Update Security Software Regularly

Companies should utilize a high quality antivirus software, anti-spyware program and firewall. Additionally, these programs should be regularly updated to keep them free from vulnerabilities. 

Data Breach Prevention #5:OSINT for Dark Web Forums

By monitoring dark web forums and other chat rooms you can learn of planned attacks, potential exploits and even find exploit kits being sold online. This will give you a good indication of the access methods which have been discovered allowing you to implement a patch quickly to prevent it.

The Tools for Early Detection of Data Breaches: LERTR

Having the right tools is vital if an organization wants to prevent or mitigate the threat of data breaches. Using an OSINT platform like Signal allows security teams to efficiently monitor the surface, deep, and dark web for details or indications of potential and past data beaches. For example, you might find exploit kits targeting a vulnerability specific to your company. This would allow you to prepare a patch for this vulnerability before it was exploited. 

Additionally, hackers might discuss strategies or plans around an upcoming data breach attempt on a dark web forum. Forewarned, you have a better chance of catching and preventing the attempt. However, prevention isn’t always possible. For those scenarios where you do face a data breach you want to discover it as quickly as possible to mitigate the potential damage and limit the costs.

To this end we have integrated with Webhose to advance our early data breach detection capabilities. Additionally, we have launched LERTR, a cyber specific OSINT platform. aa

Final Words

Data breaches are increasingly common and expensive. Effective preventative measures need to be put in place and maintained to limit threats. However, even the best defences can fall to a determined threat actor. As such organizations needs to ensure they have all the tools to not only prevent, but also to detect early and contain data breaches quickly should one occur.

Signal is a powerful OSINT tool which allows users to create searches using boolean logic enhanced with NLP, with which security teams can efficiently monitor online activity to detect threats as or even before they emerge.

What is Threat Intelligence?

Those very same technologies that have allowed globalization, which have brought us all closer together and enabled organizations and brands to achieve the current growth and success they enjoy today, have simultaneously brought with them increased risks. These risks come in the form of increased vulnerabilities and exploitable attack vectors for cyber attackers. Threat intelligence is all about gathering data and knowledge to combat and mitigate these threats. 

Threat intelligence provides organizations with information and context required to effectively predict and even prevent cyberattacks. Additionally, it helps inform security teams of the best practice for both preventative measures and response measures to ensure if there is a cyberattack the resulting costs are minimal. 

In short, threat intelligence is the gathering of evidence-based knowledge to inform action-oriented preventative and reactionary responses to an ever-evolving cyber threat landscape.

The Importance of Threat Intelligence

Threat actors are increasingly persistent, and their persistence pays off. Even the most dedicated professionals can’t help but struggle to keep abreast of every new cybersecurity development. New exploits are constantly being discovered or developed and strategies such as social engineering are increasing in complexity. Security teams need up to date data and intelligence on evolving threats if they are going to be able to develop effective responses.

Additionally, within the corporate world one of the key buzzwords of the last two decades has been “accessibility”. Accessibility to data means organizations have necessarily become reliant on digital processes and almost everything is stored on the cloud. Unfortunately, while accessibility is essential to developing efficient processes, and effectively using big data, it also increases the number of threat vectors that attackers can exploit. According to the IBM 2020 data breach report the longer a data breach goes undetected the more expensive it ends up being for the organization. Primarily then, threat intelligence gathered using tools like Signal OSINT can help organizations detect data breaches earlier, mitigating the eventual costs both reputational and monetary.

The final reason that threat intelligence plays such a pivotal role in today’s security is the distinct lack of skilled cybersecurity professionals. Threat intelligence is a time-consuming business that requires a skilled deft hand to manage. The best threat intelligence solutions use machine learning to automate data collection, then filter and structure data from disparate sources to present only hyper-relevant information to a skilled security team for final analysis. The security team can then use this data to create effective actionable plans based on evidential knowledge. This approach optimizes the performance of both the cybersecurity professional and the intelligence tools being used.

Threat intelligence is actionable — it’s timely, provides context, and is able to be understood by the people in charge of making decisions.

Use Case Examples for Threat Intelligence 

Threat intelligence can be used in a diverse range of strategies which makes it an essential tool for security teams in any organization. It’s most immediate value is in helping prevent an attack by gathering intel on threats in real-time, however, it’s also useful for a broad scope of activities such as managing vulnerabilities, informing decision making, and responding to attacks as or after they happen.

Related: The Role of Threat Intelligence and Cybersecurity in Retail

Prevent an attack

From the time that a vulnerability is found to the time an exploit targeting that vulnerability is available for threat actors is shortening. Security professionals need to know about the vulnerability fast so that they can implement a patch and prevent it from being exploited.

Respond to a Data Breach

Data breaches are costly and often go unnoticed. With the right threat intelligence tools you can determine when a data breach happens fast and take suitable actions to mitigate the costs of any following repercussions.

Manage a Vulnerability

The approach of “patch everything, all the time” is impractical and will likely see organizations fall behind - leaving more serious vulnerabilities open for longer. Threat intelligence can help security teams effectively manage vulnerabilities by giving the salient data to allow them to prioritize patches based on actual risk. 

Risk Analysis

This leads on nicely from the last point. Threat intelligence can help security teams determine the actual risks associated with potential vulnerabilities or attacks by providing additional contextual information. For example, threat intelligence can help security professionals  answer the following questions:

• Which threat actors are using this attack, and do they target our industry?

• How often has this specific attack been observed recently by enterprises like ours?

• Which vulnerabilities does this attack exploit, and are those vulnerabilities present in our enterprise?

• What kind of damage, technical and financial, has this attack caused in enterprises like ours?

Fraud Prevention

Fraud can encompass anything from a fraudulent use of your brand, data, or even impersonation of your employees. For example, an individual might impersonate a doctor and sell fake versions of your prescription medication online.

Incident Response

Having the ability to gather and filter through threat intelligence from across the surface, deep, and dark web in real-time allows security teams to effectively and appropriately respond to incidents as they are happening.

How can Signal threat intelligence improve your organization’s security?

Signal allows our customers to analyze emerging global trends, detect threats in real-time, and then form appropriate security strategies to counter these potential threats as or even before they fully reveal themselves.

One of the key issues that security teams and analysts face is the sheer amount of noise that might surround their brand. Invariably much of this noise is irrelevant to their purposes, however, some of it will be bad. This is why Signal assists with advanced filters with boolean logic as well as features such as our emotional analysis tool.

Whether they like it or not, many organizations have been forced to adopt work from home practices to continue operating. Working from home isn’t new. In fact, between 2005 and 2017 the numbers of people that were able to work from home grew 156%. However, it has generally been seen as a bonus rather than a given and more traditional workplaces have been resistant. 

Despite the fact that 49% of office workers have never experienced working from home before, this experiment has largely been a success. Empowered with communication tools like Slack, Microsoft Teams, Google Hangouts. and Zoom, teams have had deep connectivity even from their own living rooms and many organizations have actually seen increased productivity.

Even so, the challenges of working from home are enormous and are invariably compounded by technological difficulties and poor home security practices.

Security teams, in particular, are feeling the pressure. With numerous workers now operating outside the corporate network security controls, new attack vectors have been opened up which are being exploited by cybercriminals.

Cybercriminals Taking Advantage of the Pandemic

Several security providers have put together data sets which show clear spikes in malicious activity since the beginning of the pandemic. McAfee created its own coronavirus dashboard which shows malicious detections quickly growing from the hundreds into the thousands over the last six months. The most common threat type has been Trojans with Spain and the US being clear outliers in the number of threats detected.

As of August, there were nearly 2 million malicious detections against over 5,500 unique organizations. McAfee go into detail about the families and types of attacks that they’ve seen a spike of cases in since the pandemic began.

WFH challenges for security teams

We’ve established that cybercriminals are taking advantage of the security breaches created by a sudden adoption of working from home but what is it exactly that makes working from home lees secure and what exactly are the security flaws threat actors are targeting?

Working from home doesn’t necessarily mean working from home, it could also mean working from anywhere and many workers have already figured that out. This means workers can (in theory) escape their houses and head out to cafes, restaurants, libraries or other public spaces with free WiFi networks. Zoom, with its virtual background feature, has incidentally supported this. The key issue with this is when workers operate on unsecured open networks. 

Ultimately security professionals have to try and ensure device security and data protection in the work from anywhere model - a challenge made significantly harder with over 50% of employees using their own devices during this period. IT teams have tried to make the security transition easier, with some 70% increasing VPN use among employees, however, 1 in 4 workers according to the Morphisec report were unfamiliar with their company’s security protocols.

This challenge for security professionals has resulted in the majority of security professionals seeing a sizeable increase in workload since their companies began corporatewide remote work. And while most of the transition to WFH went smoothly, respondents reported an increase of security incidents, with the top issues including a rise in malicious emails, non-compliant behavior by employees and an increase in software vulnerabilities.

What can be done to improve WFH security?

Security teams have had years to develop best practices for combating the ever-evolving cyber threat landscape. The sudden move to work from home though has shifted power away from them and brought a greater reliance onto workers who simply do not have the expertise to maintain proper cybersecurity protocols. 

Worryingly, 20% of workers said their IT team had not provided any tips as they shifted to working from home. This has opened exploitable attack vectors and introduced new challenges for security professionals. This though isn’t to say that there is nothing that can be done.

Step 1: Control the WFH Environment

This is all about educating employees about best practice and the reasons for these practices when working from home. For example, informing them not to use open networks.

Step 2: Control the WFH Computer

It’s a good idea to supply the computer being used so that you can install the proper security softwares and control access to sites which might offer security risks as well as maintaining control over permissions.

Step 3: Improve your Phishing Responses 

The crossover between home life and work life extends beyond the location. People are more likely to spend time on social media networks and working on private projects than they would be if they were in the office. This opens them up to more phishing campaigns so it’s important they know how to avoid falling for them.

Step 4: Restrict Remote Access to Sensitive Documents and Data

Lockdown permissions and access to sensitive documents and data. If they really need access they can communicate this need with you directly and you can ensure it is done securely and safely. 

Step 5: Monitor Surface, Deep and Dark Web for Emerging Cyber-Threats

Use an OSINT tool like Signal to monitor for cyber threats, planned attacks and data breaches.

Step 6: Encourager VPN Usage

VPNs are a simple and easy way to improve security. It’s worth ensuring the company has a quality VPN service that doesn’t slow a users internet connection unnecessarily as this might persuade workers to turn it off.

Step 7: Don’t Allow Split-Tunnels

Split-tunnelling allows a user to access networks through both the encrypted VPN service and a potentially unsecure network simultaneously.

The Role of Threat Intelligence for Improving Work From Home Cybersecurity

One of the key benefits of using an OSINT solution like Signal is the ability to create customized searches with Boolean logic to uncover hyper-relevant threats in real-time with SMS and email alerts. 

Ways that this has been used in the past to improve cybersecurity include:

• Early detection of data breaches. The average cost of a data breach in 2020 is $3.86 million. The earlier you catch a data breach the faster you can take action to mitigate the associated financial and reputational damage.

• Discovery of new cyberattack strategies, exploit kits, phishing tactics which were talked about or for sale on the dark web.

• Organizations have uncovered attacks that are yet to be carried out. This is true for both physical attacks against an asset or person as well as cyberattacks. For example, details of a phishing strategy and the targets within the organization were discovered after being talked about in a darknet forum. 

• Monitor employee online activity. For example, this can allow security teams to identify employees who have been targeted and even blackmailed by cyber attackers for access to company data.

High profile executives and VIPs are more likely to receive threats of violence, be at the centre of negative online noise, and to be the target for both cyber and physical attacks. This, when paired with their busy schedules (which often involve travel), makes staying ahead of potential threats a particular challenge for their security teams. 

Attackers have a variety of reasons and goals for targeting executives and VIPs. It could be anything ranging from a reaction to company layoffs, to kidnapping for ransom. Whatever the reason though, security teams need to be able to spot the threats, understand the motives, and implement an effective response in a timely fashion.

In this article, we take a look at 6 key ways Signal OSINT is used today by customers to advance protection measures for high profile executives.

How Can Signal OSINT Improve your Executive Security?

Discover private information published online

There are several reasons that an individual might publish private information online. Often, it is in anger or as some form of revenge. The kind of information that has been found published online includes: names, email addresses and logins, physical address, details about an executives families, passport details, medical information, credit card and bank details, and SSN’s.

Having such information leaks opens up an executive to a wide range of potential threats. As a security professional, it is vital to know if and when there is a data breach so that the threat can be neutralized. The longer data is available online the more risk there is. For example, if card details are discovered online the bank can be contacted and the card cancelled.

Read: Detecting and Mitigating the Risks of Data Breaches 

Identify direct threats

Sometimes threat actors are more direct in the way they threaten executives. This could, for example, be a direct threat of violence through an email, instant messaging service or public forum like social media. While the majority of such threats come from so-called “keyboard warriors” there are some which will require further attention and action. 

For example, discussions might be uncovered on the dark web forum with details of a planned attack on an executive. With the prior knowledge of the attack action can be taken to reduce the associated risks.

One way to differentiate between someone that is simply venting their anger on a public forum and someone who genuinely might take action is to look for repetition of negative sentiment.

Emotional analysis

Emotional analysis gives data extra context which allows it to be better understood enabling a more effective and accurate response to the potential risks. 

It also allows you to differentiate between when a negative comment is simply that, a negative comment, or when it needs more serious attention, for example, it’s evolving into a physical threat.

Read: When Does Negative Sentiment Become a Threat? 

Misinformation is spreading about an executive

The spread of disinformation is problematic on a number of levels. For example, throughout COVID-19 misinformation has been spread regarding the virus, it’s root causes and best prevention practices. This has harmed efforts to curtail and control it. Another recent example is the role of misinformation in the 2016 US election. 

There are numerous reasons that individuals and organizations spread misinformation, it could be part of a phishing campaign or an international political assault, for example. Whatever the reason the results are almost always harmful. When an individual spreads misinformation around a CEO or other executive there are real ramifications for brand and reputation which need to be managed.

To combat misinformation organizations need to be equipped with the right tools and understand both what they’re looking for, and the reasons for spreading misinformation.

Disruptive events are planned which could prove a threat to executives.

Events such as protests planned at or near an office or manufacturing location could present logistical problems and delays as well as potentially devolve into riots which would represent a physical threat. Having intelligence on the events and any salient information regarding individuals or groups looking to create trouble will allow you to take appropriate precautionary measures and prevent a threat from escalating.

Travel risks

All travel comes with some inherent risk. However, it is more pronounced for executives who are at increased risk due to the regularity of their travel and high profile.

Additionally, events like extreme weather or terrorist action may make a destination unsafe. As such, having an OSINT solution such as Signal offering an early warning of any particular dangers will enable you to plan alternative routes and otherwise avoid high risk scenarios.

Read: 4 Aspects of Effective Executive Travel Risk Management 

Early warnings with real-time data

Using Signal you can create customized alerts filtered via specific keywords, phrases or even locations. We also have a built-in translation tool so that data can be searched across languages and automatically translated into your default language.

Additionally, you can run alerts through our emotional analysis tool to determine how much of a threat any particular alert is. Finally, get our optional Sapphire bolt-on and utilise our skilled data analysts to further refine your results. 

This approach allows your leave your intelligence gathering on autopilot and not only effectively reduce costs but vastly increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips. All of this allows you to gather actionable intel in realtime.

Find out more about Executive Protect with Signal…

Social engineering is an attempt by attackers to fool or manipulate others into surrendering access details, credentials, banking information, or other sensitive data. Once access is gained the general goal is to gain money. 

Recently, for example, Twitter was subject to a high profile social engineering attack. Attackers manipulated several Twitter employees to gain access to the platforms admin accounts. Once they got access they used the admin privileges to post a tweet saying “All Bitcoin sent to our address below will be sent back to you doubled!”  They posted on a number of celebrity and company profiles including Apple, Bill Gates, Elon Musk and Joe Biden.

Twitter shut the attack down quickly but not before the attackers got away with an estimated $120,000 USD worth of Bitcoin.

Social engineering is a creative strategy for attackers to exploit human emotion and ego, generally for a financial reward. It often forms part of other strategies as well such as ransomware. 

In this article, we take a look at some of the more common forms and tactics of social engineering as well as exploring just how an organization can protect itself from such an attack.

What are the stages of a social engineering attack?

In general, social engineering attacks are implemented in three stages.

1. Research. Attackers perform research to identify potential targets as well as to determine what strategies might work best against these particular targets. Attackers will likely collect data off company websites, LinkedIn and other social media profiles and potentially even in-person.

2. Planning. Once the attackers know who they will be targeting and have an idea of the targets potential weaknesses, they have to put together a strategy that is likely to work. The attacker needs to design the strategy and specific messages they will use to exploit the target’s individual weaknesses. Sometimes discussions surrounding plans can be found on darknet forums.

3. Implementation. The first stage of execution of their prepared strategy is often sending messages through email, social media messaging or some other messaging platform. Depending on their approach the entire process could be automated, targeting a broad number of individuals, or it might be more personal with the attacker interacting personally with their victim. Generally, they are aiming to gain access to private accounts, uncover banking or credit card details, or to install malware.

6 of the Most Common Social Engineering Attack Strategies

1. Phishing and Spear Phishing.

Phishing messages are designed to get a victim’s attention with an alarming or curious message. They work on emotional triggers and often masquerade as well known brands making it seem like the messages come from a legitimate source.

Most phishing messages have a sense of urgency about them causing the victim to believe that something negative will happen if they don’t surrender their details. For example, they might pose as a banking institute and pretend to be a fraud notice asking them to log into their account immediately, however, the email actually links to a fake login page.

Spear phishing is similar but with a more targeted individualistic approach.

2. Baiting.

A baiting attack generally pretends to offer something that the victim would find useful, for example, a software update. However, instead of a useful update or new software, it is, in fact, a malicious file or malware. 

3. Scareware. 

Playing on the targets fear this approach seeks to persuade the target that there is already a malware installed on their computer, or perhaps seek to persuade them that they already have access to their email address. This attack will then persuade the target to pay a fee to remove the malware. 

4. Pretexting.

In a pretexting atack the attacker creates a fake identity and they use it to manipulate their victims into providing private information. For example, the attacker might pretend t be part of a third-party IT service provider. They would then ask for the users account details and password in order to assist them with a problem. 

5. Quid Pro Quo. 

Similar to baiting, a quid pro quo attack promises to perform an action which will benefit the target. For example, an attacker might call an individual in company who has a technical support inquiry and then pretend to help them. However, instead of actually helping them they get the individual to compromise the security of their own device.

6. Tailgating.

Tailgating is a physical type of social engineering. It enables criminals to gain physical access to a building or secure area. An example of how this might work would be the criminal following behind someone authorized to access an area, they ask the person ahead to simply hold the door for them assuming an air of innocence.

How to Prevent Social Engineering

One of the key reasons social engineering is so difficult to protect against is because of the variety of ways it can be implemented. Attackers can be incredibly creative and this can make it very hard to spot a social engineering attack. Additionally, security professionals have to contend with skilful manipulation of the human ego.

Social engineering attacks exploit human behaviour. They target peoples fears or concerns often with messaging that centres around urgency attempting to encourage victims to take action immediately before they figure out they are part of a social engineering attack. Key to prevention then is remaining suspicious of emails, voicemails, or instant messages through platforms such as Facebook. 

Additionally, security teams need to stay ahead of the attackers. They need to be aware of each variation of a particular social engineering attack. Using OSINT tools, for example, they can learn about current messaging and strategies being implemented as well as potential exploits. Allowing them to take actions to mitigate evolving and emerging threats.

Increased awareness and vigilance though is only the first step. These attacks are common because they are effective, and they are effective because they take advantage of inherently human traits. Changing this human behaviour though doesn’t happen overnight. An internal education strategy needs to be put in place to regularly inform and teach employees about current social engineering strategies in an effort to reduce the potential for any employee to fall prey to one. In these ways, security professionals can mitigate the potential risks that surround social engineering attacks.

Ransomware is big money and is a rapidly growing cyberattack strategy. The market has expanded massively since the advent of secure and untraceable payment methods such as Bitcoin. Emsisoft estimates that ransomware costs for US organizations in 2019 was in excess of $7.5 billion. Compare this to four years prior when in 2015 ransomware damages totalled around $300 million.

Some markets are particularly prone to ransomware attacks such as medical organizations and public services. And there have been several high profile cases involving these industries over the last few years. Attackers know that with lives literally on the line organizations in these fields are likely to simply pay the ransom to make the problem go away. Most recently Garmin technology company has been held to ransom with attackers using the WastedLocker ransomware seeking a ransom of USD$10 million.

In this article, we explore in detail what ransomware is, how cybercriminals utilize and what strategies organizations can employ to ensure they are protected from ransomware attacks.  

What is Ransomware?

Ransomware is a form of malware. It can take various forms but generally it functions in one of two ways:

• Crypto ransomware. This malware encrypts the files on a computer so that the user cannot access them.

• Locker ransomware. This malware locks the victim out of their device or out of particular files, preventing them from using it. 

One thing all ransomware attacks have in common is that the target won’t be able to regain access to their files unless they pay the attackers a hefty ransom to unlock the files.

Ransomware has grown in popularity over the last few years in the wake of cryptocurrencies which makes it safe to receive their ransom payments. The cost of a ransomware attack can range from a few hundred to thousands of dollars depending on who the target is and how valuable the attackers believe the files they have locked out of reach are. 

Probably the most common delivery system for ransomware is phishing scams. For examples, a virus masquerading as an email attachment can, once downloaded and opened, easily take over a victims computer. Another strategy is through social engineering which is growing in popularity with cybercriminals because of the better strike rate. A recent example of a successful social engineering attack was perpetrated against Twitter employees. Attackers were able to get aways with an estimated 12.85BTC, nearly US$120,000.

The encryption strategy for malware is the more common of the attacks. The result of this attack is that the victim will not be able to decrypt their files without a mathematical key known only to the attacker. The user will be presented with a message when they attempt to open their files saying that their documents are now inaccessible and will only be decrypted if the victim sends an untraceable cryptocurrency payment to the attacker’s wallet.

To encourage prompt payment attackers might masquerade as law enforcement and demand the payment as a fine. If the victim does have illegal or illicit files or programs on their device, such as pornography or pirated software or movies, then they may be more likely to pay without asking questions and without reporting the attack.

12 Ransomware Examples from the Last Decade

Ransomware has been around for decades. However, it was only after the advent of cryptocurrencies that it began being a favoured strategy for cybercriminals. Cryptocurrencies allow for them to collect untraceable completely anonymous payments. Some of the worst offenders have been:

• CryptoLocker is an older malware threat, and while it isn’t in broad circulation anymore during it’s peak it infected some half a million machines. Cryptolocker is a Trojan horse that infects a device computer and then searches the computer as well as additional connected media including; external hardrives, cloud storage, and USB sticks, for files to encrypt. 

• TeslaCrypt is a variation or copycat of CryptoLocker. TeslaCrypt started by using social engineering to infiltrate devices and later used phishing emails as well. It heavily targeted gaming files and saw numerous upgrade improvements during its reign of terror.

• SimpleLocker was another CyrptoLocker styled malware. However, it’s key difference was that it focused it’s targeting on Android devices.

• WannaCry is a ransomware worm. What this means is that it spreads autonomously from computer to computer using EternalBlue, an exploit developed by the NSA and then stolen by hackers.

• NotPetya also used the EternalBlue exploit. It is thought to be part of a Russion-directed cyberattack against the Ukraine. However, it expanded autonomously to infect a broad range of organizations.

• Leakerlocker was first discovered in 2017 and targeted Android devices. Rather than encrypt files, it threatens to share your private data and browsing history unless you pay the ransom.

• WYSIWYE, stands for “What You See Is What You Encrypt”. Discovered in 2017, this ransomware scans the web for open Remote Desktop Protocol (RDP) servers. It then allows for a customized attack with an interface through which it can be configured according to the attacker’s preferences.

• SamSam has been around since 2015 and has affected devices in a number of waves of attacks. It utilizes vulnerabilities in remote desktop protocols (RDP), Java-based web servers, file transfer protocol (FTP) servers or brute force against weak passwords It would then spread to numerous devices. It primarily targeted public services and healthcare effectively bringing entire organizations to halt.

• Ryuk first appeared in 2018. It is specifically used to target enterprise environments. It is often used in combination with other malware like TrickBot for distribution.

• Maze was first discover in 2019. The MAZE ransomware has been used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model. The ransomware was initially distributed via spam emails and exploit kits before later shifting to being deployed post-compromise.

• GandCrab currently holds a large portion of the ransomware market and may well be the most lucrative ransomware ever. Its developers, which sold the program to cybercriminals, claim more than $2 billion in victim payouts as of July 2019.

• Thanos is a Ransomware-as-a-Service (RaaS) operation which allows affiliates to customize their own ransomware through a builder offered by the developer. It was first discovered by security professionals being talked about on a Russian darknet forum. It is the first to use the RIPlace technique, which can bypass many anti-ransomware methods.  

Dealing with Ransomware

Prevention is always the best policy when it comes to dealing with cyber attacks. Using tools such as Signal you can stay up to date with the most common strategies and one step ahead of cybercriminals. However, if you become the victim of a ransomware attack, it is advisable not to pay the ransom. If you do so there is now guarantee that the cybercriminal will return your data, they are thieves after all. Additionally, it fuels the profitability of the ransomware business making future attacks more likely. So what can you do?

Decryption

For many ransomwares, especially the older ones there are decryption tools which have been developed. The first step then is to contact your internet security vendor and determine if decryption is possible. If this initial strategy fails you can visit nomoreransom.org. The No More Ransom site is an industry-wide initiative designed to help all victims of ransomware.

Recovery

It’s good practice to back-up your data regularly on both external hard drives as well as on cloud storage. If you have done this it becomes possible to simply recover the data which is currently being held hostage. There are of course some scenarios where this won’t be possible, for example, if the malicious actor is threatening to share private information rather than having simply encrypted your device.

Preventing Ransomware Attacks

Good security practices will help prevent you from falling victim to ransomware. These defensive steps will additionally help protect you against other generic cyber attacks. 

Four basic steps that every organization should take to mitigate the threat of cyber attacks are:

• Keep all operating systems up to date and patched. Doing this will ensure that there are few potential vulnerabilities that malicious actors can exploit.

• Do not allow a software admin privileges unless you are confident in its safety and know exactly what it is and what it does.

• Ensure you have an active and up to date anti-virus software installed on all devices. This will allow you to detect and block malicious programs like ransomware as they arrive.

• And, as we said in the section above, back up all your files regularly. This last point won’t help protect against ransomware or other malware but can help mitigate the damages that your organization might suffer.

The Role of OSINT in Defending Against Ransomware

While open source intelligence tools can’t prevent ransomware, they can help organizations mitigate the potential damages. 

Securing the supply chain

Supply chains can stretch across continents with potentially hundreds of suppliers and manufacturers all around the world bearing responsibility. Should any single part or resource be in short supply, then assembly lines can be brought to a halt resulting in costly delays at the very least. 

There are numerous threats to the supply chain, one of which is malware and in particular regard to this article, ransomware. A key example of this is when the shipping giant Maersk had their IT systems taken out by a malware NotPetya. This resulted in their IT systems being down for days and many deliveries being delayed despite Herculean logistical efforts by the company. 

Using OSINT tools you can learn whether an organization on your supply chain has been affected by ransomware in real-time which will allow you to take the necessary actions to mitigate the damage this has as their production or logistics is slowed.

Industry Targeting

It’s not unusual for malware to exploit weaknesses which are specific to an industry. For example, the Healthcare industry is particularly susceptible to ransomware as a delay in returning their operations to normal could result in patients deaths. Indeed a leading medical-research institution working on a cure for Covid-19 were forced to pay hackers a $1.14m USD ransom because of a ransomware attack.

Using OSINT tools you can monitor your own specific industry to determine what strategies and exploits are currently being used by cybercriminals against like companies. Determining this will allow you to take extra and specific precautions to fend off similar attacks which could potentially be turned on you.

Detect New Ransomware and Strategies

Cybercriminals are continuously evolving and updating their strategies and the ransomware that go with them. We are unlikely to see the end of this development. 

By using OSINT to monitor darknet forums and market places security professionals are able to learn about the newest strategies being employed, the most recent weaknesses being exploited, and the most current software being utilized. Armed with this knowledge they are much more able to develop effective countermeasures as well as actively prevent ransomware infection.

There are good reasons why the fictional characters like Varys (Game of Thrones) are so influential in their respective worlds. The more information you have the more you can tailor and optimise strategies for your preferred outcome. However, whereas Varys has to contend with political scheming, assassination attempts and dragons, the modern (and real) world has a much broader plethora of potential attack vectors, many of which were unimaginable just 20 years ago.

Thankfully for security professionals, the broadening net of threats exists in a symbiotic relationship with intelligence sources and security tools. What this means is that while, yes, there are now more threats to contend with, there are also more solutions and tools. For example, artificial intelligence (AI) enables Centaur approaches that far exceed human or machine only results. 

In this article, we take a look at how Open Source Intelligence (OSINT) can be and is being used to arm security teams with the ability to gather and analyse vast quantities of data and then enact effective plans to mitigate damage and even prevent threats. 

What is OSINT?

OSINT, as the name suggests, is data gathered from all publicly (openly) available data sources. These data sources could be anything from government records or archives, online discussion forums, blogs, social media posts, or the comments on those posts. 

OSINT allows you to collect data from all of those sources at once, and because of the sheer amount of information that is shared and discussed continuously on every fathomable topic, it is an incredibly powerful tool. There are billions of historical records and millions more being posted every day. You can use OSINT to identify physical threat made against your organization or executives, discover data breaches, uncover terrorist plots and even get breaking news as it is happening.

In many situations, expert data analysts with OSINT tools can identify malicious actors and discover relationships, information which can be used to enhance a privacy and security plan.

How Organizations use OSINT

The need for organizations to employ OSINT as part of their corporate security processes is becoming increasingly more evident. Interestingly though the use of OSINT has been neither formalised nor widely adopted. It often takes a particular scenario to unfold before they even consider it. 

A common example is a data breach. According to the Ponemon Institute’s 2018 Cost of a Data Breach Study, the average amount of time for a company to detect a data breach was 197 days. More often than not, the organization was not the first to know either. Utilising OSINT allows you to learn of data breaches as soon as discussions begin online, for example, the hacker offers up your data for sale.

This is just one way in which OSINT is used by businesses. The use of intelligence is immensely versatile. You can detect physical threats to assets or staff, determine travel risks, discover brand hazards, secure your social media channels and cybersecurity and more.

Despite the versatility of applications for OSINT tools it still often takes a worst-case scenario for an organization to decide to finally employ OSINT solutions.  

Applications of OSINT as Cyber Intelligence

Most people freely share a large amount of data about themselves. In fact, in this day and age, it’s hard not to share your data. For example, almost everyone has a phone number, this phone number is likely connected with your name, address, date of birth, and email address. It might even be linked with your broadband connection and subsequently your IP address. 

As an example, in 2019 T-mobile had a significant data breach. Thankfully, it appears they spotted and responded quickly, but not before some 1 million records were exposed. They were able to mitigate the damage but not prevent it. Other companies have historically been less quick to respond such as TerraCom and YourTel America who had to pay out $3.5 million USD collectively in damages in 2015 after their data breaches. Organizations also need to remember how everyday activities expose other forms of data such as shopping habits through credit card usage and location through fitness apps. 

Intelligence isn’t just important for detecting breaches or hacks. It is also vital if organizations want to protect their staff from physical threats or from being exploited via phishing scams. For example, a company’s employees will likely all have social media accounts such as a LinkedIn account which details their roles and responsibilities. This information can be paired with information from other social profiles or information shared online and can, when used properly, become valuable intelligence on how an organization runs, who’s responsible for what, and even who a malicious actor should target.

Because of the various methods that security teams can use intelligence to protect a businesses interests having a dedicated team, armed with powerful OSINT tools like Signal, could save them from serious reputational and financial damages.

Examples of threats that Signal OSINT can detect and help protect against

• Counterfeit or stolen property listed online - for example, counterfeit drugs.

• Employee conduct, threats and harassment on social media.

• Frustrated, angry or threatening customer correspondence.

• Merger, acquisition & organizational partnership discussions - this could be important for ensuring smooth operation of the supply chain, for example.

• Sensitive information publicly disclosed – accidentally or intentionally.

• Inaccurate, harmful or out of date information.

• Presence of fake websites, fake invoices or scams targeting customers, staff or the organization - for example, a phishing website made to look like a banking institutes website and designed to encourage users to enter their password combination. 

• Credentials from data breach & compromised accounts belonging the organization.

• Unsavoury relationships, membership or pending court action related to the organization.

The Results of Employing Powerful OSINT Tools

Experienced hackers and cybercriminals will understand the public nature of the channels and as such are likely to attempt to avoid actions that expose their intentions. However, OSINT doesn’t stop at the surface web, tools like Signal can give analysts and security teams access to data from sources such as the dark and deep web and even private dark web forums as well as more obscure surface websites. 

The purpose of OSINT research is to provide teams with a thorough foundation of knowledge. Teams can subsequently use these insights to develop actionable plans to either prevent a threat from fully emerging, or minimise the damages of a current or recent attack.

One of the key issues that security teams and analysts face is the sheer amount of noise which might surround their brand. Invariably much of this noise is irrelevant to their purposes, however, some of it will be bad. This is why Signal assists with advanced filters applying boolean logic as well as features such as our emotional analysis tool.

A supply chain risk can vary broadly, from volatile global politics to natural disasters, from terrorism to DDoS attacks or data breaches. A disruption anywhere along the supply chain could have serious ramifications for business continuity potentially costing an organisation millions. Additionally, the size and scale of operations means that there are often numerous vulnerabilities. 

Open Source Intelligence (OSINT) is an invaluable tool for both security teams and supply chain managers. It allows them to gain oversight over often vast and complex supply chains, monitor risks and threats, and gather real-time data that is essential for coordinating an effective response. 

Many supply chain risks and threats are in association with fears around break downs within logistics operations or supplier disruptions. Additional concerns also relate to financial and legal exposures, uneven market demand for product, mounting competition, and natural disasters.

Protecting Business Continuity from Supply Chain Risks

Even as product complexity expands supply chains continue to stretch into developing countries where labour and natural resources are plenty, but the infrastructure is undeveloped or insufficient. Meanwhile, advanced planning and sourcing practices which aim to maximize efficiency and minimize costs, stretch operations to a point of fragility. 

Any disruption can result in organizations and consumers worldwide feeling the impact via loss of suppliers, delayed or destroyed goods, product release delays, and ultimately, customer dissatisfaction and brand damage.

To mitigate the damage of potential threats, both physical and cyber, specific resources need to be designated with the goal of maintaining business continuity in the face of disruptions. One of the most essential resources for security teams and supply chain managers alike is relevant insights and intelligence to assist in assessing potential supply pitfalls. 

Key Supply Chain Disruptions to Monitor with OSINT

Traffic

Even something as seemingly mundane as traffic can cause havoc with supply chain management as supply chains are heavily reliant on good transportation networks. Security professionals and supply chain managers need to know fast if key transportation networks are endangered.

For example, if a freight hub such as Hong Kong International Airport which sees nearly 3.7 million tons of freight through its gates each year were to encounter a serious disruption the ramifications would be far reaching. It’s not just physical disruptions though that teams need to monitor as cyber attacks can have equally far-reaching consequences.

Weather

It’s hard to predict where and when a tornado, hurricane, severe thunderstorm, or debilitating snowstorm will hit. However, in certain parts of the world such as Southeast Asia, these severe weather events occur more seasonally. 

For example, in 2015, the top 4 typhoon events in Southeast Asia caused an aggregate of over $33.5B in damages, more than 138 days of recovery time, and impacted nearly 7,000 supplier sites. In response to the increased risk of extreme weather events organizations must confront the complexity of their operations and improve visibility to go beyond just their immediate vendors. 

Only when an organisation has a complete picture that incorporates the variety of potential risks and has invested in specific responses and contingency plans can it adapt as needed to mitigate the impact of extreme weather events and maintain strength in the marketplace.

Mergers and acquisitions

A single organisation may work with hundreds of independent suppliers from all over the globe. It’s important to have clear oversight of their operational capabilities as well as retaining an awareness of how global events such as extreme weather or in this scenario a merger or acquisition might affect their output. 

What organisations cannot do is assume the best case scenario. Like other threats mentioned in this article, this supply chain risk is exacerbated by the scope of the operation. A single delayed part, for example, could bring assembly lines to a halt causing a build-up of undelivered orders ultimately resulting in dissatisfied customers and a long-term loss of revenue. 

With potentially hundreds of suppliers and thousands of parts it’s not practical to maintain frequent communications with every single supplier, nor is it possible to manually oversee the entirety of the supply chain. 

Fire and the Unexpected Physical Disruptions

While some events can be predicted and planned against, others can’t. A fire in a warehouse for example. Or as we have seen recently COVID-19 which has caused havoc across supply lines with factories either temporarily shutting down or reducing the scale of their operations with limited workforces.

Such unexpected crises can have a big impact causing costly delays. Organisations need up to date and real-time information on all their respective suppliers if they are to react fast and mitigate the potential financial impact of these supply chain risks.

Cyber Threats

There are multiple threat vectors that cyber attackers could target. And as operations get more complex and they focus increasingly on utilising technology for increased efficiency, these vulnerabilities become progressively more concerning. Attacks could take the form of anything from customer data breach, to leaked information pertaining to sensitive company data or even as in the case of Maersk, a rogue malware completely taking down an organisations IT systems.

Related: Securing the Supply Chain: The Role of OSINT in Logistics

Conclusion

New demands and pressures are constantly stretching supply chains and forcing supply chain managers and security teams to adapt. The stakes are high and security is a critical factor. Major concerns such as an unstable global economy, aggressive market competition, extreme weather conditions, demand volatility, and production failures place revenue growth, reputation and overall business operations at great risk. 

Understanding the nature of potential vulnerabilities and keeping current on disturbances that can impact processes can help teams better handle and mitigate problems related to global supplier concerns, brand protection, and financial risks.

Open Source Intelligence monitoring solutions like Signal enables teams to gain a clear oversight of the entirety of their logistical operations. This means they have details of potential disruptions or cyber-attacks before, or as, they are happening, allowing security teams and supply chain managers to implement their contingency plans in a timely fashion and prevent unnecessary financial losses.

In an increasingly digital world, there is scope for fake news publishers to make a huge social impact as well as large profits through the spread of disinformation. Accordingly, this is a problem that has and will continue to grow. The spread is compounded by our very human natures which compel us to engage with inflammatory content and often share before we’ve had time to fact-check and verify.

The spread of disinformation is problematic on a number of levels, it can impact a brands image, spread harmful or misleading medical information - as we’ve seen throughout COVID-19, or even undermine democracy itself as was seen in the 2016 US elections. Ultimately, to combat misinformation organizations need to be equipped with the right tools and understand both what they’re looking for, and the reasons for spreading misinformation.

The High Cost of Fake News

There are serious potential ramifications for the unchecked proliferation of misinformation which can impact both B2C and B2B organizations. For example, a competitor or disgruntled customer or employee could hire or create a fake news publisher to damage your brand image for purposes of revenge or to gain a competitive market advantage. 

These adversarial news generation sites could easily generate a huge amount of very believable content, syndicate across a number of channels, and promote heavily through social media, potentially through the use of bots. Overwhelmed companies would face a significant challenge when developing a response to counteract these examples of bad “press” and it would be necessary for those targeted organizations to have real-time actionable data at their fingertips.

How do you Spot a Bot?

Anonymity

Real people sharing real stories will have full accounts, normally with a photo of themselves. These people will have friends, followers, family and likely engage largely with their friends content. The opposite is fairly true for bots. Bots, by their very nature don’t have identities which often results in bot accounts appearing to have a highly anonymous approach.

This could be evidenced in the lack of information they share, or perhaps they use a generic profile picture like a well-known landmark.

Activity

The frequency of their postings as well as how successful those posts are are good indicators of a bot. For example, you might come across an account with only one post and no followers yet that post has thousands of shares.

Content

The people that create bots have an agenda. Whether that’s to drive traffic to a website, generate income, spread political disinformation, etc. Whatever, their reason, the bots will be used to achieve it which means all their posts will have a common theme such as inflammatory political context.

Stolen photo

It’s not uncommon for bots to steal profile pictures. A quick test can be running their profile picture through Google image finder to find the real owner of the image.

Related: Responding to Global Crises like COVID-19 with Increased Situational Awareness

A quick checklist for botnet detection

Bot accounts used in one network or campaign usually have several of the below listed features in common:

• Multiple accounts with similar names or handles;

• Accounts were created on the same date;

• Each account is posting to the same sites, or even the exact same links;

• The same phrasing or grammatical error appears across each accounts;

• They all follow each other and/ or share each other posts;

• They use the same tool for link shortening;

• The bios have similarities;

• Profile pictures are generic or identifiably not them (easily searchable through Google).

Obviously, just because some accounts have similarities doesn’t mean they are all bots, however, it should certainly raise some eyebrows in suspicion especially if you have  four or five accounts with several of these signs.

Fake Accounts vs. Account Takeovers

We outline above a few of the tell-tale signs of a bot. There is an additional tactic that is commonly used to amplify the distribution of fake or inflammatory content and this is through an account takeover. 

For this approach botnet operators perform credential stuffing attacks on social media accounts and then use the accounts they gain access to, to share information through direct messaging or by sharing content. Additionally, a compromised account could theoretically mean sensitive information is exposed and executives or organizations as a whole could suffer reputational damage or financial loss.

Standard security protocols, such as having unique passwords for all your online accounts, should help individuals avoid becoming victims of these tactics. 

The Importance of Verifying Information

The best way to check the accuracy of a source is to check it against another source.

However, this does raise another question. What if those other sources, those source which are supposed to independently verify the truth are working with the information source you’re fact-checking. Or what if the facts in the source are. largely correct but the story is spun to support one side of an argument. This might ring with scepticism and conspiracy, however, it is a point worth making, with whom do you place your faith and at what point do you stop questioning the validity of information?

Identifying Click-bait

Click-bait titles are purposefully crafted to evoke a powerful response from the readers. The reason for this is it encourages people to share the post, often without even reading the text. Less reputable news sites are occasionally guilty of this tactic, twisting the truth in their titles to get a response and increase their reach. However, it is also a tactic employed by botnet operators to maximise the reach of fake news. Signs that this might be the case are as follows:

• Does it evoke a strong emotional reaction?

• Is the story utterly ridiculous - or does it perfectly confirm your beliefs?

• Are you going to spend money because of it?

• Does it make you want to share it?

What’s the Bigger Context

Understanding the context behind a piece of news can help you determine how much, if any, of the story is true as well as lead you to a better understanding of what the publishers end goal is.

• Who’s providing the information?

• What’s the scale of the story?

• If there’s an “outrage,” are people actually upset?

• How do different news outlets present the same story?

Understand their Angle

Just because something is misleading or even incorrect doesn’t mean it’s without use especially in a security context. In fact, understanding the reason behind the content might give insight into potentially harmful tactics targeting your organization and better allow you to create an effective response.

When determining what their angle is ask the following questions:

• Are important facts getting left out or distorted?

• What’s the larger narrative?

• What if you are actually wrong? Your previous opinion on a subject might have been formed by a different piece of fake news.

• Why did they share this story?

Determining Truth from Fiction Online with Signal OSINT

How companies utilize technology and adapt to the shifting threat landscape will determine how effectively they are able to mitigate the threat of disinformation.

Signal enables organizations to monitor and manage large amounts of data from a plethora of different data sources across the surface, deep, and dark web. This, paired with advanced filters and boolean logic means that security teams are empowered to identify disinformation, discover patterns and botnets, and practically respond to these potential and evolving threats. 

Additionally, Signal enables security teams to detect data leaks. This data may be used in credential stuffing attacks and poses a severe security risk. Identifying data leaks early is essential for mitigating the threat of credential stuffing and in this case preventing harmful misinformation from being spread through or by an organizations workforce.

It is estimated that cybercrime will cost organization a combined amount of upwards of $6 trillion a year. Cybercriminals are getting smarter and to defend networks, predict threats, and protect staff, organizations need increased access to timely intelligence. 

Effective information security requires smarter detection techniques which is why many organizations are incorporating AI-driven solutions and products to enable their security teams. However, even with AI assistance the sheer amount of data to assess is encumbering. Signal offers a multi-faceted approach that incorporates filters using boolean logic, AI analysis, and a human hand.

Getting Actionable Insights in Real-Time

In threat intelligence having timely data means everything! Having hyper-relevant intelligence as or even before events are unfolding could mean the difference of several zero’s. By contrast, acting upon old threat insights that maybe have dated can be counter-productive, or even undermine the purpose of the intelligence.

Automation and AI tools can make all the difference when it comes to constantly collecting fresh data. A threat intelligence platform such as Signal which harnesses automation and AI tools massively expands the potential data sources and amount of data that an organisation is able to effectively and efficiently monitor. As well as enabling security teams to sift through all that data and detect anomalous and potentially dangerous activity.

Reacting fast is vital to mitigating threats, but what is even more effective is preempting potential attacks enabling security teams to take preventative measures. For example, using a dark web scan a security team might discover an exploit package for sale targeting a previously unknown vulnerability. Discovering this exploit pack allows the security team to patch the vulnerability before hackers have a chance to take advantage of it.

Automation isn’t Everything

Machines can save you time and in that way they save you money. The combination of AI and Automation when scanning the surface, deep and dark web allows your security team to have more eyes on more data sources. This is vitally important especially today when cyber skills are scarce and data growth so overwhelming. This combination helps prevent analysts from being utterly swamped by endless admin work and allows them to deliver true value to their role.

That being said. Machines can only do so much by themselves (at least for the foreseeable future. People remain fundamentally better at understanding insights from potentially vague context and who are able to deliver an effective response.

Acting fast as we have already mentioned is incredibly important. But just throwing machine learning at the threat intelligence problem isn’t nearly enough. The perfect blend combines rapid and large-scale initial gathering and analysis by machines that then hand-off to their human team-mates to apply strategic intellect while the data is still fresh.

Security professionals have to think how cybercriminals think: machines (e.g. botnets) to do the heavy lifting and a sprinkling of human intervention to execute as successfully as possible.

Injecting Human Intelligence into Automated Threat intelligence

The key to superior threat intelligence accuracy and timing is to leverage automation whilst simultaneously injecting human expertise. You don’t want to be wasting your human resources by making skilled data security analysts wade through piles of admin. Nor do you want those analysts to miss potential anomalous data because your automated system disregarded a seemingly meaningless information package which later turned out to be a viable threat. 

Signal allows you to create filtered searches using Boolean logic scanning your chosen data sources and understanding potential location information. These searches can additionally be run through our emotional analysis tool Spotlight. 

There is one more problem though. Getting the balance of human and automation right is essential if you want to derive an effective threat intelligence system at a competitive cost.

To solve this problem we have launched our Sapphire program. Sapphire is an optional bolt-on which enables Signal customers to leverage our skilled in-house data analysts to further refine their results allowing their in-house security personnel to spend time on delivering real value.

Final Words

As can be seen from the description above, Signal is not an “AI application” in the commonly understood way. Instead, it’s a system where we use AI techniques and automation in multiple places to create a tool which in the right hands creates an extremely capable intelligence solution.

Even though machines and software will continue to evolve with dazzling speed, the complexity of threat analysis means there will be plenty of challenging opportunities for human analysts for a very, very long time.