Threat Analyst Insights: Discovering the Value of Threat Intelligence From Social Media

November 16, 2018 • Krysta Horocofsky

Social media, in its simplest form, can be viewed as a networking tool that allows individuals to communicate with anyone across the globe, stay up to date on news and trending topics, and share content (and opinions) with one another. For threat researchers and analysts, however, social media is a little bit more than that — it can also be an additional source of valuable information regarding ongoing (and even future) threats.

Some examples of threat information that can be identified on social media include:

  • Threat actor communication
  • Networking and coordination
  • The sharing of vulnerabilities and exploits
  • User reporting and responses to suspicious cyber activity

Although the observation of such threat information can contribute viable context to an analyst’s research, there are a few challenges that need to be addressed when collecting and using information from social media before it can be transformed into actionable intelligence.

Privacy Rights Versus Security Concerns

Privacy is perhaps the biggest obstacle and area of concern when using social media as a source of cyber threat intelligence.

Opponents of the use of social media in threat intelligence argue that privacy should be upheld regardless of whether the information being collected is from private or public profiles, even though posts that come from public profiles are technically considered open source information.

Interestingly, the privacy policies of social media websites such as Facebook and Twitter only ensure privacy to a certain extent, stating that they uphold the right to access, collect, and share user account information if it is believed that such information or actions support illegal activities or could cause harm to oneself or the public. For those concerned about privacy, the question now becomes, “How often do law enforcement, intelligence communities, and social media officials actually monitor my account to detect such activity, and how much information is actually being collected?”

The answer to this question will vary depending on who is collecting that information. But without some degree of monitoring over social media environments, security is weakened and threat response becomes reactive rather than proactive. Because of this, there will always be a debate regarding whether the desire for privacy outweighs the need for security.

Validity and Reliability

Once the desired information is collected from social media, it is moved through the processing stage of the threat intelligence lifecycle. Before analysis and production, raw data collected from social media will undergo some preparation such as decryption, language translation, cultural context application, data reduction, and bias identification.

Unfortunately, the tools and techniques used during this stage are new and often struggle to meet evidence standards such as producing representative datasets, providing credible interpretation, and validating information to avoid fake data. The failure to meet these standards heightens the risk of producing false positives or false negatives. Additionally, because the nature of social media environments allows users to modify and delete content as they please, information posted and shared on social media should be treated as time sensitive in order to properly assess the reliability of information.

One way in which these challenges can be addressed is through information substantiation. In other words, when threat intelligence is produced from information found on social media, the new intelligence should be cross-referenced with existing intelligence to check for false data, tampered information, analyst biases, and any other possible impurities that may discredit its genuine value.
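The substantiation step described above, sketched as an added example that is not part of the original article or any Recorded Future tooling. It cross-references CVE identifiers mentioned in collected posts against existing intelligence and treats each post as time sensitive. The CVE ids, account names, source names, the seven-day freshness window and the verdict labels are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)

@dataclass
class Post:
    author: str
    text: str
    captured_at: datetime  # collection time; the post may be edited or deleted later
    still_online: bool     # False if the post was changed or removed after capture

def substantiate(posts, intel, now, max_age=timedelta(days=7)):
    """Map each CVE id seen in posts to (verdict, independent sources)."""
    fresh, removed = {}, {}
    for post in posts:
        is_fresh = now - post.captured_at <= max_age
        for ind in {m.upper() for m in CVE_RE.findall(post.text)}:
            fresh[ind] = fresh.get(ind, False) or is_fresh
            removed[ind] = removed.get(ind, False) or not post.still_online
    result = {}
    for ind in fresh:
        sources = sorted(intel.get(ind, ()))
        if sources:
            verdict = "corroborated"        # existing intelligence agrees
        elif not fresh[ind]:
            verdict = "stale"               # too old to assess from social media alone
        elif removed[ind]:
            verdict = "unverified-removed"  # source content changed since capture
        else:
            verdict = "unverified"
        result[ind] = (verdict, sources)
    return result

# Constructed sample data: placeholder CVE ids, accounts and source names.
NOW = datetime(2018, 11, 16, tzinfo=timezone.utc)
EXISTING_INTEL = {"CVE-0000-00001": {"vendor-advisory", "internal-ir-report"}}
SAMPLE_POSTS = [
    Post("user_a", "PoC for cve-0000-00001 is circulating", NOW - timedelta(days=1), True),
    Post("user_b", "Seeing scans for CVE-0000-00002", NOW - timedelta(days=2), False),
    Post("user_c", "Old rumor about CVE-0000-00003", NOW - timedelta(days=30), True),
]

if __name__ == "__main__":
    verdicts = substantiate(SAMPLE_POSTS, EXISTING_INTEL, NOW)
    for indicator, (verdict, sources) in sorted(verdicts.items()):
        print(indicator, verdict, sources)
```

Only indicators with at least one source outside social media are marked corroborated; everything else is routed to an analyst rather than promoted to intelligence.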

Is Intelligence Derived From Social Media Valuable?

When the challenges of social media collection are properly addressed to ensure privacy protection, validity, and reliability, the answer is yes — intelligence derived from social media can be extremely valuable. Information collected from social media, like all other information, needs to go through the processing and analysis stages of the threat intelligence lifecycle before yielding actionable results.

Once these stages are complete, the resulting intelligence can be used by decision makers to direct plans for threat prevention, mitigation, and recovery. The use of social media in developing threat intelligence for such decision-making processes is still evolving and as a result, privacy, validity, and reliability challenges are still prevalent. To address these challenges, a basis for regulation, standards, and oversight needs to be established to ensure the misuse of social media in threat intelligence does not occur.

The existence of these challenges does not devalue intelligence derived from social media, but instead suggests that such intelligence is most valuable when used to support pre-existing and ongoing assessments.

Krysta Horocofsky is an associate cyber threat analyst at Recorded Future.