What is Social Media Threat Intelligence?

Posted: 10th June 2024
By: Esteban Borges

Social media is a networking tool where you can talk to anyone in the world, stay up to date on news and trends and share content (and opinions). For threat researchers and analysts, social media is a bit more than that — it’s an extra source of information on ongoing (and future) threats including social media threats. By monitoring social media continuously, they can identify threats such as lookalike domains and social engineering tactics that traditional security tools miss.

Open Source and Social Media Threat Intelligence for Social Media Threat Monitoring

Open-source intelligence (OSINT) and social media threat intelligence are required for threat management. Monitoring social media platforms is key to finding potential threats, gaining visibility into your organization’s digital footprint, detecting security threats early, supporting incident response and protecting brand value and integrity. OSINT is the collection and analysis of publicly available data from various sources, including websites, forums, databases and especially social media.

What is Social Media Threat Intelligence?

Social media threat intelligence is the process of collecting and analyzing information from social media platforms to find potential security threats and vulnerabilities. Implementing strong security measures is key to addressing these threats and vulnerabilities. It helps organizations detect and respond to digital risks such as cyber attacks, data breaches and social engineering tactics in real time.

Social media threat intelligence is a subset of OSINT and focuses on data from social media platforms.

With millions of users, social media posts are a treasure trove of real-time information. Analysts monitor these platforms to track threat actor communications, detect early signs of coordinated attacks and gather insights on emerging vulnerabilities. This real-time data allows organizations to respond quickly to potential threats and improve their overall security posture.

Why Social Media Matters in Threat Intelligence

Social media platforms are a treasure trove of information that can give early warnings on emerging threats. Social media plays a crucial role in threat monitoring, intelligence gathering, and preemptive action against various types of threats such as cyber threats, violence, insider threats, and mass shooting threats. As of 2024, there are 5.04 billion social media users worldwide, 62.3% of the global population. The user base grew by 5.6% in the past year, adding 266 million new users, which is a lot of data for cyber threat monitoring. That is why social media counts as a source of open-source intelligence.

Different threat actors use social media to communicate, coordinate attacks, share vulnerabilities and even boast about their exploits. And that’s where social media threat intelligence comes in. For example, during the planning stage of an attack, threat actors may discuss their plans or share exploit tools on forums and social media groups. Data leaks are also one of the threats that organizations face.

With this information, analysts can find threats before they happen and organizations can take proactive measures to mitigate risks. Social media monitoring helps in finding and investigating security risks such as insider threats, active shooter threats, suicide attempts and other violent incidents. It also provides real-time updates on ongoing threats and helps organizations respond to incidents as they happen.

Some examples of threat information that can be found on social media:

  • Threat actor communication
  • Networking and coordination
  • Sharing of vulnerabilities and exploits
  • User reporting and responses to suspicious cyber activity

While observing this threat information can add value to an analyst’s research, there are a few challenges to consider when collecting and using information from social media before it can be turned into intelligence.

Privacy vs Security

Privacy is the biggest obstacle and concern when using social media as a threat monitoring source.

Critics of social media threat monitoring say that privacy should be respected even if the information is from private or public profiles, although posts from public profiles are technically open-source information.

Interestingly, the privacy policies of social media websites like Facebook and Twitter only guarantee privacy up to a point, stating that they can access, collect and share user account information if they believe that information or actions support illegal activities or could harm oneself or the public.

For those who are concerned about privacy, the question now is, “How often do law enforcement, intelligence agencies and social media officials monitor my account to detect this activity and how much information are they collecting?”

The answer to this will vary depending on who is collecting that information. But without some level of social media monitoring, security is compromised and threat response is reactive not proactive. So there will always be a debate on whether privacy trumps security.

Adding social media threat monitoring to a security operations center (SOC) can help find threats, respond faster during incidents and keep staff, customers and property safe.

Ethical Issues

Ethical issues also come into play, especially when monitoring social media. Security professionals have a big role to play in ethically using social media for threat assessment, ensuring that data collection and analysis support informed decisions while respecting privacy rights. When using social media threat intelligence, ethical considerations are key to ensuring that privacy rights and civil liberties are respected.

Organizations must follow legal and ethical standards to not infringe on individual rights. This means getting necessary permissions and being transparent and justifiable in social media threat monitoring.

The challenge is in collecting intelligence from social media threat monitoring while maintaining the integrity and trust of social media users.

Validity and Reliability of Social Media Data

Once the information is collected from social media channels, it goes through the processing stage of the threat intelligence lifecycle. Before analysis and production, raw data collected from social media will go through some preparation such as decryption, language translation, cultural context application, data reduction and bias identification.

But the OSINT tools and techniques used during this stage are new and don’t meet evidence standards such as producing representative datasets, providing credible interpretation and validating information to avoid fake data. Failure to meet these standards increases the risk of false positives or false negatives.

Accurate threat detection is key to social media data reliability. Securing and monitoring social media accounts and social platforms is key to data reliability and protection.

Also, since social media platforms allow users to modify or delete content from their posts as they please, information posted and shared on social media should be treated as time-sensitive so that it can be assessed properly.

One way to address these challenges is through information substantiation. In other words, when threat intelligence is produced from information found on social media, the new intelligence should be cross-referenced with existing intelligence to check for false data, tampered information, analyst biases and any other impurities that may discredit its value.
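The processing and substantiation steps described in this section can be sketched in code. The following is an added example, not part of the original article or any Recorded Future product: it freezes each collected post with a collection timestamp and content hash (posts can later be edited or deleted), drops repeated content (data reduction), and labels each extracted domain as corroborated or unverified against existing intelligence. The posts, domains, field names and the EXISTING_INTEL store are all constructed assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample posts, shaped as a collector might return them.
POSTS = [
    {"id": "p1", "text": "Login at examp1e-bank.test to verify your account"},
    {"id": "p2", "text": "login at EXAMP1E-BANK.test to verify your account"},
    {"id": "p3", "text": "New phishing kit seen on portal-update.test"},
]
# Constructed "existing intelligence": indicators already held from other sources.
EXISTING_INTEL = {"examp1e-bank.test": ["internal phishing report (constructed)"]}
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def snapshot(post, collected_at):
    """Freeze a post at collection time, since it may be edited or deleted later."""
    normalized = " ".join(post["text"].lower().split())
    return {
        "id": post["id"],
        "collected_at": collected_at.isoformat(),
        "sha256": hashlib.sha256(post["text"].encode("utf-8")).hexdigest(),
        "normalized": normalized,
        "domains": sorted(set(DOMAIN_RE.findall(normalized))),
    }

def substantiate(posts, existing_intel, collected_at):
    """Drop repeated content, then label each indicator by corroboration."""
    seen, findings = set(), []
    for post in posts:
        snap = snapshot(post, collected_at)
        if snap["normalized"] in seen:  # data reduction: same content reposted
            continue
        seen.add(snap["normalized"])
        for domain in snap["domains"]:
            sources = existing_intel.get(domain, [])
            findings.append({
                "domain": domain, "post_id": snap["id"],
                "collected_at": snap["collected_at"], "sha256": snap["sha256"],
                "status": "corroborated" if sources else "unverified",
                "corroborated_by": sources,
            })
    return findings

if __name__ == "__main__":
    for finding in substantiate(POSTS, EXISTING_INTEL, datetime.now(timezone.utc)):
        print(finding)
```

Indicators labelled unverified have only a single social media source behind them and are the ones that still need cross-referencing before they are treated as intelligence.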

Social Media Information Challenges

When the challenges of social media threat monitoring and collection are addressed to protect privacy, validity and reliability, then yes, intelligence from social media posts can be very valuable. Monitoring social media sites for threat actor mentions and data breaches, and proactively mitigating online threats, is hard but necessary to prevent loss of account credentials and violations of customer trust. Any information collected from social media threat monitoring, like all other information, needs to go through the processing and analysis stages of the security intelligence lifecycle before it becomes actionable.

Once these stages are done, the intelligence can be used by decision makers to direct plans for threat management, prevention, mitigation and recovery. The use of social media threat intelligence in decision making is still evolving, and as such privacy, validity and reliability challenges still exist. To address these challenges, a basis for regulation, standards and oversight needs to be established to prevent misuse of social media.

The existence of these challenges doesn’t devalue intelligence from social media but rather it means that intelligence from social media is most valuable when used to support existing and ongoing assessments.

Social Media Threat Intelligence Strategy

Social media is a valuable source for cybersecurity that can help organizations detect and prevent risks. There are challenges around privacy, validity and reliability, but advanced analytical tools and ethical practices can address these.

By harnessing the power of social media, security teams can turn raw data into intelligence and improve their security operations and stay ahead of threats. The key is to balance security needs and ethical considerations so social media for threat intelligence is effective and responsible.

Esteban Borges

Esteban is a seasoned security researcher and IT professional with over 20 years of experience, specializing in hardening systems and networks, leading blue team operations, and conducting thorough attack surface analysis to bolster cybersecurity defenses. He's also a skilled marketing expert, specializing in content strategy, technical SEO, and conversion rate optimization. His career includes roles as Security Researcher and Head of Marketing at SecurityTrails, before joining the team at Recorded Future.