CYBER THREAT INTELLIGENCE REPORT


2020 CYBER THREAT INTELLIGENCE REPORT

INTRODUCTION

Cyber Threat Intelligence (CTI) isn't the exclusive domain of specialized organizations anymore. It is evolving into a pillar of security and public safety functions across all industries and organizations of all sizes, worldwide.

Yet many CTI practitioners, the analysts, researchers and threat hunters who collect and manage Open Source Intelligence (OSINT) gleaned from the open, deep and Dark Web, report a lack of training, tools and internal oversight.

This is the most significant take-away from our 2020 Cyber Threat Intelligence Report. It is based on a survey among 338 CTI practitioners. About 85% of them told us they have received little or no training for their work. Other highlights from this report include:

- 34% of respondents didn't have any prior experience with OSINT-related research;
- 83% of cyber threat intelligence analysts use a web browser as their primary tool for conducting research;
- 55% use the Dark Web regularly as part of their OSINT activities;
- 38% of respondents do not use managed attribution to mask or hide their identity.

CTI missions are critical to ensure public and corporate safety and security. Online, CTI practitioners are exposed to web-borne exploits, targeted attacks, and counterintelligence efforts.

Overall, the findings in this report underline that organizations lacking adequate research frameworks and oversight of the online activities of their analysts risk compliance violations, legal and financial damages, and reputational harm.

This 2020 Cyber Threat Intelligence Report, which reflects the dynamics of an evolving field, provides a rare glimpse into the world of cyber threat intelligence and OSINT collection online. It has been produced by Cybersecurity Insiders, the 400,000-member information security community, to explore how organizations are leveraging cyber threat intelligence and OSINT to improve their overall security posture.

Many thanks to Authentic8 for supporting this important research project.

We hope you will find this report informative and helpful as you are building and expanding your CTI efforts.

Thank you,
Holger Schulze
CEO and Founder
Cybersecurity Insiders

All Rights Reserved. 2020 Cybersecurity Insiders

OSINT EXPERIENCE

Threat scenarios, adversaries, awareness of available tools, and compliance requirements for handling sensitive data can vary greatly between different sectors and industries. Surprisingly, one third of respondents (34%) had no prior experience doing OSINT-type research before starting their current job. The largest groups of researchers come from the intelligence community (42%) and the military (21%).

Prior to your current role, where did you have experience with OSINT-related activity? (Responses add up to more than 100%, so multiple answers were possible.)
42% Intelligence community
21% Military
18% Fraud research at a commercial company
10% Law enforcement
14% Other
34% No prior experience

LACK OF OSINT TRAINING

Information and preparation are key to efficient CTI. How does your organization ensure practitioners are up to date on de-anonymization techniques, attribution risks, and regulatory requirements? A staggering 85% of respondents (the "none" and "a little bit" answers combined) received little or no training in OSINT techniques and risks.

Were you trained by your current employer in OSINT techniques and risks? (Responses add up to more than 100%, so multiple answers were possible.)
41% None
44% A little bit, but nothing formal
10% Completed formal training conducted by a team member
10% Completed formal training conducted by a third-party vendor
10% Other

OSINT TRAINING REQUIREMENT

CTI practitioners are at the front lines of a dynamic threatscape. Collected OSINT may be subject to evolving data protection regulations on state and federal levels. Still, the majority of respondents (77%) report they are not receiving recurring OSINT training or certification as part of their role.

Is there a recurring OSINT training or certification requirement as part of your role?
77% No
17% Yes, training is regular and ongoing
4% Yes, annual training is provided
2% Yes, training is periodic, several times per year

BROWSING FOR OPEN SOURCE INTELLIGENCE

OSINT is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources). The survey reveals that 83% of respondents spend a meaningful share of their OSINT work in a web browser (only 17% say "rarely"), and 50% of analysts spend half their time or more in a browser performing research.

What portion of your OSINT activity is spent in the web browser?
17% Rarely
33% About a quarter of my time
22% About half of my time
14% About three-quarters of my time
14% The majority of my time

FORMAL OSINT GUIDELINES

Without guidance for CTI practitioners on what data and resources are legitimate targets for collection and inspection, and on how to engage counterparts, organizations incur the risk of legal and reputational damages. More than half of CTI researchers are given no formal guidelines on what they can access or how to interact with counterparties.

Do you have formal guidelines on what you can access or how you interact with counterparties?
54% No
42% Yes
4% Other

MASKING ONLINE ACTIVITY

CTI research attributable to the originating organization carries inherent risks. It may alert counterparties to an investigation, preclude researchers from accessing certain resources, dilute research results, and turn analysts and their organization into targets for counterintelligence, doxing and public embarrassment on social media, pinpointed malware attacks, or worse. More than a third of respondents (38%) do not use managed attribution tools to mask or hide their identity.

Do you utilize any attribution management tools to mask your online identity/persona?
56% Yes
38% No
6% Other

More than half of respondents (56%) venture into the Dark Web regularly as part of their OSINT activity; 44% never do.

How often do you venture into the Dark Web as part of your OSINT activity?
12% Every day - it is my primary focus
16% 1-10 times per week - it is part of my role
28% 11-20 times per month - dependent on requirements
44% Never

COLLECTION PERSONAS

Is your CTI effort missing the bigger picture? Are your team members only seeing what counterparties, adversaries, or bot networks want them to see, based on their specific online profile and tracking/fingerprinting? Comprehensive OSINT collection requires the removal of such limitations. When asked whether they are able to create and run multiple collection personas concurrently, more than half (53%) say they cannot do so.

Are you able to create and run multiple collection personas concurrently?
47% Yes
53% No

PLATFORM CONFIGURATION

Crisis developments, threat actors and malware markets transcend borders. An investigation can quickly lead you abroad. Disclosing your own location, network, or language through your browser can easily compromise a mission. CTI professionals need capabilities to blend in online with the "locals", on every level. Over 40% of respondents confirm they cannot configure platform parameters specific to their local environment.

Can you configure your platform parameters specific to the local environment you're researching?
54% Yes
41% No
4% Other

ATTRIBUTION MANAGEMENT

An adequate research framework empowers CTI researchers to select egress nodes in sync with a given online persona, to avoid inconsistencies easily spotted by counterparties. Still, nearly half (46%) cannot manage attribution through geographically distributed egress nodes.

Are you able to manage attribution through geographically distributed egress nodes?
51% Yes
46% No
3% Other
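The consistency that the PLATFORM CONFIGURATION and ATTRIBUTION MANAGEMENT sections describe (browser settings matching the locale being researched, and the egress node matching the persona) can be checked mechanically before a collection session starts. The following is an added example written for this page; it is not code from the report or from any vendor's product. The egress-node catalogue, the time-zone table, the persona and the three sample sessions are constructed for illustration, and the signals it compares are the ones a logging counterparty site can observe: egress IP geolocation, the Accept-Language and User-Agent headers, and navigator.language plus the Intl time zone as seen by page scripts.

```python
"""Persona/egress consistency check (constructed example).

A site that logs visitors sees the egress IP's geolocation, the
Accept-Language header, the User-Agent and, through JavaScript,
navigator.language and the Intl time zone. When these disagree with
each other or with the persona, the visit stands out. This check flags
such disagreements before a session begins. The node catalogue, time-zone
table, persona and sessions below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed egress catalogue: node name -> ISO 3166-1 alpha-2 country.
EGRESS_NODES = {
    "egress-de-fra-01": "DE",
    "egress-br-sao-02": "BR",
    "egress-us-nyc-03": "US",
}

# Constructed subset of IANA zone -> country, covering only the zones used here.
TZ_COUNTRY = {
    "Europe/Berlin": "DE",
    "America/Sao_Paulo": "BR",
    "America/New_York": "US",
}


@dataclass(frozen=True)
class Persona:
    name: str
    country: str        # country the persona claims to be in
    languages: tuple    # acceptable primary language tags, lower-case
    os_family: str      # OS the persona's browser should present


@dataclass(frozen=True)
class SessionSignals:
    egress_node: str
    accept_language: str    # raw Accept-Language request header
    user_agent: str         # raw User-Agent request header
    js_language: str        # navigator.language as seen by page scripts
    js_timezone: str        # Intl.DateTimeFormat().resolvedOptions().timeZone


def parse_accept_language(header: str) -> list:
    """Language tags ordered by descending q-value; ties keep header order;
    q=0 entries are dropped. 'en;q=0.5,de-DE' -> ['de-de', 'en']."""
    ranked = []
    for pos, item in enumerate(header.split(",")):
        tag, *params = [p.strip() for p in item.split(";")]
        if not tag:
            continue
        q = 1.0
        for p in params:
            m = re.fullmatch(r"q=([01](?:\.\d{0,3})?)", p, re.IGNORECASE)
            if m:
                q = float(m.group(1))
        if q > 0:
            ranked.append((-q, pos, tag.lower()))
    return [tag for _, _, tag in sorted(ranked)]


def ua_os_family(user_agent: str) -> str:
    """Coarse OS family from a User-Agent string. Android is tested before
    Linux because Android user agents also contain 'Linux'."""
    for marker, family in (("Android", "Android"), ("Windows NT", "Windows"),
                           ("Mac OS X", "macOS"), ("Linux", "Linux")):
        if marker in user_agent:
            return family
    return "unknown"


def check_persona(persona: Persona, s: SessionSignals) -> list:
    """Return human-readable inconsistencies; an empty list means the
    observable signals agree with each other and with the persona."""
    findings = []
    egress_country = EGRESS_NODES.get(s.egress_node)
    if egress_country != persona.country:
        findings.append(f"egress node {s.egress_node} is in {egress_country}, "
                        f"persona {persona.name} is in {persona.country}")
    langs = parse_accept_language(s.accept_language)
    primary = langs[0] if langs else ""
    if primary not in persona.languages:
        findings.append(f"Accept-Language leads with {primary!r}, "
                        f"persona expects one of {persona.languages}")
    # A proxy can rewrite the header; page scripts still see the real browser.
    if s.js_language.lower() != primary:
        findings.append(f"navigator.language {s.js_language!r} disagrees with "
                        f"Accept-Language {primary!r}")
    tz_country = TZ_COUNTRY.get(s.js_timezone)
    if tz_country != persona.country:
        findings.append(f"time zone {s.js_timezone} maps to {tz_country}, "
                        f"persona is in {persona.country}")
    os_family = ua_os_family(s.user_agent)
    if os_family != persona.os_family:
        findings.append(f"User-Agent presents {os_family}, persona uses {persona.os_family}")
    return findings


# Constructed persona and sessions (hypothetical names and values).
PERSONA_BR = Persona("br-retail-buyer", "BR", ("pt-br", "pt"), "Windows")
WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36")
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"

# Correctly configured session: everything agrees with the persona.
SESSION_OK = SessionSignals("egress-br-sao-02", "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7",
                            WIN_UA, "pt-BR", "America/Sao_Paulo")
# Analyst switched egress but kept the workstation's own browser settings.
SESSION_LEAKY = SessionSignals("egress-br-sao-02", "en-US,en;q=0.9",
                               LINUX_UA, "en-US", "America/New_York")
# Proxy rewrote the header; the browser itself was never reconfigured.
SESSION_MIXED = SessionSignals("egress-br-sao-02", "pt-BR,pt;q=0.9",
                               WIN_UA, "en-US", "America/Sao_Paulo")

if __name__ == "__main__":
    for label, session in (("ok", SESSION_OK), ("leaky", SESSION_LEAKY), ("mixed", SESSION_MIXED)):
        print(label, check_persona(PERSONA_BR, session) or "consistent")
```

The "mixed" session is the case practitioners most often miss: rewriting Accept-Language at the proxy makes the HTTP layer look local, but navigator.language and the Intl time zone are read by page scripts from the real browser, so a site that compares the two still sees the mismatch. The check therefore treats header and script-visible values as separate signals that must agree.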

DATA HANDLING

Organizations need to ensure that suspicious or malicious content is stored safely, and only in accordance with applicable laws and compliance requirements. When data is collected and preserved, more than half of respondents store the data in their local environment.

When accessing suspicious or malicious content, sometimes collected material needs to be preserved. How is the collected data handled? (Responses add up to more than 100%, so multiple answers were possible.)
56% Stored in a local environment in segregated storage pools
27% Data is flattened prior to storage to eliminate malicious content
23% Data must be stored in its native format
16% Stored off-site on third-party cloud resources
9% Other

COLLABORATION

Top-performing CTI analysts are team players and thrive on collaboration. Is your organization playing to that strength and leveraging the power of collaborative tools? Only 17% implement a redundant analyst program for continuity and oversight, and 35% collaborate on best practices.

Do you collaborate with other members of your research team or other team members?
35% Yes, on general best practices
21% Yes, investigators share caseloads
17% Yes, we implement a redundant analyst program for continuity and oversight
19% No, we each own our casework individually
8% No, our organization stresses information containment

AUDITING ANALYST ACTIVITY

Organizations have been blindsided by analysts who went rogue and inflicted massive financial, legal, and reputational damage. Surprisingly, 29% report there are no oversight procedures in place to make sure that tools are not being abused by analysts. Another 35% report their supervisor audits their activity. A plurality of respondents are audited by the compliance team (41%).

Who audits your activity as an analyst? (Responses add up to more than 100%, so multiple answers were possible.)
41% Compliance team
35% Supervisor
29% No one
18% Legal
6% Other

ANALYST ACTIVITY REVIEWS

While 20% say there is no audit process, another 42% report that audits are not a regular occurrence.

Does your organization implement formal, regular reviews of analyst activity?
10% Yes, analysts must defend their processes as cases progress
28% Yes, analysts are responsible for their activity and are subject to regular review
28% Not regular, but random audits may occur
14% Not regular, but as part of any incident response process
20% No, our organization does not audit or review analyst activity

METHODOLOGY & DEMOGRAPHICS

This report is based on the results of a comprehensive online survey of 338 IT and cybersecurity professionals in the US, conducted in March 2020 to identify the latest enterprise adoption trends, challenges, gaps and solution preferences related to Cyber Threat Intelligence. The respondents range from technical executives to IT security practitioners, representing a balanced cross-section of organizations of varying sizes across multiple industries.

Career level (chart): Specialist 20%. The remaining categories (Consultant, Manager/Supervisor, Project Manager, Director, Vice President, CTO/CIO/CISO/CMO/CFO/COO, Owner/CEO/President, Other) share the values 17%, 15%, 13%, 12%, 9%, 8%, 4% and 2%, but the transcription does not preserve which value belongs to which category.

Department (chart): IT Security 55%, IT Operations 22%, Other 12%, Operations 5%, Sales 4%, Engineering 2%.

Company size (chart): Fewer than 10: 19%; 10-99: 22%; 100-499 and 500-999: one of these is 11%, the other value and the intermediate size bands are lost in the transcription; More than 50,000: 12%.

Silo for Research (Toolbox) is a secure and anonymous web browsing solution that enables users to conduct research, collect evidence and analyze data across the open, deep and Dark Web. Silo for Research is built on Authentic8's patented, cloud-based Silo Web Isolation Platform, which separates the things you care about from the things you cannot trust. Silo executes all web code in a secure, isolated environment that is managed by policy, providing protection and oversight of all web-based activity.

Silo for Research provides a managed attribution and global egress network, allowing OSINT teams to accomplish their goals without introducing risk to the organization or revealing intent. All web activity is logged and encrypted so compliance teams can be sure that the tools are being used appropriately.

www.authentic8.com
