Threat Intelligence and Brand Monitoring

One thing that nearly every department in your organization is concerned with is monitoring for references to your organization on the internet, such as brand reputation, cybersecurity threats, intellectual property rights, threats of harm against life or property, etc. But, what are your options?

[This is a work in progress in which we intend to keep updated with additional concerns and solutions. Feedback is welcome!]

Negative reviews, brandjacking, trademark abuse, phishing sites targeting your members/ employees, fake social media accounts, confidential company data, etc. are things that no organization wants to see online. In order to track potential threats to an organization and brand, one needs to monitor social media, code repositories, hacker and carder forums, domain name registrations, paste sites, password dumps, closed/ member-only sources, etc.

Should you be concerned about this at all? IMO, and regardless if you’re a 1-person or 1 million-person organization, the answer is, yes! What are your options? Should you pay a Threat Intelligence and Brand Monitoring provider for their services or roll your own?

Vendor Solution

The quick and easy, but not necessarily the cheapest, the solution is to pay for an established monitoring service. Simply search for “threat intelligence and brand monitoring”, which will produce some of the following provider names:

• Blueliv
• DigitalStakeout
• Fireeye
• IntelFinder (most affordable)
• LookingGlass
• MarkMonitor
• RecodedFuture
• Riskiq
• SecureWorks
• etc.

Note: Although we collectively have a working knowledge with a few of these, we, in no way, endorse them…this is simply a list from a Google search.

Things you may want to look for in a vendor solution include:

• Monitoring of –
  • social media platforms – linkedin, instagram, twitter, etc.
  • code repos – github, gitlab, etc.
  • paste sites – pastebin, pasted, etc.
  • file upload sites – sharefile, sfile, etc.
  • forums – public and closed/ member-only
  • certificate transparency logs
  • domain name registrations
  • app stores – Google Play, App Store, 3rd-party
  • “the dark web” – *.onion, carding & hacking marketplaces, etc.
  • malware configuration files (ex. for clickjacking)
  • password dumps
  • etc.
• Monitoring for –
  • threats of physical violence
  • negative reviews
  • brandjacking
  • trademark abuse
  • phishing sites targeting your employees or members
  • [sub]domain hijacking and takeover
  • similar domain registrations (ex. IDN homographs, typos, etc.)
  • fake social media accounts
  • deepfakes
  • confidential company data
  • leaked internal code (accidental or breached)
  • credentials (passwords, password hashes, service account names, etc.)
  • trojanized apps (ex. mobile apps)
  • custom breadcrumbs (i.e. cyber deceptions)
  • key 3rd party partners and suppliers
  • fraud (i.e. bank card BINs)
  • etc.
• Provided Features –
  • near real-time alerts – reporting that is delayed for days is better than nothing, but not much better
  • prioritized alerts – your time is limited, what items should you address first, how old is the data being alerted on, etc.
  • customized priorities – you might want the ability to override default weights for alerting, be it permanently, or during special occasions where your concern is greater in a certain area
  • detailed reporting – you will likely carry out internal Digital Forensics and Incident Response (DFIR) actions based on some reports
  • deduplication – you don’t want to see the same alert multiple times over a long period of time when all alerts originated from a single piece of data
  • search capability – if you, or a 3rd party, find something, you’ll want the ability to determine if the solution already found it
  • take-down of infringing domains, websites, accounts, content (active and cached), etc. – an alert without an action is only half the solution
  • recommendations – for things you should do to prevent whatever was discovered in the future
  • pipeline monitoring – periodic unique injects into the sources being monitored to ensure the entire pipeline is working as expected
  • provides references to clients in your industry – you should absolutely call them
  • etc.

Roll Your Own

Now, what about rolling your own? This is the part I plan to build out over time, but will start small.

Something as simple as a Google Alert RSS feed for “yourdomainname.com”, with a little automation and a white list can work great for even mid-sized businesses. The “new” content being discovered (by the search engine crawlers) on the WWW is not necessarily that much on any single day. On then other end of the spectrum would be paid API subscriptions that allow for more powerful and bulk searching.

Regardless of which sources you decided to pull from, or if you chose to go with paid API subscriptions, you WILL have to build automation (i.e. tons of scripting) on your end. Assuming your employees don’t work for free, this will still cost you.

Here are a few ideas to get you started with [mostly] free resources:

• Data breaches
  • https://haveibeenpwned.com/
  • https://scylla.sh
  • https://ghostproject.fr
• Code Repos
  • https://gitlab.com/search?utf8=✓&search=example.org&group_id=&project_id=&repository_ref=
  • https://github.com/search
  • Others: Bitbucket, SourceForge, Launchpad, Google Cloud Source Repo, etc.
  • Federated search: https://searchcode.com/api/
• Search Engines
  • https://www.google.com/alerts
  • https://www.bing.com/news/search?q=example.org&qft=sortbydate%3d%221%22&format=RSS
  • keywords/phrases to monitor:
    • “companyName”
    • “companyWebsite.com” -site:companyWebsite.com
    • “com.companyWebsite” # example, if you host web/API services and/or to monitor for leaked internal code
    • “email1@exmaple.org” OR “email2@exmaple.org” OR [etc.]
    • “@example.org” # depending on the search engine, this may not work well
    • [ip address(es)]
    • [deception/breadcrumb] # this obviously requires that breadcrumbs are deployed in your environment
    • bank card BINs
    • other internal, but non-sensitive, values that should never be seen publicly – ex. internal usernames (maybe), server names, etc.
• Internet Device Search Engines
  • https://censys.io/
  • https://www.shodan.io/
• Paste Sites
  • https://haveibeenpwned.com/Pastes
  • https://netbootcamp.org
  • https://twitter.com/dumpmon?lang=en
  • https://www.pastemonitor.com/
  • many dozens of sites such as pastebin, tinypaste, hastebin, etc.
• Certificate Transparency logs
  • Option A: Depending on the services you use for creating certificates or hosting your web site, one or more of your current providers may include this monitoring and alerting service. It will typically be called something such as ”Certificate Transparency Monitoring” and is often included for no additional cost.
  • Option B: Sign-up for a monitoring service
    • Free: https://support.cloudflare.com/hc/en-us/articles/360031379012-Understanding-Certificate-Transparency-Monitoring
    • Free: https://developers.facebook.com/tools/ct/
      • Oddly enough, this has proven to be one of the best free options available. They will even send alerts for sub-string matches of a monitored domain (ex. penconsultants.com.attacker.site).
    • Free (reports sent from browsers, not CT logs): https://report-uri.com/products/certificate_transparency_monitoring
    • Paid: https://sslmate.com/certspotter
  • Option C: Download or create a simple script that monitors and alerts
    • https://github.com/SSLMate/certspotter
• Industry-Specific Sources
  • Information Sharing and Analysis Centers (ISACs)
    • FS-ISAC (Financial Services) and ND-ISAC (National Defense) are two we have working knowledge of
    • Additional organizations: https://www.nationalisacs.org/member-isacs-3
  • Information Sharing and Analysis Organizations (ISAOs)
    • Organizations: https://www.isao.org/information-sharing-groups/
• More To Come

Combo Solution

In our experience, the best solution is typically a combination of both. You will never find a vendor that does EVERYTHING you want. If you do, your requirements are much too low.

Consider going with a vendor solution and supplement it with things they do not yet offer, but things you think are important. Obviously, you’ll want to push them to do it first, if possible, or at least commit to providing it soon. Even if you code up the solution and give it to them, it’s better than you maintaining it. Just make sure you retain your rights to that solution so you can give it to the next vendor….because no one stays with the same vendor forever.

Updates:

• 2019-01-21: Original release
• 2022-03-07: typo corrections, added ISAC (thanks Andrew Boyd!), etc.

The featured image is a derivative work from the following images:
> geralt @ pixabay: https://pixabay.com/photos/things-together-communication-2923050/