Cyber Threat Intelligence

Using Social Media (SOCMINT) in Threat Hunting

Learn how security teams can leverage Social Media Intelligence (SOCMINT) for threat hunting and keep false positives to a minimum.
Published on
September 26, 2019
<p style="text-align: center;"><em>(Concepts and workflows developed by Chris Collins, Scott Poley, and Thomas Gorman)</em></p>
<p>Social media is a prominent part of our online lives. It allows its users to communicate and share information. It can also be abused for fraud, cybercrime, and the distribution of misinformation.</p>
<p>That being said, I have to ask the questions, “Can social media be effectively used to gather threat intelligence?”, “Can security teams effectively leverage Social Media Intelligence (SOCMINT) while keeping false positives to a minimum?”, and “Can SOCMINT be considered another form of open-source threat intelligence (OSINT)?”</p>
<p>OSINT is intelligence that is open and available to anyone. No subscription or authentication is required.</p>
<p>Examples of OSINT: blogs, vulnerability feeds, RSS news feeds, exploit databases, etc. I listed these examples because there is a common theme behind each of these focused threat classifications: the validation and qualification of the information before it is released publicly. The author researches a blog topic. The security tester works as part of a bug bounty and then releases the details as part of a vulnerability feed. A journalist investigates news articles that might involve corporate breaches or the exploits used in the breach. Exploits currently active in the wild are collected.</p>
<p>In threat intelligence or threat hunting, context is everything. There are a number of ways to collect or scrape raw data from social media. Qualifying what is scraped is another story altogether. Gathering threat data from social media requires that the channel source can be validated and that the data can then be processed, analyzed, and expanded with context.</p>
<p>In the workflow diagram below, both RSS news feeds and Twitter channels are monitored, and the data is collected using a free web-based applet service called “If This, Then That” (IFTTT). IFTTT allows subscribers to create chains of simple conditional statements that begin with monitoring web services for changes. The output of IFTTT is an email sent to an orchestration platform, which in turn can be configured to perform curation and formatting. The output is then sent into Anomali ThreatStream for tracking, integration, and operationalization into the organization’s security controls (SIEM, firewall, proxy, etc.) and to support a trigger, action, response plan (TARP) workflow if one exists.</p>
<p><img alt="SOCMINT collection workflow: RSS feeds and Twitter channels monitored by IFTTT, emailed to an orchestration platform for curation, then sent into Anomali ThreatStream" src="https://cdn.filestackcontent.com/gBAhZ1JkSd24nj6I2kHV"/></p>
<p>* Workflow developed by Chris Collins, Scott Poley, and Thomas Gorman</p>
<p>So now you’re collecting SOCMINT, but what is needed to make it actionable? There are four qualities of good threat intel:</p>
<ol><li>Complete - Is there enough information/context to make a decision?</li><li>Accurate - Is the expanded information/context enough to make a <strong>good</strong> decision?</li><li>Relevant - Is the intel related to me, my organization, and the mission?</li><li>Timely - Is the intel created soon enough to make a decision?</li></ol>
<p>What was once a challenge (the automated collection of threat data) is now standard practice, as outlined above. The pieces of the collection and data normalization puzzle are readily available, many of them open-source. It is the “timeliness” factor of the equation that puts security professionals and organizations to the test.</p>
<p>Thankfully, threat intelligence management platforms like <a href="https://www.anomali.com/products" target="_blank">Anomali</a> give threat hunters and researchers the ability to collect third-party context on IOCs, timelines, and historical analysis and capture it in one location so that it is available for SOC teams to make <strong>good</strong> decisions.</p>
<p>As teams become more versed in this process of collecting, curating, reviewing, and managing threat data, it becomes polished, finished intelligence with accuracy and depth, allowing organizations to move in an anticipatory direction and make educated decisions, all in the name of risk mitigation.</p>
<p>The concepts and workflows introduced here will be presented in detail during the "Automating Open Source Intel (OSI)" and "Assessing Threat Information and Sources" sessions at the <a href="https://www.anomali.com/detect-20" target="_blank">Detect '19</a> conference.</p>
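<p>Added example, not part of the original post and not the workflow its authors built: a Python sketch of the curation step that sits between the IFTTT email and the ThreatStream import. It scores each collected item against the four qualities above (complete, accurate, relevant, timely), extracts and refangs indicators from the free text, and passes on only items from a validated channel that are complete and fresh, keeping relevance as a field for analyst prioritization. The item field names, the channel allowlist, the sector keywords, and the sample posts are all constructed assumptions; the addresses and domains are from documentation ranges, not real indicators.</p>

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample items in the shape a curation step might receive after the
# orchestration platform parses the IFTTT email (field names are hypothetical).
RAW_ITEMS = [
    {
        "source": "twitter:@vetted_researcher",
        "published": "2019-09-25T14:00:00+00:00",
        "text": ("Phishing kit seen hitting finance orgs, C2 at 203.0.113.45 and "
                 "lure domain example-invoice[.]net, payload sha256 " + "a" * 64),
    },
    {
        "source": "twitter:@random_account",
        "published": "2019-09-25T15:00:00+00:00",
        "text": "OMG everyone block 198.51.100.7 right now!!!",
    },
    {
        "source": "rss:vendor-blog",
        "published": "2019-06-01T09:00:00+00:00",
        "text": "Old campaign report: attackers used 192.0.2.10 and evil-example[.]org",
    },
]

# Channels the team validated in advance (assumed allowlist) and keywords that
# describe the organization's own sector, used for the relevance check.
VETTED_SOURCES = {"twitter:@vetted_researcher", "rss:vendor-blog"}
SECTOR_KEYWORDS = {"finance", "banking", "payment"}
# Fixed "now" (the post's publication date) so the timeliness check is deterministic.
NOW = datetime(2019, 9, 26, tzinfo=timezone.utc)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Defanged domains such as example[.]net, the convention researchers use when posting.
DEFANGED_DOMAIN_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\[\.\][A-Za-z0-9-]+)+\b")
SHA256_RE = re.compile(r"\b[A-Fa-f0-9]{64}\b")


def extract_iocs(text: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs found in free text; domains are refanged."""
    iocs = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if ip.is_loopback or ip.is_link_local or ip.is_multicast:
            continue  # obvious noise; a production filter would also drop RFC 1918
        iocs.append(("ipv4", candidate))
    for domain in DEFANGED_DOMAIN_RE.findall(text):
        iocs.append(("domain", domain.replace("[.]", ".").lower()))
    for digest in SHA256_RE.findall(text):
        iocs.append(("sha256", digest.lower()))
    return iocs


def assess(item: dict, now: datetime, vetted: set, keywords: set,
           max_age: timedelta = timedelta(days=7)) -> Dict[str, object]:
    """Score one item against the four qualities: complete, accurate, relevant, timely."""
    text = item["text"]
    iocs = extract_iocs(text)
    published = datetime.fromisoformat(item["published"])
    lowered = text.lower()
    return {
        "iocs": iocs,
        # Complete: at least one indicator plus enough surrounding text for context.
        "complete": bool(iocs) and len(text.split()) >= 5,
        # Accurate: the channel itself was validated before collection started.
        "accurate": item["source"] in vetted,
        # Relevant: the post mentions our sector or mission.
        "relevant": any(k in lowered for k in keywords),
        # Timely: recent enough that a decision can still be acted on.
        "timely": (now - published) <= max_age,
    }


def curate(items: List[dict], now: datetime, vetted: set, keywords: set,
           max_age: timedelta = timedelta(days=7)) -> List[dict]:
    """Normalize qualifying items into flat indicator records ready for a TIP import."""
    records = []
    for item in items:
        q = assess(item, now, vetted, keywords, max_age)
        # Unvetted, incomplete or stale items are dropped rather than pushed downstream;
        # relevance is carried as a field so analysts can prioritize, not as a hard gate.
        if not (q["accurate"] and q["complete"] and q["timely"]):
            continue
        for ioc_type, value in q["iocs"]:
            records.append({"type": ioc_type, "value": value,
                            "source": item["source"],
                            "published": item["published"],
                            "relevant": q["relevant"]})
    return records


if __name__ == "__main__":
    for rec in curate(RAW_ITEMS, NOW, VETTED_SOURCES, SECTOR_KEYWORDS):
        print(rec)
```

<p>Run against the constructed items, only the vetted and recent post survives, yielding three records (an IPv4 address, a refanged domain, and a hash); the unvetted post is complete but fails the accuracy check, and the vendor blog entry fails timeliness. The seven-day window and the five-word completeness floor are placeholders a team would tune to its own decision cycle.</p>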
