March 26, 2024
In an industry prone to going overboard with fear-based marketing, the cyber threat intelligence (CTI) community has a refreshing emphasis on questioning assumptions. CTI teams often deploy a variety of structured analytical techniques to make their assessments as objective as possible. These include developing alternative competing hypotheses (ACH), organizing structured debates within teams, and holding open brainstorming sessions so that analysts keep an open mind.
However, while structured analytical techniques play an important role in CTI, it should also be acknowledged that they are not always appropriate.
For one, they are often too time-intensive.
Gathering a security team together to brainstorm competing hypotheses comes at a clear opportunity cost. The cyber security industry’s chronic skills shortage means that analysts rarely have time for these exercises on a day-to-day basis. For most organizations, structured analytical techniques are a luxury rather than a necessity, reserved for the most important and strategic questions facing the organization. These techniques are perfect for establishing whether a government is secretly hoarding nuclear weapons or whether a new APT campaign is linked to a foreign government. They are less appropriate for unpacking the fifth data breach story of the day.
Likewise, the Internet is never short of conspiracy theories, and many claims about the threat landscape can be dismissed outright. Here, structured analytical techniques are simply inefficient (you probably don’t need an ACH to refute the claim that Kylie Jenner is an agent of the Iranian government).
Many of these analytical techniques were also written decades ago. That they are still referenced is largely to their credit, and highlights the perennial risks posed by phenomena such as groupthink and an analyst’s inherent cognitive biases. Despite their continued relevance, however, much less thought has been given to how these sources of bias manifest today.
Crucially, cyber threat intelligence tradecraft risks a disconnect. While there is a wealth of analytical techniques ideal for solving some of the knottiest questions facing the industry, we are less prepared for understanding and overcoming the day-to-day and emerging sources of bias. This blog seeks to rebalance intelligence tradecraft discussions by highlighting some of the less glamorous, everyday sources of bias that are too often overlooked.
The online cyber security community is a tremendous resource for anyone involved in the industry. Social media provides a platform to share knowledge and is often a source of mentorship for junior analysts. Twitter can act as a great equalizer, giving anyone in the industry the opportunity to learn from some of the leaders in the field. Where else can a junior analyst learn from the likes of Alex Stamos (a former Facebook CISO), Katie Nickels (MITRE ATT&CK threat intelligence lead), and Rob Joyce (a senior National Security Agency figure and former White House cyber advisor)? Social media is also a useful tool for CTI. Analysts can track developments and breaking stories as they occur in real time (often accompanied by commentary from subject-matter experts). Many researchers also share technical indicators with the broader community.
Yet analysts who base their intelligence assessments on the hot takes of the Twitter and LinkedIn thought-leader army play a dangerous game. While many cyber security professionals offer genuine added value through these platforms, there is also plenty of needless drama, hype, and even bigotry. It is also entirely possible for leading experts in the field to be wrong.
During my time as an analyst at Digital Shadows (now ReliaQuest), I have worked with colleagues who follow the InfoSec Twittersphere and colleagues who don’t. Here, I have often found that it is the analysts who aren’t plugged into social media who come up with the most interesting and perceptive assessments. We therefore need to be acutely aware of the slippery groupthink dynamics that these platforms can bring.
Social Media Bias Mitigation Advice:
The constantly changing nature of the threat landscape is one of the things that makes CTI so interesting. Tracking and forecasting emerging threats is an essential component of the job and allows organizations to proactively anticipate and respond to tomorrow’s attacks.
Yet there is also an inbuilt bias in the industry, as public reporting naturally focuses on emerging threats. They are by far the most interesting and make ideal public relations fodder.
Analysts therefore risk placing far too much emphasis on what is new and exciting. For all the concern over AI-powered cyber attacks, deepfake social engineering, and quantum-powered attacks, there is actually very little evidence that these issues pose a substantial threat in practice. Hype can also distort the nature of the threat they do pose. For example, despite all the hype over how deepfakes could be used in elections, the empirical evidence suggests the actual victims of the technology are women targeted by non-consensual pornography.
Source: https://twitter.com/josephfcox/status/1181190087972806656
Unlike James Bond, the villains in cyber security are rarely exotic. While unpatched vulnerabilities, exposed Elasticsearch servers, and routine phishing emails might not offer quite the same pizzazz, they are far more likely to be the source of an organization’s pain. There is therefore a need to reorientate CTI towards practical advice, no matter how repetitive and mundane.
Novelty Bias Mitigation Advice:
There is often a significant difference between the cyber security stories reported in the news and those that represent a threat to organizations. This is understandable, as journalists are not CTI analysts. They report stories of interest to the general public, not to those working in a security operations center.
Similar to the novelty bias outlined above, mainstream news outlets can therefore inject a great deal of noise into public reporting. A recent distributed denial of service (DDoS) attack on the UK’s Labour Party was quickly shrugged off by the security community, but was a story guaranteed to attract eyeballs and clicks from the public during a general election (who doesn’t love a cyber attack election conspiracy, after all?).
CTI analysts must therefore guard against the trap of assuming that cyber attacks that make headline news pose a significant threat.
Yet it is intelligence consumers who are the demographic most likely to fall for headline bias. Almost any CTI analyst will have responded to a request for intelligence after a senior executive read a dubiously reported cyber story during their commute.
Although it is tempting to sneer at questions about the cyber threat posed by killer quantum blockchains, CTI analysts need to act with humility. They should accept that headlines can present a distorted view of the threat landscape and that many of their intelligence consumers will be unfamiliar with cyber security. Educating non-specialists on the threat landscape is therefore an essential component of the job, and an area where analysts can be hugely influential in helping organizations focus on the right problems.
Headline Bias Mitigation Advice:
Governments are now far less shy about calling out malicious cyber activity. Hardly a week goes by without a government indicting hackers or publishing their malware samples. The UK Government has even made naming and shaming cyber perpetrators a central pillar of its broader cyber deterrence strategy.
On the other hand, many of these claims are made with little to no evidence. Public attribution claims are often underpinned by political and economic agendas. CTI analysts should therefore be careful about taking these attribution statements at face value.
Yet the issue presents a difficult balancing act. Claims made without evidence should not be dismissed outright either. Ultimately, analysts should still be able to make judgement calls and extend these claims an element of good faith. Many of the governments making these statements possess some of the most sophisticated signals intelligence agencies in the world, making them some of the meanest kids on the block. If anyone can get away with attributing cyber attacks without providing direct evidence, it is arguably them.
Take My Word For It Mitigation Advice:
Today’s sources of information throw up age-old problems with bias in intelligence. An analyst’s social media following can easily sway them towards groupthink, and it is tempting to blindly trust attribution statements made by recognized authorities. While many of these challenges are certainly new, the structured analytical techniques developed in previous eras cannot solve them alone. Instead, CTI needs to be reorientated towards a better understanding of how the day-to-day sources of information we interact with influence us.