By Phil Buck | Senior Threat Intelligence Analyst at Nettitude
On a 24-hour basis, the Nettitude Security Operations Centre are monitoring our client’s digital environments for potential and current acting threats, in which our trained analyst experts are ready to detect and respond to alerts within a client environment. Through a threat- intelligence led approach, our teams use a number of tools and techniques, from deploying honeytraps, to reverse engineering malware, and monitoring our threat intelligence feeds, these activities are all in the typical day of our SOC team members. However, you may be surprised to hear that we also use social media as a tool to gather intelligence on potential threat actors.
Now that your ears have pricked up, continue reading our latest blog post to find out how social media is used as a viable source of threat intelligence!
What is Social Media Intelligence?
Social Media Intelligence (SOCMINT) refers to the techniques and technologies that allow individuals, companies or governments to monitor social media networking sites, such as Facebook, Twitter and Instagram as well as professional networking sites such as LinkedIn. This can include monitoring of content, such as messages or images posted, and other data, which is generated when someone uses any of the aforementioned sites. This information involves person-to-person, person-to-group, group-to-group, and includes interactions that are both public and private.
In 2018, it was assessed that the average person spent 144 minutes per day on social networking sites, an increase of 62.5% from 2012. Whilst this number is impressive, it does not suggest that users are spending that time each day uploading content to social media. That said, there will be individuals and groups doing just that. It is this information, seemingly trivial to the untrained eye, that is appealing to researchers and analysts alike.
The National Police Chiefs Council (NPCC) stated in 2015 that open source intelligence is
“Publicly available information (i.e., any member of the public could lawfully obtain the information by request or observation). It includes books, newspapers, journals, TV and radio broadcasts, newswires, Internet, and newsgroups, mapping, imagery, photographs, commercial subscription databases and grey literature (conference proceedings and institute reports).”
How is Social Media Intelligence used?
Whilst SOCMINT is generally used to verify information or generate new research leads, there are occasions where it provides a vital piece of information that ultimately leads to a compromise of the clients’ corporate network. One such event took place as part of a recent engagement.
Nettitude researchers will utilise and exploit a variety of intelligence sources during SOCMINT engagements, to include Open Source Intelligence (OSINT), Human Intelligence (HUMINT) and Technical Intelligence (TECHINT), the latter of which focuses on malware samples and logs that a client may provide. During a SOCMINT operation, Nettitude researches several key business functions in order to identify employees that could be targeted in a spear phishing campaign. Human resources, recruitment and sales employees are primary targets, mainly due to their frequent interactions with third parties and members of the public.
Industries with surveillance capabilities
There are two industries creating surveillance capabilities in social media intelligence: the surveillance industry and the marketing industry. Both industries are creating services and capabilities for both public and private sector users.
Several companies exist that provide SOCMINT and OSINT search tools in order to make searching for individuals and companies much easier. Aware Online and Intel Techniques are two such companies that allow pre-built searches to be carried out against information such as usernames, email addresses and documentation. Then there is Datasift, a company that claims to use data from a multitude of social media and other platforms to provide unique insights from human data.
In addition, a project titled ‘Managing ‘Threats’: Uses of Social Media for Policing Domestic Extremism and Disorder in the UK’ divulged that Police SOCMINT capabilities revolved around the use of marketing tools in order to minimise costs. Some of the tools they use are familiar to everyday users, such as Tweetdeck and Hootsuite, with revelation being that some of the tools that they use ‘can do nothing more than Google.’
Is social media surveillance illegal?
The use of social media intelligence can be an intrusion into people’s privacy and therefore must comply with the international principles of legality, necessity, and proportionality. Whilst it is publicly available information, international human rights standards apply, specifically Article 8 of the European Convention on Human Rights, which details the ‘right to respect for private and family life, home and correspondence.’
The European Court on Human Rights has long held that “there is a zone of interaction of a person with others, even in a public context, which may fall within the scope of private life”. For example, commenting on the use of CCTV, the Court concluded that a recording of a public place was not in violation of Article 8 of the Convention as the same scene could be viewed by members of the public in the same physical space. However, “issues may arise once any systemic or permanent record comes into existence of such material from the public domain.”
Social media sites are a fantastic space. They allow people from all over the world to connect, share ideas and post content. What they also do is present a treasure trove of information to researchers. People generate profiles on numerous social media sites, and in doing so, create a larger online presence of themselves. Inevitably, certain sites will fall by the wayside and become less popular, however the content that they have uploaded to those sites remains. This information can then be cross-referenced with current social media profiles in order to create an overview of that individual. A task that makes it easier to cross reference sites is when people use the same profile picture across multiple social media profiles.
Overall, companies that rely on social media intelligence as part of their business models need to develop strong and auditable rules and procedures, including requiring authorisation when conducting social media intelligence and a record of activity, so that those conducting SOCMINT can be held accountable. These are certainly rules and procedures that Nettitude adhere to as part of their Threat Intelligence activities.
For more information on our social media intelligence engagements, please get in touch with your local team.