When it comes to protecting organization’s corporate cybersecurity, there are several fronts. Two of them, however, are particularly important: first, monitoring the human factor, which is often the main trigger for cyberattacks or data leaks. The second is applying intelligence to all processes so that advanced cyberdefense isn’t reactive, but instead is based on proactive actions. José Manuel Díaz-Caneja knows this all too well. His is an expert in intelligence analysis and professor for the Cyberintelligence Master’s program at the Cybersecurity campus of UFV. We spoke to him to find out about the current state of cyberdefense in companies, and the challenges that still lie ahead.

What role does cyberintelligence play in the current cybersecurity landscape?

The term cyberintelligence always shows up when people talk about cybersecurity. Most of the time, it seems to be limited exclusively to technical analysis of cyberthreats, with the aim of using it to improve an organization’s cybersecurity. That is, a reactive concept, totally defensive.

José Manuel Díaz-Caneja
José Manuel Díaz-Caneja

If we were to define cyberintelligence as intelligence developed on the basis of information obtained in cyberspace and which helps an organization’s decision-making and planning processes, we would see how its field of action would become much wider. In this case, the aim would no longer be just to contribute to the defense of an organization; it would also have a more offensive and more proactive component. This would then make it easier to take advantage of the opportunities offered by cyberspace.

Cyberintelligence needs to facilitate the creation of strategic and predictive cyberthreat alerts based on indicators. The aim is to prevent and stop, or at least mitigate, the associated risks.

Internal threats are one of the main risks faced by organizations. What are the most frequent?

At the moment, the most frequent are accidents, such as sending information to the wrong email address, not spotting phishing attacks, or errors caused by misconfigurations in IT systems. However, intentional actions are becoming more frequent, due, in part, to the fact that it is often easier to corrupt an employee than to carry out sophisticated cyberattacks to bring down a system.

An example of this is SIM swapping. Why waste efforts on social engineering attacks when it is easier to compromise the employee in a phone shop in order to copy customers’ private data and make a duplicate of the SIM card? This is also the case when it comes to revealing sensitive company information.

The problem with intentional internal attacks is that organizations are often unaware of how many employees have privileges to access sensitive information.

What measures should organizations implement to prepare themselves to deal with these internal threats? What does business counterintelligence entail exactly?

First of all, the organization must consider several important questions:

  • What does our organization need to protect?
  • What are our competitors/adversaries (or foreign government agencies) trying to discover about us and why?
  • How are they trying to do this? What capabilities do they have? Are they using a technical approach or are they trying to bribe our employees?
  • What can we do, and what are we doing, to reduce their chances of doing it? What legitimate denial and deception tactics could we use to protect our information? What about our patents and R&D ideas?

If an organization is unable to answer the first two questions clearly and precisely, it will be unable to answer the last two. In this case, it would result in the organization adopting inefficient security measures to protect itself.

To avoid this, organizations must apply a counterintelligence approach. To this end, they need to work on three specific areas: recruitment; training and awareness; and monitoring and supervision. A first, fundamental step, is to recruit the right people, whose profiles adjust to the access privileges they are going to have. Secondly, training them and raising their awareness of security issues is key, not only in things like how to identify a cyberattack, but also in detecting suspicious behavior in their workmates who may be acting strangely. This involves implementing the discreetest possible procedures for employees to be able to report any supposedly unusual activity.

Finally, organizations must implement a monitoring and investigation program to act as a deterrent. This, however, shouldn’t focus exclusively on technical aspects; it should also be used to find out as much as possible about people in key positions in the organization. It is important to be aware of the fact that an insider is often not some high-up in the organization, but rather just the opposite. They are people who occupy middle or low level positions and, for different reasons, are unhappy.

We’re used to hearing people talk about intelligence processes with regards to government intelligence. What advantages does it have when applied to any other kind of organization?

The aim of intelligence, in the broadest sense, is to reduce uncertainty and generate knowledge, providing appropriate, relevant, and, where possible, predictive, products. This way, they can provide support in decision making processes and in planning. These are processes that require proactivity and anticipation to stop the organization from getting a nasty surprise.

Intelligence isn’t about getting it right. Rather, it is about reducing the chances of getting it wrong. This should be transversal throughout the whole organization. It is often the case that the only effect it has is to reorganize internal information exchange and decision-making processes. It is also important to highlight the fact that, in order for it to work, it must involve everyone in the organization.

What, in your opinion, are the main threats that companies are facing at the moment?

Paraphrasing what the National Security Strategy 2017 says, espionage is one the main threats for many companies. Its aim is to get hold of competitors’ information that would help the perpetrator to gain market predominance at a lower cost. If we look at companies whose work is on projects linked to national security, we see that espionage activities can reveal strategic capacities linked, for example, to defending or protecting critical infrastructure.

The year is coming to an end. What cybersecurity trends to you think will mark the coming decade?

The use of cyberspace to carry out all kinds of activities is here to stay. This means that the trend in cybersecurity will be to keep advancing developments that allow us to protect individuals and organizations in a more efficient way.

However, there’s no use in building protective walls based exclusively on hardware and software. History shows that all walls either have back doors or can be breached. This is why we need to provide 360º security. Before this can happen, more imaginative technological proposals need to be added, based on deception, which stop or hinder cyberattacks and, above all, improve early detection alert systems.

All of this involves bearing in mind the fact that, behind every computer, be they attacker or defender, is a person whose aim is often to provoke real-world effects.

This is why linking the identification of cyberthreats exclusively to cyberintelligence isn’t realistic. The information we need to be able to attribute a cyberattack cannot be obtained from cyberspace, and we need to get it from other intelligence disciplines.