Prioritizing Threat Actors: 3 Steps to Uncovering and Concentrating on Your Most Significant Risks
Learn how to sift through the noise and focus on the threats likely to significantly impact your organization.
The ever-expanding threat landscape and data scattered across numerous locations present an increasingly daunting task for corporate security teams to discern meaningful signals amid the din. Striking a balance is crucial, as focusing on every threat signal equally is impractical on many levels. As the saying goes, When everything is a priority, nothing is.
But how can you avoid getting lost in the vast sea of unknown threats and confidently determine which pose a legitimate risk to your organization versus those that are unlikely to take shape? Between your team being deeply engrossed in investigative research, and stretched thin from monitoring a continuously growing list of existing Persons of Interest (POIs) and file management, how can you ensure that emerging threats are noticed?
The Growing Challenge of Accurate Prioritization
Threats can surface in many places — by phone, email, or on one of the seemingly endless online forums or social media platforms. The sheer volume of threats combined with the complexity of the landscape has made prioritization incredibly difficult.
As the landscape becomes more convoluted, so does the research to determine where any issue falls on the risk matrix. Scouring through credentialed databases and poring over court records is labor-intensive and costs precious time that teams should be spending reacting to and mitigating potential issues. Yet, creating an effective action plan is only possible with a more complete understanding of the risk.
For example, suppose the security team at a large technology company receives a notification that someone threatened the CEO. The threat, made via a public post on a social media platform, is just one of the hundreds of threatening messages and posts that have surfaced across X, Facebook, Reddit, and more. And while it’s vital to take all threats seriously, they don’t all share the same risk. So, how can the security team determine where this latest threat falls on the priority list?
When it comes to prioritizing threat actors, the best way to streamline the process is by gathering information, conducting a thorough threat assessment, and determining risk.
Gather Information on Persons of Interest (POI)
Considering the current state of the world, making assumptions solely based on a threat is not viable. It’s essential to understand the threat actor. Threat profiles contribute to a more comprehensive understanding of the individual or organization behind the threat, enabling more informed judgment calls. Once you’ve assembled a profile through your investigative research process, it can be easier to assess subsequent threats from the same threat actor.
Some areas to consider when gathering information on a POI include:
While anyone can make a threat, not everyone is capable of acting on it. To assess capability, consider questions like: Does this threat actor have the means, skills, and know-how to achieve their goal of targeting a principal or office? Are they a single individual or an organization? Do they have an engaged audience or associates who could assist them?
A threat’s risk level is influenced by the stimulus driving the actor to conduct it. Evaluating motivation involves asking questions such as: Do they possess an ideological motive for carrying out the threat? Are they affiliated with any extremist groups or movements that endorse their actions? Have they provided specific details — such as individuals, locations, dates, or methods — suggesting the presence of a formulated plan?
Since local threats typically require more attention, it’s essential to understand a threat actor’s proximity. Is the threat actor geographically close to the principal or business location they’re targeting? How difficult might it be for them to travel there? (For example, are they located within a drivable distance or in another country?) Do they have means of transportation?
- Past record
A threat actor’s criminal history, involvement in civil litigations, and other adverse marks on their record can markedly influence the gravity of a risk. This information may indicate the likelihood of someone acting beyond legal or societal norms. Are there any previous offenses or a track record of violent actions and behaviors?
Conduct Threat Assessments
Once you’ve adequately gathered information on your POI, conducting threat assessments can help ground your rationale with research. A threat assessment is a security team’s systematic process of evaluating all criteria gathered within a profile, determining where a threat falls on the threat matrix, and how the threat could impact the targeted principal or organization.
For example, you may discover that, although a threat actor lives in the same metro area as the principal, they have no criminal record or history of violent acts, no known ideological motivations, and a low capability of carrying out a threat. Given this information, you might determine that, while it’s still wise to monitor the individual, it’s unlikely there is any imminent danger.
On the other hand, if the investigative research shows a threat actor was recently fired from their job for violence in the workplace and actively engages with an extremist group that previously targeted members of your company’s C-suite, a security team would rank the threat as a high-priority risk.
After conducting threat assessments, consider a process for classifying threats by contextualizing the risks alongside the people and assets most valuable to your organization. For example, a security team would handle a credible violent threat toward the CEO differently than a POI who became heated over wait times with a customer service representative. While both threats should be acknowledged and mitigated, you likely wouldn’t deploy the same resources in both scenarios.
This process helps you quickly determine when to escalate, engage law enforcement, trigger active threat monitoring, or take other necessary actions to streamline your security response process. This way, you’ll have a protocol to reference when a similar threat emerges.
Bringing it All Together: The Power of Connected Intelligence Via a Centralized Platform
Building profiles, conducting threat assessments, and determining risks are all vital components for helping you find and focus on your most significant threats. However, while having a structured workflow is important, the research required for these efforts can take hours of work. Having all of this performed in one centralized platform allows you to easily look at all of the information you’ve gathered in relation to your assets.
Additionally, you still have to compile investigative findings into useful reports. Too often, security teams rely on a web of disparate systems, including spreadsheets and legacy collaboration tools, for creating reports and sharing data.
Plus, reports must be manually updated each time new information surfaces.
Fortunately, leveraging technology with Connected Intelligence can help strengthen your defenses by streamlining and automating these efforts so you can hone in on the signals that matter most. Think of it this way: If identifying your top-level threats feels like searching for needles in a haystack, then a tool like Ontic Integrated Research is your metal detector. With a highly comprehensive suite of public records and legal case data research, including both real-time and historical data, an investigation that used to take a security team several hours can be reduced to a few minutes.
Using a centralized platform means you can easily log incidents, conduct investigative research, compile reports, track cases, access threat modeling, and monitor threats in real-time, all from one convenient location. By creating comprehensive workflows and leveraging the power of Connected Intelligence in a centralized platform, you can quickly find your riskiest threats and ensure you’re dedicating resources to the right places.