Starting your own threat lab … where to begin?

For the fifth installment in the Threat Analysis and Sharing webinar series, Internews’ E&E Community Manager Mykola Kostynyan hosted a conversation between Artur Papyan (Media Diversity Institute Armenia), Harlo Holmes (Director of Digital Security, Freedom of the Press Foundation), and Vadym Gudyma (Digital Security Lab Ukraine) during which they shared their experiences setting up digital threat analysis labs at their respective organizations.

Key learnings shared during the conversation included:

So, what is a ‘threat lab’?

Threat labs at these organizations conduct forensic analysis on digital attacks that require deeper research after initial triage, before publishing threat reports and sharing Indicators of Compromise on MISP. The threat labs form one component of broader digital security services and support for investigative journalists, anti-corruption activists, and human rights activists that Media Diversity Institute, Freedom of the Press Foundation, and Digital Security Lab offer. Phishing attacks are the most prevalent form of attack they respond to, but they also conduct device forensics and analysis of spyware/stalkerware and other malicious APKs. 

What’s the point?

Deeper analysis can identify who is behind specific attacks against civil society partners. On a broader scale, this analysis enables Media Diversity Institute, Freedom of the Press Foundation, and Digital Security Lab to tailor the support and mitigations they offer to their communities more effectively.

“If you’re familiar with journalist / NGO culture, you know people always dream of being told ‘You’ve been hacked – the big guns are after you!’ But as a journalist I know that the value of words is high – you need evidence.” – Artur Papyan

But what do I need to get started?

You’ll need a few supplies, but not as many as you’d think:

  • A powerful laptop with enough RAM to run a few virtual machines
  • A few internet connections
  • VPNs & VPS
  • External hard drives and network sniffers

What’s really key is personnel and organizational capacity:

  • Some experience in digital security support and training
  • Understanding of internet functionality
  • Time to allocate for analysis of cases and campaigns rather than incident response
  • Friends in the industry to ask for guidance when you hit a wall, or to provide support when you find something that needs a stronger skill-set
  • Patience and empathy to just observe! Often the people we support are overworked and scared – be prepared to just set up a basic camera and watch whatever it is that is going wrong to advance an investigation.

On publicizing your threat lab and soliciting samples from the community

Different organizations take different approaches. For some, incidents and samples come primarily from long-term engagements with local partners. Others have also set up public intake forms and help-request desks, and they take a proactive approach as well, providing trainings and security audits, which often lead to the discovery of incidents that need investigation.

On cooperation with other CERTs and companies

The threat labs all work with the CiviCERT community, sharing Indicators of Compromise on MISP. Some also collaborate with private tech companies and local startups. Collaboration with government CERTs can be challenging, especially as it can set the journalist / human rights community we serve on edge.

How do we stay sustainable?

The ever-elusive question! The most important commodity for starting and sustaining your threat lab is time dedicated to analysis. Too often practitioners are running from incident to incident, and it is very difficult to find the time needed to actually perform analysis.

Check out the detailed notes from the webinar!

Cover image by Thomas Grimer / CC BY 4.0