Josh Lefkowitz, CEO, Flashpoint, explains why large gatherings of people now need to consider cybersecurity strategy as part of the security risk assessment
It’s been 50 years since the iconic gathering at Woodstock that saw half a million people come together. Today the lure of mass-participation events is just as strong, whether they are music festivals, global sporting tournaments — the Rugby World Cup in Japan being the next big competition on the agenda — or popular interest gatherings such as Comic-Con. People simply love to get together to share experiences.
Unfortunately, any event that attracts large audiences also attracts those who want to make an illicit profit, cause disruption, or inflict physical harm. Sometimes this is little more than a minor inconvenience. But often the impacts are more distressing or dangerous, such as financial loss through fraudulent ticket sales, transport network disruptions, cyberattacks or — worse yet — threats to physical safety. The most high-profile events may provoke nation state actors to target critical national infrastructure with the goal of embarrassing the host nation.
This means organisers have to build a strategy to identify, manage, and mitigate the physical and cybersecurity threats that can converge around mass-participation events. It’s essential to take a holistic approach as, ultimately, physical and cyber threats cannot be neatly separated into two distinct threat types. Disruption or scams conceived and planned online can have devastating real-world effects.
Managing the risks around any mass-audience event needs two critical elements working in tandem: 1) a multi-disciplinary security team, and 2) clear visibility across all channels to build intelligence that identifies relevant threats and the risk of them becoming reality.
Building a multi-disciplinary team
The security team should include stakeholders from across the organisation to bring the right intelligence into focus. Trust and transparency between different departments is essential if the team is to function effectively.
As well as the obvious partners like law enforcement, transport authorities and network cybersecurity professionals, this should also include representatives from less immediately obvious stakeholders, such as marketing. Marketing teams promoting the event can provide first-hand information on what is being publicised, where and to whom, what the authorised ticket sales channels are, and what systems are in place to prevent fraud.
Marketing teams also heavily monitor social media for stories and sentiment so, although not directly focused on threat hunting, they could have valuable insight to offer on themes arising around the event. It’s important to remember that risks can emerge not just through malicious attacks, but through incidents like performers/artists making political statements or athletes failing doping tests that suddenly change the dynamic of the occasion.
Cyber threat and social media monitoring teams are essential. Set up well in advance and active throughout the planning and execution phases, the team members need to be experts in the cyberthreat and geo-political landscape, with a strong working knowledge of the groups and actors that could target the event.
Visibility of threat communities and communications
Threat actors use multiple channels, both on the surface and deep & dark web (DDW), to discuss and plan disruption and money-making schemes. It’s important to note, too, that the channels used by bad actors evolve all the time as they work to evade detection. Teams need to be on top of the latest communications networks used. For example, right now we’re seeing encrypted chat services being used to discuss tactics, techniques, and procedures (TTPs) and co-ordinate cyberattacks; monitoring these is therefore critical.
Our analysts always witness a spike in activity around major events, so it is essential for the multi-disciplinary security team to have visibility into all the relevant communities and channels.
To assess the credibility of a possible threat, it may also be necessary to interact in these communities. This isn’t something that every security pro can undertake; it is work for experienced analysts with trusted dark web personas. These may be provided by companies such as Flashpoint, whose intelligence analysts are skilled at monitoring illicit communities and interacting where needed. We can also provide finished intelligence reports correlating threats with evidence to inform management strategies.
Information-sharing and private sector engagement
Many mass-participation events take place on a regular calendar cycle. This can be an advantage for defenders, as they can improve their tactics over time and apply past learnings to future strategies. However, that same regularity means that there is certainty for bad actors around how the event usually plays out, giving them time to probe for vulnerabilities.
Security teams should certainly pay attention to previous incidents and successful tactics, but must build their strategy around the very latest intelligence. Working with information-sharing and analysis centres (ISACs) and private sector specialist intelligence organisations is extremely valuable. These communities shed light on emerging threats and the root causes of cyberattacks, and enable members to share best practices and defensive tactics. The aim of this activity is to ensure that high-quality intelligence flows directly to the security team, with associated analysis that helps to focus resources where they are most needed, both to manage day-to-day risks and to spot major threats.
Global mass-participation events always involve heightened risk, but defenders can get a window into adversaries by developing an intelligence cycle that utilises multiple sources to give them an edge. With such an approach, whether protecting music festivals, or the contest between nations during international sports tournaments, security teams can do their utmost behind the scenes to help ensure the experience is safe and memorable for all the right reasons.