Page 249 - Cyber Defense eMagazine RSAC Special Edition 2025

Identity Risk Intelligence for Disinformation Security

            Identity risk intelligence enables several types of disinformation security measures:

               •  Digital footprint verification: Cybersecurity analysts can investigate a job applicant's claimed
                   identity by leveraging breach and darknet databases. Discrepancies, such as an email address
                   or name appearing in breach data associated with different individuals, or a supposed U.S.-based
                   engineer's records tracing back to foreign IP addresses, should raise concerns. In disinformation
                   security, this helps identify fabricated identities used to spread false information or gain
                   unauthorized access. Digital footprint analysis involves thoroughly examining a user's online
                   presence across platforms to verify their legitimacy. Inconsistencies, or the lack of a genuine
                   online presence, can indicate a synthetic identity.
               •  Proof of life / Synthetic identity detection: Advanced platforms can analyze combinations of
                   Personally Identifiable Information (PII) to determine the likelihood of an identity being genuine
                   versus fabricated. A non-existent social media presence or AI-generated profile photos are
                   indicators of a synthetic persona, although no single signal is conclusive on its own and they
                   are best scored in combination. This is crucial for disinformation security, as threat actors
                   often use AI-generated profiles to create believable fake identities. AI algorithms and machine
                   learning techniques are well suited to detecting these anomalies within large datasets.
                   Behavioral biometrics, which analyzes unique user interaction patterns, can further aid in
                   distinguishing between genuine and synthetic identities.
               •  Continuous identity monitoring: Monitoring activity and credentials can expose anomalies even
                   after an individual is hired. For example, an alert could be generated if a contractor's account
                   appears in a credential dump online. For disinformation security, this allows for the detection
                   of compromised accounts used to spread malicious content or propaganda.
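
            The first and third measures above (cross-referencing a claimed identity against breach records,
            and alerting when a monitored account surfaces in a credential dump) can be expressed as concrete
            checks. The Python below is an added example written for this page, not code from the article or
            from any product it describes. The breach records, the IP-prefix-to-country table, the applicant
            claim and the combo-list lines are all constructed; the severity weights, the fixed "today" date and
            the two-year footprint-age heuristic are assumptions chosen for illustration.

```python
"""Identity-risk checks over a constructed breach corpus and a constructed credential dump."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample "breach corpus": one record per appearance of an email in a
# breach or darknet dump. Stand-in for a real breach database; all values are made up.
BREACH_RECORDS = [
    {"source": "forum-2014", "email": "jdoe@example.com", "name": "Jane Doe",
     "ip": "198.51.100.23", "date": date(2014, 6, 1)},
    {"source": "shop-2019", "email": "jdoe@example.com", "name": "Jane Doe",
     "ip": "203.0.113.9", "date": date(2019, 3, 12)},
    {"source": "game-2021", "email": "JDoe@example.com", "name": "Ivan Petrov",
     "ip": "203.0.113.77", "date": date(2021, 9, 30)},
]
# Constructed prefix-to-country table standing in for a GeoIP feed (documentation
# ranges only; "XX" is a placeholder country code).
GEO_TABLE = {ip_network("198.51.100.0/24"): "US", ip_network("203.0.113.0/24"): "XX"}


@dataclass
class Claim:
    """What the applicant says about themselves."""
    name: str
    email: str
    country: str


@dataclass
class Finding:
    check: str      # which check fired
    severity: str   # "high" | "medium" | "low"
    detail: str


def norm_email(e: str) -> str:
    return e.strip().lower()


def norm_name(n: str) -> str:
    return " ".join(n.split()).lower()


def geolocate(ip: str):
    """Look the address up in the constructed prefix table; None when unknown."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


def footprint_findings(claim: Claim, records, today=date(2025, 4, 1), min_age_years=2):
    """Cross-reference a claimed identity against breach records.

    `today` is fixed and the two-year minimum footprint age is an assumed threshold;
    both are illustration choices, not values from the article.
    """
    findings = []
    email = norm_email(claim.email)
    hits = [r for r in records if norm_email(r["email"]) == email]
    if not hits:
        # Absence is weak evidence on its own, so it only scores "low".
        findings.append(Finding("footprint", "low", "email never seen in breach corpus"))
        return findings

    # 1. Same email registered under a different name: identity reuse or fabrication.
    other_names = sorted({r["name"] for r in hits if norm_name(r["name"]) != norm_name(claim.name)})
    if other_names:
        findings.append(Finding("name_conflict", "high", f"email also registered as {other_names}"))

    # 2. Records that geolocate outside the claimed country (unknown prefixes are ignored).
    foreign = sorted({(r["ip"], cc) for r in hits
                      if (cc := geolocate(r["ip"])) not in (None, claim.country)})
    if foreign:
        findings.append(Finding("geo_conflict", "medium",
                                f"records trace to {foreign}, claim says {claim.country}"))

    # 3. A footprint that only began recently is consistent with a freshly minted persona.
    earliest = min(r["date"] for r in hits)
    if (today - earliest).days < 365 * min_age_years:
        findings.append(Finding("footprint", "low", f"footprint only dates back to {earliest}"))
    return findings


def risk_score(findings) -> int:
    """Assumed severity weights, capped at 100."""
    weights = {"high": 60, "medium": 30, "low": 10}
    return min(100, sum(weights[f.severity] for f in findings))


def credential_dump_alerts(monitored, dump_lines):
    """Continuous monitoring: flag monitored accounts that surface in a combo list.

    Lines look like `email:password`; the secret is split off and never kept.
    """
    watch = {norm_email(m) for m in monitored}
    alerts = []
    for lineno, line in enumerate(dump_lines, 1):
        user, sep, _secret = line.strip().partition(":")
        if not sep:
            continue  # malformed or non-credential line
        user = norm_email(user)
        if user in watch:
            alerts.append({"line": lineno, "account": user})
    return alerts


if __name__ == "__main__":
    applicant = Claim("Jane Doe", "JDoe@example.com ", "US")
    found = footprint_findings(applicant, BREACH_RECORDS)
    for f in found:
        print(f"[{f.severity}] {f.check}: {f.detail}")
    print("risk score:", risk_score(found))
    dump = ["# leaked 2025", "Contractor@Example.com:hunter2", "other@example.com:pw"]  # constructed
    print(credential_dump_alerts(["contractor@example.com"], dump))
```

            Two design points carry over to a real deployment: the "thin footprint" signal is deliberately
            low-severity because absence from breach data is weak evidence, and the dump scanner keeps only the
            account identifier from each line, discarding the secret, since breach and darknet data is PII
            that should be retained no further than the check requires.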

            Sophisticated disinformation campaigns highlight the importance of linking cyber threats to identity risk
            intelligence. Static IOCs cannot reveal that a seemingly "normal" user account belongs to a hostile
            actor, nor that a "normal" user's data is actively being used by a nefarious actor. Identity-centric
            analysis, however, can provide early warnings by meticulously vetting an individual's true identity and
            determining whether their digital persona connects to known threat activity. This is threat attribution
            in action: prioritizing identity signals makes it possible to attribute suspicious activity to the actual
            threat actor. The Lazarus Group, for instance, uses social engineering on platforms like LinkedIn to
            distribute malware and steal credentials, highlighting the need for identity-focused monitoring even on
            professional networks. Similarly, APT29 (Cozy Bear) employs advanced spear-phishing campaigns,
            underscoring the importance of verifying the legitimacy of individuals and their digital footprints.
