Tagged, organized, and free for anyone who wants it, social media posts and data are an underused threat intelligence resource for many enterprise cybersecurity teams.

Just as cybercriminals have found social media platforms useful for gathering information on targets and launching attacks, network defenders should likewise be looking at Twitter and other similar public-facing social media data sources, so called open source intelligence (OSINT), to help inform cyber defenses, according to experts.

“Social media and other digital platforms are invaluable resources for gathering intelligence on external cyber threats, because it is often one of the earliest indicators of trouble brewing,” AJ Nash, vice president of Intelligence at ZeroFox, explains to Dark Reading. “Waiting until a threat materializes to the point where it sets off an alert in your SOC might mean it’s too late to stop it — a truly proactive security posture includes leveraging data from digital platforms to stay ahead of these threats.”

Igal Iytzki with Perception Point himself uses Twitter and Reddit to share threat intelligence and advises cybersecurity teams to utilize social media as part of their overall strategy.

“There is a lot of threat intelligence being posted on public platforms every day that businesses can tap into,” Iytzki explains to Dark Reading. “The infosec community has created an environment where we share our findings openly and freely, understanding the benefits this can have for the community at large, while also taking care to protect valuable data.”

Gathering Social Media Threat Intel

Making social media data useable, as well as accessible, posts are tagged and easily searchable, he adds.

“If you search for a particular IP, domain, malware, exploit, or CVE in the search bar on a social platform, you can easily find related tags or tweets about a particular attack or trend,” Iytzki says. “What businesses need to do is make sure their security teams are taking the time to be part of that community and experimenting with which channels, profiles, and tags are yielding the most relevant and actionable data for them.”

As with any information collected from social media, it’s imperative to check its veracity to be effective, he adds.

Outsourcing Social Media Threat Intel

Of course, the sheer amount of information can be overwhelming. For resource-strapped teams, an external threat intelligence provider can help manage the OSINT collection and verification process, according to Brian Wrozek, principal analyst at Forrester.

“Leveraging their expertise to gather, correlate, enrich, and analyze the data is the best way to utilize OSINT,” Wrozek recommends. “It can be expensive to internally staff threat analyst resources and then gather, store, and process all that data yourself.”

Outsourcing social media threat intelligence gathering can also avoid inundating beleaguered cybersecurity teams with yet another data stream filled with false alerts, Wrozek adds.

“OSINT is a valuable source of information but suffers from false positives if the assets being monitored are common words,” he says. “Be on the lookout for misinformation and stale information. Prioritize providers who not only have advanced algorithms to process all that data but also trained human analysts who can provide that extra level of analysis.”

Whether its outsourced or undertaken by internal enterprise cybersecurity teams, some level of social media threat intelligence gathering is a valuable addition to any organization’s overall security posture, Perception Point’s Iytzki says.

“It seems to me a no-brainer for security teams to leverage social media to get actionable threat intelligence in a way that’s quick, effective, and budget-friendly,” he adds.

This article originally appeared in Dark Reading on June 5, 2023, written by Becky Bracken.