A foundational layer of the I2R (Intelligence to Risk) pyramid features second-order thinking to derive implications. This work is rarely straightforward, and room needs to exist for incorrect prognostication, but caveats aside, second-order thinking is an intelligence analyst’s primary superpower when done well.
The concept of second-order thinking is fairly straightforward in the abstract — when considering event outcomes, try to imagine not only the immediate consequences but also how those consequences will affect future events. Except for the most simple circumstances, however, effective second-order thinking requires considering events from many different perspectives, using several conceptual frameworks, to reach unintuitive conclusions — to see what everyone else misses. Second-order thinking in threat intelligence is best achieved with knowledge of business, geopolitics, and cybersecurity.
Second-order thinking is particularly thorny when considering specific events in the context of cyber and physical convergence. Here are four key second-order implications derived from recent Insikt Group (Recorded Future) research.
1) Physical conflict creates unpredictable cyber risk outcomes for businesses.
2) Adversary motivation informs attack methodology, and recent events blur the line between “criminals”, “hacktivists”, and “state-sponsored employees/contractors”, which muddles second-order implications.
3) In the future, self-declared ideological positions might require publicly traded companies to notify shareholders of associated cyber risks in financial regulatory reporting.
4) Access to broad data sources (whether first-party, third-party, or otherwise) matters for achieving desired intelligence outcomes.
Let's explore each example below.
1) Physical conflict creates cyber risk — Plenty has been reported on actors, like Killnet, conducting cyberattacks in support of Russia’s invasion of Ukraine (which was to be expected). Most of the ineffective activity is likely the work of “hacktivists” — those with an ideological motivation. That’s not to say that financially motivated criminals aren’t also helping the Russian cause. Insikt Group recently released Dark Covenant 2.0, continuing the enumeration of links between the Russian government and the Russian criminal underground.
Much of the Russian cyber effort was relatively predictable once the war began. However, an interesting data point went largely unnoticed. Insikt Group recently reported on Joker DPR’s most significant (alleged) claim that they breached Ukraine’s Delta, a battlefield management system (BMS).
Now, this isn’t any “Joker”. This may be the infamous “JokerStash”, operator(s) of the world’s most prolific online stolen payment cards marketplace, which was shuttered in 2021. Rumor has it (within the criminal underground) that Joker is Ukrainian and was living in Russia. Prior to the start of Russia’s invasion, he moved to Donbass after Russian law enforcement began arresting hackers and fraudsters. Current options may be limited for Joker. He can try to earn immunity from Russian authorities by supporting the war, or help Ukraine and hope that Ukraine recovers Donbass. Thus far, all signs point to Russian support.
Setting aside the question of whether Delta was actually breached, the more important development is that Joker came out of retirement to support Russia. The cryptocurrency billionaire has plenty to lose with increased U.S. law enforcement scrutiny. That support, potentially costly for him, by extension creates new risks for financial services companies that issue payment cards. In a scenario that was largely unpredictable for Western corporations, the Russian invasion triggered the world’s most prolific stolen payment card supplier to exit retirement, which could lead to increased financial fraud impact for Western banks (if he opens a new shop). Even the best forecasters may not have foreseen the impact that Russia’s invasion would have on the global payment card fraud market, driven by a retired Russian criminal (or group of criminals).
2) Adversary motivation informs attack methodology — Next, the Xiaoqiying/Genesis Day threat actor group has been attacking sites in Taiwan and South Korea. This is a group with no apparent links to the Chinese government. Is the group ideologically motivated? Its rhetoric certainly suggests so, but historically these types of ideologically motivated Chinese groups are relatively rare. Criminals and PLA/MSS employees/contractors abound, but as geopolitical tensions increase, this is one group that appears to be proactively attacking perceived adversaries. Would Xiaoqiying function similarly to a KillNet in the event of a Taiwanese invasion?
It’s easy to dismiss Xiaoqiying as another hacktivist collective pursuing website defacements, but the group’s communications reveal a technical depth and sophistication that belie its known accomplishments. Xiaoqiying is a prototypical example of an adversary whose tools and tactics haven’t been prioritized for examination by most enterprises. In the event of physical conflict with Taiwan (or even in a continued escalation of tensions), this is the type of group that may proactively target Western businesses based on their ideological positions and known affiliations.
3) Ideological positions create cyber risk — Speaking of ideological positions, the board of directors at any organization should be thinking about the offensive cyber attention that public announcements, or even internal policies, may attract in the future. As regulatory requirements for publicly traded companies continue to evolve in different geographies, it’s logical to believe that future reporting requirements may include disclosure of ideological positions that may lead to cyberattacks.
In our age of intense, fractured politics and menacing social media exchanges on every economic and social issue, the business impact of a supported position (such as ESG or Ukraine support) will reasonably include cyber targeting. Properly informing shareholders of those positions, along with the probability of incurring cyberattacks (based on historical data), may become part of good governance.
In February 2017, Shopify faced controversy and internal debate over its ideological position when the company decided to continue hosting Breitbart News’ online store. The decision was based on Shopify's commitment to supporting free speech and enabling commerce for a wide range of businesses, even those with differing political views. That’s the type of decision that could have deeper implications for incurring cyberattacks in the future.
4) Data breadth is critical — Finally, the breadth and quality of data sources informing intelligence efforts have never been more important, both for collection and analysis. Watching Xiaoqiying communicate in Mandarin on Telegram and the recent intelligence leaks on Discord are two examples illustrating how broad data access is a fundamental building block for delivering on intelligence requirements.
Specifically, data outside of open sources (satellite imagery, malware metadata, and commercial passive DNS are a few examples) creates improved opportunities for analysis and for deriving second-order impacts. New access to generative AI is increasing the speed of analysis, but broad data availability remains necessary to produce high-quality assessments and, ultimately, better business risk value.
For more on Joker DPR, see this new 2-part report from Natto Thoughts:
Part 1 — Disrupt and Demoralize, Deniably: “Blazing Sun” Anti-Ukrainian Cyber Campaign Exemplifies Russian Military Hacker Group’s Disruption-and-Information-Operations “Playbook”
Part 2 — Disrupt and Demoralize, Deniably, Part 2: Solntsepek Telegram Account Casts Light on Network of “Hacktivist” Assets Contributing to Russian Information Operations
https://nattothoughts.substack.com/p/disrupt-and-demoralize-deniably-part