
How to Keep Major Worldwide Sporting Events on Secure Ground Using Threat Intelligence Reporting

Celine Gajnik | June 10, 2025

As we look at the sporting calendar for 2025 with the UEFA Women’s European Championship in Switzerland and the Tour de France in July, as well as the 2025 Women's Rugby World Cup in the UK starting in August, armchair sportspeople and in-person spectators are spoilt for choice. But aside from the marvel of watching athletes compete to achieve their dreams, the organization (and security) of such events requires meticulous planning, particularly as dates are fixed and immovable. To put this into context, the Olympic Games are one of the most widely covered sporting events in the world, with an audience of more than 4 billion viewers.

But events of this nature also attract the wrong attention, owing to their high profile, meaning bad actors seek ways to disrupt them for ideological reasons or illegal profit. Therefore, both physical and digital security measures require specific and careful consideration. So, how do you go about gathering the right threat intelligence for such large-scale events, and what makes a good threat intelligence report?

This was a key topic under discussion at one of the keynote sessions during our Cyber Rhino Threat Week in December 2024, where Jeremy Couture, Head of the SOC for the Organizing Committee of the Olympics and Paralympics for Paris 2024, was one of our panelists.

Looking at threat intelligence reporting through the lens of a large event

The conversation kicked off by looking at threat intelligence reporting and the expectations surrounding it from a customer and end-user perspective. The panel agreed that the priority, particularly when looking at this through the lens of a large event, is to really understand the threat landscape and what to expect in terms of known threats. It was noted that while there will be some known paths for hackers to exploit, there will also be areas that are unknown.

This analysis includes looking at past Olympic Games to identify who attacked these events and how they did it. Once this analysis has been undertaken, the priority is to determine how the cybersecurity posture and approach might be adapted given this context. This is where arming the team with actionable insights is so important. This includes trying to understand the modus operandi (MO) of the threat actors: who is trying to attack you, do you know their last movements, what facts can you arm the SOC team with to protect against these sorts of attackers?

The temporary nature of such events often means a different mix of security measures may be appropriate compared to a more permanent site. There will be an enormous IT infrastructure required with many different technologies and partners, therefore any threat intelligence platform and reporting tool needs to work with a variety of systems to disseminate and receive information.

Taking a strategic view on intelligence reporting

Once all this information has been gathered, it is then important to take a strategic view to understand how best to operationalize, automate and validate these threats. The panel agreed how important it is to make informed decisions to prioritize alerts and allocate resources in the right places. They also talked about the importance of collaboration and sharing intelligence with relevant communities.

The panel asked about the sort of reports that Jeremy might have requested to understand the threat landscape for Paris 2024. Jeremy advised that the organization for last year’s Olympics was quite specific and, with a relatively small team, the threat intelligence posture within his team had to change to accommodate this event. Jeremy’s team focused on real intelligence, staying laser-focused and strategic in spotting where the genuine threats lay.

Jeremy also had to consider how reporting intelligence could be shared with the Paris 2024 ecosystem. The sheer size of these events and the involvement of hundreds of sponsors and other key stakeholders means that scale is a major consideration, particularly when looking at how to scale threat intelligence across all the various parties.

Pre-defined reports versus custom reports

In terms of how enterprise organization demands have changed around threat intelligence reporting in recent years, there has been a combination of requirements with predefined reports as well as customers wanting to generate their own reports based on insights gathered from their threat intelligence platform. Additionally, organizations are requesting sector and geographic based reports relevant to their own country or industry.

Going back to the Paris 2024 Olympics, these types of events have very tight timeframes. For example, the Olympic Games is only 29 days long, so set-up and take-down is a very intense period where threat actors can take advantage. This means that cybersecurity must adapt to an evolving threat landscape and an information system under construction. Once a threat is detected, there are also reduced time scales to contend with between the threat emerging and the countermeasures being deployed to protect the system. That means that any methods employed to improve the quality and efficacy of threat intelligence reporting, sharing and automation can make a huge difference.

Jeremy talked about the ability to cross-relate incidents and for reporting to be integrated with detection and response, matching external threat intelligence with what his team were seeing on the ground in the SOC. Everything they had been aggregating helped to quickly identify the tactics that needed to be addressed. Fast sharing of intelligence with all parties concerned was key to ensuring that they prevented any incidents. Using the MITRE ATT&CK® framework, Jeremy was able to identify techniques used by the attackers and he could see that 80% were trying to enter using phishing. Therefore, they prioritized deployment of security solutions that would protect identities within the network and stop credentials from being stolen.
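The correlation described above, sketched as an added example that is not from the original post or from the Paris 2024 SOC: it matches observables seen in SOC alerts against an external intel feed tagged with MITRE ATT&CK technique IDs, then ranks techniques by their share of incidents. The feed entries, alerts, incident IDs and function names are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed intel feed: observable -> ATT&CK technique ID reported with it.
INTEL = {
    "login-tickets.example": "T1566.002",   # Phishing: Spearphishing Link
    "invoice-accred.example": "T1566.001",  # Phishing: Spearphishing Attachment
    "198.51.100.23": "T1190",               # Exploit Public-Facing Application
    "203.0.113.77": "T1133",                # External Remote Services
}

# Constructed SOC alerts: (incident ID, observable seen in local telemetry).
ALERTS = [
    ("INC-01", "login-tickets.example"), ("INC-02", "invoice-accred.example"),
    ("INC-03", "login-tickets.example"), ("INC-03", "203.0.113.77"),
    ("INC-04", "198.51.100.23"), ("INC-05", "Invoice-Accred.example."),
    ("INC-06", "192.0.2.10"),  # seen locally, absent from the feed
]

def normalize(observable):
    """Case-fold and drop a trailing dot so feed and telemetry values compare equal."""
    return observable.strip().lower().rstrip(".")

def correlate(alerts, intel):
    """Map each incident to the parent ATT&CK techniques its observables match."""
    feed = {normalize(k): v.split(".")[0] for k, v in intel.items()}
    incidents = defaultdict(set)
    for incident, observable in alerts:
        techniques = incidents[incident]  # registers incidents that match nothing
        technique = feed.get(normalize(observable))
        if technique:
            techniques.add(technique)
    return dict(incidents)

def technique_share(incidents):
    """Share of intel-matched incidents per technique, highest first."""
    matched = [techs for techs in incidents.values() if techs]
    counts = Counter(tech for techs in matched for tech in techs)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(tech, n / len(matched)) for tech, n in ranked]

def intel_gaps(incidents):
    """Incidents with no intel match: left for analyst triage."""
    return sorted(i for i, techs in incidents.items() if not techs)

if __name__ == "__main__":
    found = correlate(ALERTS, INTEL)
    for tech, share in technique_share(found):
        print(f"{tech}: {share:.0%} of matched incidents")
    print("no intel match:", intel_gaps(found))
```

Shares can sum to more than 100% because one incident may match several techniques; incidents with no match are reported separately rather than dropped.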

Continuously monitoring threat exposure management

The panel agreed how important it is to undertake a thorough post-event analysis and assimilate the lessons learned, looking back with a critical eye on what happened. What were the trends? What types of threats did they face? This includes examining the volume of the attacks and incidents dealt with. They also agreed on the importance of looking at continuous models of threat exposure management.

Closing the discussion, Jeremy talked about the changing threat landscape and said that over the next four years, AI will play a role with aspects like deepfakes. The panel concluded by saying how critical threat intelligence reporting is as the threat landscape continuously evolves, and underlined the value of having real-life intelligence to combat any attacks.