The example we'd toyed with was a bit ambitious but it made for a great test case.
Last summer, Amazon was reported by the NY Times as pushing its employees to the point where they'd breakdown at their desk. The story broke on August 15th. We wanted to know if there would be a corresponding action in the underground cyber chatter as a result of the report that broke in the NY Times, and all of the follow-on circular reporting from the other news outlets.
|Figure 1: Amazon's Stock Price compared to Wapack Labs' Cyber Threat Index measures|
Here's what we did. We have approximately four years of back data. Every day we counted the number of times we saw "amazon.com" or any subdomain or IP addresses in our daily queries. We figured if we kept the model simple, anyone could understand it... I don't like complex algorithms --the only people who understand them are the people who write them. I wanted math that anyone could look at quickly and know what it meant.
Wapack Labs watched the intelligence space (dark web, chatter, etc.) during this time, and counted the number of times we saw anything associated with Amazon --and we plotted it on a moving timeline against the stock price in a chart resembling a stock chart. The result? We showed movement in both the cyber threat activity, and movement of the stock price (we recognize that there are many variables that make a company's stock price move, and Amazon's stock takes a lot to market influencers to make it move). There was a spike on August 4th, followed a short period when we lost eyes, and then an increase in underground 'chatter' shortly after as we watched circular reporting by other reporting outlets. The public reaction to the bad press was evidenced by the downward movement in the stock price. The underground activity? Was this targeting of Amazon because of the bad news? Not sure, but our chart clearly shows something.
So the question is, can increased cyber activity in the underground affect a company's stock price? Probably not directly, but what if the chatter that we monitor turns to action? Absolutely. Cyber isn't the only indicator that can be used to help predict stock movement, but certainly it's one that should be considered. And our experiment in identifying a new means of monitoring cyber intelligence as a leading indicator to potential damage to a company in the form of stock price movement, is proving very cool. Amazon's stock is affected by millions of variables, not just cyber, but what about the company who's price isn't as resilient to changes in a singular variable --like cyber activities focused on them?
On November 9th we saw a massive spike in activity as we slide our viewing window to the right. Why? We believe this was a lead-up to Black Friday, when folks were planning, talking about, exchanging tools and credentials that could potentially exploit retailers during the holiday season. Are we sure? No. Intelligence never is, but clearly, there's a massive spike and then a drop-off to nearly zero on the actual day --why? Bad guys need time off too, and they've already planted their tools. Now they simply sit back and collect the loot.
|Figure 2: Amazon - spike in Cyber Threat Index (Intelligence activity) leading up to Black Friday|
|Figure 3: Amazon's Cyber Threat Index on the day of the "Pony" dump of credentials|