
Forecasting Heightened Malicious Cyber Activity with Event Data

By Dr. Andrea Little Limbago, Chief Social Scientist at Endgame


The recent revelation of Russian government hackers infiltrating the DNC’s network and stealing opposition research should not come as a surprise. Nor should the DNS attack on various .gov sites claimed by the Turk Hack Team, which started on July 17 as Turkey responded to the coup. The connection between geopolitics and heightened malicious cyber activity is a global phenomenon. Despite wide global variation in information technology infrastructure, the use of the digital domain as the modus operandi to achieve political, social and economic objectives is universal. INSA’s Strategic Cyber Intelligence White Paper articulates well the necessity of geopolitical insights as part of strategic cyber intelligence. Political and economic conditions, coupled with the more traditional INFOSEC data, inform more dynamic and relevant risk-based, strategic decisions. Nevertheless, many organizations still focus solely on the technical aspects of cyber indicators and warnings (I&W) frameworks and fail to consider how geopolitical events impact their cyber risk – both at home and abroad. There is a wide range of events that can trigger malicious cyber activity – and thus raise an organization’s probability of being targeted. Some key events that should receive additional precautions include elections, sporting events, global summits, disasters, domestic unrest, and demonstrations of geopolitical tension.



Elections

Cyber criminals tampering with elections is not merely a concern in the United States but a global phenomenon, and one that is likely only going to grow as elections become increasingly digitized. For example, prior to elections, the Ukrainian election system was attacked with a virus intended to delete the election results. The Miami-Dade Elections Department in Florida similarly experienced increased malicious activity, but was instead the target of ‘phantom absentee ballot’ requests. The targets extend beyond organizations associated with the election: the hack on the Philippines Commission on Elections exposed the personally identifiable information of 55 million citizens. In Africa, countries as diverse as Ghana, Ethiopia, and the Republic of Congo have started censoring social media during the election season, but in many cases this expanded to blocking mobile money transfer sites as well, affecting both freedom of speech and economic well-being.


Sporting Events

International sporting events from the Olympics to the World Cup tend to see spikes in malicious digital activity. This ranges from an increase in phishing scams for fraudulent tickets or sports packages to more targeted attacks on the financial or government sectors. For instance, the 2014 World Cup in Brazil was a major target, leading to data theft and website jamming. Following the India-Pakistan cricket match in the Asia Cup, a university was hacked after student celebrations of the match. Both the Copa América and UEFA Euro 2016 have been targets of widespread financial scams, especially through adware and fraudulent apps. The Olympics have seen a similar spike, with a rise in phishing attacks and adware linked to the games.


Global Summits

Gatherings of global leaders have always been a prime target for activism and dissent, as well as espionage, so it’s no surprise that this now translates into the digital domain. Almost twenty years ago, over 10,000 coordinated, multinational attacks by protesters of the Cologne G8 summit targeted companies. More recently, the 2014 G20 summit in Brisbane placed the city on heightened security alert, including cybersecurity. As one CERT expert noted, “Where we sit, and what threats are coming through, the G20 is as big as it gets, and everything could be at risk.” Similarly, July’s NATO meeting coincided with disruption of their websites, with many placing the blame on cyberattacks from Russia.



Disasters

Both natural and man-made disasters may instigate a spike in malicious activity of many different forms. Following Hurricane Sandy, there was an increase in phishing scams claiming to assist victims. Criminals similarly exploited the Nepalese earthquake with an onslaught of scams and malware pretending to support victims. The exploitation of catastrophes for financial gain is increasingly common, but it is not the only kind of disaster-driven malicious digital activity. Depending on the country, natural disasters may also prompt government-directed activity to conceal domestic discontent. For instance, in 2014, the Serbian government heightened online censorship in response to public outrage over its handling of the disaster. Nor is this limited to natural disasters: following the 2011 train crash in China, the government tightened censorship controls to quash the very vocal opposition to its handling of the crash. In fact, the anniversary of the crash also triggered a spike in censorship.


Domestic unrest

While the Arab Spring is more well-known for the role social media played in supporting the protests, domestic instability also prompts authoritarian governments to turn entire countries dark. Both Egypt and Libya went completely offline for hours as the instability increased and the governments sought to maintain control. In Syria, the causality between unrest and internet outages is bi-directional. The Assad government employs outages as a form of repression, which is followed by an increase in conflict. In each of these cases, internet outages contribute to state repression, and impact people and organizations throughout the country.

Geopolitical tensions

While domestic unrest has a more widespread impact on anyone within the country, geopolitical tensions tend to produce more targeted, and escalatory, malicious digital activity. For instance, the Syrian Electronic Army has targeted media and social media sites with DDoS and phishing attacks, hitting the New York Times, Twitter, and The Washington Post, among many other organizations. Iran also targets companies for their geopolitical stance, including the attack on the Las Vegas Sands Corporation, whose CEO has been an ardent supporter of Israel. The destructive cyberattacks on the Ukrainian power grid and the German steel mill are also linked to international tensions, and specifically are indicative of Russia’s unimpeded and expansive targeting of Western organizations. As regional tensions rise, so too do tensions in the digital domain. The South China Sea disputes between China, the Philippines and Vietnam continue to prompt an increase in cyberattacks; in this regard, “Whenever you see island-dispute issues flare up you also see cyber activities spike as well.” Finally, a shift in foreign policy linked to these tensions can similarly elevate the occurrence of cyber incidents. Following US sanctions against Russia, there has been a strong spike in targeted activity against US corporations. Iran similarly has been linked to spikes in cyber incidents – ranging from US banks to the NY dam – in response to sanctions.


I&W as More than an IT Framework

Despite geopolitical uncertainty and cyberthreats being a top concern for CEOs (as a recent PwC survey revealed), many still fail to see the interconnected nature of geopolitics and cyber activity. As a result, organizations too often fail to understand why they are targeted or how world events impact the risk calculus of nation-state and non-state adversaries.

This current status quo of treating geopolitics and cyberthreats as two separate issues is a losing strategy that cannot persist. As digital mechanisms are increasingly integrated as a tool of statecraft, their deployment is only going to expand in depth and scope as state and non-state actors use them to achieve their various political, economic, and social objectives. Thus, leaders of public and private organizations must analyze cyber risk as more than an IT issue, by implementing preemptive strategies that integrate the global and domestic landscape into their cyber risk assessments. These strategies should not just focus on targeted attacks on data and infrastructure, but also factor in business disruption caused by more widespread censorship, outages, or DDoS campaigns. At the strategic level, incorporating these event data, and framing them along with the range of malicious actors – such as nation states, criminal organizations, and terrorist groups – and their objectives could be a first step toward a more holistic strategic I&W framework. By linking the events with actors and objectives, decision makers gain greater insight into the timing and potential targets of the range of digital attacks. Political, economic, and social events provide another valuable stream of very visible and intuitive intelligence and must complement any approach to cyber I&W and risk assessments.


Previously posted here:



POTUS gives FBI the Nod to Lead ALL Private Sector Cybercrime Investigations

With the recent hack of the Democratic National Committee (DNC) emails, it is clear that cyber threats pose a significant concern to US political organizations, but which agency out of the “alphabet soup” should be responsible for the investigation? New guidance issued by the Obama Administration puts the Federal Bureau of Investigation (FBI) as the lead agency for cyber threat response. This codifies an already important role the FBI has undertaken for quite some time. The FBI has been the lead agency on cases ranging from ransomware to dark web marketplaces. The FBI arguably has the most resources and experience in cybercrime investigations, which gives them the expertise and know-how to be the lead agency in cyber incident response.





The FBI has not been alone in its efforts to combat cyber threats. The Department of Homeland Security’s US-CERT and Carnegie Mellon University’s CERT have been the cornerstone of computer incident response for over a decade. The US Secret Service and IRS have also played an important role in the investigation of financial crimes committed online, and the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) has the responsibility to combat the illegal sale of firearms online. The common tie amongst all these agencies is the FBI’s long-standing partnership with them, as well as the FBI’s partnerships with the private sector.

The Presidential Directive also gives new responsibilities to DHS and Office of the Director of National Intelligence:

  1. The Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center, shall be the Federal lead agency for asset response activities.
  2. The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, shall be the Federal lead agency for intelligence support and related activities.

The Directive specifically notes the FBI’s lead role due to the possibility of nation-states being involved in cyber incidents, as well as the national security implications these cyber threats pose. As the FBI wears the hat of both criminal investigator and member of the intelligence community, it is uniquely qualified for this leadership role. The importance of the directive is that it gives clear guidance on the “rules of the road,” which is often an issue in federal investigations. As cyber is an emerging realm, it is important for federal agencies to understand who will take the lead in cyber investigations. It is clear there are many capable agencies with long-standing contributions in the area of cyber threat response. The Presidential Directive allows for clearer lines of communication and the ability to efficiently assign leadership and subordinate roles. The next step is to put this directive into action, and this is where the rubber will meet the road in the ever-evolving realm of cyber threats.



Social Media Threats – Part 2: Using CTI to Identify and Neutralize Social Media Threats

Date: 8 July, 2016

Author: Lincoln Kaffenberger


In Part 1, we discussed how social media based threats can impact organizations in ways many do not yet fully appreciate. The reputation and cybersecurity risks exist today and many organizations have little to no detection or prevention capability. In Part 2, we will discuss what organizations should do about this threat and how Cyber Threat Intelligence (CTI) can help identify and neutralize the social media based threats.


CTI has an important role to play here. CTI teams should actively and passively monitor for impersonations, account hijackings, URLs in posts or comments that lead to malware, and reconnaissance activity, as these can be indicators of adversary intent and capabilities. CTI teams should partner with anyone in the organization who works with social media, such as the communications or public affairs departments. Chances are, they are already aware of a number of impersonations and/or threats.


CTI teams need the right people, processes, and technology to effectively monitor social media for threats. CTI analysts responsible for this mission need to understand their organization very well, have a strong ability to understand other languages and cultures so as to grasp the context of statements on social media, and have strong familiarity with the various social media platforms. Outside of the CTI team, there need to be identified stakeholders who support this effort and will take action when notified of a threat. To that end, there need to be established processes for all pertinent threat scenarios. For technology, many companies offer solutions that can continuously scan and monitor social media for various threat scenarios. Any tool that fulfills this mission must be able to handle the massive amount of data available on social media, allow searching and analysis within the tool, store data points for later analysis, share with other analysts, and, ideally, facilitate takedowns of social media accounts or content that are clearly impersonating an organization’s brand and personnel.


What is the minimum?

For CTI, the following are the very minimum things that a CTI section should do regarding social media threats:

  1. Know what your organization’s social media assets are and who owns them. This means doing an assessment early on to know what official social media assets exist that officially represent the organization. It’s important also to know if the communications, marketing, public affairs, or HR departments own these profiles and how they are being secured. Who has access to alter the profile? Who can post content? Who is monitoring traffic? Similarly, the profiles for the organization’s VIPs – the C-suite / Secretary level personnel are very important to track as they are high value targets for impersonations.
  2. Know what other uncontrolled social media assets exist. In addition to the official and high value profiles, the other profiles that either do or could be considered as ‘officially representing the organization’ should also be tracked and monitored by the CTI team as their hijacking or impersonation can cause increased damage since it rarely (if ever) gets official attention.
  3. Establish a baseline for activity to detect account hijacking. What is the average traffic like from and to this profile? What content is normal and what is anomalous? Knowing these are important to quickly identifying a hijacked or impersonated account.
  4. Review (or establish) the appropriate use policy. Many organizations have an appropriate use policy in place that states what is acceptable and unacceptable use on social media. Few however find the right balance between being user-friendly and draconian. CTI can help organizations assess the organization specific threats and likelihood of the potential threat scenarios which help craft sound policy.
  5. Monitor for changes. CTI teams should monitor their social media assets of interest. Monitoring is best done by establishing automated searches and then alerts that result from changes or spikes in activity. It is important for a CTI team to have, at this point, a good list of contacts in the event of a hijacking or impersonation. Additionally, it is important for the CTI team to know how to execute a takedown on all the various social media providers. While all the major providers have an advertised method for requesting a takedown of an imposter account, this process is not always timely or easy. CTI can show real value here if they have contacts within the various social media providers to assist when possible and speed up the process.
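As an added illustration of steps 3 and 5 above (establish a baseline, then alert on changes or spikes), and not code from the original post: a small Python script that builds a behaviour baseline for one monitored account from constructed sample data and flags a posting spike, off-hours activity, links to hosts the account has never used, and profile edits. The account, hosts, posts and profile fields are all invented for the example.

```python
"""Baseline-and-alert checks for one monitored social media account.

Added example, not from the original post. All data below is constructed:
a 14-day baseline of posts from a fictional official account, its profile
snapshot, and one day of new activity that looks like a hijacking.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed baseline: 2-4 posts a day, business hours only, links only to
# the organisation's own host (.test is a reserved TLD, so nothing resolves).
OWN_HOST = "www.example-corp.test"
_BASELINE_START = datetime(2016, 6, 20)
BASELINE_POSTS = [
    {"time": _BASELINE_START + timedelta(days=day, hours=hour),
     "text": "Quarterly update",
     "links": [f"https://{OWN_HOST}/news"]}
    for day in range(14)
    for hour in (9, 12, 16, 18)[: 2 + day % 3]
]
BASELINE_PROFILE = {
    "display_name": "Example Corp",
    "website": f"https://{OWN_HOST}",
    "bio": "Official account of Example Corp.",
}

# Constructed "today": a burst of overnight posts pointing at a look-alike
# host, plus a silent edit of the profile's website field.
TODAY_POSTS = [
    {"time": datetime(2016, 7, 5, hour),
     "text": "Claim your bonus!",
     "links": ["http://login-example-corp.test/bonus"]}
    for hour in (2, 2, 3, 3, 4, 5, 5, 6)
]
TODAY_PROFILE = dict(BASELINE_PROFILE, website="http://login-example-corp.test")

# Constructed quiet day that matches the baseline: should raise no alert.
QUIET_POSTS = [
    {"time": datetime(2016, 7, 6, 9), "text": "Office hours",
     "links": [f"https://{OWN_HOST}/hours"]},
    {"time": datetime(2016, 7, 6, 16), "text": "New blog post",
     "links": [f"https://{OWN_HOST}/blog"]},
]


def build_baseline(posts, profile):
    """Summarise normal behaviour: daily volume, active hours, link hosts, profile."""
    per_day = Counter(p["time"].date() for p in posts)
    counts = list(per_day.values())
    return {
        "mean_per_day": mean(counts),
        "stdev_per_day": pstdev(counts),
        "usual_hours": {p["time"].hour for p in posts},
        "known_hosts": {urlparse(u).hostname for p in posts for u in p["links"]},
        "profile": dict(profile),
    }


def check_activity(baseline, day_posts, profile, sigma=3.0):
    """Return a list of alert strings for one day's posts and the current profile."""
    alerts = []
    # 1. Volume spike: more posts than mean + sigma * stdev of the baseline days.
    threshold = baseline["mean_per_day"] + sigma * baseline["stdev_per_day"]
    if len(day_posts) > threshold:
        alerts.append(f"volume spike: {len(day_posts)} posts, threshold {threshold:.1f}")
    # 2. Activity at hours the account has never posted in.
    off_hours = sorted({p["time"].hour for p in day_posts} - baseline["usual_hours"])
    if off_hours:
        alerts.append(f"posts at unusual hours: {off_hours}")
    # 3. Links to hosts never seen in the baseline (look-alike or phishing domains).
    seen = {urlparse(u).hostname for p in day_posts for u in p["links"]}
    new_hosts = sorted(seen - baseline["known_hosts"])
    if new_hosts:
        alerts.append(f"links to unknown hosts: {new_hosts}")
    # 4. Profile fields that differ from the snapshot taken at baseline time.
    for field, old in baseline["profile"].items():
        new = profile.get(field)
        if new != old:
            alerts.append(f"profile field changed: {field} {old!r} -> {new!r}")
    return alerts


def run_demo():
    """Run the checks on the constructed hijacking day and return the alerts."""
    baseline = build_baseline(BASELINE_POSTS, BASELINE_PROFILE)
    return check_activity(baseline, TODAY_POSTS, TODAY_PROFILE)


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

In practice the baseline would be rebuilt from the platform's API or export on a schedule, and each alert routed to the contacts identified in step 5.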


Social media is a powerful medium for communication but organizations must be aware of the threats and risk inherent in social media to fully take advantage of the communication opportunities.

What are your experiences with CTI and social media threats? Let us know on Twitter and social media with the hashtag #INSAblog.


About the Author: Lincoln works as an information technology professional in the financial sector. He has over a decade of experience helping organizations understand the threats they face and make informed, risk based decisions.

INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.

About the INSA Cyber intelligence task force: The INSA Cyber Intelligence Task Force was created to set the landscape for cyber intelligence by discussing why cyber intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.


Activity Based Intelligence (ABI), Geolocation, and the Cyber Domain

Date: 29 June, 2016
Author: E. R. “Mike” Anders, M.A., CCIP, CCII, CEH, C|HFI
© Copyright, 25 June, 2016, All Rights Reserved

[Figure: Argyle Threat Research (TheBrain: Mind Mapping Software)]

Georegistration and geolocation play a significant role in Activity Based Intelligence (ABI) analyses and investigations. The dictionary defines “Geolocation” as both the process for finding a location and the actual “real-world” geographic location of a computer, a cell-phone, or a satellite, as determined by the process. (Geolocation, 2016) ABI’s Georegistration for discovery includes all categories of georeferenced information and may indeed offer the ABI analyst the best chance of closing the gap between where one is and where one wishes to be with respect to entity resolution and attribution.

Georegistration for discovery is one of the “Four Pillars” of Activity Based Intelligence (ABI). The other three, “Data Neutrality,” “Sequence Neutrality,” and “Integration before Exploitation,” are fully explained in Patrick Biltgen and Stephan Ryan’s book, “Activity Based Intelligence: Principles and Applications,” with Georegistration for discovery being the first to be addressed. (Biltgen & Ryan, 2016) The authors go into some detail in describing first degree, direct/indirect, georeference, and second degree georeference and why they are important in context. Geolocation plays a not-so-insignificant role when countering threats in the cyber domain.

Bad actors and hackers often spoof IP or MAC addresses to cover their activities and mask their whereabouts. Using Tor (The Onion Router) is another method, but even with Tor, one can be tracked using the proper tools, employing the most effective techniques, and accessing expertise based on years of cyber experience. (Amores, 2016) However, relying purely on technical means is often insufficient, and sometimes impossible, when attempting to develop the evidence needed for clear “attribution” to justify offensive cyber operations. (Greenemeier, 2011) The ABI approach improves the odds in the cyber counterintelligence fight by its focus on entity resolution.

Transactions, Activity and Correlations (TAC) make up much of the “stuff” of ABI analysis. TAC is like the water in which ABI analysts swim and like the air they breathe. Solid location data is highly prized in the context of TAC.


[Figure: TAC Relationships (Source: Various)]

Object Based Production (OBP) is a new way of organizing data around objects of interest. (Johnston, 2013) In the context of Object Based Production (OBP), geolocation data is the metadata about objects/entities/proxies of interest. In other words, geolocation data characterize objects in OBP. (Cuddyer, 2016) In a recent conversation, Cyber Security Science Director Shawn Riley reminded me that it is important to remember, “Object-Based Production is the enabler for Activity-Based Intelligence (ABI) and provides the foundation for the correlation of data around objects that then can be observed for activity.” Furthermore, “Object-Based Production also automates analytic pivoting in cyber which is the analytic technique of hypothesis testing.” (Riley, 2016) These two observations, OBP as enabler and automated analysis, are crucial to understanding the profound relationship between and among Geolocation, TAC, ABI, and cyber. One is not additive to the other. They are more than their aggregate. To say they are “. . . more than the sum of their parts” is the wrong analogy. It would be better to speak in “Quantum” terms. When an analytical “critical-mass” is achieved, under ABI analysis conditions, the impact is quantum, continuous, and far reaching in scope. Entities are resolved and “Unknown, Unknowns” discovered to provide further direction for additional collection, processing, and analysis. For geolocation to be of most value, context is a critical consideration. For example, NGA’s Ruth Cuddyer says, “And the location information or analysis that will be useful for foreign policy is also different than what might be useful or relevant for net defenders or law enforcement.” (Cuddyer, 2016) ABI methods and techniques manage and inform understanding and “sense-making” with respect to context through the continuous processing of data related to Transactions, Activity, and Correlations (TAC).

In conclusion, geolocation and georeference for discovery play an important role in countering cyber threats despite the difficulty of capturing data that can lead to reliable entity resolution. The prospect of being able to do so is increasing as advances in “machine-learning” and data mining continue. Research conducted using DARPA sponsored data sets by Illumina Consulting Group (ICG) to process insider threat data is but one recent example. The study proved successful in finding a malicious actor based on analysis of 18 months and 17GB of network data that included “. . . logon/logoff records, emails, HTTP traffic, USB device use records, LDAP data, file transfers, and employee psychometric data.” ICG utilized the TAC concept in correlating abnormal activity analytics with other observations over time using their LUX software platform. (Gourley, 2015) Further research and experimentation is anticipated using additional data sources.

What are your experiences with ABI and Geolocation? Let us know on Twitter and social media with the hashtag #INSAblog.


About the Author: Mr. Anders is a Certified Cyber Intelligence Professional with an Intelligence/Counterintelligence skill-set developed over 30+ years of experience. He is also an award winning broadcast journalist for the 1984 radio series, “The KGB and the Washington Target!” that focused on the Kremlin’s campaign to collect intelligence on High-tech firms in the D.C. area.


Works Referenced or Reviewed

Amores, R. (2016). CEO, Dark Data Services (DDS). (M. Anders, Interviewer)

Biltgen, P., & Ryan, S. (2016). Activity-Based Intelligence (ABI) Principles and Applications. Boston, MA: ARTECH House.

Cuddyer, S. R. (2016, June 9). NGA College Instructor, GEOINT, Email exchange.

Geolocation. (2016). Retrieved from

Gourley, B. (2015, June 19). Illumina Consulting Group (ICG) R&D Case Study Uses Streaming Analytics Platform LUX in Insider Threat Detection. Retrieved from

Greenemeier, L. (2011, June 11). Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers. Retrieved from Scientific American:

Johnston, C. (2013, June 17). (U) Modernizing Defense Intelligence: Object Based Production and Activity Based Intelligence. Retrieved from National Conference Services, Presentations:

Riley, S. P. (2016, June 2). Director of Cyber Security Science at Monsanto. Retrieved from




JMU’s Cyber Intelligence Trends in Education, Training, and Workforce Gaps Workshop

Government, Industry and Academic Approaches to Cyber Intelligence

Author: William Cullin, INSA Cyber Intelligence Task Force Research Intern

At this panel during the JMU Cyber Intel workshop, organized by INSA Cyber Intelligence Task Force member and Associate Professor in the Intelligence Analysis Program Dr. Edna Reid, three representatives from government and industry spoke on cyber intelligence. Dean Checknita, Peter Mitchener, and John Felker gave detailed and grounded explanations of the Cyber Intelligence discipline from their agency’s/company’s perspective. In keeping with the theme of the workshop, the panel discussed the skills required for a new cyber intelligence analyst.

Dean Checknita, Deputy Chief of Staff for Strategy and Plans for the Office of Cyber and Infrastructure Analysis (OCIA), National Protection and Programs Directorate (NPPD) at DHS, spoke about DHS’s unique mission, the need to provide meaningful analysis, and the concept of cyber resiliency. DHS “has a large and rather vague mission”, in essence protecting American cyber space. To accomplish this mission, Checknita argued that you need commonality of effort and an Admiral Rogers-esque “team sport” mentality. He also stressed the importance of ISACs, and the need for the government and the private sector to share information. To accomplish these goals, Mr. Checknita told young analysts that they needed to understand the scope of the cyber problem and be able to provide meaningful analysis to decision makers. This means engaging economic thinking, “death and dollars”, even the concepts of cyber insurance and managing risk. Mr. Checknita wanted the new cyber intelligence analysts to understand some cyber issues but broaden their concepts and understand the totality of the issues facing the public and private sectors.

Peter Mitchener, Acting Assistant Section Chief, Cyber Intelligence Section at the FBI, spoke on the FBI’s view of cyber intelligence and the needs of his agency. Having a dual law enforcement and national security mission, the FBI is in a unique position, and Mr. Mitchener stressed that it is changing its culture and practices for the 21st century. As part of this change, Mr. Mitchener said they are looking for cyber intelligence analysts who have three things: cyber knowledge, intelligence analysis skills, and threat subject matter expertise. In essence, you need more than just cyber skills to be a good cyber analyst, and you need to provide decision makers with the “so-what”. In response to a question from Dr. Reid on what the FBI is looking for in a young cyber analyst, Mr. Mitchener said he would like to see all three skill areas, but will take one or two. The reason being that the government is very committed to teaching young analysts and giving them the additional skill sets they need to become effective cyber intelligence analysts.

John Felker, Director, Cyber Intelligence Strategy at HP, and co-chair of the Cyber Intelligence Task Force at INSA, spoke of the holistic approach to dynamic cyber defense, and cyber intelligence’s role within it. Stressing that there will never be one solution, one piece of software to buy or one silver bullet for the cyber problem, Mr. Felker pointed to cyber intelligence as a way to fill the gap. While Mr. Felker recognized that industry is catching on to the need, he said we still need “translators” who can take the problem from the IT guys and effectively present the problem to the CEOs in the board room. Touching on Mr. Checknita’s point on Cyber Resiliency, Mr. Felker told us we need to be comfortable with the enemy on our networks. We need to assume security breaches and be able to work around it. Mr. Felker tasked the young analysts in the room to watch out for “stupid users” and to create programs and tools to ensure proper use on our own networks. This means coming up with regular, effective and “sticky” ways to ensure your own workforce doesn’t become the cyber security threat. So what makes a good cyber intelligence analyst for the private sector? Someone who understands the cyber threat issues but can see beyond the 1’s and 0’s and frame the issue in terms of the company’s bottom line.

Did you attend the workshop, and have additional comments? What issues concerning cyber intelligence would you like to see discussed at future events?

Remember to subscribe and follow at #cyberintel


Upcoming Cyber Intel Workshop

Discussing the trends in education, training, and workforce gaps

Date: 12 April, 2015

Author: Lincoln Kaffenberger, INSA Cyber Intelligence Task Force Member

Many leaders in government and private industry have identified that there is a shortage of cybersecurity professionals. Yahoo’s CIO Alex Stamos echoed this recently saying, “It is pretty much impossible to hire folks within the indicated backgrounds.” President Obama recognizes the problem and is pushing an initiative to fund cybersecurity training. But what about cyber intelligence?

Cyber intelligence is an up and coming field within cybersecurity. The market for cyber intelligence is still developing, but already private sector companies, cybersecurity companies, and governments are trying to increase their organization’s cyber intelligence capability by getting the right people. But who are the right people? What skills should cyber intelligence professionals possess? What training, education, and background should employers look for when hiring cyber intelligence analysts and managers?

These are the questions that the Workshop on Cyber Intelligence will be addressing at James Madison University (JMU) on April 20th. Organized by the JMU Intelligence Analysis Program, the JMU Office of Research Scholarship, and the JMU Military and Operational Intelligence Organization, this workshop will discuss many of the training, educating, and workforce gap issues that face our nation today and propose solutions.
The workshop objectives are:

  • Discuss the Intelligence and National Security Alliance (INSA) Cyber Intelligence Task Force’s white paper on the status of cyber intelligence (Intel) education, training, and workforce gaps
  • Share experience and insight about education, training, workforce gaps, and curriculum development such as interdisciplinary undergraduate courses, graduate education, certificates, and training programs
  • Identify opportunities for academic collaboration with industry, non-profit organizations, and government (e.g., National Defense University (NDU), MARFORCYBERCOM, FBI Cyber Intel Group, and DHS)
  • Expand outreach to academic, student, business, and government (federal, state, and local) communities about cyber intelligence, an emerging specialty

Cyber intelligence is a critical piece to solving the cybersecurity puzzle that requires well trained and educated professionals. Sign-up for the workshop to see how your organization can answer the cyber intelligence workforce problem.

About the Author: Lincoln Kaffenberger is a cyber intelligence professional who has been helping inform leaders and decision makers reduce risk for the past nine years.



Interview with Darkside: A Glimpse into How Online Black Markets Operate

December 8th, 2014

By: Lincoln Kaffenberger, INSA Cyber Intelligence Task Force Member

The dark web is becoming more mainstream and becoming a more regular topic in the news. But as Clint Kehr discussed recently in his first of a two part series on the Dark Web, few people – to include members of the Intelligence Community – understand how it works. Wired recently interviewed the administrator of a Russian online black market site called RAMP that sells drugs to primarily Russian clients. Here are some of the highlights from the interview:

  • The administrator, who goes by the name Darkside, says that he makes about $250k a year from his online business. This is much more than the average person makes in his city, illustrating cyber crime’s allure.
  • RAMP uses the classic model for Russian dark web business which is decentralized, forum based.
  • RAMP avoids politics as they “attract attention.” This has been one of the downfalls of other dark web market sites.
  • RAMP has survived numerous crackdowns by law enforcement by remaining local, in this case that means inside Russia. Darkside said, “We never mess with the CIA.” And “You can’t rape the whole world and remain safe.” By focusing solely on the local Russian market where Russian authorities are less likely to prosecute cyber criminals, RAMP is able to stay in business.

The important thing to understand about dark web markets is that these are businesses and those who run them want to make money and minimize their exposure to risk. If analysts and policy makers want to disrupt or hinder online black marketer efforts they need to understand that.
What are your experiences? Let us know on Twitter and social media with the hashtag #INSAblog.