cyber intelligence

Activity Based Intelligence (ABI) and the Cyber Domain

By: E. R. “Mike” Anders, M.A., CCIP, CCII, CEH, C|HFI


Argyle Threat Research (TheBrain®: Mind Mapping Software:

Activity-Based Intelligence (ABI) is an analytic methodology—tested by fire and war—in Iraq and Afghanistan.

Faced with the challenge of detecting, tracking and countering violent insurgent threats, particularly improvised explosive device (IED) networks and terrorist cells, intelligence analysts developed a “multi-INT” approach to the collection, processing, analysis, and dissemination of “actionable” intelligence (Long, 2013). Under the most trying of battlefield conditions, the foundations for ABI were laid. Threats from nation-state actors, and non-state actors, in the close context of the cyber arena, were also addressed (Riley, 2015). Technical advances in data processing and analysis has further added to the development of ABI techniques, practices, and recognized tradecraft.

The art and science of ABI is deeply involved in collecting data about transactions and correlating data to human behaviors and activity. ABI is concerned about transactions and activities involving an entity—including a person or an electronic device—, a population, or even some particular area of interest (Phillips, 2012). Activities can range from face-to-face meetings between individuals to the installation of malicious software on a victim’s computer. ABI is a “natural” fit for understanding diverse, complex threats, and malicious activity of covert cell-based organizations. Consequently, ABI tradecraft is well suited to countering the similar and growing cyber threat against computer networks, and systems.

ABI and Cyber is about human action and human interaction with the machine. According to ABI practitioners like Melanie Corcoran, with Analytic Fusions, “At the heart of it is behavior and intent. And also, having the ability to bring all the data in and make it relatable.”  The core concept is built upon “The Four Pillars” of ABI (Meyer, 2015).

Becoming comfortable with “The Four Pillars” of ABI can take some getting used to by intelligence analysts and non-intelligence analysts alike, who may be more familiar with traditional analytical methodologies. A better way might be to think organically instead of architecturally.

4 Pillars_20160509021940 (2)

(Based on “Terms of Reference,” (Military Operations Research Society, 2016)

ABI emphasis on geo-spatial, and temporal analysis may be troubling, perhaps not so much for the general analyst, but more so for the cyber analyst. Understanding Data Neutrality (one of the “Four Pillars”) can be a challenge to some steeped in the sensitive and secretive nature of government data classification requirements. Sequence Neutrality often must be accepted before an individual recognizes the full benefit. And lastly, Integration Before Exploitation can best be grasped by those in the trenches who are closest to the action and to the rapidly changing operational campaigns of persistent cyber threats and well-funded nation-state adversaries.

Clearly, ABI, and how it applies specifically to counter cyber security threats, is beginning to emerge from the shadows with the help of technical research and development—but slowly. Analytical tools like “Artemis” by Dark Data Services—still in development, but tested—are crawling the depths of the so-called “Dark Web” to accelerate the emergence (Amores, 2016). Other advances in super-computing to support “Big Data” analytics are additional drivers. How much, when, and to what extent ABI and cyber continue to converge remains a tantalizing vision of innovation and creativity on the far horizon.

What are your experiences with ABI and Cyber? Let us know on Twitter using @cyberintelblog and #cyberintel .

To contact the author or submit comments please email


Works Cited
Amores, R. (2016). Artemis and the “Dark Web”. (M. Anders, Interviewer)

Corcoran, M. (2016). ABI and Cyber. (M. Anders, Interviewer)

Long, L. A. (2013). ABI: Activity Based Intelligence: Understanding the Unknown. Retrieved from The Intelligencer: Journal of U.S. Intelligence Studies:

Meyer, S. (2015, August 21). Activity Based Intelligence (ABI), Human Domain Analytics. Retrieved from LinkedIn: Pulse:

Military Operations Research Society (MORS). (2016, January 26). Operations Research Methods for Activity Based Intelligence (ABI). Retrieved from A MORS Workshop:

Phillips, M. (2012). A Brief Overview of Activity Based Intelligence and Human Domain Analytics. Retrieved from Trajectory:

Riley, S. (2015, February 11). Insights to Modern Cyber Threat Intelligence. Retrieved February 12, 2015, from




About the Author: Mike Anders is a Certified Cyber Intelligence Professional with an Intelligence/Counterintelligence skill-set developed over 30+ years. Mr. Anders is a member of INSA’s Cyber Intelligence Sub-Council

About INSA: INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.

About the INSA Cyber Intelligence Sub-Council: The INSA Cyber Intelligence Sub-Council was created to set the landscape for cyber intelligence by discussing why cyber intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.


cyber intelligence, cybersecurity

A Brief Overview of the Dark Web – Part 2: The Dark Web Dwellers

A Brief Overview of the Dark Web – Part 2: The Dark Web Dwellers

May 29, 2015

In the last blog article we looked at what the dark web is and why it matters to law enforcement and intelligence professionals. In this installment we will look at the actors and potential adversaries who use the dark web to conduct their business, along with efforts to de-anonymize dark web users. Jamie Bartlett has authored a book titled, The Dark Net, where he conducts in-depth interviews of dark web participants, and even orders cannabis on a dark market site using bitcoin. Bartlett conducts interviews of right-wing extremists, hackers, cypherpunks, pedophiles, porn stars, self-harmers and those dealing with eating disorders. These are the types of actors who inhabit the dark web and Bartlett does an excellent job introducing novices into this world. It is worth reading for anyone interested in how the dark web works and delving into the minds of adversaries (or people on the fringe of society). The main takeaway for law enforcement and intelligence professionals is that the dark web is an area worth targeting.

In this world, it is a cat and mouse game between those who break the law and those who enforce the law. Law enforcement and intelligence agencies must combine traditional and high-tech analytical and collection methodologies. In the case of the downfall of Silk Road 2, it appears from the criminal complaint that law enforcement used an undercover agent to infiltrate the operators of the site. HUMINT has been, and will continue to be, an imperative method of intelligence collection – even in the high-tech world. This is not to discount using technology as a collection platform. Tor has faults, as demonstrated by a professor at Columbia University who discovered more than 81 percent of Tor clients can be de-anonymized. Just as proliferation in an arms race, those who seek anonymity continue to find new ways to mask their internet presence, all while intelligence agencies and law enforcement seek to de-anonymize them. With the holes in Tor, researchers have built a new Tor client called Astoria, which is said to reduce the vulnerability of being de-anonymized down to 5.8 percent. This shows the dark web is here to stay. Those in the intelligence and law enforcement communities must remain cognizant of the latest technology, along with using traditional law enforcement and intelligence techniques to target those who use the dark web to conduct their business.

What are your experiences with Tor and the Dark Web? Let us know on Twitter and social media with the hashtag #INSAblog.

cyber intelligence, cybersecurity

New DoD Cyber Strategy reinforces the importance of Cyber Intelligence

Apr 29th, 2014

By: Lincoln Kaffenberger

U.S. Secretary  of Defense Ashton Carter announced the 2015 DOD Cyber Strategy this past Friday at Stanford University. This is the second DoD Cyber Strategy and it follows a series of recent U.S. government cybersecurity focused events. The Director of National Intelligence James Clapper stated to the House Appropriations Subcommittee on Defense that cyber threats were the most substantial threat to the U.S. – more than terrorism or weapons of mass destruction. On 25 February President Obama announced the formation of the Cyber Threat Intelligence Integration Center. These and the various cyber intelligence sharing bills making their way through Congress all speak to the level of importance the U.S. Federal Government is placing on cybersecurity as well as the growing need for cyber intelligence.

This new strategy sets prioritized strategic goals and objectives for DoD’s cyber activities and missions to achieve over the next five years. It focuses on building capabilities for effective cybersecurity and cyber operations to defend DoD networks, systems, and information; defend the nation against cyberattacks of significant consequence; and support operational and contingency plans. This strategy builds on previous decisions regarding DoD’s Cyber Mission Force and cyber workforce development and provides new and specific guidance to mitigate anticipated risks and capture opportunities to strengthen U.S. national security.

One theme that resonates throughout the new strategy is the vital importance of cyber intelligence to ensure DoD is able to accomplish its strategy. Cyber intelligence will be critical to helping at all echelons – strategic, operational, and tactical. As DoD network defenders protect the confidentiality, integrity, and availability of DoD information on DoD networks and systems they will rely heavily on tactical cyber intelligence. INSA’s paper Operational Levels of Cyber Intelligence describes the tactical level as “the level where an adversary finds a vulnerability and infiltrates a network.” Tactical cyber intelligence informs network defenders in DoD – or any organization with this critical capability – on the details of who, when, where, and how and adversary will attempt to infiltrate the network.

To defend the nation against cyberattacks of significant consequence DoD leaders must utilize strategic cyber intelligence. INSA’s paper Strategic Cyber Intelligence describes its purpose as informing senior leaders’ risk decision making, ultimately leading to improved strategy, policy, architecture, and investment. As senior leaders in the Pentagon try to accomplish their mission of defending the U.S. against significant cyberattacks, they must have timely, accurate strategic cyber intelligence to inform their decisions.

In supporting operational and contingency planning, the DoD will utilize operational cyber intelligence. INSA’s paper on Operational Cyber Intelligence describes the primary purpose of operational cyber intelligence as reducing risk to an organizations critical missions and assets by: defining the operational environment, describing the effects of the operational environment, evaluating the adversary, and describing potential adversary courses of action.

The U.S. DoD is taking significant strides to ensuring success in cyberspace by investing in its people and infrastructure, developing and revitalizing its strategy, building alliances with partner organizations, agencies, and nations, and taking a proactive approach to cybersecurity. Corporations, non-profits, and other organizations would do well to take similar steps in integrating cyber intelligence into their organizations’ cybersecurity plan.


JMU’s Cyber Intelligence Trends in Education, Training, and Workforce Gaps Workshop

Government, Industry and Academic Approaches to Cyber Intelligence

Author: William Cullin, INSA Cyber Intelligence Task Force Research Intern

At this panel during the JMU Cyber Intel workshop, organized by INSA Cyber Intelligence Task Force member and Associate Professor in the Intelligence Analysis Program Dr. Edna Reid, three representatives from government and industry spoke on cyber intelligence. Dean Checknita, Peter Mitchener, and John Felker gave detailed and grounded explanations of the Cyber Intelligence discipline from their agency’s/company’s perspective. In keeping with the theme of the workshop, the panel discussed the skills required for a new cyber intelligence analyst.

Dean Checknita, Deputy Chief of Staff for Strategy and Plans for the Office of Cyber and Infrastructure Analysis (OCIA), National Protection and Programs Directorate (NPPD) at DHS, spoke about DHS’s unique mission, the need to provide meaningful analysis, and the concept of Cyber resiliency. DHS “has a large and rather vague mission”, in essence protecting American cyber space. To accomplish this mission, Checknita argued that you need commonality of effort and an Admiral Rogers-esque “team sport” mentality. He also stressed the importance of ISAC’s, and the need for the government and the private sector to share information. To accomplish these goals, Mr. Checknita told young analysts that they needed to understand the scope of the cyber problem and be able to provide meaningful analysis to decision makers. This means engaing economic thinking, “death and dollars”, even the concepts of Cyber Insurance and managing risk. Mr. Checknita wanted the new cyber intelligence analysts to understand some cyber issues but broaden their concepts and understand the totality of the issues facing the public and private sectors.

Peter Mitchener, Acting Assistant Section Chief, Cyber Intelligence Section at the FBI, spoke on the FBI’s view of Cyber intelligence and the needs of his agency. Having a dual law enforcement and national security mission the FBI is in a unique position and Mr. Mitchener stressed that it is changing its culture and practices for the 21st century. As part of this change, Mr. Mitchener said they are looking for cyber intelligence analysts who have three things: cyber knowledge, intelligence analysis skills, and threat subject matter expertise. In essence, you need more than just cyber skills to be a good cyber analyst, and you need to provide decision makers with the “so-what”. In response to a question for Dr. Reid on what the FBI is looking for in a young cyber analyst, Mr. Mitchener said he would like to see all three skill areas, but will take one or two. The reason being that the government is  very committed to teaching young analysts and giving them the additional skill sets they need to create effective cyber intelligence analysts.

John Felker, Director, Cyber Intelligence Strategy at HP, and co-chair of the Cyber Intelligence Task Force at INSA, spoke of the holistic approach to dynamic cyber defense, and cyber intelligence’s role within it. Stressing that there will never be one solution, one piece of software to buy or one silver bullet for the cyber problem, Mr. Felker pointed to cyber intelligence as a way to fill the gap. While Mr. Felker recognized that industry is catching on to the need, he said we still need “translators” who can take the problem from the IT guys and effectively present the problem to the CEOs in the board room. Touching on Mr. Checknita’s point on Cyber Resiliency, Mr. Felker told us we need to be comfortable with the enemy on our networks. We need to assume security breaches and be able to work around it. Mr. Felker tasked the young analysts in the room to watch out for “stupid users” and to create programs and tools to ensure proper use on our own networks. This means coming up with regular, effective and “sticky” ways to ensure your own workforce doesn’t become the cyber security threat. So what makes a good cyber intelligence analyst for the private sector? Someone who understands the cyber threat issues but can see beyond the 1’s and 0’s and frame the issue in terms of the company’s bottom line.

Did you attend the workshop, and have additional comments? What issues concerning cyber intelligence would you like to see discussed at future events?

Remember to subscribe and follow at #cyberintel


Upcoming Cyber Intel Workshop

Discussing the trends in education, training, and workforce gaps

Date: 12 April, 2015

Author: Lincoln Kaffenberger, INSA Cyber Intelligence Task Force Member

Many leaders in government and private industry have identified that there is a shortage of cybersecurity professionals. Yahoo’s CIO Alex Stamos echoed this recently saying, “It is pretty much impossible to hire folks within the indicated backgrounds.” President Obama recognizes the problem and is pushing an initiative to fund cybersecurity training. But what about cyber intelligence?

Cyber intelligence is an up and coming field within cybersecurity. The market is for cyber intelligence is still developing, but already private sector companies, cybersecurity companies, and governments are trying to increase their organization’s cyber intelligence capability by getting the right people. But who are the right people? What skills should cyber intelligence professionals possess? What training, education, and background should employers look for when hiring cyber intelligence analysts and managers?

These are the questions that the Workshop on Cyber Intelligence will be addressing at James Madison University (JMU) on April 20th. Organized by the JMU Intelligence Analysis Program, the JMU Office of Research Scholarship, and the JMU Military and Operational Intelligence Organization, this workshop will discuss many of the training, educating, and workforce gap issues that face our nation today and propose solutions.
The workshop objectives are:
Discuss Intelligence and National Security Alliance (INSA) Cyber Intelligence Task Force’s white paper on status of cyber intelligence (Intel) education, training, and workforce gaps
Share experience and insight about education, training, workforce gaps, and curriculum development such as interdisciplinary undergraduate courses, graduate education, certificates, and training programs
Identify opportunities for academic collaboration with industry, non-profit organizations, and government (e.g., National Defense University (NDU), MARFORCYBERCOM, FBI Cyber Intel Group, and DHS)
Expand outreach to academic, students, businesses, and government (federal, state, and local) communities about cyber intelligence, an emerging specialty

Cyber intelligence is a critical piece to solving the cybersecurity puzzle that requires well trained and educated professionals. Sign-up for the workshop to see how your organization can answer the cyber intelligence workforce problem.

About the Author: Lincoln Kaffenberger is a cyber intelligence professional who has been helping inform leaders and decision makers reduce risk for the past nine years.

INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.

About the INSA Cyber Intelligence Task Force: The INSA Cyber Intelligence Task Force was created to set the landscape for cyber intelligence by discussing why cyber
intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.


Interview with Darkside: A Glimpse into How Online Black Markets Operate

December 8th, 2014

By: Lincoln Kaffenberger, INSA Cyber Intelligence Task Force Member

The dark web is becoming more mainstream and becoming a more regular topic in the news. But as Clint Kehr discussed recently in his first of a two part series on the Dark Web, few people – to include members of the Intelligence Community – understand how it works. Wired recently interviewed the administrator of a Russian online black market site called RAMP that sells drugs to primarily Russian clients. Here are some of the highlights from the interview:

  •  The administrator, who goes by the name Darkside, says that he makes about $250k a year from his online business. This is much more than the average person makes in his city, illustrating cyber crime’s allure.
  • RAMP uses the classic model for Russian dark web business which is decentralized, forum based.
  • RAMP avoids politics as they “attract attention.” This has been one of the downfalls of other dark web market sites.
  • RAMP has survived numerous crackdowns by law enforcement by remaining local, in this case that means inside Russia. Darkside said, “We never mess with the CIA.” And “You can’t rape the whole world and remain safe.” By focusing solely on the local Russian market where Russian authorities are less likely to prosecute cyber criminals, RAMP is able to stay in business.

The important thing to understand about dark web markets is that these are businesses and those who run them want to make money and minimize their exposure to risk. If analysts and policy makers want to disrupt or hinder online black marketer efforts they need to understand that.
What are your experiences? Let us know on Twitter and social media with the hashtag #INSAblog.


Can a Cyber NCTC Prevent the Next Catastrophic Attack?

Wednesday, November 19, 2014

Bipartisan Policy Center

By: Noel Hardesty, INSA Cyber Intelligence Task Force Research Intern

As cyber threats become increasingly evident in the intelligence community, it becomes apparent that there is a need to approach the issue using both new and existing capabilities. On Wednesday, November 19, the Bipartisan Policy Center structured a discussion around this particular issue, asking whether a cyber version of the National Counterterrorism Center (NCTC) could prevent the next catastrophic cyber-attack. Speaking on the issue were panelist members Michael Chertoff, Matt Olsen, Philip Zelikow, and Siobhan Gorman acting as moderator.

The panelists were asked to indicate elements of success that they believed would make a proposed cyber NCTC effective. While suggestions varied among the panelists, there were some points of agreement; such as the need for a center populated with cyber representatives from major elements in the government, the need to focus on the importance of major agencies having equal participation, and the necessity to establish a cyber infrastructure to monitor and address cyber-attacks. They also argued for a joint workforce of individuals and leadership across multiple agencies that could enable and widen the aperture on various capabilities. Also imperative is the need for authorities that come with legislation to support and protect the clearing house, more cyber visibility within the intelligence community, and the need for international partnership in the cyber realm.

When asked about the palpable trust deficit between the public and the government, Chertoff argued that trust has always been an issue even before the Snowden affair. He states that the perceived issue is a “conceptual challenge based on how data is handled.” Instead of dissuading the public, Chertoff insists on implementing an additional level of permission to inspect collected data. Olsen followed suit and argued that the lack of coordination has negatively affected information sharing in the government and across the domestic and foreign divide.  Zelikow argued that the trust issue is a cycle of “having to earn and re-earn trust” and intelligence organizations will continuously experience the cycle as with other powerful agencies before them.

Information sharing was also a key topic. Panelists discussed the type of information shared during a cyber-attack. Chertoff referred to data analyzing as looking at “a stream of 1s and 0s” that can either be translated or searched to find executable instruction such as malware. Chertoff mentioned that the information being shared is the executable instruction, and not customer data. He points out that misinformation and misunderstanding created an “illusion of sharing personal information [that] alarms customers and shareholders.” He went on to say that “information sharing on the cyber side is essential, but we don’t have it yet.” Zelikow concluded by saying that it is necessary to establish a “neutral non-profit” institution for information sharing and to “reassure the public to say that it’s not about intelligence gathering.”

During the Q&A with the audience, panelists were asked a number of questions based on their earlier responses. One topic centered on the creation of a centralized clearing-house for the sharing of cyber-threat information and the strategic value in releasing certain amount of information. Chertoff used Boston’s Advanced Cybersecurity Center as an example to emulate, specifically to apply the Center’s blend of academics, private sector, and state government resources to enable info sharing across various sectors. Questions also focused on the cyber workforce, with recommendations to include a workforce emulating the aviation industry, but with the idea to establish a national service opportunity for cyber warriors similar to programs such as Cyber Corp or Code for America. A workforce development problem, however, keeps cyber skills in high demand but in short supply. Other points include developing standards and best practices within the private sector.

Closing remarks were particularly important with each panelist discussing their thoughts on applying NCTC’s strategic operation to leverage all elements of national power to deal with the counterterrorism threat and the different mechanisms from the public and private sector that the government should use. Olsen remarked that “[NCTC] holds a plausible model to address cyber,” and stated that a cyber NCTC should work in support of the White House to bring all the organizations together and help organize, coordinate, and synchronize activities across multiple organizations. Zelikow noted that the concept involved here is the effort to try and find more networking ways to manage the day to day operations of a very complex system. Chertoff argued, however, that operation planning is challenging as a single department and would be difficult to set up a similar system with cyber command. Instead, Chertoff recommended having departments submit ideas and have them operate in terms of synchronization. He noted that the line between execution and planning is challenging, but noted that if all the authorities were gathered, it would be possible to coordinate despite not having a single directive authority over the agencies.

Overall, the panel discussion was informative and the panelists did their best to provide insight from their respective subject matter expertise.

What are your experiences? Let us know on Twitter and social media with the hashtag #INSAblog.