
Forecasting Heightened Malicious Cyber Activity with Event Data

By Dr. Andrea Little Limbago, Chief Social Scientist at Endgame

The recent revelation that Russian government hackers infiltrated the DNC’s network and stole opposition research should not come as a surprise. Nor should the DNS attack on various .gov sites claimed by the Turk Hack Team, which began on July 17 as Turkey responded to the coup attempt. The connection between geopolitics and heightened malicious cyber activity is a global phenomenon. Despite wide global variation in information technology infrastructure, use of the digital domain as the modus operandi for achieving political, social and economic objectives is universal. INSA’s Strategic Cyber Intelligence White Paper articulates well why geopolitical insight is a necessary part of strategic cyber intelligence: political and economic conditions, coupled with traditional INFOSEC data, support more dynamic and relevant risk-based strategic decisions. Nevertheless, many organizations still focus solely on the technical aspects of cyber indicators and warnings (I&W) frameworks and fail to consider how geopolitical events affect their cyber risk, both at home and abroad. A wide range of events can trigger malicious cyber activity, and thus raise an organization’s probability of being targeted. Key events that warrant additional precautions include elections, sporting events, global summits, disasters, domestic unrest, and demonstrations of geopolitical tension.

Elections

Malicious tampering with elections is not merely a concern in the United States; it is a global phenomenon, and one likely to grow as elections become increasingly digitized. Prior to elections in Ukraine, for example, the central election system was attacked with malware intended to delete the election results. The Miami-Dade Elections Department in Florida similarly experienced increased malicious activity, in its case a flood of ‘phantom absentee ballot’ requests. The targets extend beyond organizations that run elections: the hack of the Philippines Commission on Elections exposed the personally identifiable information of 55 million citizens. In Africa, countries as diverse as Ghana, Ethiopia, and the Republic of Congo have started censoring social media during election season; in many cases the blocking expanded to mobile money transfer sites, affecting both freedom of speech and economic well-being.

Sporting Events

International sporting events, from the Olympics to the World Cup, tend to see spikes in malicious digital activity. This ranges from an increase in phishing scams offering fraudulent tickets or sports packages to more targeted attacks on the financial or government sectors. For instance, the 2014 World Cup in Brazil was a major target, leading to data theft and website disruption. Following the India-Pakistan cricket match in the Asia Cup, a university was hacked after students celebrated the result. Both the Copa América and UEFA Euro 2016 have been targets of widespread financial scams, especially through adware and fraudulent apps. The Olympics have likewise seen a spike, with a rise in phishing attacks and adware linked to the games.

Global Summits

Gatherings of global leaders have always been prime targets for activism and dissent, as well as espionage, so it is no surprise that this now extends into the digital domain. Almost twenty years ago, activists protesting the Cologne G8 summit launched over 10,000 coordinated attacks on companies from multiple countries. More recently, the 2014 G20 summit in Brisbane placed the city on heightened security alert, including for cybersecurity. As one CERT expert noted, “Where we sit, and what threats are coming through, the G20 is as big as it gets, and everything could be at risk.” Similarly, July’s NATO summit coincided with disruption of NATO’s websites, which many blamed on Russian cyberattacks.

Disasters

Both natural and man-made disasters may instigate a spike in malicious activity of many different forms. Following Hurricane Sandy, there was an increase in phishing scams claiming to assist victims. Criminals similarly exploited the Nepalese earthquake with an onslaught of scams and malware posing as victim relief. Exploiting catastrophes for financial gain is increasingly common, but it is not the only kind of disaster-driven malicious digital activity. Depending on the country, disasters may also prompt government-directed activity to conceal domestic discontent. For instance, after the 2014 floods in Serbia, the government heightened online censorship in response to public outrage over its handling of the disaster. Nor is this limited to natural disasters. Following the 2011 high-speed train crash in China, the government tightened censorship controls to quash the very vocal criticism of its handling of the crash; the anniversary of the crash also triggered a spike in censorship.

Domestic unrest

While the Arab Spring is better known for the role social media played in supporting the protests, domestic instability also prompts authoritarian governments to take entire countries offline. Both Egypt and Libya went completely dark for hours as instability increased and the governments sought to maintain control. In Syria, the causality between unrest and internet outages runs in both directions: the Assad government employs outages as a form of repression, and the outages are followed by an increase in conflict. In each of these cases, internet outages contribute to state repression and affect people and organizations throughout the country.
Geopolitical tensions

While domestic unrest has a more widespread impact on anyone within the country, geopolitical tensions tend to produce more targeted, and escalatory, malicious digital activity. For instance, the Syrian Electronic Army has targeted media and social media companies with DDoS and phishing attacks, including the New York Times, Twitter, and The Washington Post, among many others. Iran also targets companies for their geopolitical stance, as in the attack on the Las Vegas Sands Corporation, whose CEO has been an ardent supporter of Israel. The destructive cyberattacks on the Ukrainian power grid and on a German steel mill are also linked to international tensions; the Ukraine attack in particular is indicative of Russia’s unimpeded and expansive targeting of Western organizations. As regional tensions rise, so too do tensions in the digital domain. The South China Sea disputes between China, the Philippines and Vietnam continue to prompt an increase in cyberattacks. In this regard: “Whenever you see island-dispute issues flare up you also see cyber activities spike as well.” Finally, a shift in foreign policy linked to these tensions can likewise elevate the occurrence of cyber incidents. Following US sanctions against Russia, there has been a strong spike in targeted activity against US corporations. Iran similarly has been linked to spikes in cyber incidents, ranging from attacks on US banks to the intrusion into a New York dam, in response to sanctions.

I&W as More than an IT Framework

Despite geopolitical uncertainty and cyberthreats both being top concerns for CEOs (as a recent PwC survey revealed), many still fail to see the interconnected nature of geopolitics and cyber activity. As a result, organizations too often fail to understand why they are targeted or how world events change the risk calculus of nation-state and non-state adversaries.

The current status quo of treating geopolitics and cyberthreats as two separate issues is a losing strategy that cannot persist. As digital mechanisms are increasingly integrated as tools of statecraft, their deployment will only expand in depth and scope as state and non-state actors use them to achieve their political, economic, and social objectives. Leaders of public and private organizations must therefore analyze cyber risk as more than an IT issue, by implementing preemptive strategies that integrate the global and domestic landscape into their cyber risk assessments. These strategies should not focus only on targeted attacks on data and infrastructure, but also factor in business disruption caused by more widespread censorship, outages, or DDoS campaigns. At the strategic level, incorporating these event data, and framing them alongside the range of malicious actors (nation states, criminal organizations, and terrorist groups) and their objectives, could be a first step toward a more holistic strategic I&W framework. By linking events with actors and objectives, decision makers gain greater insight into the timing and potential targets of the full range of digital attacks. Political, economic, and social events provide another valuable stream of very visible and intuitive intelligence, and must complement any approach to cyber I&W and risk assessment.

Previously posted here: http://thehill.com/blogs/congress-blog/technology/288525-predicting-heightened-malicious-cyber-activity-the-old

INSA Cyber Intel Task Force Launches Cyber Indications and Warnings Project

Date: 28 July 2016

Author: Blake Moore

I am excited to work with Andrea Limbago and other members of the Cyber Intelligence Task Force at INSA on a fledgling research effort looking at cyber threat indications and warning (I&W).

The development of sound strategic warning capabilities in cyberspace is essential to U.S. national security and the security of our allies; I&W plays a significant role in that. Unfortunately, at the present time there is not a comprehensive understanding of how organizations approach I&W in the cyber domain. Through surveys and interviews with practitioners as well as executive leadership, we hope to understand how I&W processes and procedures compare and contrast across government, industry, and academia. By identifying key trends, best practices, and foremost challenges related to I&W, we hope this effort will result in insights that will empower organizations to enhance their cyber strategic warning capabilities and implement more proactive cybersecurity approaches. We will post updates here as the project progresses.

If you would like to learn more about the I&W project and/or want to participate in the survey, please contact us here!

About INSA: INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.

About the INSA Cyber intelligence task force: The INSA Cyber Intelligence Task Force was created to set the landscape for cyber intelligence by discussing why cyber intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.

Activity Based Intelligence (ABI), Geolocation, and the Cyber Domain

Date: 29 June, 2016
Author: E. R. “Mike” Anders, M.A., CCIP, CCII, CEH, C|HFI
© Copyright, 25 June, 2016, All Rights Reserved

Argyle Threat Research (TheBrain: Mind Mapping Software: http://www.thebrain.com)

Georegistration and geolocation play a significant role in Activity Based Intelligence (ABI) analyses and investigations. The dictionary defines “geolocation” as both the process of finding a location and the actual “real-world” geographic location of a computer, a cell phone, or a satellite, as determined by that process (Geolocation, 2016). ABI’s georegistration for discovery covers all categories of georeferenced information and may well offer the ABI analyst the best chance of closing the gap between where one is and where one wishes to be with respect to entity resolution and attribution.

Georegistration for discovery is one of the “Four Pillars” of Activity Based Intelligence (ABI). The other three, “Data Neutrality,” “Sequence Neutrality,” and “Integration before Exploitation,” are fully explained in Patrick Biltgen and Stephan Ryan’s book, Activity Based Intelligence: Principles and Applications, which addresses georegistration for discovery first (Biltgen & Ryan, 2016). The authors describe in some detail first-degree, direct and indirect, and second-degree georeferences and why each matters in context. Geolocation plays a significant role when countering threats in the cyber domain.

Bad actors and hackers often spoof IP or MAC addresses to cover their activities and mask their whereabouts. Two caveats apply for the net defender: a spoofed source IP cannot complete a TCP handshake, so IP spoofing is practical mainly for one-way traffic such as reflected or amplified denial of service, and a MAC address is visible only on the local network segment, so spoofing it hides nothing from a remote observer. Routing through Tor (The Onion Router) is another method, but even with Tor a user can be tracked using the proper tools, the most effective techniques, and expertise built on years of cyber experience (Amores, 2016). However, relying purely on technical means is often insufficient, and sometimes impossible, when attempting to develop the evidence needed for clear attribution that would justify offensive cyber operations (Greenemeier, 2011). The ABI approach improves the odds in the cyber counterintelligence fight through its focus on entity resolution.

Transactions, Activity and Correlations (TAC) make up much of the “stuff” of ABI analysis. TAC is like the water in which ABI analysts swim and like the air they breathe. Solid location data is highly prized in the context of TAC.

TAC Relationships (Source: Various)

Object Based Production (OBP) is a new way of organizing data around objects of interest (Johnston, 2013). In the context of OBP, geolocation data is metadata about the objects, entities, or proxies of interest; in other words, geolocation data characterize objects in OBP (Cuddyer, 2016). In a recent conversation, Cyber Security Science Director Shawn Riley reminded me that “Object-Based Production is the enabler for Activity-Based Intelligence (ABI) and provides the foundation for the correlation of data around objects that then can be observed for activity.” Furthermore, “Object-Based Production also automates analytic pivoting in cyber which is the analytic technique of hypothesis testing” (Riley, 2016). These two observations, OBP as enabler and automated analysis, are crucial to understanding the relationship among geolocation, TAC, ABI, and cyber. The relationship is not additive: once enough correlated data accumulates around an object under ABI analysis, entities are resolved and “unknown unknowns” are discovered, which in turn directs additional collection, processing, and analysis. For geolocation to be of most value, context is a critical consideration. As NGA’s Ruth Cuddyer puts it, “And the location information or analysis that will be useful for foreign policy is also different that what might be useful or relevant for net defenders or law enforcement” (Cuddyer, 2016). ABI methods and techniques manage and inform understanding and “sense-making” with respect to context through the continuous processing of data on Transactions, Activity, and Correlations (TAC).

In conclusion, geolocation and georeference for discovery play an important role in countering cyber threats, despite the difficulty of capturing data that can lead to reliable entity resolution. The prospect of doing so is improving as advances in machine learning and data mining continue. Research by Illumina Consulting Group (ICG) using DARPA-sponsored insider-threat data sets is one recent example. The study succeeded in finding a malicious actor by analyzing 18 months and 17 GB of network data that included “. . . logon/logoff records, emails, HTTP traffic, USB device use records, LDAP data, file transfers, and employee psychometric data.” ICG applied the TAC concept by correlating abnormal-activity analytics with other observations over time using its LUX software platform (Gourley, 2015). Further research and experimentation with additional data sources is anticipated.

What are your experiences with ABI and Geolocation? Let us know on Twitter and social media with the hashtag #INSAblog.

About the Author: Mr. Anders is a Certified Cyber Intelligence Professional with an Intelligence/Counterintelligence skill-set developed over 30+ years of experience. He is also an award winning broadcast journalist for the 1984 radio series, “The KGB and the Washington Target!” that focused on the Kremlin’s campaign to collect intelligence on High-tech firms in the D.C. area.

Works Referenced or Reviewed

Amores, R. (2016). CEO, Dark Data Services (DDS). (M. Anders, Interviewer)

Biltgen, P., & Ryan, S. (2016). Activity-Based Intelligence (ABI) Principles and Applications. Boston, MA: ARTECH House.

Cuddyer, S. R. (2016, June 9). NGA College Instructor, GEOINT, Email exchange.

Geolocation. (2016). Retrieved from Dictionary.com: http://www.dictionary.com/browse/geolocation

Gourley, B. (2015, June 19). Illumina Consulting Group (ICG) R&D Case Study Uses Streaming Analytics Platform LUX in Insider Threat Detection. Retrieved from CTOvision.com: https://ctovision.com/2015/06/illumina-consulting-group-icg-rd-case-study-uses-streaming-analytics-platform-lux-in-insider-threat-detection/

Greenemeier, L. (2011, June 11). Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers. Retrieved from Scientific American: http://www.scientificamerican.com/article/tracking-cyber-hackers/

Johnston, C. (2013, June 17). (U) Modernizing Defense Intelligence: Object Based Production and Activity Based Intelligence. Retrieved from National Conference Services, Presentations: https://www.ncsi.com/diaid/2013/presentations/johnston.pdf

Riley, S. P. (2016, June 2). Director of Cyber Security Science at Monsanto. Retrieved from http://cscss.org/wp-content/uploads/2015/08/CSCSS-Science-of-Security-Developing-Scientific-Foundations-for-the-Operational-Cybersecurity-Ecosystem.pdf

Activity Based Intelligence (ABI), TAC, and the Cyber Domain

Date: 26 May, 2016
Author: E. R. “Mike” Anders, M.A., CCIP, CCII, CEH, C|HFI
© Copyright, 26 May 2016, All Rights Reserved


Argyle Threat Research (TheBrain®: Mind Mapping Software: http://www.thebrain.com/)

Activity-based Intelligence (ABI) analysts are deeply immersed in data, as are other intelligence analysts. For ABI analysts engaged in the cyber fight, Transactions, Activity, and Correlations (TAC) tend to dominate. Former National Geospatial-Intelligence Agency (NGA) Director Letitia Long writes, “Activity-based Intelligence is defined as a discipline of intelligence where the analysis and subsequent collection are focused on the activity and transactions associated with an entity, a population or an area of interest.” Furthermore, she says specifically, “These activities and transactions are not solely tied to geospatial actions, but also apply across the cyber, social, financial and commercial domains” (Long, 2013). For ABI analysts working cyber incidents, TAC has a very purposeful meaning.

When users communicate over the Internet they are engaging in a “transaction” in the classic ABI sense. One can argue that the TCP three-way handshake between two hosts is itself a transaction. The “activity” takes place according to communication protocols, the “rules” of the transaction, and the OSI model’s standardization of communication functions. Communication happens because protocols are followed, transactions are initiated, data flows, and activity is terminated according to the rules, all at machine speed. The ABI analyst’s task is to detect, identify, and sort through these transactions and correlate them to activity in a way that makes sense of it all. The “Four Pillars” of ABI provide the foundation for doing precisely that.
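To make the transaction-to-activity step concrete, here is an added Python example (not code from this post, from Zeek, or from any ABI tool). Each constructed log line is a single transaction in the simplified shape of a Zeek conn record, with the connection state recording how far the TCP handshake got; the script then correlates transactions by source to recognize two activities that no individual record shows: a port scan (many half-open or rejected probes against one host in a short window) and a beacon (completed connections to one destination at a near-constant period). The thresholds are assumptions chosen for the sample data.

```python
"""Transactions -> Activity -> Correlation over connection records.

Added illustration, not code from the post. The log lines are
constructed in the simplified shape of Zeek 'conn' records
(timestamp, source, destination, port, protocol, connection state);
the states follow Zeek's conn_state vocabulary (S0 = SYN seen, no
reply; REJ = SYN rejected; S1 = established, not closed; SF = full
handshake and orderly close).
"""
from collections import defaultdict
from statistics import mean, pstdev

SCAN_MIN_PORTS = 5        # assumed: distinct ports probed before we call it a scan
SCAN_WINDOW_S = 60.0      # assumed: ... within this many seconds
BEACON_MIN_CONNS = 4      # assumed: repeated transactions before testing periodicity
BEACON_MAX_JITTER = 0.10  # assumed: stdev/mean of inter-arrival times


def parse_conn(line):
    """One transaction: 'ts src dst dport proto conn_state'."""
    ts, src, dst, dport, proto, state = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "state": state}


def classify(tx):
    """Label the transaction by how far the TCP handshake got."""
    if tx["proto"] != "tcp":
        return "non-tcp"
    return {"SF": "completed", "S1": "completed",
            "S0": "half-open", "REJ": "rejected"}.get(tx["state"], "other")


def find_scans(txs):
    """Correlate half-open/rejected probes per (src, dst) in a sliding window."""
    probes = defaultdict(list)
    for tx in txs:
        if classify(tx) in ("half-open", "rejected"):
            probes[(tx["src"], tx["dst"])].append(tx)
    scans = []
    for (src, dst), lst in probes.items():
        lst.sort(key=lambda t: t["ts"])
        for i, first in enumerate(lst):
            window = [t for t in lst[i:] if t["ts"] - first["ts"] <= SCAN_WINDOW_S]
            ports = {t["dport"] for t in window}
            if len(ports) >= SCAN_MIN_PORTS:
                scans.append({"activity": "port-scan", "src": src, "dst": dst,
                              "ports": sorted(ports), "start": first["ts"]})
                break
    return scans


def find_beacons(txs):
    """Correlate completed connections per (src, dst, port) and test periodicity."""
    series = defaultdict(list)
    for tx in txs:
        if classify(tx) == "completed":
            series[(tx["src"], tx["dst"], tx["dport"])].append(tx["ts"])
    beacons = []
    for key, times in series.items():
        if len(times) < BEACON_MIN_CONNS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= BEACON_MAX_JITTER:
            beacons.append({"activity": "beacon", "src": key[0], "dst": key[1],
                            "dport": key[2], "period_s": round(m, 1),
                            "count": len(times)})
    return beacons


def analyze(lines):
    txs = [parse_conn(l) for l in lines]
    return find_scans(txs) + find_beacons(txs)


# Constructed sample transactions.
SAMPLE_CONN = [
    # 10.1.1.5 probes six ports on 10.1.1.20 in ten seconds; no handshake completes
    "1000.0 10.1.1.5 10.1.1.20 21 tcp S0",
    "1002.0 10.1.1.5 10.1.1.20 22 tcp S0",
    "1004.0 10.1.1.5 10.1.1.20 23 tcp REJ",
    "1006.0 10.1.1.5 10.1.1.20 25 tcp S0",
    "1008.0 10.1.1.5 10.1.1.20 80 tcp S0",
    "1010.0 10.1.1.5 10.1.1.20 443 tcp REJ",
    # 10.1.1.7 calls out to 203.0.113.9:443 every ~300 s
    "2000.0 10.1.1.7 203.0.113.9 443 tcp SF",
    "2301.0 10.1.1.7 203.0.113.9 443 tcp SF",
    "2599.0 10.1.1.7 203.0.113.9 443 tcp SF",
    "2900.0 10.1.1.7 203.0.113.9 443 tcp SF",
    "3202.0 10.1.1.7 203.0.113.9 443 tcp SF",
    # 10.1.1.8 browses the same site at irregular intervals; not flagged
    "4000.0 10.1.1.8 203.0.113.9 443 tcp SF",
    "4031.0 10.1.1.8 203.0.113.9 443 tcp SF",
    "4400.0 10.1.1.8 203.0.113.9 443 tcp SF",
    "4415.0 10.1.1.8 203.0.113.9 443 tcp SF",
    "5000.0 10.1.1.8 203.0.113.9 443 tcp SF",
    "5000.5 10.1.1.8 203.0.113.9 53 udp SF",
]

if __name__ == "__main__":
    for activity in analyze(SAMPLE_CONN):
        print(activity)
```

Handshake state is what separates the probes from browsing: a scanner’s SYNs never complete, while a beacon’s connections do. In practice the periodicity test needs more samples and tolerance for jitter that malware adds deliberately, and the scan threshold must be tuned to the network’s normal fan-out.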

Analysts trained in the ABI methodology are familiar with the terms “Geo-registration for Discovery,” “Data Neutrality,” “Sequence Neutrality,” and “Integration before Exploitation,” as explained in great detail and with considerable clarity in Patrick Biltgen and Stephan Ryan’s new book, Activity Based Intelligence: Principles and Applications (Biltgen & Ryan, 2016). Transactions, Activity and Correlations are all given ample treatment, more than this blog can address. For the ABI analyst in the cyber arena, the “Four Pillars” open up the space for wider-ranging analysis and offer the prospect of identifying, and even discovering, “unknown unknowns” that may have significant consequences over the course of an investigation or counter-cyber campaign.

Cyberspace is a virtual world that resides within the physical world. NSA Director Adm. Rogers has remarked, “Every single cyber component has a physical geographic position on the face of the Earth.” Dual-hatted as commander of U.S. Cyber Command, Rogers says it is not enough to throw a network schematic down on a conference table; rather, “. . . show me where it is because there are lots of ways to try to understand things” (USGIF, 2015). That is why Rogers has called for a closer relationship between the National Security Agency (NSA) and the National Geospatial-Intelligence Agency (NGA). The “lots of ways” Adm. Rogers suggests is exactly what ABI is about: even for cyber intelligence analysis, it is not just log and security-event analysis, pcap traces, and vulnerability reports. The requirement is all of that and more. Practitioners such as Chandler P. Atwood describe ABI’s multi-INT approach to data as “transformational” in both impact and scope (Atwood, 2015). Since ABI takes a multi-INT, all-source approach to data collection, processing, and interpretation, analysts can build upon all four pillars of ABI to solve CYBINT and counter-CYBINT problems. The interplay of Transactions, Activity, and Correlations forms a mosaic revealing the “who,” the “what,” and the “why” of suspicious computer network activity and malicious cyber campaigns.

At the center of ABI is correlation, particularly with respect to Integration before Exploitation, one of the “Four Pillars” of ABI (Biltgen & Ryan, 2016, pp. 255-256). In fact, Biltgen and Ryan spend an entire chapter on correlation and data fusion. Both art and science are bound up in making the associations, correlations, and relationships from collected data that lead to estimates and assessments in intelligence analysis. Correlation is key to understanding computer network activity as well. Because ABI is all-source and multi-INT, cyber investigators benefit at multiple levels, including but not limited to the physical network layer, the logical network layer, and the cyber-persona layer described in joint doctrine, when it comes to countering targeted threat activity (DoD, 2013).

ABI does not exist in analytical isolation. Object Based Production (OBP) provides a significant enhancement when combined with ABI techniques and methods. According to Charlotte Shabarekh, head of Analytics, Modeling, and Simulation at Aptima, Inc., “In Cyber, OBP is a challenging task due to spoofing or masking of IP addresses. It’s necessary to perform ‘co-reference resolution’ tasks to associate spoofed packets to the correct source address” (Shabarekh, 2016). ABI can provide the context required to accurately perform data association in cyber networks.

In conclusion, Transactions, Activity, and Correlations are the primary drivers of ABI investigations and analysis. That does not, however, exclude other methodologies: whether it is the Diamond Model or the Cyber Kill Chain, an ABI analyst has access to all sources and means to prosecute investigations and threat analysis. Being able to do so is a core concept of Activity Based Intelligence (ABI) in the cyber domain.

What are your experiences with ABI and TAC? Let us know on Twitter and social media with the hashtag #INSAblog.

Works Referenced or Reviewed

Atwood, C. P. (2015, April 1). Activity-Based Intelligence: Revolutionizing Military Intelligence Analysis. Retrieved from Joint Force Quarterly 77: http://ndupress.ndu.edu/Media/News/NewsArticleView/tabid/7849/Article/581866/jfq-77-activity-based-intelligence-revolutionizing-military-intelligence-analys.aspx

Biltgen, P., & Ryan, S. (2016). Activity-Based Intelligence (ABI) Principles and Applications. Boston, MA: ARTECH House.

DoD. (2013). DTIC. Retrieved from Joint Publication 3-12 (R): http://www.dtic.mil/doctrine/new_pubs/jp3_12R.pdf

Long, L. A. (Fall/Winter 2013). Activity Based Intelligence: Understanding the Unknown . The Intelligencer 20, no. 2, 7-15.

Shabarekh, C. (2016, May 26). Director Analytics, Modeling and Simulation Division, Aptima, Inc., http://www.aptima.com, (M. Anders, Interviewer)

USGIF. (2015, June 24). NSA Eyes Closer Ties to NGA. Retrieved from Trajectory: http://trajectorymagazine.com/got-geoint/item/1989-nsa-eyes-closer-ties-with-nga.html

Activity Based Intelligence (ABI) and the Cyber Domain

By: E. R. “Mike” Anders, M.A., CCIP, CCII, CEH, C|HFI


Argyle Threat Research (TheBrain®: Mind Mapping Software: http://www.thebrain.com/)

Activity-Based Intelligence (ABI) is an analytic methodology—tested by fire and war—in Iraq and Afghanistan.

Faced with the challenge of detecting, tracking and countering violent insurgent threats, particularly improvised explosive device (IED) networks and terrorist cells, intelligence analysts developed a “multi-INT” approach to the collection, processing, analysis, and dissemination of “actionable” intelligence (Long, 2013). Under the most trying of battlefield conditions, the foundations for ABI were laid. Threats from nation-state and non-state actors in the closely related cyber arena were also addressed (Riley, 2015). Technical advances in data processing and analysis have further added to the development of ABI techniques, practices, and recognized tradecraft.

The art and science of ABI is deeply involved in collecting data about transactions and correlating that data to human behaviors and activity. ABI is concerned with transactions and activities involving an entity (a person or an electronic device), a population, or even a particular area of interest (Phillips, 2012). Activities can range from face-to-face meetings between individuals to the installation of malicious software on a victim’s computer. ABI is a natural fit for understanding the diverse, complex threats and malicious activity of covert cell-based organizations. Consequently, ABI tradecraft is well suited to countering the similar and growing cyber threat against computer networks and systems.

ABI and Cyber is about human action and human interaction with the machine. According to ABI practitioners like Melanie Corcoran, with Analytic Fusions, “At the heart of it is behavior and intent. And also, having the ability to bring all the data in and make it relatable.”  The core concept is built upon “The Four Pillars” of ABI (Meyer, 2015).

Becoming comfortable with “The Four Pillars” of ABI can take some getting used to by intelligence analysts and non-intelligence analysts alike, who may be more familiar with traditional analytical methodologies. A better way might be to think organically instead of architecturally.

The Four Pillars of ABI (based on “Terms of Reference,” Military Operations Research Society, 2016)

ABI’s emphasis on geospatial and temporal analysis may be troubling, perhaps not so much for the general analyst as for the cyber analyst. Understanding Data Neutrality (one of the “Four Pillars”) can be a challenge for those steeped in the sensitive and secretive nature of government data classification requirements. Sequence Neutrality often must be accepted before an individual recognizes its full benefit. And lastly, Integration Before Exploitation can best be grasped by those in the trenches who are closest to the action and to the rapidly changing operational campaigns of persistent cyber threats and well-funded nation-state adversaries.

Clearly, ABI, and how it applies specifically to counter cyber security threats, is beginning to emerge from the shadows with the help of technical research and development—but slowly. Analytical tools like “Artemis” by Dark Data Services—still in development, but tested—are crawling the depths of the so-called “Dark Web” to accelerate the emergence (Amores, 2016). Other advances in super-computing to support “Big Data” analytics are additional drivers. How much, when, and to what extent ABI and cyber continue to converge remains a tantalizing vision of innovation and creativity on the far horizon.

What are your experiences with ABI and Cyber? Let us know on Twitter using @cyberintelblog and #cyberintel .

To contact the author or submit comments please email cyberthreatintelblog@gmail.com

 

Works Cited
Amores, R. (2016). Artemis and the “Dark Web”. (M. Anders, Interviewer)

Corcoran, M. (2016). ABI and Cyber. (M. Anders, Interviewer)

Long, L. A. (2013). ABI: Activity Based Intelligence: Understanding the Unknown. Retrieved from The Intelligencer: Journal of U.S. Intelligence Studies: http://www.afio.com/publications/LONG_Tish_in_AFIO_INTEL_FALLWINTER2013_Vol20_No2.pdf

Meyer, S. (2015, August 21). Activity Based Intelligence (ABI), Human Domain Analytics. Retrieved from LinkedIn: Pulse: https://www.linkedin.com/pulse/international-awareness-seek-out-professionals-sam-meyer

Military Operations Research Society (MORS). (2016, January 26). Operations Research Methods for Activity Based Intelligence (ABI). Retrieved from A MORS Workshop: http://www.mors.org/Portals/23/Docs/Events/2016/ABI/2016-01-20%20MORS%20ABI%20Workshop%20Terms%20of%20Reference%20rev%206.pdf

Phillips, M. (2012). A Brief Overview of Activity Based Intelligence and Human Domain Analytics. Retrieved from Trajectory: http://www.trajectorymagazine.com/civil/item/1369-human-domain-analytics.html

Riley, S. (2015, February 11). Insights to Modern Cyber Threat Intelligence. Retrieved February 12, 2015, from LinkedIn: https://www.linkedin.com/pulse/insights-modern-cyber-threat-intelligence-shawn-riley

About the Author: Mike Anders is a Certified Cyber Intelligence Professional with an Intelligence/Counterintelligence skill-set developed over 30+ years. Mr. Anders is a member of INSA’s Cyber Intelligence Sub-Council

About the INSA Cyber Intelligence Sub-Council: The INSA Cyber Intelligence Sub-Council was created to set the landscape for cyber intelligence by discussing why cyber intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.

A Brief Overview of the Dark Web – Part 2: The Dark Web Dwellers

May 29, 2015

In the last blog article we looked at what the dark web is and why it matters to law enforcement and intelligence professionals. In this installment we look at the actors and potential adversaries who use the dark web to conduct their business, along with efforts to de-anonymize dark web users. Jamie Bartlett’s book The Dark Net is built on in-depth interviews with dark web participants; he even orders cannabis from a dark market site using bitcoin. Bartlett interviews right-wing extremists, hackers, cypherpunks, pedophiles, porn stars, self-harmers and people dealing with eating disorders. These are the types of actors who inhabit the dark web, and Bartlett does an excellent job of introducing novices to this world. The book is worth reading for anyone interested in how the dark web works and in the minds of adversaries (or people on the fringe of society). The main takeaway for law enforcement and intelligence professionals is that the dark web is an area worth targeting.

In this world, it is a cat-and-mouse game between those who break the law and those who enforce it. Law enforcement and intelligence agencies must combine traditional and high-tech analytical and collection methodologies. In the case of the downfall of Silk Road 2, it appears from the criminal complaint that law enforcement used an undercover agent to infiltrate the operators of the site. HUMINT has been, and will continue to be, an imperative method of intelligence collection, even in the high-tech world. This is not to discount using technology as a collection platform. Tor has faults, as demonstrated by a Columbia University researcher whose traffic-analysis experiments, which relied on NetFlow records rather than on any flaw in Tor’s cryptography, de-anonymized more than 81 percent of the Tor clients tested. As in an arms race, those who seek anonymity continue to find new ways to mask their internet presence, while intelligence agencies and law enforcement seek to de-anonymize them. In response to such weaknesses, researchers have built a new Tor client called Astoria, whose relay selection is said to reduce the share of circuits vulnerable to de-anonymization by a network-level adversary to 5.8 percent. This arms race shows that the dark web is here to stay. Those in the intelligence and law enforcement communities must remain cognizant of the latest technology, along with using traditional law enforcement and intelligence techniques, to target those who use the dark web to conduct their business.

What are your experiences with Tor and the Dark Web? Let us know on Twitter and social media with the hashtag #INSAblog.