Social Media Threats – Part 2: Using CTI to Identify and Neutralize Social Media Threats

Date: 8 July, 2016

Author: Lincoln Kaffenberger


Picture Attribution: http://www.computerweekly.com

In Part 1, we discussed how social media based threats can impact organizations in ways many do not yet fully appreciate. The reputation and cybersecurity risks exist today and many organizations have little to no detection or prevention capability. In Part 2, we will discuss what organizations should do about this threat and how Cyber Threat Intelligence (CTI) can help identify and neutralize the social media based threats.


CTI has an important role to play here. CTI teams should actively and passively monitor for impersonations, account hijackings, URLs in posts or comments that lead to malware, and reconnaissance activity, as these can be indicators of adversary intent and capabilities. CTI teams should partner with anyone in the organization who works with social media, such as the communications or public affairs departments. Chances are, they are already aware of a number of impersonations and/or threats.


CTI teams need the right people, processes, and technology to effectively monitor social media for threats. CTI analysts responsible for this mission need to understand their organization very well, have a strong ability to understand other languages and cultures so they can interpret the context of statements on social media, and have strong familiarity with the various social media platforms. Outside of the CTI team, there need to be identified stakeholders who support this effort and will take action when notified of a threat. To that end, there need to be established processes for all pertinent threat scenarios. For technology, many companies offer solutions that continuously scan and monitor social media for various threat scenarios. Any tool that fulfills this mission must be able to handle the massive amount of data available on social media, support search and analysis within the tool, store data points for later analysis, share with other analysts, and, ideally, facilitate takedowns of social media sites or content that are clearly impersonating an organization’s brand and personnel.


What is the minimum?

For CTI, the following are the minimum things a CTI section should do regarding social media threats:

  1. Know what your organization’s social media assets are and who owns them. This means doing an assessment early on to know what official social media assets exist that officially represent the organization. It is also important to know whether the communications, marketing, public affairs, or HR departments own these profiles and how they are being secured. Who has access to alter the profile? Who can post content? Who is monitoring traffic? Similarly, the profiles of the organization’s VIPs – the C-suite / Secretary-level personnel – are very important to track, as they are high-value targets for impersonation.
  2. Know what other uncontrolled social media assets exist. In addition to the official and high-value profiles, the other profiles that either do or could be considered as ‘officially representing the organization’ should also be tracked and monitored by the CTI team, as their hijacking or impersonation can cause increased damage since it rarely (if ever) gets official attention.
  3. Establish a baseline for activity to detect account hijacking. What is the average traffic like from and to this profile? What content is normal and what is anomalous? Knowing these is important to quickly identifying a hijacked or impersonated account.
  4. Review (or establish) the appropriate use policy. Many organizations have an appropriate use policy in place that states what is acceptable and unacceptable use on social media. Few, however, find the right balance between being user-friendly and being draconian. CTI can help organizations assess the organization-specific threats and the likelihood of the potential threat scenarios, which helps craft sound policy.
  5. Monitor for changes. CTI teams should monitor their social media assets of interest. Monitoring is best done by establishing automated searches and then alerts that result from changes or spikes in activity. It is important for a CTI team to, at this point, have a good list of contacts in the event of a hijacking or impersonation. Additionally, it is important for the CTI team to know how to execute a takedown on all the various social media providers. While all the major providers have an advertised method for requesting a takedown of an imposter account, this process is not always timely or easy. CTI can show real value here if it has contacts within the various social media providers to assist when possible and speed up the process.
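The checklist above describes steps 1, 3 and 5 (an inventory of official profiles and their owners, an activity baseline per profile, and automated alerts on changes or spikes) without showing what such a monitor looks like. The following is an added example, not code from the original post or from any vendor tool; it uses a constructed inventory and constructed daily post counts, and the profile fields (display_name, bio_link, posts_today) are assumptions standing in for whatever a given provider exposes. It builds a mean/standard-deviation baseline from the history, treats anything above mean + 3σ (with a floor so that quiet accounts do not alert on a single post) as a spike, and diffs a fresh profile snapshot against the registered record so that a changed bio link or display name is routed to the internal owner.

```python
"""Minimal social media asset monitor (added example; all data constructed)."""
from statistics import mean, pstdev

# Step 1: inventory of official profiles, their internal owner, and the
# attributes expected to stay fixed. Handles and values are constructed.
INVENTORY = {
    "@example_corp": {
        "owner": "communications",
        "display_name": "Example Corp",
        "bio_link": "https://www.example.com",
    },
    "@example_ceo": {
        "owner": "executive-office",
        "display_name": "Jane Doe, CEO of Example Corp",
        "bio_link": "https://www.example.com/leadership",
    },
}

# Step 3: constructed history of posts per day over the last 14 days.
HISTORY = {
    "@example_corp": [2, 3, 2, 4, 3, 2, 3, 2, 1, 3, 2, 4, 3, 2],
    "@example_ceo": [0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0],
}

WATCHED_ATTRS = ("display_name", "bio_link")


def activity_baseline(counts, min_days=14):
    """Return (mean, population stdev) of daily post counts.

    Refuses to produce a baseline from too little history, since a thin
    baseline makes the spike test meaningless.
    """
    if len(counts) < min_days:
        raise ValueError(f"need at least {min_days} days of history, got {len(counts)}")
    return mean(counts), pstdev(counts)


def is_spike(today_count, baseline, z=3.0, floor=5):
    """True if today's count exceeds mean + z*sigma, never below an absolute floor.

    The floor keeps a near-silent account (sigma close to 0) from alerting on
    one or two legitimate posts; tune z and floor per profile.
    """
    mu, sigma = baseline
    threshold = max(mu + z * sigma, floor)
    return today_count > threshold


def profile_changes(expected, observed):
    """Diff the registered record against a fresh snapshot of watched attributes."""
    return {
        attr: (expected.get(attr), observed.get(attr))
        for attr in WATCHED_ATTRS
        if expected.get(attr) != observed.get(attr)
    }


def evaluate(handle, observed):
    """Step 5: produce alerts for one profile from a snapshot.

    observed is {'display_name': str, 'bio_link': str, 'posts_today': int}.
    Each alert carries the owner so it can be routed to the right contact.
    """
    expected = INVENTORY[handle]  # unknown handle -> KeyError: not an asset we track
    alerts = []
    changes = profile_changes(expected, observed)
    if changes:
        alerts.append({"handle": handle, "owner": expected["owner"],
                       "kind": "profile_change", "detail": changes})
    if is_spike(observed["posts_today"], activity_baseline(HISTORY[handle])):
        alerts.append({"handle": handle, "owner": expected["owner"],
                       "kind": "activity_spike", "detail": observed["posts_today"]})
    return alerts


if __name__ == "__main__":
    # Constructed snapshot: the corporate account's bio link now points elsewhere
    # and it has posted 40 times today; the CEO account is unchanged.
    snapshots = {
        "@example_corp": {"display_name": "Example Corp",
                          "bio_link": "http://example-login.test", "posts_today": 40},
        "@example_ceo": {"display_name": "Jane Doe, CEO of Example Corp",
                         "bio_link": "https://www.example.com/leadership", "posts_today": 1},
    }
    for handle, snap in snapshots.items():
        for alert in evaluate(handle, snap):
            print(f"ALERT {alert['kind']} on {alert['handle']} -> notify {alert['owner']}: {alert['detail']}")
```

In practice the history would come from a scheduled pull of each provider's API and the alert would go to the contact list the post recommends keeping; the thresholds here are deliberately simple so that the logic stays inspectable.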


Social media is a powerful medium for communication, but organizations must be aware of the threats and risks inherent in social media to take full advantage of the communication opportunities.

What are your experiences with CTI and social media threats? Let us know on Twitter and social media with the hashtag #INSAblog.


About the Author: Lincoln works as an information technology professional in the financial sector. He has over a decade of experience helping organizations understand the threats they face and make informed, risk based decisions.

INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.

About the INSA Cyber intelligence task force: The INSA Cyber Intelligence Task Force was created to set the landscape for cyber intelligence by discussing why cyber intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.


Activity Based Intelligence (ABI), Geolocation, and the Cyber Domain

Date: 29 June, 2016
Author: E. R. “Mike” Anders, M.A., CCIP, CCII, CEH, C|HFI
© Copyright, 25 June, 2016, All Rights Reserved

Argyle Threat Research (TheBrain: Mind Mapping Software: http://www.thebrain.com)

Georegistration and geolocation play a significant role in Activity Based Intelligence (ABI) analyses and investigations. The dictionary defines “Geolocation” as both the process for finding a location and the actual “real-world” geographic location of a computer, a cell phone, or a satellite, as determined by that process. (Geolocation, 2016) ABI’s Georegistration for discovery includes all categories of georeferenced information and may indeed offer the ABI analyst the best chance of closing the gap between where one is and where one wishes to be with respect to entity resolution and attribution.

Georegistration for discovery is one of the “Four Pillars” of Activity Based Intelligence (ABI). The other three, “Data Neutrality,” “Sequence Neutrality,” and “Integration before Exploitation,” are fully explained in Patrick Biltgen and Stephan Ryan’s book, “Activity Based Intelligence: Principles and Applications,” available on Amazon.com, with Geo-registration for discovery being the first to be addressed. (Biltgen & Ryan, 2016) The authors go into some detail in describing first-degree, direct/indirect, georeference, and second-degree georeference and why they are important in context. Geolocation plays a not-so-insignificant role when countering threats in the cyber domain.

Bad actors and hackers often spoof IP or MAC addresses to cover their activities and mask their whereabouts. Using TOR (The Onion Router) is another method, but even with TOR one can be tracked using the proper tools, employing the most effective techniques, and accessing expertise based on years of cyber experience. (Amores, 2016) However, relying purely on technical means is often insufficient, and sometimes impossible, when attempting to develop the evidence needed for clear “attribution” to justify offensive cyber operations. (Greenemeier, 2011) The ABI approach improves the odds in the cyber counterintelligence fight by its focus on entity resolution.

Transactions, Activity and Correlations (TAC) make up much of the “stuff” of ABI analysis. TAC is like the water in which ABI analysts swim and like the air they breathe. Solid location data is highly prized in the context of TAC.


TAC Relationships (Source: Various)

Object Based Production (OBP) is a new way of organizing data around objects of interest. (Johnston, 2013) In the context of Object Based Production (OBP), geolocation data is the metadata about objects/entities/proxies of interest. In other words, geolocation data characterize objects in OBP. (Cuddyer, 2016) In a recent conversation, Cyber Security Science Director Shawn Riley reminded me that it is important to remember, “Object-Based Production is the enabler for Activity-Based Intelligence (ABI) and provides the foundation for the correlation of data around objects that then can be observed for activity.” Furthermore, “Object-Based Production also automates analytic pivoting in cyber which is the analytic technique of hypothesis testing.” (Riley, 2016) These two observations, OBP as enabler and automated analysis, are crucial to understanding the profound relationship between and among Geolocation, TAC, ABI, and cyber.

One is not additive to the other. They are more than their aggregate. To say they are “. . . more than the sum of their parts” is the wrong analogy. It would be better to speak in “Quantum” terms. When an analytical “critical mass” is achieved, under ABI analysis conditions, the impact is quantum, continuous, and far reaching in scope. Entities are resolved and “Unknown Unknowns” discovered to provide further direction for additional collection, processing, and analysis. For geolocation to be of most value, context is a critical consideration. For example, NGA’s Ruth Cuddyer says, “And the location information or analysis that will be useful for foreign policy is also different than what might be useful or relevant for net defenders or law enforcement.” (Cuddyer, 2016) ABI methods and techniques manage and inform understanding and “sense-making” with respect to context through the continuous processing of data related to Transactions, Activity, and Correlations (TAC).

In conclusion, geolocation and georeference for discovery play an important role in countering cyber threats despite the difficulty of capturing data that can lead to reliable entity resolution. The prospect of being able to do so is increasing as advances in “machine learning” and data mining continue. Research conducted using DARPA-sponsored data sets by Illumina Consulting Group (ICG) to process insider threat data is but one recent example. The study proved successful in finding a malicious actor based on analysis of 18 months and 17GB of network data that included “. . . logon/logoff records, emails, HTTP traffic, USB device use records, LDAP data, file transfers, and employee psychometric data.” ICG utilized the TAC concept in correlating abnormal activity analytics with other observations over time using their LUX software platform. (Gourley, 2015) Further research and experimentation are anticipated using additional data sources.

What are your experiences with ABI and Geolocation? Let us know on Twitter and social media with the hashtag #INSAblog.


About the Author: Mr. Anders is a Certified Cyber Intelligence Professional with an Intelligence/Counterintelligence skill-set developed over 30+ years of experience. He is also an award winning broadcast journalist for the 1984 radio series, “The KGB and the Washington Target!” that focused on the Kremlin’s campaign to collect intelligence on High-tech firms in the D.C. area.

INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.

About the INSA Cyber intelligence task force: The INSA Cyber Intelligence Task Force was created to set the landscape for cyber intelligence by discussing why cyber intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.

Works Referenced or Reviewed

Amores, R. (2016). CEO, Dark Data Services (DDS). (M. Anders, Interviewer)

Biltgen, P., & Ryan, S. (2016). Activity-Based Intelligence (ABI) Principles and Applications. Boston, MA: ARTECH House.

Cuddyer, S. R. (2016, June 9). NGA College Instructor, GEOINT. Email exchange.

Geolocation. (2016). Retrieved from Dictionary.com: http://www.dictionary.com/browse/geolocation

Gourley, B. (2015, June 19). Illumina Consulting Group (ICG) R&D Case Study Uses Streaming Analytics Platform LUX in Insider Threat Detection. Retrieved from CTOvision.com: https://ctovision.com/2015/06/illumina-consulting-group-icg-rd-case-study-uses-streaming-analytics-platform-lux-in-insider-threat-detection/

Greenemeier, L. (2011, June 11). Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers. Retrieved from Scientific American: http://www.scientificamerican.com/article/tracking-cyber-hackers/

Johnston, C. (2013, June 17). (U) Modernizing Defense Intelligence: Object Based Production and Activity Based Intelligence. Retrieved from National Conference Services, Presentations: https://www.ncsi.com/diaid/2013/presentations/johnston.pdf

Riley, S. P. (2016, June 2). Director of Cyber Security Science at Monsanto. Retrieved from http://cscss.org/wp-content/uploads/2015/08/CSCSS-Science-of-Security-Developing-Scientific-Foundations-for-the-Operational-Cybersecurity-Ecosystem.pdf



Activity Based Intelligence (ABI) and the Cyber Domain

By: E. R. “Mike” Anders, M.A., CCIP, CCII, CEH, C|HFI


Argyle Threat Research (TheBrain®: Mind Mapping Software: http://www.thebrain.com/)

Activity-Based Intelligence (ABI) is an analytic methodology—tested by fire and war—in Iraq and Afghanistan.

Faced with the challenge of detecting, tracking and countering violent insurgent threats, particularly improvised explosive device (IED) networks and terrorist cells, intelligence analysts developed a “multi-INT” approach to the collection, processing, analysis, and dissemination of “actionable” intelligence (Long, 2013). Under the most trying of battlefield conditions, the foundations for ABI were laid. Threats from nation-state actors and non-state actors, in the close context of the cyber arena, were also addressed (Riley, 2015). Technical advances in data processing and analysis have further added to the development of ABI techniques, practices, and recognized tradecraft.

The art and science of ABI is deeply involved in collecting data about transactions and correlating that data to human behaviors and activity. ABI is concerned with transactions and activities involving an entity—including a person or an electronic device—a population, or even some particular area of interest (Phillips, 2012). Activities can range from face-to-face meetings between individuals to the installation of malicious software on a victim’s computer. ABI is a “natural” fit for understanding diverse, complex threats and the malicious activity of covert cell-based organizations. Consequently, ABI tradecraft is well suited to countering the similar and growing cyber threat against computer networks and systems.

ABI and cyber are about human action and human interaction with the machine. According to ABI practitioners like Melanie Corcoran, with Analytic Fusions, “At the heart of it is behavior and intent. And also, having the ability to bring all the data in and make it relatable.” (Corcoran, 2016) The core concept is built upon “The Four Pillars” of ABI (Meyer, 2015).

Becoming comfortable with “The Four Pillars” of ABI can take some getting used to by intelligence analysts and non-intelligence analysts alike, who may be more familiar with traditional analytical methodologies. A better way might be to think organically instead of architecturally.

[Figure: The Four Pillars of ABI, based on “Terms of Reference” (Military Operations Research Society, 2016)]

ABI’s emphasis on geospatial and temporal analysis may be troubling, perhaps not so much for the general analyst, but more so for the cyber analyst. Understanding Data Neutrality (one of the “Four Pillars”) can be a challenge to some steeped in the sensitive and secretive nature of government data classification requirements. Sequence Neutrality often must be accepted before an individual recognizes the full benefit. And lastly, Integration Before Exploitation can best be grasped by those in the trenches who are closest to the action and to the rapidly changing operational campaigns of persistent cyber threats and well-funded nation-state adversaries.

Clearly, ABI, and how it applies specifically to counter cyber security threats, is beginning to emerge from the shadows with the help of technical research and development—but slowly. Analytical tools like “Artemis” by Dark Data Services—still in development, but tested—are crawling the depths of the so-called “Dark Web” to accelerate the emergence (Amores, 2016). Other advances in super-computing to support “Big Data” analytics are additional drivers. How much, when, and to what extent ABI and cyber continue to converge remains a tantalizing vision of innovation and creativity on the far horizon.

What are your experiences with ABI and Cyber? Let us know on Twitter using @cyberintelblog and #cyberintel.

To contact the author or submit comments please email cyberthreatintelblog@gmail.com


Works Cited
Amores, R. (2016). Artemis and the “Dark Web”. (M. Anders, Interviewer)

Corcoran, M. (2016). ABI and Cyber. (M. Anders, Interviewer)

Long, L. A. (2013). ABI: Activity Based Intelligence: Understanding the Unknown. Retrieved from The Intelligencer: Journal of U.S. Intelligence Studies: http://www.afio.com/publications/LONG_Tish_in_AFIO_INTEL

Meyer, S. (2015, August 21). Activity Based Intelligence (ABI), Human Domain Analytics. Retrieved from LinkedIn: Pulse: https://www.linkedin.com/pulse/international-awareness-seek-out-professionals-sam-meyer

Military Operations Research Society (MORS). (2016, January 26). Operations Research Methods for Activity Based Intelligence (ABI). Retrieved from A MORS Workshop: http://www.mors.org/Portals/23/Docs/Events/2016/ABI/2016-01-20%20MORS%20ABI%20Workshop%20Terms%20of%20Reference

Phillips, M. (2012). A Brief Overview of Activity Based Intelligence and Human Domain Analytics. Retrieved from Trajectory: http://www.trajectorymagazine.com/civil/item/1369-human-domain-analytics.html

Riley, S. (2015, February 11). Insights to Modern Cyber Threat Intelligence. Retrieved February 12, 2015, from LinkedIn: https://www.linkedin.com/pulse/insights-modern-cyber-threat-intelligence-shawn-riley



About the Author: Mike Anders is a Certified Cyber Intelligence Professional with an Intelligence/Counterintelligence skill-set developed over 30+ years. Mr. Anders is a member of INSA’s Cyber Intelligence Sub-Council.

About INSA: INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.

About the INSA Cyber Intelligence Sub-Council: The INSA Cyber Intelligence Sub-Council was created to set the landscape for cyber intelligence by discussing why cyber intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.