cyber intelligence, cybersecurity

Activity Based Intelligence (ABI), TAC, and the Cyber Domain

Date: 26 May, 2016
Author: E. R. “Mike” Anders, M.A., CCIP, CCII, CEH, C|HFI
© Copyright, 26 May 2016, All Rights Reserved


Argyle Threat Research (TheBrain®: Mind Mapping Software:

Activity-based Intelligence (ABI) analyst are deeply immersed in data, as are other Intelligence Analysts. For ABI Analysts engaged in the Cyber fight, Transactions, Activity, and Correlations (TAC) tend to dominate. Former National Geospatial Intelligence Agency (NGA) Director, Letitia Long writes, “Activity-based Intelligence is defined as a discipline of intelligence where the analysis and subsequent collection are focused on the activity and transactions associated with an entity, a population or an area of interest.” Furthermore she says specifically, “These activities and transactions are not solely tied to geospatial actions, but also apply across the cyber, social, financial and commercial domains.”  For ABI Analysts working Cyber incidents TAC has a very purposeful meaning.(Long)

When users communicate over the Internet they are engaging in a “transaction” in the classic sense of ABI. One can argue that the “Three-way-handshake” that takes place between TC/IP devices communicate are themselves a “Transaction.” The “Activity” takes place according to communication protocols, or the “rules” of the Transaction, and the OSI model’s standardization of communication functions. Communication happens because protocols are followed, transactions initiated, data flows, and activity is terminated according to the rules. And everything happens at the speed of Cyber. The ABI analyst’s task is to detect, to identify, and to sort through these transactions and correlate them to activity in a way that makes sense of it all. The “Four Pillars” of ABI provide the foundation for doing precisely that.

Analyst trained in the ABI methodology are familiar with the terms “Geo-registration for Discovery,” “Data Neutrality,” “Sequence Neutrality,” and “Integration before Exploitation” as explained in great detail and with considerable clarity, in Patrick Biltgen and Stephan Ryan’s new book, “Activity Based Intelligence: Principles and Applications”. (Biltgen & Ryan, 2016) Transactions, Activity and Correlations are all given ample treatment, more than this blog can address. For the ABI analyst in the cyber arena, the “Four Pillars” open up the space for wider ranging analysis and offers the prospect of identifying, and even discovering “Unknown, unknowns” that may have significant consequences through the course of an investigation or counter-cyber campaign.

Cyberspace is a virtual World that resides within the physical World. NSA Director Adm. Rogers has remarked, “Every single cyber component has a physical geographic position on the face of the Earth.” Dual-hatted as commander of U.S. Cyber Command, Rogers says it is not enough to throw down a network schematic on a conference table, but rather “. . . show me where it is because there are lots of ways to try to understand things.” (USGIF, 2015) That is why Rogers has called for a closer relationship between the National Security Agency (NSA) and the National Geospatial-Intelligence Agency (NGA). The “lots of ways” Adm. Rogers suggests is exactly what ABI is all about—even for cyber intelligence analysis, it is not just Log and Security file analysis, Pcap traces, and vulnerability reports. The requirement is all of that and more. Practitioners such as Chandler P. Atwood describe ABI’s Multi-INT approach to data as being “Transformational” in both impact and scope. (Atwood, 2015) Since ABI takes a Multi-INT/All Source approach to data collection, processing, and interpretation, analysts can build upon all “Four” pillars of ABI to solve CYBINT and Counter-CYBINT problems. The interplay of Transactions, Activity, and Correlations form a mosaic revealing the “who,” the “what,” and the “why” of suspicious computer network activity and malicious cyber campaigns

At the center of ABI is correlation—particularly so, with respect to Integration before Exploitation, one of the “Four Pillars” of ABI. (Biltgen & Ryan, 2016, pp. 255-256).  In fact, in the book on ABI, Biltgen and Ryan spend an entire chapter on correlation and data fusion. Both art and science are evident and intricately bound up in making the kind of associations, correlations, and relationships from data collected that lead to estimations and assessments in intelligence analysis. Correlation is key to understanding computer network activity as well.  Because ABI is all-source and multi-INT, cyber investigators benefit at multiple levels to include, but not limited to the physical network layer, the logical layer, and the cyber human persona layer—when it comes to countering targeted threat activity. (DoD, 2013)

ABI does not exist in analytical isolation. Object Based Production (OBP) provides a significant enhancement when combined with ABI techniques, and methods. According to Charlotte Shabarekh, the head of Analytics, Modeling, and Simulation at Aptima, Inc., “In Cyber, OBP is a challenging task due to spoofing or masking of IP addresses.  It’s necessary to perform “co-reference resolution” tasks to associate spoofed packets to the correct source address.” (Shabarekh, 2016) ABI can provide the required context to accurately perform data association in cyber networks.

Concluding, Tractions, Activity, and Correlations are primary drivers of ABI investigations and analysis. That does not, however, exclude other methodologies. Whether it is the “Diamond Model” or the “Cyber Kill-Chain” an ABI analyst has access to all sources and means to prosecute investigations and threat analysis. Being able to do so is a core concept and understanding of Activity Based Intelligence (ABI) in the Cyber Domain.

What are your experiences with ABI and TAC? Let us know on Twitter and social media with the hashtag #INSAblog.”


Works Referenced or Reviewed

Atwood, C. P. (2015, April 1). Activity-Based Intelligence: Revolutionizing Military Intelligence Analysis. Retrieved from Joint Force Quarterly 77:

Biltgen, P., & Ryan, S. (2016). Activity-Based Intelligence (ABI) Principles and Applications. Boston, MA: ARTECH House.

DoD. (2013). DTIC. Retrieved from Joint Publication 3-12 (R):

Long, L. A. (Fall/Winter 2013). Activity Based Intelligence: Understanding the Unknown . The Intelligencer 20, no. 2, 7-15.

Shabarekh, C. (2016, May 26). Director Analytics, Modeling and Simulation Division, Aptima, Inc.,, (M. Anders, Interviewer)

USGIF. (2015, June 24). NSA Eyes Closer Ties to NGA. Retrieved from Trajectory:

About the Author: Mr. Anders is a Certified Cyber Intelligence Professional with an Intelligence/Counterintelligence skill-set developed over 30+ years of experience. He is also an award winning broadcast journalist for the 1984 radio series, “The KGB and the Washington Target!” that focused on the Kremlin’s campaign to collect intelligence on High-tech firms in the D.C. area.


INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.


About the INSA Cyber intelligence task force: The INSA Cyber Intelligence Task Force was created to set the landscape for cyber intelligence by discussing why cyber

Intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.


© Copyright, E. R. Anders

26 May 2016, All Rights Reserved


cyber intelligence

Activity Based Intelligence (ABI) and the Cyber Domain

By: E. R. “Mike” Anders, M.A., CCIP, CCII, CEH, C|HFI


Argyle Threat Research (TheBrain®: Mind Mapping Software:

Activity-Based Intelligence (ABI) is an analytic methodology—tested by fire and war—in Iraq and Afghanistan.

Faced with the challenge of detecting, tracking and countering violent insurgent threats, particularly improvised explosive device (IED) networks and terrorist cells, intelligence analysts developed a “multi-INT” approach to the collection, processing, analysis, and dissemination of “actionable” intelligence (Long, 2013). Under the most trying of battlefield conditions, the foundations for ABI were laid. Threats from nation-state actors, and non-state actors, in the close context of the cyber arena, were also addressed (Riley, 2015). Technical advances in data processing and analysis has further added to the development of ABI techniques, practices, and recognized tradecraft.

The art and science of ABI is deeply involved in collecting data about transactions and correlating data to human behaviors and activity. ABI is concerned about transactions and activities involving an entity—including a person or an electronic device—, a population, or even some particular area of interest (Phillips, 2012). Activities can range from face-to-face meetings between individuals to the installation of malicious software on a victim’s computer. ABI is a “natural” fit for understanding diverse, complex threats, and malicious activity of covert cell-based organizations. Consequently, ABI tradecraft is well suited to countering the similar and growing cyber threat against computer networks, and systems.

ABI and Cyber is about human action and human interaction with the machine. According to ABI practitioners like Melanie Corcoran, with Analytic Fusions, “At the heart of it is behavior and intent. And also, having the ability to bring all the data in and make it relatable.”  The core concept is built upon “The Four Pillars” of ABI (Meyer, 2015).

Becoming comfortable with “The Four Pillars” of ABI can take some getting used to by intelligence analysts and non-intelligence analysts alike, who may be more familiar with traditional analytical methodologies. A better way might be to think organically instead of architecturally.

4 Pillars_20160509021940 (2)

(Based on “Terms of Reference,” (Military Operations Research Society, 2016)

ABI emphasis on geo-spatial, and temporal analysis may be troubling, perhaps not so much for the general analyst, but more so for the cyber analyst. Understanding Data Neutrality (one of the “Four Pillars”) can be a challenge to some steeped in the sensitive and secretive nature of government data classification requirements. Sequence Neutrality often must be accepted before an individual recognizes the full benefit. And lastly, Integration Before Exploitation can best be grasped by those in the trenches who are closest to the action and to the rapidly changing operational campaigns of persistent cyber threats and well-funded nation-state adversaries.

Clearly, ABI, and how it applies specifically to counter cyber security threats, is beginning to emerge from the shadows with the help of technical research and development—but slowly. Analytical tools like “Artemis” by Dark Data Services—still in development, but tested—are crawling the depths of the so-called “Dark Web” to accelerate the emergence (Amores, 2016). Other advances in super-computing to support “Big Data” analytics are additional drivers. How much, when, and to what extent ABI and cyber continue to converge remains a tantalizing vision of innovation and creativity on the far horizon.

What are your experiences with ABI and Cyber? Let us know on Twitter using @cyberintelblog and #cyberintel .

To contact the author or submit comments please email


Works Cited
Amores, R. (2016). Artemis and the “Dark Web”. (M. Anders, Interviewer)

Corcoran, M. (2016). ABI and Cyber. (M. Anders, Interviewer)

Long, L. A. (2013). ABI: Activity Based Intelligence: Understanding the Unknown. Retrieved from The Intelligencer: Journal of U.S. Intelligence Studies:

Meyer, S. (2015, August 21). Activity Based Intelligence (ABI), Human Domain Analytics. Retrieved from LinkedIn: Pulse:

Military Operations Research Society (MORS). (2016, January 26). Operations Research Methods for Activity Based Intelligence (ABI). Retrieved from A MORS Workshop:

Phillips, M. (2012). A Brief Overview of Activity Based Intelligence and Human Domain Analytics. Retrieved from Trajectory:

Riley, S. (2015, February 11). Insights to Modern Cyber Threat Intelligence. Retrieved February 12, 2015, from




About the Author: Mike Anders is a Certified Cyber Intelligence Professional with an Intelligence/Counterintelligence skill-set developed over 30+ years. Mr. Anders is a member of INSA’s Cyber Intelligence Sub-Council

About INSA: INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.

About the INSA Cyber Intelligence Sub-Council: The INSA Cyber Intelligence Sub-Council was created to set the landscape for cyber intelligence by discussing why cyber intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.