cyber intelligence, cybersecurity, Uncategorized

Activity Based Intelligence (ABI), Geolocation, and the Cyber Domain

Date: 29 June, 2016
Author: E. R. “Mike” Anders, M.A., CCIP, CCII, CEH, C|HFI
© Copyright, 25 June, 2016, All Rights Reserved

Argyle Threat Research (TheBrain: Mind Mapping Software:

Georegistration and geolocation play a significant role in Activity Based Intelligence (ABI) analyzes and investigations. The dictionary defines “Geolocation” as both the process for finding a location and the actual “real-world” geographic location of a computer, a cell-phone, or a satellite, as determined by the process. (Geolocation, 2016) ABI’s Georegistration for discovery includes all categories of georeferenced information and may indeed offer the ABI analyst the best chance of closing the gap between where one is and where one wishes to be with respect to entity resolution and attribution.

Georegistration for discovery is one of the “Four Pillars” of Activity Based Intelligence (ABI). The other three being “Data Neutrality,” “Sequence Neutrality,” and “Integration before Exploitation” are fully explained in Patrick Biltgen and Stephan Ryan’s book, “Activity Based Intelligence: Principles and Applications” available on with Geo-registration for discovery being the first to be addressed. (Biltgen & Ryan, 2016) The authors go into some detail in describing first degree, direct/indirect, georeference, and second degree georeference and why they are important in context. Geolocation plays a not-so-insignificant role when countering threats in the cyber domain.

Bad Actors and Hackers often spoof IP or MAC addresses to cover their activities and mask their whereabouts. Using TOR, (the Onion Router) is another method, but even with TOR, one can be tracked using the proper tools, employing the most effective techniques, and accessing expertise based on years of cyber experience. (Amores, 2016) However, relying purely on technical means is often insufficient, and sometimes impossible when attempting to develop evidence needed for clear “attribution” to justify offensive cyber operations. (Greenemeier, 2011) The ABI approach improves the odds in the cyber counterintelligence fight by its focus on entity resolution.

Transactions, Activity and Correlations (TAC) make up much of the “stuff” of ABI analysis. TAC is like the water in which ABI analysts swim and like the air they breathe. Solid location data is highly prized in the context of TAC.


TAC Relationships (Source: Various)

Object Based Production (OBP) is a new way of organizing data around objects of Interest. (Johnston, 2013) In the context of Object Based Production (OBP), geolocation data is the metadata about objects/entities/proxies of interest. In other words, geolocation data characterize objects in OBP. (Cuddyer, 2016) In a recent conversation, Cyber Security Science Director, Shawn Riley, reminded it is important to remember, “Object-Based Production is the enabler for Activity-Based Intelligence (ABI) and provides the foundation for the correlation of data around objects that then can be observed for activity.” Furthermore, “Object-Based Production also automates analytic pivoting in cyber which is the analytic technique of hypothesis testing.” (Riley, 2016) These two observations, OBP as enabler and automated analysis are crucial to understanding the profound relationship between and among Geolocation, TAC, ABI, and cyber. One is not additive to the other. They are more than their aggregate. To say they are “. . . more than the sum of their parts” is the wrong analogy. It would be better to speak in “Quantum” terms. When an analytical “critical-mass” is achieved, under ABI analysis conditions, the impact is quantum, continuous, and far reaching in scope. Entities are resolved and “Unknown, Unknowns” discovered to provide further direction for additional collection, processing, and analysis. For geolocation to be of most value, context is a critical consideration. For example, NGA’s Ruth Cuddyer says, “And the location information or analysis that will be useful for foreign policy is also different that what might be useful or relevant for net defenders or law enforcement.”(Cuddyer, 2016) ABI methods and techniques manage and inform understanding and “sense-making” with respect to context through the continuous processing of data related to Transactions, Activity, and Correlations (TAC).

Concluding, geolocation and georeference for discovery play an important role in countering cyber threats despite the difficulty of capturing data that can lead to reliable entity resolution. The prospect of being able to do so is increasing as advances in “machine-learning” and data mining continue. Research conducted using DARPA sponsored data sets by Illumina Consulting Group (ICG) to process insider threat data is but one recent example. The study proved successful in finding a malicious actor based on analysis of 18 months and 17GB of network data that included “. . . logon/logoff records, emails, HTTP traffic, USB device use records, LDAP data, file transfers, and employee psychometric data.” ICG utilized the TAC concept in correlating abnormal activity analytics with other observations over time using their LUX software platform. (Gourley, 2015) Further research and experimentation is anticipated using additional data sources.

What are your experiences with ABI and Geolocation? Let us know on Twitter and social media with the hashtag #INSAblog.”


About the Author: Mr. Anders is a Certified Cyber Intelligence Professional with an Intelligence/Counterintelligence skill-set developed over 30+ years of experience. He is also an award winning broadcast journalist for the 1984 radio series, “The KGB and the Washington Target!” that focused on the Kremlin’s campaign to collect intelligence on High-tech firms in the D.C. area.

INSA is the premier intelligence and national security organization that brings together the public, private and academic sectors to collaborate on the most challenging policy issues and solutions.

About the INSA Cyber intelligence task force: The INSA Cyber Intelligence Task Force was created to set the landscape for cyber intelligence by discussing why cyber

Intelligence is necessary and providing thoughts on how to develop this function in the cyber domain.

Works Referenced or Reviewed

Amores, R. (2016). CEO, Dark Data Services (DDS). (M. Anders, Interviewer)

Biltgen, P., & Ryan, S. (2016). Activity-Based Intelligence (ABI) Principles and Applications. Boston, MA: ARTECH House.

Cuddyer, S. R. (2016, June 9). NGA College Instructor, GEOINT, Email exchage.

Geolocation. (2016). Retrieved from

Gourley, B. (2015, June 19). Illumina Consulting Group (ICG) R&D Case Study Uses Streaming Analytics Platform LUX in Insider Threat Detection. Retrieved from

Greenemeier, L. (2011, June 11). Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers. Retrieved from Scientific American:

Johnston, C. (2013, June 17). (U) Modernizing Defense Intelligence: Object Based Production and Activity Based Intelligence. Retrieved from National Conference Services, Presentations:

Riley, S. P. (2016, June 2). Director of Cyber Security Science at Monsanto. Retrieved from


© Copyright, E. R. Anders

25 June 2016, All Rights Reserved


Activity Based Intelligence (ABI), Geolocation, and the Cyber Domain