Analysts consider best practice for cyber-threat research
The ubiquity of digital communications is expanding the range of analyst roles that require research into cyber threats. Jane's Intelligence Reviewexamines the best practice for conducting this research and providing assessments for decision-makers.
This is an extract from an article that appeared in Jane's Intelligence Review.
- Analysts examining cyber threats are required to work with sources that are at risk of manipulation through deliberate disinformation campaigns, or which are potentially malicious to view or interact with.
- The increasing sophistication of state-based or -backed cyber adversaries applying intelligence tradecraft has created additional challenges for analysts conducting research and producing analysis on cyber threats.
- Best practice for analysts would include practising sound operational security, establishing 'ground truth' in digital evidence and verifying sources, and working with an in-depth understanding of the requirements of the customers using their analyses.
Analysts at private organisations and public agencies are increasingly tasked with researching cyber threats. As the range of missions that include cyber threats has broadened, so has the range of potential sources considered useful for collecting intelligence.
For example, affiliates of terrorist groups such as Al-Qaeda and the Islamic State have run virtual recruitment campaigns and distributed media such as training videos across social networks such as Facebook, Twitter, and YouTube. An analyst tasked with covering threats from transnational terrorist groups such as these would therefore increasingly be required to research the online activity of these groups.
Similarly, military analysts are now considering the same open-source social media platforms used by terrorists for the distribution of material and recruitment as sources of targeting intelligence. Speaking in 2015, retired United States Air Force General Herbert Carlisle, then head of Air Combat Command, described how "... a post on social media [led] to bombs on target in less than 24 hours". For analysts looking at cyber threats, examples such as this serve to underline the importance of verifying sources and clearly delineating the levels of confidence around their assessments.
In a 2012 analysis of the cyber-intelligence practices of 30 organisations, including six from government and 24 from private industry, researchers from the Software Engineering Institute (SEI) at Carnegie Mellon University noted the growing importance of verifying intelligence, writing that, "... the operational tempo required for intelligence analysts to keep pace with the ever-changing cyber environment is overwhelming at best. While technology and external resources offer value, analysts also need to critically assess the information they receive."
Echoing this sentiment at the Black Hat hacker conference in 2017, Daniel Cuthbert, who has trained public sector and corporate analysts in cyber-intelligence collection for more than a decade with the UK-based hacking consultancy Sensepost, said that the greatest issue facing analysts looking at cyber threats is "establishing truth in the data".
This raises the question of best practice for cyber-threat analysis, particularly as the range of analyst tasks with a cyber component has broadened, potentially leading to less experienced individuals conducting research on these threats.
The content from this blog post is compiled from Jane's Intelligence Review. For more information or to subscribe visit Jane's Intelligence Review.
Jane's is running a cyber-security awareness training course on 9 - 10 October 2017 in London. To find out more or register visit the Jane's OSINT Training.
Jane's Editorial Staff
Posted 29 September 2017
- South African defence technology remains in focus despite budget bottoming out
- Gulf States’ Defence Spending to Hit Record High
- Software-defined radios point way for simpler direction finding
- Construction at North Korean missile base underlines operational focus
- From Tempest to Gripen E – Jane’s coverage of Farnborough 2018
- President Trump signs the US FY19 National Defense Authorization Act
- Indicators track Iranian threat to Strait of Hormuz shipping
- Social media provides insights into Indonesian militancy