Monthly Archives

June 2015

Barriers to Sharing Cyber Threat Information Within the Critical Infrastructure Community

June 28, 2015

This was first posted on the Council of Foreign Relations’ blog Net Politics here.


The sharing of cyber threat data has garnered national-level attention, and improved information sharing has been the objective of several pieces of legislation and two executive orders. Threat sharing is an important tool that might help tilt the field away from adversaries who currently take advantage of the fact that an attack on one organization can be effective against thousands of other organizations over extended periods of time. In the absence of information sharing, critical infrastructure operators find themselves fighting off adversaries individually instead of using the knowledge and experience that already exists in their community. Better threat information sharing is an important goal, but two barriers, one cultural and the other technical, continue to plague well-intentioned policy efforts. Failing to meaningfully address both barriers can lead to unnecessary hype and the misappropriation of resources.

Closing the Case on the Reported 2008 Russian Cyber Attack on the BTC Pipeline

June 27, 2015

This was first posted on the SANS ICS blog here.


An article released today in Sueddeutsche (the largest German national daily newspaper) by Hakan Tanriverdi revealed new information that further cast doubt on a report of a 2008 Russian cyber attack which caused the Baku-Tbilisi-Ceyhan (BTC) pipeline explosion. The Sueddeutsche article can be found here.


The original report of the attack was released on December 14th, 2014 by Bloomberg under the title “Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar.” The article referenced an explosion that occurred in 2008 along the BTC pipeline that had previously been attributed to a physical attack by Kurdish extremists in the area. The Bloomberg report cited four anonymous individuals familiar with the incident and claimed the explosion was actually due to a cyber attack. The attack was attributed to Russia.

Cyber Intelligence Part 5: Cyber Threat Intelligence

June 27, 2015

This was first published on Tripwire here.


In the previous blog posts in this series, we looked at cyber intelligence and some of its different focus areas, including intelligence collection operations and counterintelligence. In the final post of the series, we will take a look at threat intelligence and discuss some of its elements.

First and foremost, we need to answer the question – what is threat intelligence? Gartner has defined threat intelligence as: “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

In its entirety, this is a good definition, but what does it all mean? How can threat intelligence benefit us?

Cyber Intelligence Part 4: Cyber Counterintelligence From Theory to Practices

June 27, 2015

This was first published on Tripwire here.


In the previous article, Cyber Intelligence Collection Operations, the types of collection and the types of data that could be obtained were discussed. At the end of the discussion I pointed out that analysts must be critical of the data they evaluate, as at any time it could be compromised.

Specifically, adversary actors could employ counterintelligence or deception-type techniques to push analysts to draw wrong conclusions or to discount the data entirely. In this article we will cover the topic of Cyber Counterintelligence (CCI) and discuss its two main branches: Offensive CCI and Defensive CCI.

Cyber Intelligence Part 3: Cyber Intelligence Collection Operations

June 27, 2015

This was first published on Tripwire here.


In the previous article in this series I talked about developing your cyber intelligence analyst skills. The approach largely relied on becoming tool agnostic and developing a strong base through education. As the analyst, it is your opinion and expertise that matter most.

I also highlighted three of the more talked-about sub-disciplines of cyber intelligence, which are Intelligence Collection Operations, Cyber Counterintelligence, and Threat Intelligence. In this blog we will cover Cyber Intelligence Collection Operations.

The topic of Intelligence Collection Operations sounds inherently military- or government-based in nature, especially with the use of the word “operations.” The term here, though, is meant to invoke the concept of a prolonged process and not just a single action.

Cyber Intelligence Part 2: Developing Your Cyber Intelligence Analyst Skills

June 27, 2015

This was first published on Tripwire here.


In the previous blog in this series, An Introduction to Cyber Intelligence, I gave an overview which primarily focused on defining and discussing some of the fundamentals of intelligence work in general. In this edition we will cover in more depth what it means to be a cyber intelligence analyst in terms of understanding intelligence products, skills to develop, and an introduction to the sub-disciplines of cyber intelligence.

First we need to start with the end goal in mind: intelligence products. An intelligence product is the final evaluation of the data that you provide, in a polished and easy-to-understand format, to the customer.

In some cases the customer may just be yourself, your organization, or customers of your organization. There are no set formats and standards for the intelligence product, but technical writing is definitely a skill that needs to be developed properly. The focus should be on presenting intelligence that satisfies the original goal or intelligence need.

Cyber Intelligence Part 1: An Introduction to Cyber Intelligence

June 27, 2015

This was first published on Tripwire here.


This is the beginning of a short blog series on the topic of cyber intelligence, its sub-disciplines, and its uses. As an Adjunct Lecturer at Utica College, I teach graduate students in the M.S. Cybersecurity program on topics including cyber intelligence and cyber counterintelligence.

One of my observations while building the course syllabus and instructing the students is that there is a general lack of information on what cyber intelligence is and how to appropriately use it. There are a few resources out there but cyber intelligence is more often thrown around as a buzz word for company statements and contracts than it is actually defined and used.

I would argue that every good analyst working in information technology or “cyber” type roles uses intelligence; although, having encountered plenty of people in this field, I would readily admit that some use it more than others.

The first step to understanding cyber intelligence is to realize that intelligence tactics, techniques, and procedures (TTPs), as well as various types of operations, existed long before cyberspace was conceived. Intelligence is most often seen as offensive in nature when viewed through the lens of spying and collection operations, but its ultimate purpose is equally rooted in defense.