How to Build a Cyberintelligence Capability

Stewart Kenton Bertram

Cyber Recon Manager: Verisign / iDefense

How to Build a Cyber Intelligence Capability

Session ID: STAR-308

Session Classification: Intermediate

Content taken from iDefense White Paper “Establishing a Formal Intelligence Program”, Stewart Kenton Bertram, June 2011

Talk Contents

Objective

Share some thoughts on what a good model for a cyber intelligence team should look like in the private sector

Lessons learnt over the past years

Contents

1. The socio-technical approach to intelligence team design

2. The growth of the influence of the intelligence team within the wider business context

3. Some points to consider – legal and reporting points

What is a Socio-technical system?

“an approach to complex organizational work design that recognizes the interaction between people, information and technology in workplaces”

[Diagram: People, Technology, Information, Capability]

“Who should staff this theoretical team then?”

Computer Science Folk

Former Military

Social Science

Counter Insurgency (COIN)

• Battle for hearts and minds

• Human Terrain Analysis

How many possible connections can be made within this group?

Clustering Coefficient

N * (N - 1) / 2

25 * (25 - 1) / 2 = 300

However…consider this

John P. Reed

the utility of large networks, particularly social networks, can scale exponentially with the size of the network.

33 Million possible combinations!!!!!!!!!

Levels of Intelligence product

Critical Intelligence: “Mr President the missiles are in flight!”

Significant Intelligence: “Iran may be developing a nuclear weapons capability”

Contextual Intelligence: “Country X’s long term political goals could bring us into conflict with them in the next 20 years”

Change In Behavior Within The Decision Maker

[Diagram: Critical, Significant and Contextual Intelligence against Intelligence Product]

Direct Levels of Intelligence Team Effort

[Diagram: Intelligence Product, Behavioral Influence, Team Effort]

Technical Automation VS Human Talent

[Diagram: Intelligence Product, Behavioral Influence, Team Effort; Trade Craft and Talent; Structures, Procedures and technology]

[Diagram: pyramid with levels Data, Information, Intelligence and labels Collection, Analysis, Dissemination]

Risk: Strategic Surprise!

The Up The Pyramid Principle

Contextual Change

“Why are we even discussing an intelligence capability in the first place?”

“Is Cyber Threat posing a greater threat than it was 10 years ago?”

YES

BUT

Due to the contextual change of the importance of cyber space to Western Society

Effect on the intelligence team within the wider business context

A Corps – Circa 1990

Sales

HR

Marketing

PR

Risk

IT

Physical Security

Intelligence Team

A Corps – Circa 2012

Sales

HR

Marketing

PR

Risk

IT Physical Security

Intelligence Team

https://www.facebook.com/muslimdefenceleague

• Social Media Intelligence “SOCMINT”

• “SOCMINT is not yet capable of making a decisive contribution to public security and safety.”

• “SOCMINT does not fit easily into the existing systems we have developed to ensure intelligence collected can be confidently acted on.”

Legal

Reporting

Public Place?

Private Place?

Something Else? Expectation of privacy?

1st Question 2nd Question

Some Thoughts on SOCMINT

SOCMINT is a combination of two intelligence disciplines

Signals Intelligence (SIGINT): the communication element of the medium

Human Intelligence (HUMINT): the message element of the medium

The 5 x 5 x 5 intelligence grading system is ideal for SOCMINT reporting

SO WHAT?: If done right, OSINT-based intelligence can have a far greater penetration rate within an organization than other closed sources of intelligence

5x5x5 according to the NIM

5x5 example

Intel Evaluation: 1 / 2 / 3 / 4 / 5

Source Evaluation: A / B / C / D / E

Grade: Not known to the source but externally corroborated, Unreliable

Some concluding thoughts on Open Source Intelligence

OSINT is not for the “new guy”

Established models of best practice in other intelligence disciplines

Final concluding point on developing a cyber intelligence capability

“If today is the information age then tomorrow will be the intelligence age”

Questions?
