This handbook provides real actionable steps that enable an intelligence operator to target, track, collect and analyse information surrounding cybercrime (or traditional crime) which in turn becomes intelligence.
My passion for this work, and the basis of this short handbook, comes from my experience in cyber threat intelligence and anti-drug trafficking. I hope this handbook provides you with some easy-to-implement thought processes that in turn enable you to work more efficiently and effectively in your daily tasks (even in disciplines outside of intelligence). This handbook details five primary stages: Management, Intelligence Analysis, Profiling and Collection (MIAPC).
Management (of intelligence operations)
The most valuable leadership skill of all — bringing out the greatness in others!
Management is the overall concept and mindset that enables us to go from “the doer of things” to “leader and strategic thinker!” I will outline five steps that will allow you to look outside the box and into the future, and to leverage your team’s strengths and weaknesses to the utmost. I use these steps daily in everything I do; they’re written down next to me so I can reference them whenever I need.
Preparedness — This is your ability to understand and respond to threats against you, your organisation or your clients without having to generate unknown defences on the fly.
Vision — This is your ability to leverage your visual modality and conceptualise the future state of an idea, threat, action or target based on current intelligence, then create an idea/thought/concept that could engage others, and implement it.
Systematic mindset — This is the ability to perceive, amalgamate, and combine multiple elements/teams/processes/functions to achieve a combined/common outcome or purpose.
Innate Motivation — This is your ability to motivate different people/teams to work together to implement your or your organisation’s vision. When discussing information with anyone, you must acknowledge their comments/statements; this makes the person relax. Furthermore, if you understand what drives that person, you can implement actions that excite them.
Partnering — This is the ability to understand your own team’s weaknesses and augment your team with partners, developing strategic alliances with individuals, groups and organisations.
“Only do what only you can do.”
All the above qualities make a leader; anyone can implement these; anyone can change; you can enhance and augment yourself!
I leverage the OODA loop (it just works so well for criminal and cybercriminal analysis)! The Observe, Orient, Decide and Act (OODA) loop is a recurring decision-making cycle of observe, orient, decide and act.
An entity (whether an individual or an organisation) can leverage this cycle quickly, observing and reacting to unfolding events. The OODA loop was developed to explain how to direct one’s energies to defeat an adversary and survive. The MIAPC stages detailed at the beginning of this document also relate to the OODA loop stages, as follows:
- Observe — Intelligence Analysis and Profiling
- Orient — Intelligence Analysis and Profiling
- Decide — Management and Intelligence Analysis; and
- Act — Collection and Intelligence Analysis.
Below are the main takeaway intelligence analysis steps that everyone should leverage when conducting intelligence operations.
Understand — You need to truly understand the information if you want others to comprehend you. You must be clear and precise about all data collected, investigated and reported. There are two primary stages of understanding: we need to understand the data, and we need to be able to present that data as intelligence.
Be Precise — When investigating data, make sure you understand what you’re looking at and are decisive in your actions. Define your data, make sure it relates to your end goal, and do not carry any superfluous information.
Be Clear — Always be clear about your information. Make it so the reader doesn’t have to think about it and can just read and understand. Don’t be ambiguous or vague with any information; whatever information you provide, someone is going to take action on it. Make your point clear! Mind mapping your ideas at this step will show you what is missing.
Pivot — Pivoting means exploring information, developing a greater understanding and identifying possible affiliations or connections. Continuous pivots are the key to mapping out intelligence. Whether it’s an email address, an IP address or a vulnerability, whatever it is, continually link the dots. Think of pieces of information as synapses in the brain; keep connecting synapses to build a complete pathway.
What is the significance? — When pursuing or tracking malicious actors, pieces of information or targets, make sure they have importance to the mission or possible outcomes. Don’t waste your time and effort on irrelevant data. If you have pivoted on a piece of information and decide it is negligible, stop pursuing it. If you have put a considerable amount of work into a target and you realise it’s insignificant, stop now! Also, don’t hold onto information just for the sake of holding on to it; give it the 5-second rule test!
Use your intuition — Intuition and instinct are the key to learned wisdom in the intelligence field: if your gut is telling you something, pivot on that something! Your intuition will make the difference between actionable intelligence and red herrings. When examining information, if your spider senses are telling you something, act on it. When operating on intuition, it’s always good to have a notepad and pen handy. Write down what you are thinking about and explore all possible outcomes. If anything interesting comes out of that, pivot on it and explore.
Perception — Perception relates to how we see adversarial actions and what adversaries might be thinking or doing. Make sure to take the viewpoints of everyone (groups included) involved into consideration when analysing intelligence. Think of your position, the position of the adversary and all associated external parties. This process will enable you to understand your thought processes, actions on, and divergent thinking techniques.
Track it! — To effectively track adversaries, people, information and targets, we must focus on the significance of the data we’re ingesting and, if it’s significant, how deep we go with pivots. Tracking is where great analysis comes from: being able to build a mental picture, pivot on information and leverage intuition to connect all the dots.
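As an added example (not part of the original handbook), the following Python builds a small link graph from constructed indicator relationships and pivots outward from a seed indicator, bounding both how deep the pivots go and how noisy a node may be before it is expanded; every indicator, address and domain below is a constructed placeholder, not real infrastructure.

```python
from collections import deque

# Constructed relationship observations: (indicator, relation, indicator).
# Every value is an illustrative placeholder (RFC 5737 addresses, .test
# domains), not real infrastructure.
OBSERVATIONS = [
    ("mail:alice@example.test", "registered", "domain:bad-one.test"),
    ("mail:alice@example.test", "registered", "domain:bad-two.test"),
    ("domain:bad-one.test", "resolves_to", "ip:203.0.113.10"),
    ("domain:bad-two.test", "resolves_to", "ip:203.0.113.10"),
    ("ip:203.0.113.10", "hosts", "domain:bad-three.test"),
    ("domain:bad-three.test", "resolves_to", "ip:198.51.100.7"),
    # A shared hosting address with many unrelated tenants: a red herring
    # that would link the actor to everyone else on that host.
    ("domain:bad-two.test", "resolves_to", "ip:192.0.2.1"),
] + [(f"domain:unrelated-{n}.test", "resolves_to", "ip:192.0.2.1") for n in range(25)]


def build_graph(observations):
    """Undirected adjacency map: indicator -> set of directly linked indicators."""
    graph = {}
    for left, _relation, right in observations:
        graph.setdefault(left, set()).add(right)
        graph.setdefault(right, set()).add(left)
    return graph


def pivot(graph, seed, max_depth=3, max_fan_out=10):
    """Breadth-first pivot outward from `seed`.

    max_depth bounds how many hops deep the pivots go. A node whose fan-out
    exceeds max_fan_out (shared hosting, public mail providers) is recorded
    but never expanded: pivoting through it is what produces red herrings.
    Returns {indicator: path_from_seed} for every indicator reached.
    """
    paths = {seed: [seed]}
    queue = deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        neighbours = graph.get(node, set())
        if depth >= max_depth or len(neighbours) > max_fan_out:
            continue  # stop here: too deep, or too noisy to be significant
        for nxt in sorted(neighbours):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append((nxt, depth + 1))
    return paths


if __name__ == "__main__":
    for path in pivot(build_graph(OBSERVATIONS), "mail:alice@example.test").values():
        print(" -> ".join(path))
```

With the defaults the third-hop domain is reached but its own resolver address is not, and none of the unrelated tenants behind the shared address leak into the picture; raising max_depth extends the pathway one hop further.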
Act — Act means “take action now; do what you should, when you should do it”. Always act on instinct when you think action should be taken, and do not wait. If your intuition is telling you to pivot on that unique piece of information, do it. Always act on information; don’t save it for later, do it now!
Communicate — If you can’t get your information across, what’s the point! I recommend you use the BLUF (Bottom Line Up Front) communication technique. BLUF is an opening paragraph in which the conclusions and recommendations are placed at the beginning, rather than the end, to facilitate *rapid decision* making.
Profiling, or criminal profiling, is usually leveraged in criminal cases or by law enforcement to identify all possible attributes of a criminal (a cybercriminal or drug trafficker in my case) that can help determine current, past or potential future crimes. For the sake of clarity, the textbook meaning of profiling is:
An investigative technique by which to identify the major personality and behavioral characteristics of the offender based upon an analysis of the crime(s) he or she has committed.
The theory behind leveraging profiling as an approach to understanding the behaviour of trafficking, carding, hacking etc. is that this behaviour is reflected in the target’s modus operandi (MO). Modus operandi literally means “way of working”; it is what an offender does in order to carry out a crime, and this MO can be leveraged as intelligence.
In addition to the criminal’s MO, the criminal’s behaviour is another interesting and unique variable that can be leveraged. This behaviour relates to the things offenders are psychologically compelled to do over and above what it takes to commit the crime. This behaviour is fascinating when it comes to state-based threats and drug trafficking! My interest in it is derived from tracking, understanding and interrogating intelligence relating to those threats.
I leverage profiling not against traditional criminals but against cybercriminals (APTs, malicious groups, terrorist organisations and malicious FIN security groups) and online drug traffickers. Furthermore, we can augment the traditional process with our unique skills to build a complete profile backed with factual evidence. This process generally involves seven steps.
- Evaluation of the criminal act itself
- Comprehensive evaluation of the specifics of the crime scene(s)
- Comprehensive analysis of the victim
- Evaluation of actor/criminal reporting
- Evaluation of the unique MITRE or CTF stages of attack that the criminal uses
- Evaluation of the perceived threat (event or source), risk or vulnerability of the victim
- Development of a profile with critical offender characteristics; and
- Investigative suggestions predicated on construction of the profile.
The above process can be summarised as “data is collected and assessed, the situation reconstructed, hypotheses are formulated, a profile developed and tested, and the results reported back”. If you would like to read more about the FBI’s profiling techniques, check out here.
Intelligence collection is broken down into three main components: Understanding, Requirements and Needs.
This is one of the most misunderstood and misused steps in the entire intelligence workflow. People don’t know what they don’t know! If they don’t know, how can they collect it? What I mean by that is that you need to research and understand the target, systems, organisation or group that you’re going to analyse. I’ll explain two examples below: Iranian malware and the terrorist organisation Abu Sayyaf.
APT (Kittens) Malware — We need to conduct a knowledge check before attempting to collect information about Iran’s APT activities, inclusive of collecting samples, analysing samples and providing valuable intelligence. These checks would be:
- Do I understand process execution within a Windows/Linux environment?
- Do I know how to reverse engineer malware?
- Do I know how to extract IOCs from malware?
- Do I know how to extract tactics and techniques from malware?
- Have I examined and understood Iran’s past and present APT operations globally?
- Do I have a reverse engineering lab?
- The list goes on and on […SNIP…]
From all the above requirements regarding Iranian malware, can I give actionable intelligence to prevent, hinder or hunt current Iranian malicious activity? If the answer is yes, you can create a custom and complete collection process against this malicious actor.
Risk of Abu Sayyaf small arms operations in South East Asia for 2018
As displayed in the above image, I collected all the information about Abu Sayyaf from 2002 to 2017 and analysed the data. The data revealed interesting results that help us understand the group as a whole, even before we start collecting new information on this target.
- Two persons were killed with small arms per incident
- Private Citizens & Property were the highest targets
- Tubigan was the most targeted location for small-arms events
- May is the month with the highest rate of small-arms attacks; and
- The list goes on […SNIP…].
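As an added example that is not the handbook’s own analysis, this Python summarises a constructed set of incident records in the same way the findings above were derived: it filters to one weapon type, then computes fatalities per incident and the most frequent target category, location and month. The records (locations, dates, counts) are constructed to illustrate the method and are not real Abu Sayyaf data.

```python
from calendar import month_name
from collections import Counter
from datetime import date

# Constructed incident records for illustration only (NOT real data). The
# fields mirror what an analyst would extract from an open incident database.
FIELDS = ("date", "location", "target", "weapon", "killed")
RAW = [
    (date(2014, 5, 10), "Tubigan", "Private Citizens & Property", "small arms", 3),
    (date(2015, 5, 22), "Tubigan", "Military", "small arms", 1),
    (date(2016, 8, 2), "Town B", "Private Citizens & Property", "small arms", 2),
    (date(2017, 5, 14), "Town C", "Police", "small arms", 2),
    (date(2016, 11, 30), "Tubigan", "Private Citizens & Property", "explosives", 5),
    (date(2017, 2, 9), "Town B", "Government", "explosives", 0),
]
INCIDENTS = [dict(zip(FIELDS, row)) for row in RAW]


def most_common(values):
    """Return the single most frequent value (first seen wins ties)."""
    return Counter(values).most_common(1)[0][0]


def weapon_summary(incidents, weapon="small arms"):
    """Profile historical incidents for one weapon type.

    Returns None when no incident matches, otherwise a dict with the number
    of incidents, average fatalities per incident, the most targeted victim
    category, the most targeted location, the peak month and a per-year count.
    """
    subset = [i for i in incidents if i["weapon"] == weapon]
    if not subset:
        return None
    return {
        "incidents": len(subset),
        "killed_per_incident": round(sum(i["killed"] for i in subset) / len(subset), 2),
        "top_target": most_common(i["target"] for i in subset),
        "top_location": most_common(i["location"] for i in subset),
        "top_month": most_common(month_name[i["date"].month] for i in subset),
        "per_year": dict(sorted(Counter(i["date"].year for i in subset).items())),
    }


if __name__ == "__main__":
    for key, value in weapon_summary(INCIDENTS).items():
        print(f"{key}: {value}")
```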
Now that we understand how Abu Sayyaf has operated in the past, we have a better understanding of the tactics, techniques and procedures they use. This will enable us to create a custom and complete collection process against this malicious actor.
The main point is that we need to understand our target, the systems they use and the technologies that sit between us and our intelligence (once we collect it). Once we know this information, we can collect and obtain all the information possible.
A collection requirement is “a statement of information to be collected based on profiling outputs and previous intelligence analysis”. A collection requirement for the Al-Shabaab actor might look like:
- Propaganda forum collection
- Online presence, actors, community, the proliferation of information etc.
- Language and euphemisms used
- Past evidence collection; and
- National databases etc.
The list could go on and on, but you get the idea. All of the above requirements are obtained through the intelligence orient and observe functions detailed previously.
A collection need is a request or command from the team to collect information that is uniquely specific to the analysis at hand. For example, to accurately assess the risk of attacks by Al-Shabaab in 2018 within Somalia, we need to collect information on the 2014–2017 attacks perpetrated by Al-Shabaab, Boko Haram (ally) and AQ-AP (ally). This is due to the close relationship these terrorist organisations have with one another and the timeframes of previous attacks.
I’ve explained in detail interesting and unique ways/ideas to understand information and turn it into intelligence. I hope this handbook and the strategies contained within enable you to work more effectively and provide your business or your client with valuable, actionable intelligence!
“Discipline is the bridge between goals and accomplishment.” Grotez