A thread on bad analysis. When #ThreatIntel analysts want to show off their Foreign Policy and Economist subscription status after reading the Russian foreign policy Wikipedia page /n #threatintelligence #cybersecurity #infosec Image
Most analysts who are "doing attribution" aren't doing good cyber threat intelligence, they're doing poor foreign policy analysis
They neither have neither the data nor the expertise to make even a moderately confident statement on attribution
Even if you were a "Russian analyst" 5 years ago doesn't mean you know anything about current foreign policy objectives and internal motivations of such a massive body politic
Coming from someone who, in my past, was proud of the years I put into rock-solid cyber attribution cases through a variety of intelligence sources and ACH analysis across the community - I reel at the thought of naming a country as responsible and culpable w/o evidence
Yet, it's done with such flagrant disregard to ethics and standards it makes me sick. Words matter. Naming people and things matter. Know what you know and know what you don't know. Don't confuse those two with guesses and mirror imaging bias.
Answering a customer's intelligence requirement with bad analysis because you're afraid to say "I don't know" is irresponsible, unethical, and dangerous. If your words hit a major publication policy makers will read it and your wrong words will shape the world.
Russia does a lot of stupid and frankly, bad, shit. I'm using them as an example because it's so common...which is also a great example of Recency Bias - if analysts read more about APT28, they're more likely to link an activity to that group naturally regardless of ACH.
There is no requirement that an intel analysts must say anything and answer everything. In fact, our remit is INSTEAD that we only say what we know and mean what we say. Know what you know, know what you don't know, know the difference.
The private sector is not a national intelligence community. We don't share standards - in fact, most companies don't even have analytic standards documented. Few have peer-review of intelligence nor anyone ever questioning them. You can't treat everyone's intelligence as equal.
Just because someone publishes "it's the GRU!" doesn't mean you now get to label everything associated as the GRU. That's not how this works. If they didn't do good analysis, you're not doing good analysis. An inference on top of an inference is nothing but a dumpster fire.
Friends don't let friends do bad analysis. Please share this thread. Image

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Sergio Caltagirone

Sergio Caltagirone Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @cnoanalysis

Jun 10, 2020
False flag operations are very rare because they're risky and the blowback effects are bad. Interestingly, the risks increase the more "important" you are so the most powerful countries are less likely to conduct FF ops. /1 #infosec #cybersecurity #ThreatIntel
Traditional covert and clandestine operations are cheaper, less risky, and more likely to succeed than false flag ops. Importantly, not all attempts to redirect blame is a false flag but just considered standard covert ops. /2
False flags are also generally misunderstood and confused. For example, using Russian as an English speaker in malware is, by itself, not a false flag but rather just considered good covert practice. It doesn't attempt to place blame but just conceal the operators better. /3
Read 5 tweets
Apr 10, 2020
This is terrible. Let me tell you why. THREAD #privacy #infosec #cybersecurity #COVID19 theverge.com/2020/4/10/2121…
First, health data has ALWAYS been considered protected and sensitive. Hence, the privacy requirements and oaths physicians abide by - courts have LONG recognized this privacy.
Here, we're going to have health data records tied to a person tied to a phone tied to a location. It's literally a real-time walking health report.
Read 17 tweets
Mar 30, 2020
Yesterday made ciabatta for the first time. The bottom was slightly overcooked but flavor and texture was great. /thread Image
First, the “biga.” fermented the yeast, flour, and water for 24 hours to get a strong flavor. Image
Add more flour and yeast, let it rise another 3 hours. Image
Read 5 tweets
Dec 15, 2019
THREAD Tonight, some live tweeting making dinner. This evening comes from a little further afield from last time. No spoilers as to what it is until the end. Guesses are welcome 😃 #Cooking #Cuisine
First, a load of Pecorino Romano cheese in a bowl. Image
Roast a lot of tellicherry peppercorns Image
Read 13 tweets
Nov 25, 2019
"My kingdom is not of this world. If my kingdom were of this world, my servants would have been fighting, that I might not be delivered over to the Jews. But now (or 'as it is') my kingdom is not from the world" (John 18:36) #theocracy #chosenone cnn.com/2019/11/25/pol… Image
This line of thinking make the problem of evil sooo much worse. If Rick Perry believes this, then he must believe God ordained Hitler and the Holocaust too.
Jesus made it clear that civil government and God's kingdom were not related. "Render unto Caesar the things that are Caesar's, and unto God the things that are God's" (Matthew 22:21)
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!