A quick thread on intelligence analysis in the context of cyber threat intelligence. I see a number of CTI analysts get into near analysis paralysis phases from overthinking their assessments or obsessing about whether they might be wrong. (1/x)
Consider this scenario. A CTI analyst identifies new intrusions and, based on the collection available and their expertise, notes that the victims are all banks. Their consumer wants to know when threats specifically target banks (not just that banks are victims).
The CTI analyst has, from their collection, at this time, and based on their expertise, enough to make an activity group (leveraging the Diamond Model in this example) that meets the requirement of their consumer. So what's the problem?
The CTI analyst begins to overthink it. "What if I had more collection? Would my analysis change? I really don't *know* they aren't also targeting mining companies in Australia as I don't have collection there."
The analyst knows their analysis is going to be shared. Maybe even public. "What if another team or professional intelligence firm has more collection and ends up noting that it isn't banking specific at all. Banks are victims, not targets. Will my consumer distrust me later?"
It's a scenario I see often. I see many of my #FOR578 students run into scenarios like this. "What if I say something about ICS, what will Dragos say. What if I say something about this APT, what will FireEye say. What if I say something about $X, what will CrowdStrike say."
All of our assessments are made using our expertise at a point in time with the available collection. One of the values of estimative language is explicitly accounting for the gaps. If you have significant collection gaps, bake that into the assessment: e.g. Low Confidence.
Too many analysts and consumers look for facts. Intelligence is analysis. It's allowed to evolve and change as collection, time, or other considerations change. We're advising consumers to help them make better choices. Not to know the unknowable.
I would advise that analyst to make the group. Sure they can always try to coordinate with others, share, see if other groups/teams see what they see or can expose collection gaps, etc. But that's not always necessary or possible.
One of my favorite articles is the Fifteen Axioms of Intelligence Analysts by Frank Watanabe. It's been in my CTI class for years now as the last slide of the course: apps.dtic.mil/dtic/tr/fullte…
He doesn't start off with anything about being wrong. Or making mistakes. He starts off with "Believe in your own professional judgements." The #2 is "Be aggressive, and do not fear being wrong." It's not until #3 we hear "It is better to be mistaken than to be wrong."
Build confidence with yourself. Then build trust with your consumer. That you are going to deliver the best judgement based on the insights you have at that time. And that if it changes, you'll let them know and admit it. That's really hard to do - but it's vital.
Don't sit on your intelligence and not disseminate it, or overthink it to the point of not finishing your work, if it can be valuable to your consumer. It's always a point in time and based on what you know at that time. You'll never have enough to feel comfortable.
The balance is in not blasting your consumer with thinly supported guesses though. Go through your processes. Use your team. "Aggressively pursue collection of information you need." But then make the call. If it was easy it wouldn't be intelligence.
