Brainstorming the Possibilities… Intelligence Analytics in the Age of Cyber: & 22 October 2015 Alabama Community College System Insider Threat Social Media

Upload: randall-green

Post on 13-Dec-2015


TRANSCRIPT

Brainstorming the Possibilities…Intelligence Analytics in the Age of Cyber:

&22 October 2015

Alabama Community College System

Insider Threat Social Media

What to Expect Today and Tomorrow?

• This may be unlike any presentation you have seen.
• Each idea and proposition is carefully designed to build on the others and progressively reinforce the learning process through collaborative dialogue.
• Audience engagements are designed to allow you to apply the ideas and analytical model components introduced in each presentation.
• Active engagement and participation are essential!
• What each of us gleans from our time together today will be directly proportional to what each of us invests in one another!

35L Counterintelligence Special Agent

UNCLASSIFIED//FOUO

John Whitson, IBM Global Technology Services. University of Alabama CyberSecurity Roundtable, 2 May 2013

Cloud and virtualization

1 billion mobile workers

Innovative technology changes everything

1 trillion connected objects

Social business

Bring your own IT

Innovation, more leading indicator than lagging…?

What do we want to examine closely today?

or…?

FBI’s Traditional Threat Levels

Level 1

• Lone or small group actors
• Common tools, techniques
• Unsophisticated without significant support

Level 2

• Individuals or small groups supported by commercial entities, criminal syndicates, or other transnational groups such as terrorist networks
• Common tools used in a sophisticated manner
• Activities include espionage, data collection, network mapping/recon, and data theft

Level 3

• Individuals or small groups supported by state-sponsored institutions (military or civilian)
• Significant resources and sophisticated tools
• Activities include espionage, data collection, network mapping/recon, and data theft

Level 4

• State-sponsored offensive IO, especially CNA
• State-of-the-art tools and covert techniques
• Activities conducted in coordination with military operations

So where does SM fit in…?

The FBI’s Cybersecurity Mission

To protect the United States against:

• Terrorist attack
• Foreign intelligence operations and espionage
• Cyber-based attacks and high technology crimes

As the only U.S. agency with the authority to investigate both criminal and national security cybersecurity threats, the FBI is following a number of emerging trends...

UNCLASSIFIED

So where does SM fit in…?

SM Like Bank Robbery and Fraud, Somewhat…

The Threat Mosaic and Metrics

Compared to Insider Threat, who are the players?

So just those three? Seems simple enough…

Social Media Cast of Characters…

Research Goals and Objectives

The proposed goals of the study are:

(1) perform a detailed empirical analysis of terrorist movement and individual differences in Internet use, type, and frequency pertaining to the pre-incident planning processes; and

(2) reexamine the existing ATS data as well as collect new data to offer support and operationalization for variables necessary to develop testable hypotheses that examine types of technology used, for what purposes they are used, and which technologies and/or strategies have the greatest potential “impact” on the radicalization process.

Specific objectives are identified to accomplish these goals and include the following:

a. Evaluation of Existing Data Points: Extract and code Internet, social media, and other online communication technology use variables from over 3,000 pre-incident events associated with far-right, environmental, AQAM domestic terrorism incidents currently stored in the ATS database.

b. Re-Examination of Raw Data: In order to extend our preliminary analyses, we also propose to systematically re-examine existing raw data sources, including court records, open-source data, and media files linked to over 150 federal terrorism cases from 1995-2012, paying particular attention to types of technology used.

c. Conduct Comparative Analyses: Conduct comparative analyses based on demographic, spatial, and temporal data related to terrorists’ pre-incident behaviors across terrorist movements, lone actors and group-based terrorists, and users and non-users of ICTs.

d. Focused Case Studies: We propose to collect new data from a range of social media sites (YouTube, Facebook, MySpace, etc.) between 2008-2014 that are identified in court record documents and other open source materials as being used by specific indicted domestic terrorists. The intent is to collect new data on specific individuals indicted at the federal level for which usage timelines can be constructed detailing the role social media and other ICTs play in the radicalization process.

e. Creation of Visual Tools for Law Enforcement: We plan to create flowcharts and timelines demonstrating temporal patterns of Internet use relative to pre-incident activities and associated incidents. This objective is designed to assist federal, state, and local law enforcement with early interdiction, more completely understand the process of personal evolution from radical to extremist, and help identify key markers in the timeline where behavior shifts, networks are expanded, and/or important visits (face-to-face) are made to other radicals both inside and outside the United States.

f. Procedural and Evidentiary Guidelines for Law Enforcement, Prosecutors and Judges: Finally, building upon a.-f. above we will develop case of first impression guidelines for securing search, arrest and electronic surveillance warrants. This will include examination of relevant case law to glean the evolving new evidentiary requirements for expert witness sponsorship of pre-cursor evidence and inchoate crime (e.g., in anticipation of attempt and conspiracy indictments and prosecution) proof metrics necessary for admissibility in accordance with the Federal Rules of Evidence (FRE), as well as those states adopting a form of the FRE, and more particularly Daubert, et seq., throughout the following ten step graduated process of unhinging from nominal to extremist and ultimately radicalized behavior manifestations:

1. Increasing cyber awareness and savviness;
2. Expression of power dominance in the cyber context; e.g., cyber bullying behaviors;
3. Withdrawal from traditional social support moorings, such as sports, family, church, social groups, etc.;
4. Adolescently uncharacteristic risky behaviors;
5. Adult activity role-playing and modeling experimentation; e.g., smoking, shoplifting, driving recklessly;
6. Reward center activity motivations ever increasing in sway over routine functions;
7. Hypersensitivity to immediate / short term reward attractive activities;
8. Ever-increasing risky and thrill seeking behaviors;
9. Surrounds oneself with others similarly self-justified, looking for outlet of expression of pent-up belief structures; and
10. Self-actualization of 1-9 with radical uncharacteristic behaviors in group settings first and then graduating to individual competitions to out-do one another.

Demonstrative IC Analytic Tool for Threat & Consequence Mitigation


Copies available on back table.

Assessing The Value Added by Harnessing The Power of Social Media?

An Evolving New Paradigm for Attention:

You can buy attention (advertising);

You can beg for attention from the media (PR);

You can bug people one at a time to get attention (sales); or…

Or you can earn attention by creating something interesting and valuable and then publishing it online for free.

www.melkettle.com.au | @melkettle | Thursday, 27 October 2011

Monitor Everything

Consume Threat Intelligence

Integrate Across Domains

SM on the Battlefield?

Bin Laden raid was revealed on Twitter

Sohaib Athar said he was one of the few people using Twitter in Abbottab

The raid that killed Osama Bin Laden was revealed first on Twitter.

An IT consultant, living in Abbottabad, unknowingly tweeted details of the US-led operation as it happened.

Sohaib Athar wrote that a helicopter was hovering overhead shortly before the assault began and said that it might not be a Pakistani aircraft.

He only became aware of the significance of his tweets after President Obama announced details of Bin Laden's death.

Mr Athar's first posting on the subject came at around 1am local time (9pm BST).

He wrote: "Helicopter hovering above Abbottabad at 1AM (is a rare event)."

http://youtu.be/G4unoHBkYNI

The Facebook Suite – Center Headquarters

John W. Grimes, JD
Director of Intelligence Analytics & Assistant Professor
Department of Justice Sciences & Center for Information Assurance and Joint Forensics Research**

** National Security Agency & Department of Homeland Security credentialed National Center of Academic Excellence in Information Assurance Research (CAE-R)

210 University Boulevard Office Building
1201 University Boulevard
Birmingham, AL 35294
205.934.8509 (campus)
205.329.9112 (bb)

And after 1 March 2015:

John W. Grimes, JD
Cyber Kinetic Weaponry
PO Box 550146
Birmingham, AL 35255
(256) 458-1323 (CONUS)
(202) 491-6166 (OCONUS)
