Insider Threat & Social Media

Brainstorming the Possibilities…
Intelligence Analytics in the Age of Cyber:
Insider Threat & Social Media
22 October 2015
Alabama Community College System
What to Expect Today and Tomorrow?
• This may be unlike any presentation you have seen.
• Each idea and proposition is carefully designed to build
on the others and progressively reinforce the learning
process through collaborative dialogue.
• Audience engagements are designed to allow you to apply
the ideas and analytical model components introduced in
each presentation.
• Active engagement and participation are essential!
• What each of us gleans from our time together today will
be directly proportional to what each of us invests in one
another!
Innovation, more leading indicator than lagging…?
Innovative technology changes everything
• 1 trillion connected objects
• 1 billion mobile workers
• Social business
• Bring your own IT
• Cloud and virtualization
John Whitson, IBM Global Technology Services. University of Alabama CyberSecurity Roundtable, 2 May 2013
What do we want to examine closely today?
or…?
FBI’s Traditional Threat Levels
Level 1
• Lone or small group actors
• Common tools, techniques
• Unsophisticated without significant support
Level 2
• Individuals or small groups supported by commercial entities, criminal syndicates,
or other transnational groups such as terrorist networks
• Common tools used in a sophisticated manner
• Activities include espionage, data collection, network mapping/recon, and data
theft
Level 3
• Individuals or small groups supported by state-sponsored institutions (military or
civilian)
• Significant resources and sophisticated tools
• Activities include espionage, data collection, network mapping/recon, and data theft
Level 4
• State-sponsored offensive IO, especially CNA
• State-of-the-art tools and covert techniques
• Activities conducted in coordination with military operations
So where does SM fit in…?
UNCLASSIFIED
The FBI’s Cybersecurity Mission
To protect the United States against:
• Terrorist attack
• Foreign intelligence operations and espionage
• Cyber-based attacks and high technology crimes
As the only U.S. agency with the authority to
investigate both criminal and national security
cybersecurity threats, the FBI is following a
number of emerging trends...
So where does SM fit in…?
SM Like Bank Robbery and Fraud, Somewhat…
The Threat Mosaic and Metrics
Compared to Insider Threat, who are the players?
So just those three? Seems simple enough…
Social Media Cast of Characters…
Research Goals and Objectives
The proposed goals of the study are:
(1) perform a detailed empirical analysis of terrorist movement and individual differences in Internet use,
type, and frequency pertaining to the pre-incident planning processes; and
(2) reexamine the existing ATS data as well as collect new data to offer support and operationalization for
variables necessary to develop testable hypotheses that examine types of technology used, for what
purposes they are used, and which technologies and/or strategies have the greatest potential “impact”
on the radicalization process. Specific objectives are identified to accomplish these goals and include
the following:
a. Evaluation of Existing Data Points: Extract and code Internet, social media, and other
online communication technology use variables from over 3,000 pre-incident events associated with far-right, environmental, AQAM domestic terrorism incidents currently stored in the ATS database.
b. Re-Examination on Raw Data: In order to extend our preliminary analyses, we also
propose to systematically re-examine existing raw data sources, including court records, open-source data,
and media files linked to over 150 federal terrorism cases from 1995-2012, paying particular
attention to types of technology used.
c. Conduct Comparative Analyses: Conduct comparative analyses based on demographic,
spatial, and temporal data related to terrorists’ pre-incident behaviors across terrorist movements, lone
actors and group-based terrorists, and users and non-users of ICTs.
d. Focused Case Studies: We propose to collect new data from a range of social media
sites (YouTube, Facebook, MySpace, etc.) between 2008-2014 that are identified in court record
documents and other open source materials as being used by specific indicted domestic terrorists. The
intent is to collect new data on specific individuals indicted at the federal level for which usage timelines can
be constructed detailing the role social media and other ICTs play in the radicalization process.
e. Creation of Visual Tools For Law Enforcement: We plan to create flowcharts and
timelines demonstrating temporal patterns of Internet use relative to pre-incident activities and associated
incidents. This objective is designed to assist federal, state, and local law enforcement with early
interdiction, more completely understand the process of personal evolution from radical to extremist, and
help identify key markers in the timeline where behavior shifts, networks are expanded, and/or important
visits (face-to-face) are made to other radicals both inside and outside the United States.
f. Procedural and Evidentiary Guidelines for Law Enforcement, Prosecutors and
Judges: Finally, building upon a.-f. above we will develop case of first impression guidelines for securing
search, arrest and electronic surveillance warrants. This will include examination of relevant case law to
glean the evolving new evidentiary requirements for expert witness sponsorship of pre-cursor evidence
and inchoate crime (e.g., in anticipation of attempt and conspiracy indictments and prosecution) proof
metrics necessary for admissibility in accordance with the Federal Rules of Evidence (FRE), as well as
those states adopting a form of the FRE, and more particularly Daubert, et seq., throughout the following
ten step graduated process of unhinging from nominal to extremist and ultimately radicalized behavior
manifestations:
1. Increasing cyber awareness and savviness;
2. Expression of power dominance in the cyber context; e.g., cyber bullying behaviors;
3. Withdrawal from traditional social support moorings, such as sports, family, church, social groups, etc.
4. Adolescently uncharacteristic risky behaviors;
5. Adult activity role-playing and modeling experimentation; e.g., smoking, shoplifting, driving recklessly;
6. Reward center activity motivations ever increasing in sway over routine functions;
7. Hypersensitivity to immediate / short term reward attractive activities;
8. Ever-increasing risky and thrill seeking behaviors;
9. Surrounds oneself with others similarly self-justified, looking for outlet of expression of pent-up belief
structures; and
10. Self-actualization of 1-9 with radical uncharacteristic behaviors in group settings first and then
graduating to individual competitions to out-do one another.
Demonstrative IC Analytic Tool for
Threat & Consequence Mitigation
Copies available on back table.
Assessing The Value Added by Harnessing
The Power of Social Media?
An Evolving New Paradigm for Attention:
You can buy attention (advertising);
You can beg for attention from the media (PR);
You can bug people one at a time to get attention (sales); or…
Or you can earn attention by creating something interesting and
valuable and then publishing it online for free.
www.melkettle.com.au, @melkettle, Thursday, 27 October 2011
Monitor Everything
Consume Threat Intelligence
Integrate Across Domains
SM on the Battlefield?
Bin Laden raid was revealed on Twitter
http://youtu.be/G4unoHBkYNI
Sohaib Athar said he was one of the few people using Twitter in Abbottab
The raid that killed Osama Bin Laden was revealed first on Twitter.
An IT consultant, living in Abbottabad, unknowingly tweeted details of the US-led
operation as it happened.
Sohaib Athar wrote that a helicopter was hovering overhead shortly before the
assault began and said that it might not be a Pakistani aircraft.
He only became aware of the significance of his tweets after President Obama
announced details of Bin Laden's death.
Mr Athar's first posting on the subject came at around 1am local time (9pm BST).
He wrote: "Helicopter hovering above Abbottabad at 1AM (is a rare event)."
The Facebook Suite – Center Headquarters
John W. Grimes, JD
Director of Intelligence Analytics & Assistant Professor
Department of Justice Sciences &
Center for Information Assurance and
Joint Forensics Research*
* National Security Agency & Department of Homeland Security
credentialed National Center of Academic Excellence in Information
Assurance Research (CAE-R)
210 University Boulevard Office Building
1201 University Boulevard
Birmingham, AL 35294
205.934.8509 (campus)
205.329.9112 (bb)
And after 1 March 2015:
John W. Grimes, JD
Cyber Kinetic Weaponry
PO Box 550146
Birmingham, AL 35255
(256) 458-1323 (CONUS)
(202) 491-6166 (OCONUS)
cyber.kinetic.weaponry@gmail.com