Berto Jongman: Cyber Counterintellingence – From Theory to Practice

Advanced Cyber/IO
Berto Jongman
Berto Jongman

Cyber Counterintelligence: From Theory to Practice

Tripwire.com, 5 May 2014

In the previous article, Cyber Intelligence Collection Operations, the types of collection and the types of data that could be obtained were discussed. At the end of the discussion I pointed out that analysts must be critical of the data they evaluate as at any time it could be compromised.

Specifically, adversary actors could employ counterintelligence or deception type techniques to push analysts to draw wrong conclusions or discount the data entirely. In this article we will cover this topic of Cyber Counterintelligence (CCI) and discuss its two main branches: Offensive CCI and Defensive CCI.

Counterintelligence is as old of a tradecraft as intelligence operations. The concept is simple: provide protection against foreign intelligence operations. The goal with counterintelligence is to prevent, deter, defeat, or manipulate the adversary from conducting intelligence operations on you, those you protect, or your organization to include its operations.

With the unique aspects of cyberspace though, we have to draw some contrasts between traditional counterintelligence and cyber counterintelligence. Many compromises and data loss scenarios are intrusions and espionage attempts for the purpose of some type of economic or political gain even if not orchestrated by a foreign government.

If we limited CCI to only focus on intrusions by adversary foreign governments or intelligence services many of the scenarios would be overlooked. However, we cannot simply apply all defensive actions meant to prevent intrusions into the field of CCI. If we labeled CCI as all efforts related to stopping intrusions then CCI would become an overused term and the skillset would not be restricted in a useful way; an overused term and tradecraft quickly loses benefit to an organization.

Therefore, CCI could best be described as the tradecraft and actions employed to identify and protect against an adversary’s cyber intelligence collection operations. There is a focus here not only on the intrusion but the intent of the intrusion and tradecraft used.

Read full article.