Treadstone 71 Selected to Deliver at the RSA Conference 2018 San Francisco

Foundations for a Strong Intelligence Program
April 18, 9AM-11AM RSA Conference
This Lab will explore key aspects of building a strong and long-lasting cyberthreat intelligence program. We’ll review methods of threat intelligence platform selection and bake-off techniques as well as cover stakeholder analysis and priority intelligence requirements. Additionally, we’ll practice collection planning and mission management as well as how to establish effective reporting and dissemination capabilities.

Cyber CounterIntelligence – Deception, Distortion, Dishonesty
April 18, 1:45PM-2:30PM RSA Conference
Deception, distortion, and dishonesty are core to social media postings. Our adversaries use these methods to concoct stories that create illusions meant to leave us divided. The talk will cover methods of countering their messaging while applying these tactics to protect your own organization and brand. Moving from intelligence to counterintelligence is the natural next step in our evolution.

Drone Wars! Threats, Vulnerabilities and Hostile Use

[Slide images: Drone WARS presentation, Cyber Event 100417, slides Rev17A_CMC RKN_201701002, pages 01-55; images not reproduced here]

Intelligence for the C-Suite and Stakeholders

This is a one-day course designed to educate corporate leadership and stakeholders in cyber and threat intelligence. There is a general awareness of the need to establish intelligence functions, yet many organizations do not have a fundamental understanding of what intelligence is, where the function should reside, or how it differs from business and competitive intelligence, including where those disciplines overlap and naturally integrate. This one-day course targets corporate leadership, delivering clear and coherent training that equips stakeholders with the understanding and tools they need to help build a successful intelligence program.

Registration Information – Dates and Times TBD

Course High-Level Outline

  • Using Strategic Intelligence
  • Organization and Focus of the Class
  • Background on Strategic Intelligence and Analysis
  • Approaches and Processes
  • Strategic Plan development, acceptance, and dissemination
    • Mission
    • Vision
    • Guiding Principles
    • Roles and Responsibilities
    • Threat Intelligence Perspective
    • Business Intelligence Perspective
    • Competitive Intelligence Perspective
    • Intelligence Strategic Challenges
    • Goals and Initiatives
    • Next Steps
    • Roadmap
  • Stakeholder checklist and stakeholder management groups with strategic and tactical activities definition for intelligence, description of needs and products. This will include:
  • The Future Use of Strategic Intelligence
  • Intelligence: Role, Definitions, and Concepts
  • Basic Concepts Concerning Intelligence
  • The Strategic Intelligence Process – Operations to Tactics
  • The Role of Strategic Intelligence and Its Impact on Stakeholders
    • Operational, Technical, Tactical
  • Why Stakeholders and Executives Need Strategic Analysis:
  • Strategic Analysis Leading to Strategic Decisions
  • Implementing Intelligence Programs
    • The Treadstone 71 Method (Experience with several program builds globally)
  • Challenges for Stakeholders to Accept Intelligence
  • Stakeholder Views: Impact on Intelligence
  • Intelligence as Catalyst for Stakeholders
  • Integrating Analytical Support and the Stakeholder Thought Process
  • Stakeholders and Self-Directed Strategic Processes, Procedures, Methods
  • The Role of Intelligence Management
  • Issues, Tactics, Techniques, Methods, and Principles
  • Managing Intelligence Projects
  • Providing Focused Leadership
    • Leading the Team
    • Understanding Issues and the Process
    • Analysis Overview
    • Collection Management
    • Production Management
      • Evaluation
      • Analysis
      • Integration
      • Interpretation
    • Types of Analysis
      • 14 Types of Analysis
    • Analytic Writing
      • ICD 203, 206, 208
      • Organization, Evidence, Argument, Sources, Pitfalls
      • Use the Title
      • Who/What, Why Now, So What, Impact so far, Outlook, Implications
      • BLUF and AIMS
      • Supervisory Actions
      • Summary Paragraphs
      • Alternative Analysis
      • Clarity and Brevity
      • Peer review
      • Reports and Reporting
        • Feedback
    • Pre-Mortem
    • Post-Mortem
    • Know your professor, get an A – Communicating Up
      • Relevance, Timeliness, Completeness, Accuracy, Usability
    • Briefing Rules
  • Intelligence Analysts and Self-Management
    • High-Level Tasks
  • Analyst Activities
    • Rules for developing analysts – Alignment and as collectors
    • The Role, Responsibilities, and Functions of the Analyst
    • The Analyst’s Roles and Responsibilities – RACI(s)
    • What the Analyst will face
    • Job Descriptions
  • Conclusion
    • The Executive / Stakeholder’s Roadmap
Corporate stakeholders risk investing large amounts of time and money with little positive effect on their security, corporate strategies, and business direction. C-Suite members and stakeholders who participate in this course gain an understanding of the discipline required to build a successful program. The course helps align information security, incident response, security operations, and threat and cyber intelligence with the business.

2017 Training Courses – Treadstone 71

2017 Training Dates

Main Page to Treadstone 71 Training – 2017

(or on demand including in-house or by location)

Treadstone 71 is working with FS-ISAC for training in London, Singapore, Malaysia, and Australia.

FS-ISAC Sponsored Courses:

  • Cyber Intelligence Tradecraft Training – 3-7 April | Reston, VA
  • Cyber Intelligence Tradecraft Training – 8-12 May | London
  • Cyber Intelligence Tradecraft Training – 19-23 June | Reston, VA
  • Cyber Intelligence Tradecraft Training – 21-25 August | Reston, VA

Full Suite of Cyber-Threat Intelligence and Counterintelligence Courses Ready for Global Delivery

Treadstone 71 today announced a full suite of Cyber and Threat Intelligence and CounterIntelligence training courses. The courses drive the expansion of Treadstone 71’s accelerated, academically validated, intelligence training to global markets. Treadstone 71 delivers courses in California, Virginia, Canada, the United Kingdom, and the Netherlands and is set to expand to the Middle East and Asia later this year.

Treadstone 71 offers a compelling business model that delivers rapid cyber and threat intelligence strategic planning, program build, and targeted training in sectors such as financial services, government, healthcare, energy, and other critical infrastructure verticals. Treadstone 71’s format, curriculum, and instruction model are helping meet critical global demand for cyber and threat intelligence and analysis expertise. Treadstone 71 training provides graduates with an attractive pathway to compensation increases, career progression, and much-needed attention to intelligence. The organization has been teaching cyber intelligence at the Master’s level and commercially for seven years. New courses include a focus on campaign management and the use of Tor, Tails, I2P, and Maltego, as well as persona development and management. Students create a series of identities, covering character development and dimensions, storyline, plot synopsis, story drive and limit, story weaving, applicability, scope, tools to be used, methods of interaction with other identities, engaging secondary characters, and refining targeting while developing a campaign to gain street credentials.

“Our courses provide academic instruction combined with real-world, hands-on collection, analysis, analytic writing, dissemination, and briefings that many liken to an apprenticeship,” said Jeff Bardin, Chief Intelligence Officer for Treadstone 71. “Our curriculum follows the teachings of Sherman Kent and Richards Heuer giving students the tools necessary to perform targeted collection, structured analysis while authoring reports modeled after intelligence community standards. We teach methods of cyber infiltration, information and influence operations, counterintelligence strategies, mission based counterintelligence, denial and deception, and counter-denial and deception.”

Treadstone 71 courses are validated and proven by intelligence professionals, creating job-ready threat intelligence professionals for global organizations suffering a talent shortage. “Intelligence analysis is an inherently intellectual activity that requires knowledge, judgment, and a degree of intuition,” continued Bardin. “Treadstone 71’s intelligence, counterintelligence, and clandestine cyber HUMINT training and services help organizations transform information into intelligence pertinent to their organization.”

Analysis includes integrating, evaluating, and analyzing all available data — which is often fragmented and even contradictory — and preparing intelligence products. Despite all the attention focused on the operational (collection) side of intelligence, analysis is the core of the process that informs corporate stakeholders. Analysis is more than just describing what is happening and why; it identifies a range of opportunities… Intelligence analysis is the key to making sense of the data and finding opportunities to take action. Analysis expands beyond today’s technical focus, providing organizations with core capabilities for business, competitive, cyber, and threat intelligence.

Treadstone 71’s Cyber Intelligence Tradecraft Certification is the gold standard in the industry today derived from both academia and from Treadstone 71’s experience in building cyber intelligence programs at Fortune 500 organizations worldwide.

Treadstone 71

888.714.0071 – osint@treadstone71.com

We Are in a State of Cyber Cold War?

Wisdom begins with the definition of terms – Socrates

Many believe that we are not in some sort of state of cyber warfare. Many believe that it is only influence operations. These are the same people who are selling you security technologies and services to protect your environment. They believe calling our current state cyber war is hype. The fact that they believe this is demonstrated by their technologies, which have doubled and tripled down on solutions that do not work: solutions based solely on see, detect, and arrest, a paradigm proven over the past 20 years to be a paradigm of failure. The game of many a vendor (not all) is to generate revenue off your fear, a fear that can be remedied if we fix information security by first starting to fix information technology (see Cyber Security Predictions – Not Reality TV – Just Daytime Entertainment). One of the problems we have is the lack of a standard taxonomy and glossary. Most do not have an understanding of the basics of intelligence and war. Most feel the need to apply physical characteristics to cyber actions in order for those actions to be taken as some sort of warfare. This is a major misnomer. My request here is for you to read the limited glossary items below. Once you have read these items, think of where we are today with respect to cyber security. If, after reading and applying critical thinking to the terms and our current state of cyber security, you do not believe we are in a state of cyber cold war, then provide some well thought out comments as to what state we are in fact in.

Information Operations (IO). The integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception, and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt or usurp adversarial human and automated decision making while protecting our own. (JP 1-02)

This includes five core capabilities incorporated into IO:

  1. Electronic warfare is any action involving the use of the electromagnetic spectrum or directed energy to control the spectrum, attack an enemy, or impede enemy assaults via the spectrum.
  2. Computer Network Operations (CNO)
    1. Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations (JP 1-02)
  3. Psychological operations
    1. Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals. The purpose of psychological operations is to induce or reinforce foreign attitudes and behavior favorable to the originator’s objectives. (JP 1-02 and JP 3-13.2)
  4. Military Deception
    1. Actions executed to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission. (JP 1-02)
    2. According to JP 3-13.4, Counterintelligence provides the following for MILDEC planners:
      1. Identification and analysis of adversary intelligence systems to determine the best deception conduits;
      2. Establishment and control of deception conduits within the adversary intelligence system, also known as offensive CI operations;
      3. Participation in counterdeception operations;
      4. Identification and analysis of the adversary’s intelligence system and its susceptibility to deception and surprise; and
      5. Feedback regarding adversary intelligence system responses to deception operations.
  5. Operations Security

OPSEC is a five-step iterative process that assists an organization in identifying specific pieces of information requiring protection and employing measures to protect them.

  1. Identification of Critical Information: Critical information is information about friendly intentions, capabilities, and activities that allows an adversary to plan effectively to disrupt those operations. U.S. Army Regulation 530-1 has redefined Critical Information into four broad categories, using the acronym CALI: Capabilities, Activities, Limitations (including vulnerabilities), and Intentions. This step results in the creation of a Critical Information List (CIL), which allows the organization to focus resources on vital information rather than attempting to protect all classified or sensitive unclassified information. Critical information may include, but is not limited to, military deployment schedules, internal organizational information, details of security measures, etc.
  2. Analysis of Threats: A Threat comes from an adversary – any individual or group that may attempt to disrupt or compromise a friendly activity. Threat is further divided into adversaries with intent and capability. The greater the combined intent and capability of the adversary, the greater the threat. This step uses multiple sources, such as intelligence activities, law enforcement, and open source information to identify likely adversaries to a planned operation and prioritize their degree of threat.
  3. Analysis of Vulnerabilities: Examining each aspect of the planned operation to identify OPSEC indicators that could reveal critical information and then comparing those indicators with the adversary’s intelligence collection capabilities identified in the previous action. Threat can be thought of as the strength of the adversaries, while vulnerability can be thought of as the weakness of friendly organizations.
  4. Assessment of Risk: First, planners analyze the vulnerabilities identified in the previous action and identify possible OPSEC measures for each vulnerability. Second, specific OPSEC measures are selected for execution based upon a risk assessment done by the commander and staff. Risk is calculated based on the probability of Critical Information release and the impact if such a release occurs. Probability is further subdivided into the level of threat and the level of vulnerability. The core premise of the subdivision is that the probability of compromise is greatest when the threat is very capable and dedicated while friendly organizations are simultaneously exposed.
  5. Application of Appropriate OPSEC Measures: The command implements the OPSEC measures selected in the assessment of risk action or, in the case of planned future operations and activities, includes the measures in specific OPSEC plans. Countermeasures must be continually monitored to ensure that they continue to protect current information against relevant threats. U.S. Army Regulation 530-1 refers to “Measures” as the overarching term, with categories of “Action Control” (controlling one’s own actions), “Countermeasures” (countering adversary intelligence collection), and “Counteranalysis” (creating difficulty for adversary analysts seeking to predict friendly intent) as tools to help an OPSEC professional protect Critical Information.
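The following Python script is an added worked example, not Treadstone 71 code and not taken from AR 530-1, that turns steps 2 through 4 of the five-step process above into a small risk calculation: threat is modelled as adversary intent times capability, vulnerability as how observable an indicator is through a channel the adversary actually collects on, probability as threat times vulnerability, and risk as probability times the impact of the Critical Information the indicator reveals. The 1-5 scales, the multiplicative model, the threshold for applying measures, and the sample CIL, adversaries and indicators are all assumptions constructed for the illustration.

```python
"""OPSEC risk assessment worked example (added illustration, not Treadstone 71 code).

Steps 2-4 of the OPSEC process: threat = intent x capability, vulnerability =
exposure of an indicator to a channel the adversary collects on, probability =
threat x vulnerability, risk = probability x impact.  Scales are assumed 1..5.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class CriticalInfo:
    item: str
    category: str   # CALI: Capabilities, Activities, Limitations, Intentions
    impact: int     # 1 (negligible) .. 5 (mission failure) if compromised


@dataclass(frozen=True)
class Adversary:
    name: str
    intent: int                  # 1..5
    capability: int              # 1..5
    collection: FrozenSet[str]   # collection channels the adversary can exploit

    @property
    def threat(self) -> int:
        # Step 2: threat grows with combined intent and capability (max 25).
        return self.intent * self.capability


@dataclass(frozen=True)
class Indicator:
    description: str
    reveals: str                 # key into the CIL
    exposed_via: FrozenSet[str]  # channels through which the indicator is observable
    exposure: int                # 1..5 how readily it is observed on those channels


def vulnerability(ind: Indicator, adv: Adversary) -> int:
    """Step 3: an indicator is a vulnerability against a given adversary only if it
    is observable through a channel that adversary collects on; otherwise 0."""
    return ind.exposure if ind.exposed_via & adv.collection else 0


def risk_score(ind: Indicator, adv: Adversary, cil: Dict[str, CriticalInfo]) -> int:
    """Step 4: risk = probability x impact, probability = threat x vulnerability.
    Maximum possible score is 25 * 5 * 5 = 625."""
    return adv.threat * vulnerability(ind, adv) * cil[ind.reveals].impact


def assess(cil, indicators, adversaries) -> List[dict]:
    """Score every indicator against every adversary, highest risk first."""
    rows = [{"indicator": ind.description, "adversary": adv.name,
             "critical_info": ind.reveals, "risk": risk_score(ind, adv, cil)}
            for ind in indicators for adv in adversaries]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def prioritize_measures(assessment: List[dict], threshold: int) -> List[str]:
    """Second half of step 4: indicators whose worst-case risk meets the threshold
    get OPSEC measures (action control, countermeasures, counteranalysis),
    ordered so scarce resources go to the highest-risk indicators first."""
    worst: Dict[str, int] = {}
    for row in assessment:
        worst[row["indicator"]] = max(worst.get(row["indicator"], 0), row["risk"])
    ranked = sorted(worst.items(), key=lambda kv: kv[1], reverse=True)
    return [ind for ind, risk in ranked if risk >= threshold]


# Constructed sample data (step 1 output: a small CIL) plus adversaries and indicators.
CIL = {
    "deployment_schedule": CriticalInfo("deployment_schedule", "A", impact=5),
    "patch_cycle": CriticalInfo("patch_cycle", "L", impact=4),
    "vendor_list": CriticalInfo("vendor_list", "C", impact=2),
}
ADVERSARIES = [
    Adversary("state-sponsored", intent=4, capability=5,
              collection=frozenset({"OSINT", "SIGINT", "HUMINT"})),   # threat 20
    Adversary("hacktivist", intent=5, capability=2,
              collection=frozenset({"OSINT"})),                       # threat 10
]
INDICATORS = [
    Indicator("staff social media posts about travel", "deployment_schedule",
              frozenset({"OSINT"}), exposure=4),
    Indicator("maintenance window announced on public status page", "patch_cycle",
              frozenset({"OSINT"}), exposure=3),
    Indicator("unencrypted vendor contract emails", "vendor_list",
              frozenset({"SIGINT"}), exposure=2),
]

if __name__ == "__main__":
    result = assess(CIL, INDICATORS, ADVERSARIES)
    for row in result:
        print(f"{row['risk']:4d}  {row['adversary']:16s} {row['indicator']}")
    print("Apply measures to:", prioritize_measures(result, threshold=200))
```

With this data the hacktivist scores zero against the vendor e-mail indicator because it has no SIGINT collection, which is the point of comparing indicators against each adversary's collection capability in step 3 rather than treating every exposure as a vulnerability; the two OSINT-exposed indicators clear the (assumed) threshold of 200 and are the ones that receive measures.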

Offensive Cyber Operations. Programs and activities that, through the use of cyberspace, 1) actively gather information from computers, information systems, or networks, or 2) manipulate, disrupt, deny, degrade, or destroy targeted adversary computers, information systems, or networks. (NSPD-38)

Cold War – a state of political hostility between countries characterized by threats, propaganda, and other measures short of open warfare – a conflict or dispute between two groups that does not involve actual fighting.


Cyber War – the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes. Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation’s computers or information networks through, for example, computer viruses or denial-of-service attacks.

To repeat: think of where we are today with respect to cyber security. Apply critical thinking to the terms and our current state of cyber security. Assess our relationship with Russia. If you believe we are not in a state of cyber cold war with Russia, provide some well thought out comments as to what state we are in fact in. If we are not, then how would you define our current state?

Treadstone 71




The 12 Days of Cyber Christmas

…or What I want for Cyber Security and Intelligence Christmas 2016

  1. All CIOs must have served as a CISO for at least 4 years before being allowed to be a CIO.
  2. All CIOs must have a CISSP, CISM, and at least 2 technical information security certifications and have been thoroughly trained and qualified to be a CIO. No more cronyism.
  3. CISOs will never report to the CIO – conflict of interest and a recipe for … what we have now.
  4. If you are the administrator for a device, you secure that device (servers, routers, appliances, etc.). You are responsible and accountable – Secure what you own. Secure what you manage.
  5. CIOs and their leadership will be held liable for deploying vulnerable systems.
  6. All new products (IoT and beyond) must be certified secure before public release. No more figure it out as we go and bolt it on after we have consumers hooked.
  7. All root access / administrative rights for production, critical, supporting, etc., systems and devices are removed and granted only for approved changes and incidents.
  8. All written code and script must be written properly. There is no such thing as secure code, only code that works correctly and does not create vulnerabilities.
  9. All operating systems will be shipped closed and installed closed, with a risk rating for each port, protocol, and/or service. Each modification reduces the security posture of the operating system and produces a risk score, while the system automatically offers advice on how to remediate that score with other controls.
  10. New regulations to enforce security and privacy, demanding disclosure of breaches and fining companies and individuals for negligence, are put in place, at once.
  11. Vendors posting adversary IoCs, TTPs, and other methods that would normally be seen as ‘telling the enemy what we know’, i.e., sedition, will be fined for such activity.
  12. You will tell yourselves over and over again that contracting with Treadstone 71 to build your cyber intelligence strategy and program is the absolute right thing to do (repeat after me …).

Treadstone 71 2017 Intelligence Training Courses – Sign up now or inquire about how to have us come on site to deliver training.

Merry Cyber Christmas from Treadstone 71


Active Defense – Strike, CounterStrike, Mercenary or Vigilante?

The opponent lands combination after combination to the head, ribs, and kidneys. This barrage continues until the defender boxer is knocked out, dragged off the mat to hopefully fight another day. The fighter cannot continue. (Bardin, 2011)

This picture is much like our cyber defenses today. Culturally trained to block every punch, cyber defenses attempt to detect where the next punch will hit, standing toe-to-toe with an adversary that is much more devious, much more innovative and completely offensive in nature (Bardin, 2011). Corporate information security programs are designed to detect and defend. They are organized to prevent malware from penetrating corporate information systems. This foundation is not designed to perform intelligence collection, execute cyber espionage actions or organize cyber operations activities.


The United States Department of Defense (DOD) is only responsible for the .mil domain name environment. The Department of Homeland Security is charged with defending the .gov domain name environment. There is no defensive or offensive body defending corporate or civilian networks. Security operations centers (SOCs) are purely reactive in nature. Several organizations are trying to change this model but still cling to the see, detect, and arrest mentality upon which the SOC is built. Even the much vaunted ‘kill chain’ is built upon this model. The kill chain contains elements that may be considered to contain offensive methods, but it is truly not aggressive in nature or intended to represent an offensive model.

Therein lies the problem. One boxer stands against multiple opponents, all in the ring at the same time.

All cyber defenses today are just that – defensive. What we know drives how we deploy cyber defenses. Largely, this means that any nuance or change by the attacker goes unnoticed until the blood is already running from your infrastructure. Data is hemorrhaging before detection.

The see, detect and arrest methods of cyber security only serve as an after-the-fact solution. All too often, security leadership uses this method as a demonstration of heroism (Bardin, 2011). Like the fictional figure Rocky, security leadership believes it can take the body blows and headshots while eventually knocking out its opponent. The fighter is a hero to the organization. In the meantime, highly sensitive data has flowed out through organizational defenses, eroding customer confidence.

Upon data breach, all the issues identified in your information technology (IT) environment as high risk are in vogue for remediation.  The Chief Information Officer (CIO) is paying attention, finally realizing the gravity of the risk. Money flows across your desk like a plague of locusts.  How long will this last?  Will organizational leadership realize the protection of their assets requires different thinking? How long will the organization employ security professionals who thrive on the pain associated with see, detect and arrest? How will you educate them otherwise?

Cyber espionage is the virtual manifestation of physical tradecraft: the cycle of intelligence, counterintelligence and espionage translated to cyberspace. Cyber espionage combines cyber power with methods to influence, manipulate, and shut down adversary cyber infrastructures. It exploits people, process and technology weaknesses, using dynamic methods that focus effort and emphasis on the weakest areas. Cyber espionage includes:

  • Human Intelligence (HUMINT)
  • Information Security (INFOSEC)
  • Communications Intelligence (COMINT)
  • Signals Intelligence (SIGINT)
  • Open Source Intelligence (OSINT)
  • Culturonomics, non-inclusively (Bardin, 2011).

Cyber espionage is opportunistic in nature but only as sophisticated as it needs to be, a sophistication determined and dictated by the aggressors after performing intelligence gathering on the intended targets. The intelligence leads to the exploitation of technological and human vulnerabilities.

The attackers establish repeatable processes and use metrics to determine targets. They are adept at using denial and deception to obfuscate and misdirect (Bardin, 2011). They remain hidden and resident in your environments while extracting information of value for monetization, economic advantage, military and strategic advantage.

Many SOCs employ either staff or vendors to assist in scanning for vulnerabilities, updating firewall rules and patching systems. This model is part of the failed defensive foundation; it is nothing more than an attempt at a blocking action. Organizations need to examine other options: passive data collection for analysis into intelligence, mitigative or retributive counterstriking, or outright cyber operations to counter and weaken the threat.

Passive Data Collection

Passive data collection is a deliberate method of gathering information about adversaries without disrupting, hacking, or violating law. Passive data collection includes structured methods of open source data collection. Open source data is:

Raw print, broadcast, podcasts, vodcasts, webinars, images, websites, Facebook, YouTube, LinkedIn, Twitter, Foursquare, Google+, radio, TV, budgets, demographics, legislative debates, conferences, speeches, academic sources, symposia, professional associations, dissertations, experts, imagery, trip reports, working and discussion papers, surveys, proceedings, research reports, briefs, studies, and publicly available unofficial government or corporate documents.

Passive data collection creates Open Source Intelligence (OSINT). OSINT is the only discipline that is both a necessary foundation for effective data collection and analysis, and a full multi-media discipline in its own right. OSINT combines:

  • Overt human intelligence from open sources,
  • Commercial imagery,
  • Foreign broadcast monitoring, and
  • Numerous other direct and localized information sources and methods not now properly exploited by the secret intelligence community.

There are a great number of tools available to collect open source data. Dozens may be found on the Internet Tools and Resources for Open Source Intelligence (OSINT) website. Organizations should develop a strategy and program that uses passive data collection efforts. Planning in advance for how the unstructured data that collection produces will be stored, analyzed and used ensures it is used properly. Many organizations collect data without priority intelligence requirements or information requirements to drive it, which leads to unfulfilled expectations and inappropriate collection methods.

Mitigative counterstriking is a method of actively fighting back against an adversary during a cyberattack. Mitigative counterstriking may be construed as active defense. Active defense is a method of attacking back against an adversary during an actual attack. The idea is to get the attacker to cease and desist relative to the attack. The goal is to reduce the amount of damage related to the current attack (Hayes, 2011).

Retributive counterstriking is an extension of mitigative counterstriking. Retributive counterstriking not only works to mediate the damage to an existing attack but also seeks to inflict some level of damage upon the attacker (Hayes, 2011).

Both mitigative and retributive counterstriking may be argued to be legal based upon Article 51 of the Charter of the United Nations. Article 51 preserves the inherent right of individual or collective self-defense if an armed attack occurs against a member state. Note, however, that Article 51 speaks of states; it does not by itself confer a right of self-defense on a private organization, which is why the civilian-status questions in the Tallinn Manual below matter.

The Tallinn Manual on the International Law Applicable to Cyber Warfare discusses many of the same issues. One area of note refers to civilian organizations. Civilians retain civilian status regardless of their level of participation in hostile cyber actions (Experts, 2012). The manual states that civilians who directly participate in hostilities lose their protection from attack for as long as that participation lasts, and so may be targeted. Of interest is the fact that civilian organizations are already targeted, serving as a great source of intellectual property loss and data loss for monetization. The manual continues to state that such civilians may be prosecuted under the domestic law of the country that captures them (Experts, 2012).

Of further interest in the Tallinn Manual are the definitions associated with the concept of an attack. The Tallinn Manual, produced by the International Group of Experts, does not consider cyber espionage in itself to be an attack. What is very interesting is that the dropping of leaflets from aircraft is not considered illegal. Would then the dropping of virtual leaflets on the sovereign virtual websites of a country or corporate entity be considered illegal? Would the modification of a website to communicate information in a cyber-leaflet qualify as an attack?

Civilian populations are not to be attacked under the Tallinn Manual. If this is to be adopted, then wouldn’t most commercial organizations fit the civilian model?

The bottom line is that no government organization is prepared to defend corporate organizations or civilians in the case of an attack. Corporations and civilians are attacked daily for information. Corporations and civilians are directed not to counterstrike. Corporations and civilians are not protected online by their governments. Who then will protect you? Organizations need to retool their SOC environments to address the changing threat environment. Current information security technologies continue to offer defensive protections. Protections that do not work. Vendors need to retool their products to incorporate methods of active defense or mitigative counterstriking.

Seed the movement

If an organization makes the decision to counterstrike, the change in organizational risk must be accompanied by changes in the information security structure. In fact, information security as a function may not be the best home for a cyber operations function. If the decision to launch a cyber attack comes, execute the attack correctly. Options such as covertly purchasing or stealing botnets from criminal networks to launch attacks, or feeding ‘patriotic’ blogs to incite attacks and list targets, must be weighed against the organization’s level of risk acceptance and understanding. Assume you have made these decisions. Past adversary activities included an attempt to take over a highly enhanced DNS sinkhole capability of an information security vendor. If the adversary had succeeded, they would have increased their ability to:

  • Further mine organizational networks for sensitive information
  • Monetize stolen information for personal and professional gain
  • Use new found wealth to build greater virtual and physical capabilities
  • Potentially redirect botnet activities as a distributed denial of service
  • Enhance the existing code and protocols with new navigational functions, advanced payloads and more stealthy and powerful delivery mechanisms
  • Deceive organizations or nation-states into thinking another is attacking their critical infrastructures.

Many adversaries use the free/libre/open source software (FLOSS) model. The Open Source Warfare concept takes the developmental model for FLOSS and applies it to how Internet-based proxy organizations learn and expand (Robb, 2005). The bazaar model within the open source software community may seem ad hoc and disorganized, yet its methods are sophisticated and the model is highly effective. This model could be a foundational capability for organizations looking to build an offensive capability. The bazaar shows how several small and adverse groups could crowdsource their efforts to conduct mitigative and retributive counterstriking.

Here are the factors that apply (from the perspective of the guerrillas) and as developed by Eric Raymond (Raymond, 2001):

  1. Release early and often. Try new forms of attacks against different types of targets early and often. Don’t wait for a perfect plan.
  2. Given a large enough pool of co-developers, any difficult problem will be seen as obvious by someone, and solved. Eventually some participant of the bazaar will find a way to disrupt a particularly difficult target. All you need to do is copy the process they used.
  3. Your co-developers (beta-testers) are your most valuable resource. The other guerrilla networks in the bazaar are your most valuable allies. They will innovate on your plans, swarm on weaknesses you identify, and protect you by creating system noise.
  4. Recognize good ideas from your co-developers. Simple attacks that have immediate and far-reaching impact should be adopted.
  5. Perfection is achieved when there is nothing left to take away (simplicity). The easier the attack is, the more easily it will be adopted. Complexity prevents the swarming that both amplifies and protects.
  6. Tools are often used in unexpected ways. An attack method can often find reuse in unexpected ways.

Raymond’s theories may serve as the basis for goals and objectives within a cyber intelligence strategic plan.

We all face hackers, hacktivists and virus writers driven by ego or a technical challenge. We also deal with disgruntled employees or customers seeking revenge. Each organization faces crooks interested in personal financial gain or in covering criminal activity, knocking at our virtual doors daily. Organized crime seeks to launder money or traffic in humans, using cyber means for effective command and control of its operations. Organized terrorist groups, focused on breaking public will, use cyberspace for command, control, communication, recruitment, infiltration, surveillance and radicalization (Bardin, 2012).

Nation-states use cyber espionage to exploit information for economic, political or military purposes. Their tactical countermeasures, intended to disrupt specific military weapons or command systems, are tested frequently and periodically used. They also target corporations and civilian organizations. Multifaceted tactical information warfare is applied in a broad, orchestrated manner to disrupt major military missions and to prepare for future actions against large organized groups or nation states intent on overthrowing target countries. The need to expand beyond a defensive posture is clear. Doing so may lead to unintended consequences. Dr. Joe St. Sauver of the University of Oregon states it this way:

Let’s not overlook the “shifting wind” or “boomerang” problem: computer malware, like traditional chemical or biological warfare agents, can potentially “get away from you,” drifting off course or “boomeranging back,” accidentally hitting one’s own forces or allies or hitting uninvolved third parties, rather than the enemy (Sauver, 2008).

However, if malware can learn to distinguish “friends” from “foes,” unintended potential side effects may be able to be contained, and inhibitions (which might otherwise deter potential use) may be lowered or eliminated.

In a 2003 report cited by Klare (Klare, 2011), at least 1,134 companies in 98 countries worldwide were involved in some aspect of the production of small arms and/or ammunition.

In addition, massive exports of small arms by the US, the former Soviet Union, China, Germany, Belgium, and Brazil during the Cold War took place commercially and to support ideological movements. These small arms have survived many conflicts and many are now in the hands of arms dealers or smaller governments who move them between conflict areas as needed.

Past activities of Anonymous demonstrate the same type of small arms proliferation, albeit on a virtual plane. Driven largely by ideological motives, Anonymous distributes a revamped version of the Low Orbit Ion Cannon (LOIC) tool used in mass Distributed Denial of Service (DDoS) attacks. LOIC was the primary weapon used by Anonymous in its ongoing “Operation Payback” DDoS campaign against film and recording industry associations, as well as other organizations involved in anti-piracy efforts. The application was originally created by a user named Praetox and was used in several mass attacks over the years, including Anonymous’ campaigns against the Church of Scientology and the Australian government, and the Iranian election protests last year. In January 2009 the code of the Windows program was released on SourceForge as an open source project, and a cross-platform Java version was later created. This release allows for the proliferation of code that can be enhanced, improved, and utilized in low intensity conflicts with the potential for significant media coverage.

In past years another developer branched off the code and added a new feature called “Hive Mind” to the tool. This feature allows users to relinquish control over the application after installation and makes it act as a botnet client, which can be controlled from an IRC channel. This method of virtual small arms proliferation allows like-minded individuals to participate in DDoS activities based upon their ideology while giving up control to centralized resources.

Small arms and light weapons have been responsible for the majority of the combat deaths in recent wars and figure in much of the crime and civil violence visited upon vulnerable societies around the world (Klare). Virtual small arms are currently responsible for all the malware activities around the world today.  This will continue for the foreseeable future and be the bane of most governments and anyone who disagrees with a group capable of extracting virtual revenge, censorship, and elimination of the right to disagree or have a different ideology.

Virtual small arms are ideal methods for online disruption. They are widely available, low in cost if there is even a cost at all, they deliver a strong payload, simple to use, highly portable, easily concealed, and potentially possess legitimate military, police, and civilian uses (Klare). These virtual weapons are light in footprint, and so can be used by the very young yet technically astute who have played such a significant role in recent virtual conflicts.

But once the virtual conflict is over, virtual small arms still exist in the hands of the participants. Virtual small arms can easily be used to start other conflicts that may be more personal.  It creates a surplus of virtual small arms establishing a culture of hacktivism and an endless circle of virtual conflicts.

The latest concern is the revelation that Anonymous acquired much of the code related to Stuxnet.  According to some ‘experts’ malware is largely uncharted territory for Anonymous, “which has built its notoriety on crippling the websites of governments and multinational corporations, such as Visa and MasterCard, which it deems a threat to freedom of speech (Halliday, 2011).”  The problem is that no one really knows the capabilities of Anonymous since it is such a loose knit group who come together to crowdsource their targets and attacks based upon a shared ideology or belief. Anonymous uses Web 2.0 technologies to establish a community-based design for their focused efforts. They even use Web 2.0 as a method to propel their payload to new levels.

Regardless, the residual virtual small arms left over by Stuxnet provides a foundation for melding together new attacks that can be leveraged in much the same way that LOIC has been leveraged and matured over time.

The asymmetrical methods of cyber hacktivism used by Anonymous and other such organizations make it extremely difficult for nation-states. Governments are struggling to create their own cyber defenses based upon outdated laws while asymmetrical attacks are increasing in scope, frequency and lethality.

The response is to create and leverage cyber mercenary forces. These are civilian-based organizations and/or individuals who have the skill, moxie and risk appetite to combat those who participate in illegal activities against commercial entities, individuals and governments.  Currently personified by the lone wolf Th3J35t3r (The Jester), the single-mindedness of such individuals and/or groups combined with technical skill, cyber counter intelligence capabilities and a penchant for offensive action (taking the fight to the adversary’s doorstep) is what is required.  Cyber mercenaries have the same asymmetrical capabilities as their adversaries.  If contracted by commercial and/or government entities, cyber mercenaries could acquire the funding and technology to rapidly increase their cache of virtual small arms. Access to the technical repositories, financial resources and knowhow of government and non-government organizations (NGOs) could enable cyber mercenaries to expand offensive activities with maximum lethality, quickly and efficiently. But what of the potential for virtual arms to be left behind?  Would this parallel the same activities we have seen over and over again in the physical world with respect to the proliferation of small arms?

Cyber mercenaries are already being employed by the US government and have been for several years. The cyber mercenaries of today though are in place as a defensive measure.  They analyze malware, reverse engineer malware and examine penetration attempts, attacks, and deal with incident response and handling. What needs to be leveraged and organized are small teams of cyber mercenary groups with offensive capabilities and the will to strike at a moment’s notice.

The days of the virtual aircraft carrier operating in narrow corridors, attacked by a multitude of speed boats each packed with enough explosives to immediately disable the vessel, are upon us. Until such time as governments figure out how to deal with such fast moving, guerilla-style, virtual asymmetrical attacks, they should rely upon cyber mercenaries. It is time to organize.

It is not illegal to use offensive-based cyber mercenary groups to drop cyber jihadist sites.  We are at war with Daesh (ISIS), Al-Qa’eda, and the Taliban in terms of physical action. We should be at war with them as well in the virtual world. We know where their sites are; we know their vulnerabilities; we have those like Th3J35t3r who temporarily remove them from their virtual perches acting in the interests of the US government even though not condoned or authorized by the US government to do so. Regardless, this hacktivism is correct and just. It carries the war to the doorstep of our enemies. It disrupts their communications which is a core tenet of offensive warfare.

The capabilities of such people should be leveraged, creating cyber mercenary organizations to combat the oncoming tide and virtual onslaught that is at our doorstep.

Certainly, cybersecurity will never get better until we are able to curb cybercrime. However, there is much more we need to do to improve cybersecurity, centering on building security into every function of business and IT planning. If we build security into every function and facet of every bit of software and hardware that we create, implement and deploy, then our levels of risk will be reduced significantly. This means that, regardless of the level of attempts at cybercrime, our data is protected. If we encapsulate our sensitive data at inception, much as the creators of Gauss encrypted their payload so that it was useless without the right key, we significantly reduce risk.
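One concrete form of “encapsulating sensitive data at inception” is to encrypt each record with authenticated encryption at the moment it is created, so that a copy exfiltrated from the datastore carries no usable plaintext and any tampering is detected on read. The following is an added example, not code from the original post or from Treadstone 71. It uses Go’s standard-library AES-GCM, binds the record ID as associated data so a ciphertext cannot be moved onto another record, and assumes the key lives outside the datastore (for instance in a KMS or HSM); unlike Gauss, which derived its key from the target’s configuration, the key here is simply supplied by the application. The record ID and field value are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealedRecord is a sensitive record that exists in storage only in
// encrypted form. Nonce is the per-record GCM nonce; Ciphertext carries
// the GCM authentication tag appended by Seal.
type SealedRecord struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key at the moment the record is created.
// The record ID is bound as associated data, so a ciphertext copied onto
// a different record fails authentication on read.
func Seal(key []byte, id string, plaintext []byte) (*SealedRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(id))
	return &SealedRecord{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a sealed record. Any change to the nonce, ciphertext, tag
// or record ID, or use of the wrong key, makes GCM reject the record.
func Open(key []byte, r *SealedRecord) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.ID))
	if err != nil {
		return nil, errors.New("record failed authentication: tampered, moved or wrong key")
	}
	return pt, nil
}

// Exfiltrated returns what an attacker who copies the datastore obtains:
// the stored bytes only, never the key held by the application.
func Exfiltrated(r *SealedRecord) []byte {
	out := append([]byte{}, r.Nonce...)
	return append(out, r.Ciphertext...)
}

func main() {
	// Demo key generated at random; in production it comes from a KMS/HSM
	// (assumption of this example), never from the same datastore.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record.
	rec, err := Seal(key, "customer-1042", []byte("SSN=123-45-6789"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("bytes an attacker would copy: %x\n", Exfiltrated(rec))
	pt, err := Open(key, rec)
	fmt.Printf("legitimate read: %s (err=%v)\n", pt, err)
	rec.Ciphertext[0] ^= 0x01 // simulate a modification in the datastore
	_, err = Open(key, rec)
	fmt.Printf("tampered read: err=%v\n", err)
}
```

The design choice worth noting is the associated data: encrypting the field alone stops disclosure, but binding the record ID also stops an attacker with write access from silently swapping one customer’s sealed value onto another’s row.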

The legal issues surrounding cyber operations notwithstanding, offensive cyber actions are the only way organizations are going to get our adversaries to pay attention. Whether they are cyber criminals, foreign intelligence services, cyber proxies, hackers, hacktivists, or some other such adversary, organizations need to do more than just stand and take a beating. Organizational intellectual property and client data is being stolen.

When organizations attack the attackers (and this is not active defense), the attackers are no longer attacking but defending. Most cyber criminals have no defensive posture whatsoever. When hit with an offensive attack, they quickly shift targets, since defending is not cost effective and their whole intent is economic in nature.

When an organization counter attacks or openly attacks an adversary, it is going to be just as difficult for the adversary to identify the organization as it is for the organization to identify them, if not more difficult. The means, motives and methods of our adversaries are well known. We have been watching their methods, identifying and tracking their tools and tendencies, to the point where we (in our efforts to counter attack) have the ability to look and smell just like our enemies. They may not realize that a cyber-proxy is virtually standing right next to them; they believe it is their brother in arms. The use of sock puppets, anonymity, misinformation, disinformation, cyber psyops, and cyber espionage greatly diminishes their capabilities and forces the adversary to invest in defensive measures. It forces them to defend their environments, and while doing that they are certainly not attacking your organization.

Organizations must look at host country current cyber legal and military environments as they relate to defending their virtual boundaries. Government cyber operations are highly immature with limited vision and strategic foresight for creating a cyber National Guard and cyber police force to protect civilian organizations.

We are living in a world much like the times of the French and Indian War (the American theater of the Seven Years’ War). The military secured protected locations such as Albany, Fort Edward, and Fort William Henry. Corporations are like the frontiersmen and women depicted in the movie “Last of the Mohicans,” who carved out a living for themselves in potentially hostile territory; we have done the same in the virtual world. Corporations live amongst the enemy and understand their methods and indicators. Corporations know the enemy and are able to fight them on the same level, yet choose otherwise. The opportunity to change this paradigm is upon us.

The legal doctrine of self-defense is fine in the physical world but it does not apply in the virtual world. At least not yet. Corporations are still on that proverbial frontier. There is a positive outcome when attacking your cyber adversaries. It disrupts their command and control. It forces them off their mission. It forces the adversary to invest in measures they have never invested in.

Many worry that companies may suffer reputational issues, stock price drops or financial loses should they be caught executing counterstrikes.  This is exactly what has been happening for years as companies lose data and suffer all the above.  Individuals may be more inclined to invest in a company that protects data through any means as opposed to one that continues to lose it. Is it more risky to continue the same methods of cyber defense (stand in the ring with multiple opponents just bobbing and weaving never throwing a punch) or more risky to start fighting back with jabs, combinations, head and body blows?

Are mitigative and retributive cyber actions reckless? Every country in the world has been hit with cyber-attacks and malware for years. Isn’t it time organizations used their capabilities to attack adversaries in a virtual mode? Do we really think that establishing a convention on cybercrime is going to stop our adversaries? They do not recognize virtual borders or virtual sovereignty. Why would they recognize a convention on cybercrime that creates a document much like the Geneva Conventions? All this does is force offensive cyber forces to establish unwieldy ‘rules of engagement’ that tie the hands of those who can execute offensive cyber actions. Campaigns against the United States began years ago (Titan Rain, Moonlight Maze and Operation Aurora, to name a few). The problem is that all organizations are in the ring with several fighters at one time.

We must maintain defensive capabilities but there needs to be parallel offensive action to protect organizational assets while waiting for those courses of action to take effect. Organizations cannot afford to stand idly by while intellectual property, sensitive information and wealth is pilfered on a daily basis.

At its core, counterstriking is about two things: deterring attackers, and ensuring that organizations are not deprived of the inherent right to defend themselves and their property. There are many views of deterrence, but deterrence is generally accomplished through the existence of one or both of the following elements: punishing the attacker through the infliction of unacceptable costs, or denying the attacker success. When will your organization begin to punish the attacker?


Treadstone 71

Bardin, J. (2011, April 4). Cyber Defenses – Bloodied, Battered and Bruised. CSO Online.

Bardin, J. (2011, September 16). When to Strike Back. CSO Online.

Bardin, J. (2012, February 1). Cyber Shafarat 2012: Cyber Warfare, OPSEC and Intelligence. CSO Online.

Experts, I. G. (2012). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge: Cambridge University Press.

Halliday, J. (2011, February 14). Anonymous claims to have Stuxnet access. Retrieved February 11, 2011.

Hayes, J. P. (2011). Mitigative Counterstriking: Self Defense and Deterrence in Cyberspace. Urbana-Champaign: University of Illinois.

Klare, M. (n.d.). Small Arms. Small Arms Proliferation and International Security. Retrieved February 14, 2011.

Raymond, E. (2001). The Cathedral and The Bazaar. O’Reilly Media.

Robb, J. (2005, July 26). Open Source Warfare. Open the Future.

Sauver, J. S. (2008, October 21). Cyberwar, Cyber Terrorism and Cyber Espionage.
