Practical and Actionable Threat Intelligence Collection

From IFF Wiki
Revision as of 13:49, 11 March 2017
Presenter(s): Seamus Tuohy
Title(s): Consultant
Organization(s): Prudent Innovation
Country(ies): USA
Social media: @seamustuohy
2017 theme: Training & Best Practices

Human rights implementers worldwide face a constant struggle to identify, track, and respond to their threat landscape. We are often reliant on publicly available analysis, and often limited data, provided by knowledge brokers who appear and disappear depending on the level of local media freedom and the availability of funding for human rights research. When trying to infer the risks we, and those we defend, face, and how to respond to them, we are left relying on news, human rights documentation, global indicators, and “trusted” rumors that are often too delayed, partial, distorted, and misleading to be used alone.

In this presentation I will provide concrete guidance on approaches for adopting data-rich, practical, and actionable threat information collection from unstructured sources. In this content-heavy 1 hour talk I will discuss a few tools and techniques for seeking out sources of actionable information, distinguishing valuable information from information that is merely interesting, and streamlining your information collection and analysis process so that you can focus on your real work.

This talk WON’T be focused on collecting or sharing threat intelligence and/or human rights research aimed at evidence creation or changing the public dialogue. It WILL be focused on helping you identify, collect, and use publicly available sources of information to respond to your changing threat landscape.

Format: Training
Target Groups: Human rights implementers
Length: 1 hour
Skill Level: Novice
Language: English


== Practical and Actionable Threat Intelligence Collection: How to use threat intelligence to support your work without becoming a threat researcher ==

Who Am I?

  • Seamus Tuohy
  • Principal consultant at Prudent Innovation
  • Previously Senior Technologist and Risk Advisor at Internews
  • Co-Architect of the SAFETAG risk assessment framework

Prudent Innovation provides technical and security guidance, development, research, and programmatic support to organizations working in complex or hostile environments.

This is not:

  • Investigative threat intelligence
  • Cyber-threat intelligence (IOCs, cyber-observables, etc.)
  • Sharing threat intelligence
  • In-depth technical solutions for supporting your workflow

What this is:

  • What is threat intelligence?
  • How can threat intelligence be useful for civil society & human rights work?
  • The stages of threat intelligence collection and analysis
  • Identifying what information you want to collect
  • Finding sources for that information
  • Evaluating sources of information
  • Building an information collecting workflow
  • Building an information analysis workflow

How can threat intelligence be useful for civil society & human rights work?

Identifying, collecting, and using publicly available sources of information to respond to your changing threat landscape.

Risk Management

  • What threats are priorities?
  • How should we go about mitigating them?
  • How might our threats change if we mitigate them in each way?

Program Design

  • What threats does our program create?
  • How should we go about designing our program to mitigate or take advantage of them?
  • How might our threats change if we design our program in different ways?
  • How do we monitor and evaluate whether our program is using appropriate strategies to respond to the environment we are facing?

Advocacy & Activism

  • How do the threat actors we are up against go about targeting other groups?
  • What are their capabilities?
  • What does it look like when a group gets targeted by these actors?
  • How have others responded to or mitigated these threats?
  • How do we know when we have been targeted?
  • What can we do to respond once we have been targeted?


  • How do we prove to our donor that the threats we think exist actually do?
  • How do we show that we are responding to threats as the threat landscape changes?
  • How do we prove that we need additional resources, or are properly spending our current resources, to appropriately respond to threats?

Stages of Threat Intelligence

Identification
  • Identifying need
  • Developing indicators
  • Identifying sources

Collection
  • Data collection
  • Evaluating sources
  • Updating indicators

Analysis
  • Baseline analysis
  • Ongoing analysis

Implementation
  • Applying threat intelligence
  • Updating indicators
  • Updating outputs

Identifying what information you want to collect

Direct Benefit

  • Collection should directly benefit specific activities.
  • Know what valuable outputs look like for their consumers.


  • Respect staff capacity.
  • Respect activity timelines.
  • I recommend not being your own consumer, so that you have an outside person who can rank the actionability of the information.

  • Don’t let the analysis get in the way of what the analysis is supporting.
  • Don’t increase your collection/analysis until there is a process or person who might benefit from that information.
  • Questions to always keep in mind: Who are you supporting, when do they need that information, and how often do they REALLY need it updated?
  • If you only need threat intel during specific times (program development, annual budget or tech/security review, etc.) you can plan your process around that.
  • Make sure that the output of your work is valuable for its intended consumers and purposes.

Finding Information Sources

One time sources

Use these to form a baseline you can build on until you can find an ongoing source you can rely on. Reports, news, etc.

Use a comprehensive trusted source (report by an in-community group) to form strong baselines. Then use supplemental information collected from others to guide you forward.

The quality of these often varies. Collect them over time and evaluate them together to smooth out the individual biases.

“Outsider” Sources

  • There are a variety of other communities who are collecting the information you need for your indicators.
  • One of them may have the information you need under another name.
  • Create a glossary of alternative ways of talking about the indicator you are interested in.


Example: The Global Cybersecurity Index (GCI) is a multi-stakeholder initiative to measure the commitment of countries to cybersecurity. Cybersecurity has a wide field of application that cuts across many industries and sectors. Each country’s level of development will therefore be analyzed within five categories: Legal Measures, Technical Measures, Organizational Measures, Capacity Building and Cooperation. We currently have 195 country profiles available.

Repeated Sources

These are the gold mine. Repeated sources are more valuable than one off sources because you don’t have to seek them out.


Most ongoing reporting and analysis aggregate and strip away contextual information in order to produce “quantified knowledge” that is technically reliable and useful for governmental decision making. The results produced end up too delayed, partial, and distorted to be used alone to build direct responses to the threats being faced.

Evaluating sources of information

You don’t want to become the expert on everything; you want to offload some of that to other groups or individuals whose work you can use as indicators.

“Just enough data is good enough.” This is a time consuming process. You do not want to collect more information than you need to take action.


Does this source provide something that other sources don’t provide?


Do you have enough DIVERSE sources to confirm the accuracy of your conclusions?

While you only want to collect enough data to make a decision, you want to make sure that decision is a reasonable one.


“If we also collect, consume, and combine this information with the other information how much closer are we from being able to make a decision?”
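The three questions above (does a source add something unique, are there enough diverse sources behind each conclusion, and how much closer would one more source bring us to a decision) can be asked of a working document mechanically. The Python below is an added example, not code from the talk; the source register, the source kinds and the indicator names are constructed for illustration.

```python
"""Evaluate the sources in a working document.

Added example: the source register below is constructed, as are the source
"kinds" (community, media, government, academic) used to measure diversity.
"""
from collections import defaultdict

# Constructed register: each source lists the indicators it covers and its kind.
SOURCES = {
    "in-community report": {"kind": "community",
                            "covers": {"surveillance", "arrests", "internet shutdown"}},
    "national newspaper":  {"kind": "media",
                            "covers": {"arrests", "internet shutdown"}},
    "ITU index":           {"kind": "government",
                            "covers": {"cyber legislation"}},
    "university lab feed": {"kind": "academic",
                            "covers": {"internet shutdown"}},
    "wire service alert":  {"kind": "media",
                            "covers": {"arrests"}},
}


def coverage(sources):
    """Map each indicator to the set of source names that cover it."""
    cov = defaultdict(set)
    for name, source in sources.items():
        for indicator in source["covers"]:
            cov[indicator].add(name)
    return cov


def unique_contributions(sources):
    """Map each source to the indicators only it covers.

    An empty set means the source provides nothing the others don't."""
    cov = coverage(sources)
    return {name: {ind for ind in source["covers"] if cov[ind] == {name}}
            for name, source in sources.items()}


def diversity_gaps(sources, min_kinds=2):
    """Indicators confirmed by fewer than `min_kinds` distinct source kinds.

    Returns indicator -> sorted list of the kinds that do cover it."""
    cov = coverage(sources)
    gaps = {}
    for indicator, names in cov.items():
        kinds = {sources[n]["kind"] for n in names}
        if len(kinds) < min_kinds:
            gaps[indicator] = sorted(kinds)
    return gaps


def closer_to_decision(sources, needed, candidate, min_kinds=2):
    """Which of the `needed` indicators would `candidate` newly cover or
    newly confirm (by adding a source kind not yet represented)?"""
    cov = coverage(sources)
    gaps = diversity_gaps(sources, min_kinds)
    gained = set()
    for indicator in candidate["covers"] & set(needed):
        uncovered = indicator not in cov
        adds_kind = indicator in gaps and candidate["kind"] not in gaps[indicator]
        if uncovered or adds_kind:
            gained.add(indicator)
    return gained


if __name__ == "__main__":
    for name, unique in unique_contributions(SOURCES).items():
        print(f"{name}: unique -> {sorted(unique) or 'nothing'}")
    print("diversity gaps:", diversity_gaps(SOURCES))
    candidate = {"kind": "media", "covers": {"surveillance", "arrests"}}
    print("a media source on surveillance+arrests would newly confirm:",
          closer_to_decision(SOURCES, {"surveillance", "arrests"}, candidate))
```

In the constructed register the wire service alert and the university feed add nothing unique, and "surveillance" rests on a single community source, so a second source of a different kind on that indicator is what moves you closer to a decision, while another source on "arrests" does not.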

Building an information collecting workflow

Collection is separate from analysis.

The working document

Create a document* with possible sources for the information you will need during the next round of analysis.

  • *The document may be anything from a Google Doc, to a spreadsheet, to an Evernote pad.

What does the document look like?

  • Adding sources is easy to do.
  • The “document” has a structure that provides context to the sources that are added.
  • The document has a space where you can document or link to useful sources that you don’t have feeds for.
  • Document structure (can be as simple as headings).

Even though your current information sources may be good enough to answer the question, the people behind them may run out of funding, get arrested, get bored, die, leave the country, take up new hobbies, or otherwise stop updating those sources. You want to keep track of the alternative sources as you collect them, or encounter them in other ways, so that you can go back to your list of sources to identify

The Feeds

Push towards automatic collection of feeds that you can manually, but quickly, funnel into one location.

Baseline Feeds

  • RSS feeds from topic-specific blogs & sites
  • Google News Alerts
  • Email lists
  • Private Twitter lists & hashtags

Triaging the info-stream

Get it out of your daily channels
  • Use a separate e-mail address to send any relevant information to.
  • Use e-mail tags and filters to help you sort it quickly for later use.

Automating the funnel
  • Create “triggers” that push content with specific topics and keywords from other feeds into a single location.
  • Tools: Zapier, If This Then That (IFTTT), Huginn.

The Archive

Even though your current information sources may be good enough to answer the question, the people behind them may run out of funding, get arrested, get bored, die, leave the country, take up new hobbies, or otherwise stop updating those sources.

Keep track of the alternative sources as you encounter them, and the alternative terms they use to describe your indicators, so that you can more easily identify alternatives as you need them.

Example glossary entry: Surveillance: monitoring, wiretap, eavesdrop, communications interception equipment, surveille
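The glossary above and the keyword "triggers" of the triage step are two halves of one mechanism: alternative terms for an indicator are what the trigger matches on. The Python below is an added example (not code from the talk, and not how Zapier, IFTTT or Huginn implement it): it parses a constructed RSS feed, matches each item against a glossary whose surveillance entry mirrors the page's example (the "internet shutdown" entry, the feed items and the example.invalid URLs are constructed), and funnels the hits into a working document grouped by indicator.

```python
"""Keyword triage of an RSS feed against an indicator glossary.

Added example. The feed content, the second glossary entry and the URLs are
constructed; only the surveillance glossary terms come from the page.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Glossary: indicator -> alternative terms other communities use for it.
GLOSSARY = {
    "surveillance": ["surveillance", "monitoring", "wiretap", "eavesdrop",
                     "communications interception equipment", "surveille"],
    "internet shutdown": ["internet shutdown", "network disruption",
                          "connectivity blackout", "throttling"],   # constructed
}

# Constructed RSS 2.0 feed standing in for a news alert.
FEED_NEWS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed news alert</title>
<item><title>Ministry buys communications interception equipment</title>
<link>https://example.invalid/news/1</link>
<description>Procurement notice published for wiretap capability.</description></item>
<item><title>Regional connectivity blackout reported</title>
<link>https://example.invalid/news/2</link>
<description>Operators confirm throttling in two provinces.</description></item>
<item><title>Local football results</title>
<link>https://example.invalid/news/3</link>
<description>Weekend scores.</description></item>
</channel></rss>"""


def compile_glossary(glossary):
    """One case-insensitive, word-bounded regex per indicator, so 'monitoring'
    matches as a word and not as part of an unrelated longer token."""
    return {
        indicator: re.compile(
            r"\b(" + "|".join(re.escape(t) for t in terms) + r")\b",
            re.IGNORECASE)
        for indicator, terms in glossary.items()
    }


def parse_items(feed_xml):
    """Yield (title, link, searchable text) for each <item> in an RSS feed."""
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        link = item.findtext("link", default="")
        desc = item.findtext("description", default="")
        yield title, link, f"{title} {desc}"


def triage(feed_xml, glossary=GLOSSARY):
    """Return one hit per (item, indicator) pair whose glossary terms matched.

    Each hit records which alternative terms fired, so the glossary itself can
    be reviewed: a term that never fires may be the wrong name for the idea."""
    patterns = compile_glossary(glossary)
    hits = []
    for title, link, text in parse_items(feed_xml):
        for indicator, pattern in patterns.items():
            terms = sorted({m.lower() for m in pattern.findall(text)})
            if terms:
                hits.append({"indicator": indicator, "title": title,
                             "link": link, "terms": terms})
    return hits


def working_document(hits):
    """Render hits as wiki-style text: one heading per indicator, one line per item."""
    by_indicator = defaultdict(list)
    for hit in hits:
        by_indicator[hit["indicator"]].append(hit)
    lines = []
    for indicator in sorted(by_indicator):
        lines.append(f"== {indicator} ==")
        for hit in by_indicator[indicator]:
            lines.append(f"* {hit['title']} <{hit['link']}> "
                         f"(matched: {', '.join(hit['terms'])})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(working_document(triage(FEED_NEWS)))
```

The football item produces no hit and never reaches the working document; the two relevant items land under their indicator heading with the terms that matched, which is the same outcome a hosted trigger would give you, minus the dependency on the service staying in business.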

Building an information analysis workflow

Examine the information you collect to create intelligence that can inform how you go about your work.

The ideal situation

Your feeds automatically populate your working document over time with updated data you can use for re-evaluating your assumptions and update your output document.

What should you actually aim for?

At a scheduled interval you manually examine the items you have picked out of your feeds for further examination, re-evaluate your assumptions, and update your output document.

== A Quick Exploration of Search Engines and Finding Initial Information Sources ==


If we have time!

Google Dorking

  • linkto: and related: can be combined with other key terms to find sources that talk about related content.
  • Example: linkto: [COUNTRY NAME]

Google Dorking

  • filetype: finds different types of one-off source documents. I find that high-level final reports are often published in PDF format, while lower-level in-depth reports are often found in Word document formats.
  • Example: site:org filetype:docx theft risk sudan

I literally chose this search at random but it provided good results.

Session Outputs

Next Steps

Additional Notes

Relevant Resources