A thread on bad analysis. When #ThreatIntel analysts want to show off their Foreign Policy and Economist subscription status after reading the Russian foreign policy Wikipedia page.
#threatintelligence #cybersecurity #infosec
Most analysts who are "doing attribution" aren't doing good cyber threat intelligence, they're doing poor foreign policy analysis
They have neither the data nor the expertise to make even a moderately confident statement on attribution.
Even if you were a "Russian analyst" 5 years ago, that doesn't mean you know anything about the current foreign policy objectives and internal motivations of such a massive body politic.
Coming from someone who, in my past, was proud of the years I put into rock-solid cyber attribution cases through a variety of intelligence sources and ACH analysis across the community - I reel at the thought of naming a country as responsible and culpable w/o evidence
Yet, it's done with such flagrant disregard to ethics and standards it makes me sick. Words matter. Naming people and things matter. Know what you know and know what you don't know. Don't confuse those two with guesses and mirror imaging bias.
Answering a customer's intelligence requirement with bad analysis because you're afraid to say "I don't know" is irresponsible, unethical, and dangerous. If your words hit a major publication policy makers will read it and your wrong words will shape the world.
Russia does a lot of stupid and frankly, bad, shit. I'm using them as an example because it's so common...which is also a great example of Recency Bias - if analysts read more about APT28, they're more likely to link an activity to that group naturally regardless of ACH.
There is no requirement that an intel analyst must say anything and answer everything. In fact, our remit is INSTEAD that we only say what we know and mean what we say. Know what you know, know what you don't know, know the difference.
The private sector is not a national intelligence community. We don't share standards - in fact, most companies don't even have analytic standards documented. Few have peer review of intelligence, or anyone ever questioning them. You can't treat everyone's intelligence as equal.
Just because someone publishes "it's the GRU!" doesn't mean you now get to label everything associated as the GRU. That's not how this works. If they didn't do good analysis, you're not doing good analysis. An inference on top of an inference is nothing but a dumpster fire.
Friends don't let friends do bad analysis. Please share this thread.
You can follow @cnoanalysis.