Defining Cyber Intelligence & How The Private Sector Can Benefit From It
Sabrina Liverpool, CCIP, CSMIE, COSINT
OSINT Investigator at Reed Research | Workplace Investigations | Educating The Public About Cyber Security
A new decade has begun, but the digital age shows no signs of slowing down. Information is all around us and it is very easy to access, yet it isn't being utilized as much as it should be.
As a Cyber Intelligence Professional, it has come to my attention how few have heard about the field of Cyber Intelligence. To be fair, I also didn’t know it existed until 2017. A video game piqued my curiosity about the field, and before I knew it, I was taking the Certified Cyber Intelligence Investigator (CCII) course by McAfee Institute. The course taught me about the different kinds of cyber crimes, how to analyze email headers, what reverse image searches can reveal, how to get on the deep web, and laws to be aware of, but it pretty much ended there. I began my mission to learn more.
A bit about me, my childhood dream was to be a secret agent or a detective. I didn't pursue that dream then due to everyone telling me it was unrealistic, but I always knew it was the right fit for me. I loved learning about people and understanding how they think. I loved puzzles and putting things together logically. I am the kind of person who would watch documentaries about anything in my free time. I am very curious and would refuse to rest until a question was answered. I'd rather know than not know, and I was willing to do the work or question people if I had to.
As a 90's baby, I got to see the internet grow. I remember dial-up, AOL, and Neopets. In middle school, I opened my first Facebook account, watched some of the first YouTube videos, and made personal websites for fun. When my family was able to afford the internet years later, I would spend hours just surfing the web discovering new pages and reading content. My laptop always had fifteen plus tabs open as I would open multiple search results for any question I had, and would open more pages to look into unknown terms or subjects on those pages. There was so much information available in front of me to learn from and I loved it.
So when I discovered that there was a field for digging through the internet for answers, and that that information could be used to solve cases and help people, I knew I had to pursue it. However, my search for more information was futile. There were no other dedicated cyber intelligence courses or guidebooks. I would look into intelligence analysis sites as well, but they were made for those working in the military. It was very discouraging.
Google led me to other computer related courses such as CCNA (Networking), CHFI (Cyber Forensics), and CISSP+ (Cyber Security). I would take a beginner's course in them hoping to learn more about Cyber Intelligence, but it would always miss the mark. Through them, however, I learned vital information in regards to how technology works, and they also introduced me to powerful tools that could assist my intelligence gathering.
After a couple years of exploring, learning, and working in my field, I feel I have clarity on what Cyber Intelligence is, and I wanted to share it with the world.
WHAT IS CYBER INTELLIGENCE?
Let's start with defining “Intelligence”. According to Oxford, Intelligence has two definitions:
1. "The ability to acquire and apply knowledge and skills." It is this term that is used in fields like "artificial intelligence" where a robot or program is designed to learn, try, and grow like a baby would. This kind of intelligence is also used when referring to learning styles.
2. "The collection of information of military or political value." This has "information gathering," "surveillance," "observation," and "reconnaissance" as synonyms, and it is this definition that we will be using for Cyber Intelligence.
Humans were always social creatures. By sharing information and learning from each other, we survived. As civilizations grew, the use of Human Intelligence, aka HUMINT, continued to be the main source of information. Soldiers and guards were asked to collect information, and messengers were used to deliver information. Humans would use scrolls to make notes, plans, or write about events that had happened.
As technology started to advance, countries were able to use other means of intelligence, such as satellites (Geospatial Intelligence or GEOINT) to map out foreign territory, and radio waves (Signal Intelligence or SIGINT) to spy on enemies.
As computers became mainstream and the accessibility of the internet grew, Cyber Intelligence (CYBINT) easily became the biggest source of information. In fact, even though Cyber Intelligence is considered a subset of Open Source Intelligence (OSINT), the majority of Open Source Intelligence resources are from the internet. This has led some websites to claim that OSINT is 'intelligence found on the internet', but they fail to realize that OSINT refers to any open source material, which includes non-digital resources such as newspapers, journals, publications, radio, television, and records from your local court house. CYBINT, on the other hand, is strictly digital. Cyber Intelligence is used to access a large variety of open source material, and the discrete information attached (i.e., metadata, source code, IP addresses) is also used to dig deeper, make connections, and assist in locating.
Every minute, new pages, posts, pictures, videos, articles, and other means of information are being uploaded. Social media is unique to the internet and can be very useful when gathering information on someone. Public databases are being digitized to make them more accessible, and businesses are moving to online platforms to avoid being left behind. Almost everything we do in real life, such as schooling, banking, and shopping, can now be done online. There is also the deep web which has non-indexed sites and is said to be 400 times bigger than the surface web. The internet is its own world, full of possibilities!
Thus, Cyber Intelligence is the means of sifting through the billions of pages and posts on the internet, manually and/or via tools, to find the information required.
WHAT IS NOT CYBER INTELLIGENCE?
On my mission to understand what Cyber Intelligence is, "Cyber Threat Intelligence" would pop up quite a bit in its place, but they should not be confused with one another. Cyber Intelligence is a means of gathering information on a subject, such as a person or a business, through the internet. Cyber Threat Intelligence, on the other hand, is focused on “cyber threats.” As Toddington Institute states, “Threat Analysis involves the review of information on an adversary’s propensity for violence or criminality, or the possible occurrence of criminal activity in a certain time or place.” Thus, Cyber Threat Intelligence is used to keep organizations informed of the risks of advanced persistent threats, zero-day threats and exploits, and how to protect against them.
Cyber Intelligence should also not be used interchangeably with Cyber Investigations and Forensics. Cyber Intelligence can be used anytime to gather information or as a means to confirm or disprove a theory, while Cyber Investigations and Forensics come into play after a cyber crime has taken place. Cyber Investigators need a strong working knowledge in computer science, networking, hacking, cryptography, and forensics as they need to understand code, recover and analyze data, gain access to accounts, trace the crime to its origins, and gather evidence for court.
To gain further insight on what Cyber Intelligence is, I would recommend watching the new Netflix Documentary about Luka Magnotta, “Don’t F**k with Cats: Catching an Internet Killer.” In the show, a group of self proclaimed ‘internet geeks’ create a group called “Luka Intel” to catch the person who intentionally killed cats and uploaded the footage.
Through analysis of Magnotta's uploads, the group were able to pinpoint him. They noticed a yellow vacuum in the background of a video and were able to tie him to North America. The streetlights in a picture directed them to Montreal, and a Petro-Canada in the background of a picture led them to his previous address. Adding on, by getting into the head of Magnotta, they were able to come up with search strings that led them to his previous blogs and content. By asking themselves how he got the animals for the videos, they checked Craigslist and were able to find his ads. Through speculation of the references made in the videos, they were able to predict what he may do in the future.
Cyber Intelligence was used to understand Magnotta, find his content, and locate him. The group didn’t have computer science or networking knowledge, they didn’t have access to his accounts or devices, nor did they have to hack or do anything illegal, but even if they did, Cyber Intelligence would have been the best option since Magnotta was physically moving around and uploading from different computers and accounts.
WHAT IS A CYBER INTELLIGENCE PROFESSIONAL (CIP)?
In short, a Cyber Intelligence Professional (CIP) is an individual who is skilled at finding information on or through the internet. A CIP must (1) have a deep understanding of networking, social media, and web pages, (2) a keen eye for inconspicuous information, and (3) experience with OSINT tools and software that can assist in their reconnaissance.
Because of how big the digital world is and where technology is being applied, Cyber Intelligence Professionals tend to vary in knowledge and skills. Most are great at looking through social media and popular sites, but few are comfortable scouring through the deep web. One may be an expert at Linux tools that can do most of the work for them, while another is skilled in Geomapping and can manually find a location through clues in a picture or video. Depending on the case, additional skills can be useful to a CIP, such as Psychology or Linguistic Profiling. Regardless of their experience in the field, a CIP has to be creative, persistent, and comfortable with the internet.
In the following sections, we will explore the intricacies of Cyber Intelligence and what separates a CIP from the average internet user or a researcher.
WHAT IS THE PROCESS FOR CYBER INTELLIGENCE?
Just like an investigation, Cyber Intelligence should start with a plan. The biggest users of intelligence are the government, military and police. They use intelligence to monitor people or groups for criminal behaviour, terrorism, and threats. For ongoing intelligence, The Intelligence Cycle is commonly used. In the private sector, intelligence is usually requested as a one-time service, such as a background check. Regardless of the purpose, certain steps should always be taken:
- Requirement Gathering: In the first stage, the CIP needs to understand why intelligence is being requested, what information the client would like to find, the scope or boundaries of the search, and if there are any deadlines.
- Information Gathering: The CIP will gather as much information as possible about the subject. Sometimes the smallest, most mundane or seemingly unimportant details, can yield the most results.
- Planning: The CIP will use the above details to create a plan on how they will approach the search to yield the fastest results, and to avoid missing useful search strings or running in circles. Any sites, databases, and tools they plan to use should be noted.
- Set Up: A dedicated laptop should be set up and scanned beforehand. Any tools needed should be downloaded or updated, and any sock puppet accounts should be checked or created. More details on privacy and security concerns are in the next topic.
- Collection: Intelligence gathering can now commence. The CIP will proceed with their Intelligence plan. As new information appears, the plan may be extended. Collection usually ends in two ways: The client has a deadline, or the CIP feels there are no other paths they can take to garner more information.
- Analysis: Depending on the purpose of the investigation, analysis may be required. The findings should be analyzed and sorted based on their trustworthiness and relevance. Charts, matrices, and other visual boards can then be used to make the information more understandable.
- Reporting: A detailed report should be written based on the client's requirements. The report should be easy for any potential readers to understand, and recommendations for action should be included.
WHAT SHOULD BE CONSIDERED WHEN CONDUCTING CYBER INTELLIGENCE?
Through research and experience, I believe there are three big domains that should be considered when conducting Cyber Intelligence: security, laws, and evidence.
I put security first because it is very common for people to quickly look up a person's name on social media without thinking about the risks. During a CPIO (Certified Private Investigators of Ontario) event, one retired officer shared a story of how he casually looked up a suspect’s name during a case, and that same night, the suspect called the officer on his cell phone and threatened him. That experience changed his life and he started taking online security very seriously.
What makes the digital world so frightening is that every single thing you do on a digital device is recorded in some way. Devices have logs of every program and file you open, browsers keep track of your search and site history, and your service provider keeps track of how every byte of data is spent as well.
Every device has a unique MAC (Media Access Control) number and every time you connect to the internet, your device is also given a unique IP (Internet Protocol) address via your ISP (Internet Service Provider). When you connect to a site, there is a record of what MAC and IP is connecting to what MAC and IP, and that information can be found and traced by others. Adding on, you also have websites that share the information you provide, and install cookies to track everything else you do on your browser.
As internet users become more aware of how often their personal information is being recorded and shared by third parties, tools like VPNs (Virtual Private Networks), browsers like TOR (The Onion Router, also used to access the deep web), and search engines like DuckDuckGo are growing in popularity.
When conducting Cyber Intelligence, tools like these are highly recommended, as intelligence should be done covertly and cautiously, for your own protection and for your client(s).
A dedicated laptop is also recommended regardless of the kind of case, for if it were hacked, traced, or bugged in any way, you wouldn’t want your personal information to be accessed, stolen, shared, or used for blackmail.
The next big consideration is the laws surrounding privacy and digital information. Although there are a lot of grey areas when it comes to collecting someone’s information from the web, a CIP should be well aware of any laws or acts that may affect their ability to collect intelligence. Under the Criminal Code in Canada, hacking, phishing, or installing spyware is a federal offense and should not even be considered. There’s also the Personal Information and Protection and Digital Evidence Act (PIPEDA) to be aware of as it covers how private businesses can collect and share a person's private information.
Another aspect to consider during Cyber Intelligence is the “Terms of Use/Service” for social media websites. In many cases, creating a fake account is a breach of the contract. Although you can easily get away with it, you should still put some consideration into those accounts to avoid them being reported or deleted. A blank profile with no friends will look sketchy to anyone who is informed that your fake account is viewing their profile, so it can be tempting to use a random person’s photo(s) for your sock puppet account, but you risk that person finding out you are impersonating them, and the subject easily finding out you aren’t who you say you are.
The last big hurdle is evidence. It was near impossible for me to find any information on collecting evidence from the internet since digital forensics usually refers to collecting evidence off a computer or hard drive that is in custody. But with social media evidence being used more and more in court, this is vital information.
If you ask the general public “how would you save a social media picture for court?” the consensus would suggest saving the photo, a screenshot, and the URL of the post. Sadly, but understandably, courts will analyze and question every piece of evidence before it is accepted. If the judge or the opposing party asked how you found the evidence, you wouldn’t have a record. If asked how you can prove the photo wasn’t edited, you couldn’t prove it. When you ask them to open the link so they can see it themselves, they get a 404 'page not found' message, because the opposing party deleted it before that day.
Many cases that could have been won were lost due to negligent collection of evidence. Avoid the headache and embarrassment by documenting your search, ensuring you can prove its authenticity and integrity, and maintaining a Chain of Custody.
More information on electronic evidence and its admissibility into court here.
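One way to keep the record the evidence paragraphs above ask for, as an added example that is not from the original article: a collection log in which every search, capture and hand-off is an entry that commits to the previous one by SHA-256, and every captured file is hashed at the moment it is saved. The names, URL, timestamps and file bytes are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first log entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the digest itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))

def append_entry(log: list, action: str, actor: str, when_utc: str, **details) -> dict:
    # Each entry commits to the one before it, so a later edit breaks the chain.
    entry = {
        "seq": len(log),
        "when_utc": when_utc,  # in practice: datetime.now(timezone.utc).isoformat()
        "actor": actor,
        "action": action,
        "details": details,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log: list) -> bool:
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["seq"] != i or entry["prev_hash"] != prev
                or entry["entry_hash"] != entry_digest(entry)):
            return False
        prev = entry["entry_hash"]
    return True

def matches_capture(log: list, content: bytes) -> bool:
    # True only if these exact bytes were hashed at collection time.
    digest = sha256_hex(content)
    return any(e["action"] == "capture" and e["details"]["sha256"] == digest for e in log)

def demo() -> dict:
    log = []
    photo = b"constructed stand-in for the saved image bytes"
    append_entry(log, "search", "Investigator A", "2020-01-02T14:00:00+00:00",
                 query="constructed search string", engine="example search engine")
    append_entry(log, "capture", "Investigator A", "2020-01-02T14:05:00+00:00",
                 source_url="https://social.example/post/123",
                 sha256=sha256_hex(photo), size_bytes=len(photo))
    append_entry(log, "transfer", "Investigator A", "2020-01-03T09:00:00+00:00",
                 to="Client counsel", medium="encrypted USB drive")
    tampered = json.loads(json.dumps(log))  # deep copy of the log
    tampered[1]["when_utc"] = "2019-12-25T00:00:00+00:00"  # back-dated capture
    return {
        "log_valid": verify_log(log),
        "original_matches": matches_capture(log, photo),
        "edited_matches": matches_capture(log, photo + b" edited"),
        "tampered_log_valid": verify_log(tampered),
        "head_hash": log[-1]["entry_hash"],
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Writing the final `head_hash` into the report, or otherwise storing it outside the log, is what makes a wholesale rewrite of the log detectable later.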
WHAT CAN CYBER INTELLIGENCE BE USED FOR?
When you consider that Cyber Intelligence is the means of finding information on the internet, the uses for it are limitless! Here are some cases where you may want a CIP's help:
1. Digital Background Checks
Thanks to social media, blogs, and other personal content floating on the web, Cyber Intelligence can reveal a lot about a person. It not only gives insight into a person’s character, history, interests, and skills, but it can reveal red flags such as drug use, discriminatory comments, and lies. Whether you are looking into a romantic interest, a job candidate, or a business partner, it never hurts to do your due diligence. Adding on, using a third party not only saves you time, but it also keeps you safe from the aforementioned security risks, and liability if exposed to protected information.
2. Social Media Investigations
Although a Cyber Intelligence Professional is not the same as a Cyber Investigator, they can still gather evidence from the internet that can be used to assist in a variety of cases. For example, a family lawyer may enlist a CIP to gather photos and other evidence to prove that the father isn't fit for custody. A CIP can also assist in other matters, such as locating a suspect or finding contact information for a witness.
3. Finding People
Whether someone has skipped town, or you're trying to get in touch with a long lost friend, a CIP can help find leads that will lead to their location or contact information.
4. Personal Digital Footprint Discovery
When you consider the vast number of people being stalked, hacked, or impersonated, it's a good idea to question how much of your own personal information is out there for the world to see. Perhaps there are embarrassing accounts from your youth that you forgot about, pictures that can be used to track your address, or your login information was pwned and is now floating around the web. Learn what an outsider can discover about you through a Cyber Intelligence Professional.
5. Catfish/Romance Scam Detection
Online dating has grown in recent years, but it hasn’t come without its risks. You may be talking to a complete liar, a romance scammer who aims to drain your bank accounts, or even a potential kidnapper who intends to sell you into human trafficking. Keep yourself safe by hiring a CIP to look into them before you start a relationship or meet up with them.
6. Executive and Personal Protection
Cyber Intelligence is perfect for those who would like reports on how to keep themselves safe. Cyber Intelligence can be used to monitor a variety of potential threats, such as stalkers or disgruntled ex-employees. When travelling, they can provide information about an area's crime rate and common scams, and give you a heads up about a natural disaster coming your way. For executives and celebrities, it is good to have someone keep an eye on what is being said or shared about you, including if your private information is showing up on doxing sites on the deep web.
7. Brand Protection
Just like with personal protection, it is good to stay alert to potential threats to your business and brand reputation. A CIP can monitor for negative ratings or lies being spread online. They can also see if your competitors are paying for others to write bad reviews, if your content is being stolen and used elsewhere, and if any impersonating sites and accounts pop up. Be the first to know so you can take action and protect your brand.
FINAL WORDS
Cyber Intelligence is often mistaken for something else, or brushed off as something easy, but there are a lot of aspects to the craft that need to be learned for someone to not only make use of the web pages in front of them, but to also work as covertly as possible. These skills cannot be learned overnight, and casual or negligent searches can do more harm than good. Just like plumbing or photography, even if they may seem easy, there will always be times when you should hire a professional.
Cyber Intelligence is also still a pretty new domain with little information on it, but I have done my best to tie things together and figure it out. The information above may not be 100% correct, but I've done a lot of research to ensure it is quite accurate. I hope this article has been informative to the field and enlightening to the profession.
I set my eyes on this field because I want to keep the general public safe; safe from cyber crimes, safe from manipulative or dangerous people, and safe from other potential threats. Intelligence, especially Cyber Intelligence, can be used as a preventative measure, so I hope by bringing awareness to the field, those who need it can utilize this resource.
If you have any questions or need help, feel free to reach out to me through my LinkedIn profile.
Happy New Year, everyone!
Sabrina Liverpool / Certified Cyber Intelligence Professional