Monthly Archives: January 2017

Read “Effective Threat Intelligence: Building and running an intel team for your organization”.

Recently I read the kindle version of “Effective Threat Intelligence: Building and running an intel team for your organization” by James Dietle. I found out after the fact there was a paper back version of it, and even gave one copy away as a Christmas present.

Anyway, this is the book I wish I had in January of 2016, when  I moved from Incident Response / Event Analysis to Threat Intelligence. It’s a good primer on the subject. While it’s not completely new material, it’s the basics in one place. When I started doing TI, I had to learn from the ground up, and things were scattered. Some was easy, other parts were more advanced, and nothing made a good how to. Especially when I wanted to start showing value from the word go.

I think that if I had, had this book and read it when I was starting it would have been very beneficial. While it’s not as in depth as SANS For578,  I do think that it would make a good primer for anyone in IR going to SANS for Cyber Threat Intelligence.




The other day I mentioned Sailing the Sea of OSINT. Then in a Facebook group I’m in, they posted the BBC article about Ambulances Jamming car radios. In the group we made some speculations. But having a bit of a radio background, HAM Radio, CB Radio, and Broadcast Radio in college. I know how some of systems work.

So I went and dug up several articles on their pilot program. None however said how they worked. Just that they worked with the RDS radios in some cars. So I went and looked up RDS. Radio Data Systems, and the similar Radio Broadcast Data Systems in North America, is a protocol for sending data over the airwaves along with an FM signal.

In this case of both, they use PTY tags to associate what the data is. This is the same system that displays  the radio system call sign and song title on some radios. It can do more like say what type of music station it is based off the tags they use. This would allow people to search by genre.

However when they made the protocol they included a tag for Alarms (in the EU) / Emergency (in North America).

Reading up on the receivers with the RDS protocol / system built in they are designed to switch to the frequency broadcasting the Alarm / Emergency tag. Even if the radio is playing a “cassette” (which tells you how old this protocol is), a CD, connected via Bluetooth. Basically, if an RDS equipped radio is turned on it will tune to the station for the frequency the ambulance is broadcasting to.

The neat parts of this, the goal is to make it 10 to 15 seconds of alert, based on the speed of the ambulance. Which tells me the broadcast switch is tied to the Light and Siren switch, as well as either the ambulances GPS or ODB-II port, and the broadcast power is associated off that.

The people that came up with the idea said because Ambulances are getting stuck in traffic and or people are having accidents trying to get out of the way.

This is probably one of the items that really should be considered in Autonomous cars.

Review of “Sailing the Sea of OSINT in the Information Age”

Just read, or re-read “Sailing the Sea of OSINT in the Information Age” by Stephen C. Mercado from the Studies in Intelligence Volume 48, number 3. I’ve had this for a while, I bought it 2013. Which is part of why I don’t remember if I read it before. It’s available from the CIA’s Library. It’s an article from the CIA’s Peer Reviewed Journal.

I found it very informative, even for something originally written in 2007.  While today, I think most of us in IT, think of OSINT as mainly tracking social media accounts (what some call SOCINT), it really goes beyond it.

The main points that were brought up:

  1. OSINT has been there for a very long time, since the beginning of Intelligence programs in the United States. It just hasn’t ever been formally given a department like others.
  2. It’s based off public media like magazines, books, news papers, radio and TV broadcasts.
  3. There are not enough people who understand foreign language / culture to get proper use out of OSINT.

There is things in the public space where OSINT lives that comes out better than in some of the other sources of intelligence. An example was information gathered by the Japanese about a former KGB officer.  “The resulting book and Levchenko’s press conferences were, according to a US intelligence officer, more revealing than his CIA debriefing”.

Which oddly ties in to something I saw on my Firefox browser recently.

So I’m curious, do we as a mono-langauge culture really have the skills we need to do intelligence. How many data leaks are found on foreign language hacking forums?




The article is worth the read, and brings up some good questions. I liked Mercado’s recommendation on making the Foreign Broadcast Information Service an intelligence service again, put OSINT under it, like how the NRO has IMGINT, and create incentives for people to study things like language and culture to increase the ability of the agency.