Ten Commandments of Cyber Counterintelligence

Be Offensive
Cyber CI that is passive and defensive will fail. We cannot hunker down in a defensive mode and wait for things to happen. We are spending far too much money on signature-based solutions, incident response, event monitoring, and other purely defensive measures to protect our sensitive data. That is not how we have been hurt in recent years. Cyber espionage is destroying us. Our Cyber CI mindset should be relentlessly offensive. We need to go after our Cyber CI adversaries. They are not prepared for this. It is not cost effective for many of them to defend.



Honor Your Professionals
The truth is that Cyber CI staff are not popular and, in most cases, do not even exist. You may see them today as information security risk analysts. They are not always welcome when they walk in. They usually bring bad news, and news that does not lead to an arrest for those of that mindset (see - detect - arrest - all after the fact). They are easy marks to criticize when things go wrong. Their successes are their failures. If they catch someone infiltrating the infrastructure, they are roasted for having taken so long. If they are not catching anyone, why not? What have they done with all that money they spent on Cyber CI? It is no-win. To date, not much of anything is being spent on Cyber CI. It is all being spent on defensive devices and procedures. We are punch drunk and do not even know it. We are in the ring with dozens of adversaries but can only focus on one at a time.

Own the Street
Any Cyber CI program worthy of the name has to be able to engage the opposition on the Internet, the field of play for cyber espionage. And when we do go to the street/Internet, we have to be the best service there. This means any and all protocols of the street. We need to have a strong offensive presence in all protocols, solutions, Web 2.0, and news, non-inclusively. If they are on Twitter and Facebook, so are we. In fact, we should not wait for our adversaries to be there but establish a cyber beachhead as soon as the technology is available. If we are beaten on the street, it is worse than not having been there at all. Establishing street creds builds a following. A following can be leveraged in Cyber CI crowdsourcing. Get involved in the IRCs of various groups. Participate in their discussions. Join their ranks.

Know Your History
I find it inconceivable that any Cyber CI practitioner today could ply his or her trade without an in-depth knowledge of Moonlight Maze, Titan Rain, Aurora, Byzantine Hades, and all the latest hacking and cyber espionage cases, from EMC and Citi to Sony and Lockheed Martin. Examine every hack. Review each nation-state's cyber warfare doctrine.


Do Not Ignore Analysis
Online operators do not make good analysts. A good Cyber CI program will recruit and train true cyber security analysts in sizable numbers. I do not think it would be excessive, as a rule of thumb, for a top-notch Cyber CI service to be evenly divided between operators and analysts.

Wonderful things happen when good analysts in sufficient numbers pore over our OSINT reports, presence lists, IRC chats, audio and video transcripts, Geotagging, blogs, and Web 2.0 data. They find the clues, make the connections, and focus our efforts in the areas that will be most productive.

Do Not Be Parochial
Cyber CI is so difficult, even in the best of circumstances, that the only way to do it is together. We should not let personalities, jealousies, or turf battles get in the way of our common cyber mission. Our colleagues in our peer companies and organizations are as dedicated, professional, hardworking, and patriotic as we are, and they deserve our respect and cooperation. The best people I have known in my career have been Cyber CI people, regardless of their organizational affiliation. So let us be collegial, working together and sharing the embarrassing moments under proper agreements.

Train Your People
Cyber CI is a conglomerate of several disciplines and skills. A typical operation, for example, might include analysts, cyber security specialists, HUMINT specialists, cyber defense technical experts, language experts, ethical hackers, religious experts, and programmers. Each area requires its own specialized training curriculum. It takes a long time to develop Cyber CI specialists, and that means a sustained investment in Cyber CI training. We are just scratching the surface in this area and have a long way to go. Moving to a balance between offensive and defensive measures is a first step, since 99% of our efforts are defensive in nature.

Do Not Be Shoved Aside
When necessary, a Cyber CI service has to impose itself on the organizations and groups it is assigned to protect (if in fact they even recognize the value you bring). A Cyber CI professional who is locked out, or invited in only when it is convenient to the host, cannot do his or her job. In most cases today, we research issues after the fact, as incident response and handling, only to prevent the issue from happening again. Not to leverage the intelligence gained to learn more about your adversary, beating them at their own game on the street, is a travesty. Review, fix the defenses, and forget the intelligence: that is not a way to keep the adversaries at bay.

My advice to Cyber CI colleagues has always been this: “If you are blocked by some senior, obtuse, anti-Cyber CI officer (even the CISO), go around him/her or through him/her by going to higher management. In addition, document all instances of denied access, lack of cooperation, or other obstruction to carrying out your Cyber CI mission. If not, when something goes wrong, as it likely will in that kind of situation, you in Cyber CI will take the blame.”

Do Not Stay Too Long
Sensible and productive Cyber CI needs lots of ventilation and fresh thinking. There should be constant flow-through. Non-Cyber CI staff should be brought in regularly on rotational tours. I also believe it is imperative that a good Cyber CI service build in rotational assignments outside Cyber CI for its Cyber CI specialists. They should go spend time with the operators or with the other groups they are charged to protect, learning every facet of the game. In fact, we may be best served to have them spend time early in their careers in these fields, observing all activities as they analyze. This side-by-side, on-the-job training can serve us well. They will gain a respect for all surrounding functions. They will come back refreshed, smarter, and less likely to fall into the nether world of professional Cyber CI: the school of doublethink, the us-against-them mindset, the nothing-is-what-it-seems syndrome, personal biases, staleness in critical thinking, or the wilderness of mirrors. They will produce better product.

Never Give Up
The tenth and last commandment is the most important. What if Master Splynter had quit after a few months instead of persisting for over two years? What if, in my own experience, we had stopped developing personas and infiltrating websites? Would we have such a strong knowledge of our targets as we do today? The information not provided can fill volumes. The unknown can and will hurt you. The short history of Cyber CI is already full of such examples. If you doubt me, look at all the breaches at attrition.org. These are only the ones reported. These are but a fraction of what actually occurs. And what occurs and is discovered is still unknown. Do we need more evidence of our cyber defensive failures to be convinced? Be persistent, and don't let those who 'fake it till they make it' stand in the way of real progress. Reach out to your peers. Share the information. Drive towards offensive cyber operations. Our adversaries do not operate under any rules of engagement, nor do they believe in some sort of Internet Geneva Convention.


Thank you, James M. Olson: https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/fall_winter_2001/article08.html
