Good, we needed another threat actor naming scheme
-
RE: https://mastodon.social/@campuscodi/116075529238129101
Good, we needed another threat actor naming scheme
@neurovagrant LONG AGO THE SIX ELEMENTS LIVED IN HARMONY
-
RE: https://mastodon.social/@campuscodi/116075529238129101
Good, we needed another threat actor naming scheme
@neurovagrant
I only use @gayint's naming scheme -
RE: https://mastodon.social/@campuscodi/116075529238129101
Good, we needed another threat actor naming scheme
-
RE: https://mastodon.social/@campuscodi/116075529238129101
Good, we needed another threat actor naming scheme
@neurovagrant Should have made it SHADO.
-
RE: https://mastodon.social/@campuscodi/116075529238129101
Good, we needed another threat actor naming scheme
@neurovagrant Yeah, new naming convention ... not great. But I do think they deserve some cred for attempting to put some rigor into it with the admiralty scoring and use of Diamond Model.
But yeah... another naming convention, love it.
I think it's about time the community came up with something, or simply rally around GAYINT.
-
@neurovagrant Yeah, new naming convention ... not great. But I do think they deserve some cred for attempting to put some rigor into it with the admiralty scoring and use of Diamond Model.
But yeah... another naming convention, love it.
I think it's about time the community came up with something, or simply rally around GAYINT.
@nopatience @neurovagrant Didn't microsoft already use elements, then abandon them?
I cannot imagine how this will confuse anyone, but only because I haven't had my coffee yet.
-
@nopatience @neurovagrant Didn't microsoft already use elements, then abandon them?
I cannot imagine how this will confuse anyone, but only because I haven't had my coffee yet.
There's been so many naming conventions, overlapping and what not. It's impossible to keep track of what's "in use", abandonware or the result of advance Chinese whispers game.
-
There's been so many naming conventions, overlapping and what not. It's impossible to keep track of what's "in use", abandonware or the result of advance Chinese whispers game.
@nopatience @neurovagrant True, but there are larger and smaller players.
-
@nopatience @neurovagrant Didn't microsoft already use elements, then abandon them?
I cannot imagine how this will confuse anyone, but only because I haven't had my coffee yet.
@adamshostack @nopatience @neurovagrant It may or may not matter that this is meant for internal, pre-attribution grouping based on Diamond Model similarities. It's goofy as hell, but should only affect internal customers and not appear on the translation spreadsheet for named TAs.
-
@adamshostack @nopatience @neurovagrant It may or may not matter that this is meant for internal, pre-attribution grouping based on Diamond Model similarities. It's goofy as hell, but should only affect internal customers and not appear on the translation spreadsheet for named TAs.
@mttaggart @nopatience @neurovagrant It's "Announced" which I would have thought means "beyond internal" , but any system that groups reliability as "A-F" scale without an expressed "This is precisely how likely the analyst thinks it is..."
As Erica Thmpson writes in Escape from Model Land:
Psychologist Mandeep Dhami studies the communication of probability estimates in intelligence analysis. The communication of probability estimates in intelligence communities has been redesigned, following what Dhami describes as a ‘major intelligence failure’: the misunderstanding of analysts’ judgements about the likelihood of existence of weapons of mass destruction in Iraq. The Chilcot Inquiry report, published in 2016, noted that intelligence organisations had made uncertain judgements about the likelihood that Iraq possessed these weapons: that uncertainty was not effectively communicated either to politicians or to the general public. An earlier example was the use of the words ‘serious possibility’ to communicate the probability of a Soviet invasion of Yugoslavia in 1951. After the Iraq invasion in 2003, new lexicons were developed that identified in numerical terms the probabilities to be associated with phrases like ‘very unlikely’ and ‘virtually certain’. As you might expect, there is disagreement about exactly what numerical ranges should correspond to what phrase. This is a broad and interesting topic in itself, but I want to focus on a single result here. Once the lexicons are chosen and defined (for example: ‘unlikely’: 15–20%; ‘highly likely’: 75–85%; and so on), Dhami takes the interesting approach of performing a reverse experiment and asking analysts to identify the numbers that correspond to the lexicon entry itself. Now, you might think this a waste of time – if the lexicon entry says ‘unlikely (15–20%)’, surely everyone will respond with a probability range of 15–20%? Wrong! In fact, the mean answers given by analysts for the minimum and maximum ends of the ‘unlikely (15–20%)’ range were 13% and 50%. Similarly, ‘highly likely (75–85%)’ was identified as 59–92% in practice. A mathematician faced with the same question would have given the trivially obvious answers, but this is not what the real intelligence analysts are doing. It’s an incredibly striking and seemingly ridiculous result – even when the number is literally written down in the question, people give a different answer!
-
@adamshostack @nopatience @neurovagrant It may or may not matter that this is meant for internal, pre-attribution grouping based on Diamond Model similarities. It's goofy as hell, but should only affect internal customers and not appear on the translation spreadsheet for named TAs.
@mttaggart @nopatience @neurovagrant Oh, wait, elements are ... literally the platonic elements of earth, air, fire and water?
I'm going to step away now before I insult people.
-
RE: https://mastodon.social/@campuscodi/116075529238129101
Good, we needed another threat actor naming scheme
Agreed.
Solid process, though. Still horrible naming convention. Would have been better if they used real elements from the periodic table, maybe stick to the noble gases or something to keep the variations short.
-
@mttaggart @nopatience @neurovagrant It's "Announced" which I would have thought means "beyond internal" , but any system that groups reliability as "A-F" scale without an expressed "This is precisely how likely the analyst thinks it is..."
As Erica Thmpson writes in Escape from Model Land:
Psychologist Mandeep Dhami studies the communication of probability estimates in intelligence analysis. The communication of probability estimates in intelligence communities has been redesigned, following what Dhami describes as a ‘major intelligence failure’: the misunderstanding of analysts’ judgements about the likelihood of existence of weapons of mass destruction in Iraq. The Chilcot Inquiry report, published in 2016, noted that intelligence organisations had made uncertain judgements about the likelihood that Iraq possessed these weapons: that uncertainty was not effectively communicated either to politicians or to the general public. An earlier example was the use of the words ‘serious possibility’ to communicate the probability of a Soviet invasion of Yugoslavia in 1951. After the Iraq invasion in 2003, new lexicons were developed that identified in numerical terms the probabilities to be associated with phrases like ‘very unlikely’ and ‘virtually certain’. As you might expect, there is disagreement about exactly what numerical ranges should correspond to what phrase. This is a broad and interesting topic in itself, but I want to focus on a single result here. Once the lexicons are chosen and defined (for example: ‘unlikely’: 15–20%; ‘highly likely’: 75–85%; and so on), Dhami takes the interesting approach of performing a reverse experiment and asking analysts to identify the numbers that correspond to the lexicon entry itself. Now, you might think this a waste of time – if the lexicon entry says ‘unlikely (15–20%)’, surely everyone will respond with a probability range of 15–20%? Wrong! In fact, the mean answers given by analysts for the minimum and maximum ends of the ‘unlikely (15–20%)’ range were 13% and 50%. Similarly, ‘highly likely (75–85%)’ was identified as 59–92% in practice. A mathematician faced with the same question would have given the trivially obvious answers, but this is not what the real intelligence analysts are doing. It’s an incredibly striking and seemingly ridiculous result – even when the number is literally written down in the question, people give a different answer!
@adamshostack @mttaggart @nopatience @neurovagrant
There are plenty of probabilistic frameworks that incorporate subjective subject matter expert input in lieu of formal measurements. Bayesian approaches certainly come to mind.
The tricky bit with intelligence analysis is you're asking a human being to provide a quantified probability for an event for which there are essentially no previous experiments from which to derive that probability other than "the subject matter expert said so."
I don't know that we'll ever get past the fundamental problem. Maybe with the benefit of hindsight you can examine prior predictions of analysts individually or as groups to recalibrate their practices going forward. Maybe they're too bold in some areas but too meek in others.
Given large enough volumes of structured data, you could potentially train a model. I remember Mandiant did this with their APTinder a.k.a., Going ATOMIC work. But that requires massive amounts of rigorously collected and structured data over years.
-
@mttaggart @nopatience @neurovagrant Oh, wait, elements are ... literally the platonic elements of earth, air, fire and water?
I'm going to step away now before I insult people.
@adamshostack @nopatience @neurovagrant Inb4 they announce their new TIP, "Avatar."
