Current trends in cyberintelligence
Note: everything stated below is my personal opinion and does not claim to be true. This opinion is based on long-term observation of job vacancies, investigations, the work of information and analytical organizations, tools, and individual specialists.
Note 2: we will discuss not only standard probes and compiling dossiers on individuals and legal entities, but also the entire field of cyber intelligence, including the creation of tools, the ability to conduct complex international investigations, social engineering, building your own security model, etc. It's an art form in itself :)
Just a couple of years ago, multitasking and versatility were unique skills that were highly valued. Now they are baseline cyber intelligence skills if you want to stay current, keep relevant and effective tools and contacts, and solve non-trivial problems involving massive amounts of data. All of this is strongly shaped by the development of AI.
In order to maintain and raise the professional bar, you need to possess and be able to use:
- Basic programming. Python (pipelines for automation, parsers, scripts for data processing, ML, etc.) and bash/shell (you must be able to deploy tools).
- Working with AI. Be able to compose prompts (and for this you need to know how they work), evaluate the strengths of different models, bypass restrictions, check, correct, and verify data, etc.
- Social engineering. Communicating with people is extremely important. Communication can be viewed from two sides: exchanging experience, ideas, opportunities, contacts and mutual assistance, and the ability to obtain unique information about what you need. Both require extensive experience in interacting with people, both ordinary people and specialists.
- To build your own security model, you need a large block of at least basic knowledge about: how networks work (for example, for VPNs, the digital traces you leave, etc.); how different operating systems compare in terms of convenience for different tasks, security, anonymity and protection; how browsers work; and how the phones and other technical devices you use in your work function. Knowledge of the methods used by the police and security services also deserves separate mention. Frankly, these days it is desirable for everyone to know this.
- Analytics. Verification, the ability to objectively evaluate data and sources, the ability to write scripts when you work with large amounts of data, evaluating your own results, and designing workflows. There are even workshops on verification (for example, by Bellingcat).
- Disinformation analysis (research into information operations) deserves a separate mention. IMHO, no justification is needed here, as with the point below :)
- GEOINT.
- Basic knowledge of cryptocurrency.
- Proficiency in languages (at least English) and broad general knowledge. It may seem strange, but you never know which segment of the internet you will end up in and why. Sometimes you have to learn about the quality and durability of bricks, sometimes you have to understand military technology, and sometimes you have to dig through Arab marketplaces.
- Ability to work with data leaks: monitoring, searching databases, processing.
- Ability to work with .onion (Tor) resources, knowing where to get or buy information.
- Monitoring specialists, tools, and news for professional self-education.
- Ability to work with different types of data (how to investigate social networks, what can be done with a full name plus date of birth, how to investigate a phone number, etc.). Multimedia verification deserves special mention (images, video, audio, deepfake analysis, out-of-context media, provenance, metadata, content origin chain). For example, at OScon'25 in Zurich there was a separate talk on audio forensics in journalism. In addition to this there is graph-centric analysis: connection graphs are currently trending because they are convenient.
- This is the point marked with an asterisk: working with application APIs in order to retrieve unprotected data. I am currently trying to learn this using Telegram as an example.
Some people also add a section on reproducibility and evidence discipline. To be honest, I just record the entire investigation process and don't worry too much about it. Wherever I need to attach a source or trace the path of a piece of information, everything is there. I have my own report formats, and sometimes I tailor them to the client's preferences.
There is one more point I would add, but it is very specific, and I have been working on it myself for some time: the creation of a local information and analytical system (IAS).
- https://www.worldmonitor.app/
- https://arxiv.org/abs/2503.03215 (but the manuscript was later withdrawn)
- https://x.com/bilawalsidhu/status/2024672151949766950?s=67
I will tell you a little about my project. I cannot describe all the planned features for obvious reasons, but nevertheless.
What will be included in the basic tasks of the IAS?
- Collection and processing of data from diverse sources (primary processing, normalization, preparation)
- Extraction of facts, events, entities, and relationships (using ML-based information extraction models such as OneIE/DyGIE/TARS)
- Building an internal knowledge base (based on Neo4j to start with, with vector search, indexing, fact enrichment, etc.)
- Additional processing using a local LLM with RAG (llama.cpp)
- Convenient visualization
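To make the first three stages concrete, here is an added example of my own; it is not code from the author's IAS project. It is a stdlib-only Python sketch that normalizes records from two sources with different schemas, extracts entities with rule-based regexes (standing in for OneIE/DyGIE/TARS), and stores them in an in-memory property graph (standing in for Neo4j) where every node and edge carries provenance back to the source document, so a k-hop query can always be traced to evidence. The sample records, source names and entity kinds are constructed for the example; there is no vector search or LLM stage.

```python
"""Minimal local IAS pipeline sketch (added example, stdlib only).

Stages: normalize heterogeneous records -> rule-based entity extraction
-> in-memory property graph with provenance -> k-hop neighbourhood query.
"""
import re
from collections import defaultdict

# Constructed sample records from two hypothetical sources with different schemas.
RAW_RECORDS = [
    {"source": "leak_a", "id": "a-1",
     "text": "Contact John Doe at john.doe@example.com or +1 (555) 010-2222."},
    {"source": "forum_b", "id": "b-7",
     "body": "JOHN.DOE@EXAMPLE.COM posted a link for @jdoe_ops, phone 15550102222"},
    {"source": "forum_b", "id": "b-9",
     "body": "@jdoe_ops and @mallory_x trade in the same thread; mallory@example.org"},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
HANDLE_RE = re.compile(r"(?<!\w)@\w{3,}")   # lookbehind keeps '@example' of an email out


def normalize(record):
    """Map each source schema onto one shape: source, doc_id, text."""
    text = record.get("text") or record.get("body") or ""
    return {"source": record["source"], "doc_id": record["id"], "text": text}


def canonical(kind, raw):
    """Canonical key so the same identifier seen in different sources merges."""
    if kind == "phone":
        return re.sub(r"\D", "", raw)   # digits only; country-code logic out of scope
    return raw.lower()                  # emails and handles compare case-insensitively


def extract(doc):
    """Rule-based IE: ordered, de-duplicated list of (kind, key) entities."""
    ents = []
    for kind, rx in (("email", EMAIL_RE), ("phone", PHONE_RE), ("handle", HANDLE_RE)):
        ents.extend((kind, canonical(kind, m)) for m in rx.findall(doc["text"]))
    return list(dict.fromkeys(ents))


class KnowledgeGraph:
    """Tiny property graph: nodes keyed by (kind, key); an edge is a
    co-occurrence in one document and stores the provenance of that document."""

    def __init__(self):
        self.nodes = {}
        self.edges = defaultdict(list)      # frozenset({a, b}) -> [provenance, ...]

    def add_doc(self, doc):
        ents = extract(doc)
        prov = {"source": doc["source"], "doc_id": doc["doc_id"]}
        for e in ents:
            self.nodes.setdefault(e, {"mentions": []})["mentions"].append(prov)
        for i, a in enumerate(ents):
            for b in ents[i + 1:]:
                self.edges[frozenset((a, b))].append(prov)

    def neighbors(self, node):
        return {next(iter(pair - {node})) for pair in self.edges if node in pair}

    def within(self, node, hops):
        """Entities reachable from node in at most `hops` edges (BFS)."""
        seen, frontier = {node}, {node}
        for _ in range(hops):
            frontier = set().union(*(self.neighbors(n) for n in frontier)) - seen
            seen |= frontier
        return seen - {node}

    def evidence(self, a, b):
        """Every source document that links a and b (cross-source corroboration)."""
        return self.edges.get(frozenset((a, b)), [])


def build_graph(records=RAW_RECORDS):
    kg = KnowledgeGraph()
    for r in records:
        kg.add_doc(normalize(r))
    return kg


if __name__ == "__main__":
    kg = build_graph()
    seed = ("email", "john.doe@example.com")
    print("1 hop:", sorted(kg.within(seed, 1)))
    print("2 hops:", sorted(kg.within(seed, 2)))
    print("evidence email<->phone:", kg.evidence(seed, ("phone", "15550102222")))
```

The point of carrying provenance on every edge is that a two-hop link (here from the e-mail to @mallory_x) is only as strong as the documents behind each hop; `evidence()` returns two independent sources for the e-mail/phone link and a single forum post for the handle links, which is exactly the distinction an analyst has to make before treating a graph neighbour as a fact.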
Additional features are planned, but there is no point in talking about them yet, because I am only raising the MVP at the moment.
I expect this to be very helpful for projects with many entities. However, for security reasons a local deployment is required, and Maltego is not suitable in that regard.