When I posted Required Reading: The Online Operations Kill Chain, I assumed I'd be able to get through ten phases in twelve weeks, but life has other plans. Here we are, almost 50% done with the quarter, and I'm just now starting on phase 3 - Gathering Information.
Some earlier posts already addressed this area to some degree.
Prepared Prowler - how to nose around safely.
Post Prowl Pondering - even more how to nose around safely.
Situational Awareness - stuff to use while nosing around.
Attention Conservation Notice:
This is a topic that's covered in some fashion in almost every article on here. You should at least skim it and see if there's anything that's new to you.
Gathering, In General:
What sort of information are you going to gather? There's an old saying, "Begin with the end in mind," which is to collections as "What hunts you?" is to defense.
Here are some things I've done since the start of the month.
Examined domains with Maltego, BuiltWith, RiskIQ, etc.
Obtained and indexed a trove of PDF documents.
Employed Hunchly and manually crawled Facebook, LinkedIn, Twitter, etc.
Reviewed incoming RSS news using Inoreader.
Created a task-related email, made Talkwalker Alerts, routed to Inoreader.
Collected and auto-transcribed some audio and video material.
Contacted individuals in my network to inquire about various matters.
So what end are you seeking when you begin collecting? If you're brand new to this sort of thing, maybe you're just passively taking it all in, waiting to see if your perceptions are proven by the flow of events.
What am I doing with all that? A one-word summation would be this: ATTRIBUTION. There are many influence operations in play right now, there are varying degrees of concealment, and there are people who want to understand, but they lack the skills and/or time to pursue things on their own.
First Tasking:
Among the one third of the audience for this Substack that I recognize, everyone is either a producer of intelligence, a consumer of it, or some mix of the two. They will know what they don't know and have some idea of how to get it. I'm concerned for those who are brand new, because I think your first experience needs to have some bounds in terms of both effort and time. So … something that could start today and with five to ten hours of digging get to a point where a judgment could be made.
This gets touchy for me - if I point out something to look at, then the people involved quickly hear my name, and a very unwanted feedback loop begins. So maybe this is … a chance to help with scoping. Let's try this:
Get your LinkedIn investigation account warmed up.
See if you can find a cluster of fake users that might be China at work.
Fire up Maltego and make a graph of names, companies, and other relationships.
I'm drafting this in between mouse clicks associated with upgrading a couple of Proxmox systems, so I haven't had time to dig on my own to select a starting point, and I probably won't be able to do so until mid-month.
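As an added example for the tasking above (not code from the post), here is one way to keep the "find a cluster, then graph it" step honest: hand-noted profile records are compared on a few weak signals (identical headline, reused photo hash, same creation month, same claimed employer), accounts sharing two or more are grouped, and the result is emitted as an edge list that a Maltego-style graph can import. The profile records, the signal names and the two-signal threshold are constructed assumptions, not real accounts or a vetted detection rule.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample notes (not real accounts): what an investigation account
# might record by hand while crawling. "photo" stands in for a perceptual hash
# of the profile picture; "created" is the profile-creation month.
PROFILES = [
    {"name": "A. Lee",   "headline": "Senior Recruiter | Global Talent", "company": "Orion Consulting", "photo": "h1", "created": "2024-03"},
    {"name": "B. Chen",  "headline": "Senior Recruiter | Global Talent", "company": "Orion Consulting", "photo": "h2", "created": "2024-03"},
    {"name": "C. Wang",  "headline": "Senior Recruiter | Global Talent", "company": "Vega Partners",    "photo": "h1", "created": "2024-03"},
    {"name": "D. Smith", "headline": "Policy Analyst",                   "company": "Orion Consulting", "photo": "h3", "created": "2019-07"},
    {"name": "E. Jones", "headline": "Software Engineer",                "company": "Acme Corp",        "photo": "h4", "created": "2016-01"},
]

# Weak signals: any one alone is innocent, several together deserve a closer look.
SIGNALS = ("headline", "photo", "created", "company")

def shared_signals(a, b):
    """Return the set of signal names on which two profiles agree."""
    return {k for k in SIGNALS if a[k] == b[k]}

def find_clusters(profiles, min_signals=2):
    """Group profiles that pairwise share at least min_signals signals (union-find).
    Returns sorted name lists for every group of two or more profiles."""
    parent = list(range(len(profiles)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    for i, j in combinations(range(len(profiles)), 2):
        if len(shared_signals(profiles[i], profiles[j])) >= min_signals:
            parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, p in enumerate(profiles):
        groups[find(i)].append(p["name"])
    return sorted(sorted(g) for g in groups.values() if len(g) >= 2)

def edge_list(profiles):
    """(source, target, label) rows for a person/company graph: one works_at edge
    per profile plus one same_<signal> edge per shared non-company signal."""
    edges = [(p["name"], p["company"], "works_at") for p in profiles]
    for a, b in combinations(profiles, 2):
        for s in sorted(shared_signals(a, b) - {"company"}):
            edges.append((a["name"], b["name"], "same_" + s))
    return edges

if __name__ == "__main__":
    print("clusters:", find_clusters(PROFILES))
    for src, dst, label in edge_list(PROFILES):   # CSV-shaped rows for graph import
        print(f"{src},{dst},{label}")
```

D. Smith shares only an employer with the recruiter trio and so stays out of the cluster, which is the point: one coincidence is not a relationship, and the journal note should say which signals actually matched.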
Conclusion:
The big things you will wrestle with are polar opposites - under-collection and over-collection. If you're actively participating in a grassroots environment there will be intentionally created mysteries, cognitive sinkholes crafted for precisely that purpose. And, not knowing precisely what you're going to do once you HAVE some stuff collected, you'll likely go deeper into things than is necessary.
The best thing here might be a journal. Pick a thing to inspect. Make some notes on what you think is happening. Come back and review the thing. Then review your notes. The writing here is key; there's a whole lot of material in cognitive psychology about how our brains stitch together linear narratives using all the pieces of a puzzle that we have. Failures will include not grasping the depth of a network involved in an activity, or conflating things that are only coincidentally related.
OK, so that's that. I guess the next article will be on analytical tradecraft in this area.