Andrew Thompson
Understanding and countering adversaries. Former shooter, counterintelligence, human intelligence, and cyberspace operations.
Sep 27, 2018 5 tweets 1 min read
One analytical struggle in my life is whether a group executed poorly conceived tradecraft, or well-executed deception. Deception is rarely discussed on the "threat intelligence" side of information security. Maybe folks are unfamiliar, or intimidated, I don't know. #threatintel We're naive to think we cannot be deceived. Governments with seemingly infinite resources and elaborate espionage capabilities get deceived. It's a thing. I'll go further: there are plenty of regular intelligence analysts who rarely discuss deception. It probably scares them.
Sep 15, 2018 6 tweets 2 min read
Systems should be built with the understanding that if a human is using them, their mistakes must be accounted for. I recently looked at evidence and said this is surely GROUP A. That didn't matter though, because of our systematic approach to analysis. Thread inbound. Having a theory is fine. My theory at the time was not a fabrication nor bias. This was not even a set I am overly excited about. Once more information was collected and analyzed, and we expanded the aperture on why I thought it might be GROUP A, we discovered it wasn't.
Sep 9, 2018 11 tweets 3 min read
We have the 30th round of "I was a volunteer doing dirt for the U.S. government, and as such I'm very uncomfortable that I could be held accountable for my actions by a foreign government, so instead we shouldn't apply pressure to others to avoid the same." My thoughts below. As Jake points out, there are a lot of government sanctioned activities that can end with the individual getting punished by the target if caught. He used the example of SOF conducting renditions abroad, but doesn't really get to the "they shouldn't be arrested" part.
Aug 26, 2018 6 tweets 2 min read
While the reporter was trying to compare two groups of professionals in their respective trades, Scott gives us a reminder that no one is trying to kill you while you're scoping the extent of the intrusion.
Follow-on thoughts below. I have had the privilege of working with top professionals in combat arms and information security. "Elite" organizations typically have a higher concentration of top performers who are committed to excellence for themselves and those they work with.
May 25, 2018 5 tweets 4 min read
#StateOfTheHack follow-up. Thank you to everyone who tuned in, and we apologize for the technical difficulties and audio. We are going to get that figured out for future iterations. I wanted to follow up with the indicators I talked about at the end to prove a point regarding #GDPR: My team develops sources and methods for pursuing adversaries across our customers' networks, and beyond. We do not become reliant on a single source, nor do we allow the loss of a source to cripple our collection efforts. Loss of WHOIS information is not a deal breaker.