Drone Threat Intel Report: DroneSec Notify #21

This summary has been extracted from our weekly public threat intelligence report. For more information on the platform or weekly email PDFs, please visit: or email us at [email protected] or join the slack group at

Welcome to another monthly roll up of our public Threat Intelligence release. We’ll go through some of the more interesting statistics we’ve observed during the month gone (April). Many of these artefacts help us make certain estimations and determinations about the future – more on that later though, as we’ll be adding some drone security ‘predictions’ to our State of Drone Security report in June.

We appreciate all Notify artefacts provided via community submissions; notably for the Digital Forensic tool Autopsy’s newest Drone Analyzer ingest module. You’ll find this, and a number of featured reports, all within this week’s Threat Intelligence report. You may also see some contact information provided in the featured recommendations too; that’s because our team is highly skilled and able to provide remediation services in these areas.

This week, I want to deconstruct how our database catalogues and visualises ‘artefacts’ provided in reports such as these. So, what goes into an artefact? For example, you might only see the following:

Illegal drone flies over jockey race, operator found caught by security personnel, Hong Kong

In reality, the backend take-away is much more complex (and useful). Our Drone Security Analysts combine Open-Source Intelligence (OSINT), Imagery Intelligence (IMINT) and Geo-spatial Intelligence (GEOINT) to categorise, classify and assess drone incidents. Big acronyms, but they all serve a purpose.

When our threat intelligence team receives a notification or observes an incident, it is triaged and logged with a number of identifiers. This is then be used to geo-locate the incident on a map, compared to other incidents that didn’t result in an arrest, and identify patterns that might suggest if the operator has been involved in drone incidents before (yes, we log names of individuals and groups where Law Enforcement have been involved in drone incidents – and where this information has been made public).

Now that the information is logged, we can do very quick and powerful searches to receive unique insights. For example, if someone searched for queries requesting drone incidents that:

  • Occurred in Hong Kong
  • Resulted in Arrest
  • During May 1st – May 10th

They would find any incidents that matched, including the above horse racing incident. Because of the information logged, the indicators of both can be analysed to see if any patterns exist. Coupled with other sources (law enforcement, drone detection systems, UTM systems, keywords) this information provides a pre-fact and post-fact enumeration tool for drone activity. This moves Law Enforcement closer to identifying repeat offenders where individuals or groups are intentionally misusing drones.

I hope you find the above useful in the effort that goes into each artefact, and the incredible use of which can be extracted from it. For more information on our Notify Threat Intelligence Platform and what it could do you for organisation, please feel free to chat to the team at [email protected]

See how the DroneSec Notify Threat Intelligence Platform can benefit your organisation.

Leave a reply