Date post: 25-Jun-2020
Page 1: HUMINT: Engage Your Cyber Adversaries HUMINTwow.intsights.com/rs/071-ZWD-900/images/HUMINT The Key to... · 2020-06-09 · HUMINT: Engage Your Cyber Adversaries What Is huMInt? In

HUMINT: Engage Your Cyber Adversaries

THE KEY TO SUCCESSFULLY ENGAGING YOUR CYBER ENEMIES

WHITEPAPER

HUMINT

Threat Intelligence Realized.


Introduction

Threat hunters and incident responders rely on intelligence to see, identify and respond to attacks. Historically, they have used Open-Source Intelligence (OSINT), which is data collected from publicly available sources, and Machine Intelligence—also known as Signals Intelligence (SIGINT)—which involves the interception of signals from both communications and electronic sources, e.g., cell phones and computers. In addition, Social Media Intelligence (SOCMINT) has provided another source of intelligence, which can be used to identify potential brand and customer-focused attacks. However, the one constant behind all attacks is that they are human-driven. As threat actors keep innovating to make their attacks more difficult to see and stop, another form of intelligence has become critical for cybersecurity success—Human Intelligence (HUMINT).

Because attacks are human-driven, the best way to anticipate, identify and respond to them relies on human skill and effort. Gathering HUMINT can be one of the most difficult and most dangerous forms of intelligence (as we’ll explain later), but it can also be one of the most valuable sources of intelligence available to organizations. Cybersecurity researchers, threat hunters and incident responders need to leverage all of the tools and intelligence sources at their disposal to prevent attacks, minimize data leakage and try to stay one step ahead of threat actors.

This paper focuses on HUMINT, defining it, discussing how it can be gathered and used, and the important role it plays in helping threat hunters defeat threat actors in the increasingly high-stakes world of cyber threats.


What Is HUMINT?

In The Art of War, Chinese military strategist Sun Tzu wrote: “To know your Enemy, you must become your Enemy.” That advice from 2,500 years ago remains very applicable to today’s world of cyber warfare. What makes cyber attacks so difficult to see, identify and stop is the fact that they are very often planned and executed by savvy, well-trained experts who use their skill and cunning—along with an impressive array of high-tech cyber weaponry—to deliver stealthy attacks that often begin and end before the victims even notice.

HUMINT can be defined as the process of gathering intelligence through interpersonal contact and engagement, rather than by technical processes, feed ingestion or automated monitoring. HUMINT can be performed by both threat hunters and threat actors: it could mean recruiting an intelligence source (by a threat hunter), or gathering information through misrepresentation and social engineering (by a threat actor). It’s typically a manual process, requiring a very specific set of skills and knowledge to remain undercover and not raise suspicion.

While difficult, human intelligence is the key to seeing, identifying and effectively thwarting the efforts of cyber attackers, whether they seek financial gain, are looking to advance their political and social agendas, or are commissioned by nation-state espionage aimed at disrupting operations and national security.

Both threat actors and cybersecurity professionals have impressive technology at their disposal, but they also deploy perhaps the most useful (and dangerous) weapon of all in their work—human knowledge and experience. That’s why HUMINT is a critical intelligence source for threat hunters and incident responders. Understanding the motives and tendencies of your adversaries is a key to any type of warfare, including cyber warfare. Therefore, threat hunters must know their enemy by becoming their enemy (as Sun Tzu advised over 2,500 years ago). The good news for cybersecurity experts is that while the enemy may be virtual and anonymous, they are not invisible.


Meet Joe: A HUMINT and Threat Hunting Expert

We conducted an in-depth interview with a professional threat hunter—we’ll call him “Joe” to protect his identity—who currently works as head of cyber threat intelligence for a multinational corporation. Joe also spent several years earlier in his career working as a senior intelligence analyst for the Israeli government. He is an expert at using HUMINT to infiltrate threat actor forums on the dark web to gather information that helps identify and defend against attacks aimed at his organization.

The key for a threat researcher or hunter to successfully obtain and use HUMINT is to learn how threat actors think, what tools and techniques they use, and what they are targeting. That requires the ability to engage with and infiltrate threat actors to gain their trust and learn how they operate. It’s the high-tech equivalent of what an undercover FBI agent does when he or she spends months or years working to infiltrate a criminal organization. It’s painstaking and nerve-racking work, and means going where threat actors congregate and share information, which usually includes dark web forums, IRC chat rooms and black markets. It can be a dangerous activity for an individual, no matter how experienced and skilled they are.

“When a threat researcher relies on HUMINT as a key investigatory technique, it can be very risky,” said Joe. “When you are entering a realm, via the dark web, especially one frequented by threat actors from parts of the world rife with such practitioners, you are analyzed constantly. There are many cases in the forums I’ve joined where the administrators or moderators scrutinize everything about you to determine if you’re really a fellow threat actor or a security researcher. They want to know who you are and where you’re coming from. If they even suspect that you are in law enforcement or a security researcher, they will ban you very quickly.”

Before a threat hunter starts engaging with threat actors on these forums, operational security is critical. Researchers need tools to help them hide their identity. It can be a VPN, a proxy, a virtual machine, or TOR. “The more precautions and tools you use, the better,” Joe said. “For threat researchers who work for corporations, getting unmasked by the hackers we’re trying to infiltrate is the biggest problem. It’s also possible to run afoul of law enforcement with some of the things we have to do, but the biggest concern for us is to incur the wrath of our own corporate legal departments.”

Because HUMINT gathering can be such a time-consuming activity, Joe says people who do the work rely on cutting-edge technologies that can provide them with the HUMINT they need to do their jobs effectively. “I have a few key products that provide me with strong intelligence about organizations that may have acquired information from my company that they’re trying to monetize or share with fellow hackers. It’s my job to prevent that valuable information from being sold on the dark web.”


The Risks & Challenges of Solo HUMINT Gathering

While HUMINT can be incredibly valuable to an organization, it doesn’t come without its risks. Avoiding mistakes that can reveal a threat hunter’s identity is vitally important. The last thing you want is to become a target, and that’s exactly what will happen if your true identity is exposed.

Taking Appropriate Precautions

“You never use your own computer,” Joe explained. “You never save anything onto the machine you’re using when you’re engaging with hackers. Everything needs to be deleted each time you access the dark web. That’s how I work. And that’s what I did when I worked for the Israeli government. I always have an image and each time I go into the dark web, I load from that image. Meaning operational system and all the files are deleted every time I shut down my computer. I don’t want anyone to know who I am, where I’m from, what I’m doing and what my MO is,” he emphasized.

“A colleague of mine, an Israeli researcher, was investigating an APT from North Korea,” Joe recalled. “Basically, he wasn’t as cautious as he should have been with his operational security, and he was hacked. He was using his personal computer for HUMINT gathering. Threat actors put all of his personal data online. It’s a cautionary tale of how not to do things. That’s why I supplement my own HUMINT-gathering work with the best security products and services on the market that provide me with not only HUMINT, but also OSINT and machine intelligence, which help me achieve my goals while minimizing my risks.”

Establishing Multiple Sources

With all of that pressure to infiltrate threat actors’ domains while also protecting their own identities, HUMINT researchers need help. Fortunately, when starting an investigation, threat hunters don’t have to rely solely on their own efforts to acquire the information they need to achieve their goals. “My preference is to use information collected by a trusted cybersecurity company,” said Joe. “I have two goals when I’m trying to find threat actors and recover stolen information: get the data back and protect my identity from people who would like nothing more than to hack and expose me. The more information I have, the better job I can do. That information can come from the dark web, social media or other sources. But there’s too much information for one person to obtain. That’s why finding the right company with a team of highly skilled analysts collecting data is the best way to achieve my goals.”


A 24x7 Side Project

One of the main reasons why professional threat hunters choose to work with leading HUMINT tools is the limitations the lifestyle imposes on their personal lives. “If you collect your own HUMINT by spending time on social media sites, forums or other darknet sites, you have to be willing to change the hours you work,” said Joe. “You simply can’t work 9-to-5, as you would in a typical corporate job because that will be a big tipoff that you might be a threat analyst and not a threat actor. The hackers will ask you, ‘Hey, why are you only online at certain hours?’ So to maintain the credibility of my avatars, I would have to log in on Friday and Saturday nights, or Sunday mornings. Just to check in with a few people to ask ‘What’s up? What’s going on?’ ‘Have you heard about the new Tor forum that was opened?’ I put in the effort to make them think that I’m a real threat actor like them. I need to make a strong impression that I’m a fraudster, not a security researcher.”

But what about companies that don’t allow their security teams to work unusual hours, or take risks to establish themselves as credible threat actors so they can get close to hackers? That’s where the value of using HUMINT from a cybersecurity firm comes in: a firm that has a team of people working around the clock—and around the world—gathering HUMINT, SIGINT, SOCMINT and OSINT to provide to their clients. Joe says that enterprise legal departments often frown on in-house researchers spending time on dark web forums gathering information on threat actors.

According to Joe, the majority of HUMINT work is not necessarily approaching random threat actors. “You need to have a strong list of threat actors that are already among your contacts, or ‘sources’ in the lingo of threat hunters. I currently have 20 to 30 threat actor sources, so every time I have a question, such as what new tools or botnets are out there, I go to them. I have sources that are developers, threat actors who are carders [people who steal, trade and buy credit card information and PINs], and threat actors who are moderators on different forums. There is a list on Jabber [the secure messenger that threat actors use] and I have a list of the people that I can approach anytime if I have a question, or if there is a lead that I need to investigate.”

But to be as successful as Joe is in pursuing threat targets, it’s unnecessary—and unwise—to rely solely on your own resources. One of the key tools for any good threat researcher who works to infiltrate the threat actor underground is a list of contacts. “Having a good list mimics how threat actors operate. Once established, you can work with those people. If you need somebody to write a botnet you have someone from forum A who can do that. If you need somebody to ask about a new way of cashing out then you have another guy, a carder, from forum B,” said Joe.

“Each avatar that I operate has its own persona and its own list on Jabber of people he can contact. The best part about this approach is there’s nothing illegal about it. I’m very cautious. I’m not buying anything. That’s what I use my security solutions for. But I do speak to those people and I’m trying to build a bond. Over the years, there are some sources that I consider to be very good sources because I’ve been talking to them for a very long time.”


It’s a lot of work for any individual to work their regular day job and then spend time at night and on weekends trying to dig out HUMINT on their own. That’s why even skilled professionals like Joe see the value in working with a leading vendor that can do a lot of the heavy lifting for them. A solo HUMINT practitioner has to put a great deal of time and effort into creating and maintaining the avatars that, if done well, will allow them to gain access to hacker forums. “If you have a story behind your avatar—for example, one of my avatars is a Russian student—you need to back up your avatar’s persona,” said Joe. “You need to know about the university you claim to attend because you will be questioned about it. As part of the process for threat actors to get comfortable with a new avatar, they will press you about what classes you take and other aspects of campus life. You need to be a good liar as well and to log in at hours that will convince threat actors that you are who you say you are.

“The name of the game is mimicking the threat actors’ behavior. That’s why I spend so much time logging into forums. I study the moderators and the biggest threat actors in a forum. I read everything they write and I try to understand how I can write the same way. You want to mimic their behavior,” said Joe. “It’s a tremendous amount of work, and that’s why I don’t try to do everything myself. I have access to excellent HUMINT from my top security vendor. That takes some of the load off me and provides me with a great deal of information because the team is so good at infiltrating hacker forums.”

Supplementing Research with HUMINT Tools

People like Joe, who have the skills, cunning and years of experience to conduct their own HUMINT, are a rarity in most enterprise organizations. While many have spent years honing their ability to successfully infiltrate dark net forums, most threat researchers need help so they can more effectively use HUMINT to protect their organization and their customers.

In fact, most threat hunters, even ones as talented as Joe, need to supplement their own research and HUMINT gathering with other solutions and sources of intelligence. Working in isolation, or even with a team of colleagues, only enables threat hunters to obtain a fraction of the HUMINT they need.


“I appreciate having access to a platform that provides me with the first lead to threat actors. For example, there was a threat actor that I was pursuing and I made good progress with my investigation because I was able to get a name from the cybersecurity provider I rely on. Once I had the name, it gave me the option of talking directly to him in the forum or asking my contacts if they know him. Having accurate, reliable HUMINT made it much easier to determine if he were legitimate, so I could start building an investigation into his activities. It takes a lot of time and expertise to get effective intel on a threat actor, such as how long he has been active and what other threat actors think about him. The big question is ‘Is he legitimate or is he just a scammer who is trying to sell things that do not really exist?’ That level of detail is incredibly valuable to someone who does what I do for a living,” Joe said.

Using HUMINT for Security Action

It’s clear that gathering HUMINT is a challenge and comes with many risks. So why is it worth the hassle and how do you use this intelligence for security action? Here are a few use cases:

Post-Attack Investigation

Hackers will often make claims or take credit for attacks online. If the attack mentions your company or perhaps another in your industry, it may be worth contacting the threat actor to investigate how they performed the attack, figure out their entry point and learn what tools they used. This intelligence can be used to stop further damage or protect against a similar attack.

Extortion Attack Damage Assessment

Extortion attacks have been on the rise over the past year. If your company is being extorted, you might want to verify what information has been stolen and if the threat actor has actually stolen any valuable information. This can be used to assess the potential impact of a breach.

New Attack Vector Discovery

As part of the threat hunting process, HUMINT can be used to discover new scamming methods, new exploits and other hacker TTPs that may be used against you. Threat intelligence solutions can provide you with a lot of this intelligence, but supplementing it with your own HUMINT gathering can help you gain an even deeper understanding of current threats.

Because sources and avatars take time to develop, you shouldn’t wait until after one of the above scenarios happens to begin collecting HUMINT. You need to start developing your HUMINT process now so that you have the credibility and sources to go to if you find yourself in one of these situations. If you reach out to threat actors as a new avatar right after a recent security incident, they will immediately be suspicious of your motives.


Adding HUMINT Into Your Threat Intelligence Program

Most organizations do not have an experienced, skilled threat hunter like Joe on staff who can perform his own HUMINT work. But there are a variety of tools that allow organizations to leverage HUMINT, as well as OSINT and machine intelligence, to proactively uncover cyber threats.

Here are three recommendations on how any enterprise can start using HUMINT to see, identify and stop threat actors intent on stealing or destroying your intellectual property, customer information and other sensitive data.

Take Personal Security Measures

“First of all,” said Joe, “personal security is critical. Any computer that is used for HUMINT work is a ‘dirty machine.’ You need to perform HUMINT work on a computer that is not connected to your network. You can’t be recognized as an employee of your organization. If threat actors determine that you are not a fellow hacker, but you work for a specific company, they will come after you and the results won’t be good.” So, first and foremost, you need to build your dark net capability and persona with a thorough commitment to your own—and your organization’s—security.

Tell a Good Story

Second, you need to be able to tell a “good story,” that is to create an avatar and persona with a thorough and believable story behind it. When it comes to that “good story”, Joe says that also applies to the skills that you present as part of your persona. “For example, if your goal is to infiltrate a forum full of actors who perform financial fraud, you need to have a deep understanding of the subject. That means you have either technological understanding of programming and creating botnets, or you need to present yourself as an expert in physical fraud, such as the ability to hack ATMs. You must be able to talk knowledgeably about various aspects of the field. If you know how to ‘talk shop’ about those things, you will be accepted into the dark net forums you’re targeting. It will also be easier for you to bring your avatar and persona up to a level the incumbents will trust.”

Develop Appropriate Language Skills

The third capability you need to perform HUMINT investigations, according to Joe, is language skills. “If you don’t speak reasonably good Russian, and you’re trying to establish yourself on Russia-based forums, you need to work with a colleague who not only speaks Russian but who understands the lingo and the slang. When you speak to Russians they will quickly figure out if you are using Google Translate and are not a Russian speaker. Why is it important? Because they trust you more if you have good language capabilities and can convincingly present yourself as one of them.”


The learning curve to become a credible HUMINT threat hunter can be up to six months, according to Joe, with a lot of trial and error. This may involve getting thrown out of forums for asking the wrong questions—or not having the right answers to questions you’re asked. However, if you take the appropriate precautions and protect your identity, you can continue working to develop new avatars and sources, laying the foundation for successful HUMINT gathering.

The IntSights Advantage

So where can someone with the experience Joe has—not to mention those who haven’t spent years perfecting avatars and methods for accessing threat actors—get the information they need to effectively secure their organization’s data? That’s where the team and technology from IntSights come in.

“When I started doing HUMINT in 2008, I had to do everything manually by myself,” recalled Joe. “I investigated forums and looked for relevant information on my own when I was working for the Israeli government. But now, I rely on IntSights for a lot of that information. I put my keywords into their crawler and get information 24/7 from the dark net. That means I don’t need to search for everything manually. If I find a new forum while I’m doing my own HUMINT, I send it to IntSights and then the information becomes part of the service and it’s available to the entire threat hunting community.” IntSights delivers many advantages to threat hunters and researchers like Joe, freeing them from having to spend countless hours frequenting forums to painstakingly gather information piece by piece.

“The bottom line is IntSights saves me time. I have all of the information gathered and checked by the IntSights team each morning,” said Joe. “I have the keywords, the name of the threat actor, the address of the dark net forum and the screen shots of what was said, what’s relevant to me. Since I started using IntSights for HUMINT, OSINT and machine intelligence, I don’t have to do all the prep work myself. I get the page and the post I need to look at. For example, there were a hundred posts in one thread, and I only needed to look at page 45. I no longer have to do it all manually. Everything is automatic. That is the biggest advantage IntSights gives me as a HUMINT researcher.”

IntSights provides two types of information to enterprise threat hunters and researchers. Those who lack the resources to conduct their own HUMINT on the dark web can get all their information from the IntSights team and use it to protect their organizations’ data. Alternatively, experienced, uniquely-skilled researchers (such as Joe) can use IntSights’ information—gathered from continuous Internet and dark web crawling—to pinpoint their efforts and make their forays into forums quicker, safer and more productive. Clients can search IntSights’ database of forums and all of the information gathered from them. Researchers can look for keywords or certain emails, intellectual property (IP), indicators of compromise (IOC) or related information.


IntSights also enables enterprise researchers to conduct a combination of OSINT and HUMINT so they can bring the entire investigation picture to company executives to demonstrate the threat, its ramifications and how they will respond to it. The IntSights global team generates a tremendous amount of actionable data for its clients, including:

• Who are the most important threat actors in forums
• What information they are selling
• The abilities they have
• Which programming languages they know
• What their offensive capabilities are

IntSights’ information enables enterprise security professionals to truly understand the motive, relevance and context of the threat actors who are targeting their organizations. As Joe says, “This information helps me see the motive of specific threat actors and what they’re thinking.”

So whichever approach to HUMINT works best for you, the intelligence provided by IntSights can complement your own efforts or give you the advantage of having a team of HUMINT experts feeding you valuable insights every day. Or, you can stay up all night and work weekends to gather the intelligence you need. The choice is yours.

Conclusion

While tools, technology and tactics change, all cyber attacks have one thing in common: they’re all human-driven. Knowing the motivations and tendencies behind your cyberadversaries can help you make the right strategic decisions and investments to better protect your organization.

Human Intelligence (HUMINT) can be incredibly valuable, yet incredibly dangerous, to collect. You need to have the right set of skills, expertise and time to gather HUMINT effectively and ensure your true identity and intentions are hidden. Whether you’re looking to get started with HUMINT gathering, or want to enhance your existing program, leveraging HUMINT and other intelligence tools can be incredibly helpful.

When it comes to protecting your organization from cyber threats, you’re only as good as your intelligence. Cyber security professionals and threat hunters need to have access to the right information so they can take appropriate action and mitigate threats before they cause damage. Leveraging tools that ingest, process and contextualize these different sources of intelligence can be the difference between stopping an attack and getting breached. Make sure your team is armed with the right tools and intelligence so that you can effectively protect your company, your employees and your customers.


About IntSights

IntSights is redefining cyber security with the industry’s first and only enterprise threat management platform that transforms tailored threat intelligence into automated security operations. Our ground-breaking data-mining algorithms and unique machine learning capabilities continuously monitor an enterprise’s external digital profile across the surface, deep and dark web, categorize and analyze tens of thousands of threats, and automate the risk remediation lifecycle — streamlining workflows, maximizing resources and securing business operations. This has made IntSights one of the fastest growing cyber security companies in the world. IntSights has offices in Tel Aviv, Amsterdam, New York, Tokyo, Singapore and Dallas and is backed by Glilot Capital Partners, Blumberg Capital, Blackstone, Tola Capital and Wipro Ventures. To learn more, visit www.intsights.com.
