Last updated at Tue, 24 May 2022 18:22:03 GMT
Threat hunters and incident responders rely on intelligence to see, identify and respond to attacks. There are many different forms of intelligence, like Open-Source Intelligence (OSINT), Signals Intelligence (SIGINT), and Social Media Intelligence (SOCMINT). However, the one constant behind all attacks is that they are human-driven. As threat actors keep innovating to make their attacks more difficult to see and stop, another form of intelligence has become critical for cybersecurity success — Human Intelligence (HUMINT).
Because attacks are human-driven, anticipating, identifying and responding to them requires human skill and effort. HUMINT can be one of the most difficult and most dangerous forms of intelligence to gather, but it can also be one of the most valuable sources available to an organization. Cybersecurity researchers, threat hunters and incident responders need to leverage every tool and intelligence source at their disposal to prevent attacks, minimize data leakage and stay one step ahead of threat actors.
HUMINT can be defined as the process of gathering intelligence through interpersonal contact and engagement, rather than through technical collection, feed ingestion or automated monitoring. Both threat hunters and threat actors practice it: a threat hunter recruits and cultivates an intelligence source, while a threat actor relies on misrepresentation and social engineering. It is typically a manual process that requires a very specific set of skills and knowledge to remain undercover without raising suspicion.
While difficult, human intelligence is the key to seeing, identifying and effectively thwarting cyberattackers, whether they seek financial gain, pursue a political or social agenda, or conduct nation-state espionage aimed at disrupting operations and national security.
HUMINT risks and challenges
While HUMINT can be incredibly valuable to an organization, it carries real risks. Avoiding mistakes that can reveal a threat hunter’s identity is vital: once your true identity is exposed, you become a target yourself.
We conducted an in-depth interview with a professional threat hunter — we’ll call him Joe to protect his identity — who currently works as head of cyber threat intelligence for a multinational corporation. He is an expert at using HUMINT to infiltrate threat actor forums on the dark web and gather information that helps identify and defend against attacks aimed at his organization. He outlined the following risks associated with solo HUMINT gathering.
Taking appropriate precautions
“You never use your own computer,” Joe explained. “You never save anything onto the machine you’re using when you’re engaging with hackers. Everything needs to be deleted each time you access the dark web. That’s how I work. And that’s what I did when I worked for the Israeli government. I always have an image and each time I go into the dark web, I load from that image. Meaning the operating system and all the files are deleted every time I shut down my computer. I don’t want anyone to know who I am, where I’m from, what I’m doing and what my MO is,” he emphasized.
“A colleague of mine, an Israeli researcher, was investigating an APT from North Korea,” Joe recalled. “Basically, he wasn’t as cautious as he should have been with his operational security, and he was hacked. He was using his personal computer for HUMINT gathering. Threat actors put all of his personal data online. It’s a cautionary tale of how not to do things. That’s why I supplement my own HUMINT-gathering work with the best security products and services on the market that provide me with not only HUMINT, but also OSINT and machine intelligence, which help me achieve my goals while minimizing my risks.”
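The session discipline Joe describes above (boot from a known-good image every time, let nothing persist, never touch your own machine), and the lesson of the colleague whose personal computer was compromised, as an added example launcher script. This is not the article’s or Joe’s own tooling. It assumes QEMU (qemu-system-x86_64) with KVM on a dedicated host, a golden qcow2 image, and a pinned SHA-256 of that image stored in a sidecar .sha256 file beside it; the image path, the sidecar file and the VM sizing are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Ephemeral research-VM launcher (added example, not from the article).
# Assumptions (hypothetical): qemu-system-x86_64 + KVM on PATH, a golden
# qcow2 image, and its pinned SHA-256 in "<image>.sha256" next to it.
set -euo pipefail

# sha256_of FILE -> hex digest (coreutils sha256sum, or shasum on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_image IMAGE EXPECTED_SHA256 -> 0 if the golden image is untouched.
# Refusing to boot a tampered base image is what keeps "load from the image"
# meaningful: a backdoored image would persist an adversary across sessions.
verify_image() {
  local actual
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# qemu_args IMAGE -> one QEMU argument per line for a throwaway session.
# -snapshot sends every disk write to a temp file QEMU discards on exit, so
# the golden image is never modified and nothing from the session survives.
qemu_args() {
  printf '%s\n' \
    -snapshot \
    -drive "file=$1,format=qcow2,if=virtio" \
    -m 4096 \
    -enable-kvm \
    -nic user,model=virtio-net-pci
}

# run_session IMAGE EXPECTED_SHA256: verify, boot, then verify again.
run_session() {
  local image=$1 expected=$2 scratch line
  local -a args=()
  verify_image "$image" "$expected" || {
    echo "golden image hash mismatch, refusing to boot" >&2; return 1; }
  # Host-side scratch dir for anything pulled out of the session; wiped on exit.
  scratch=$(mktemp -d)
  trap 'find "$scratch" -type f -exec shred -u {} + 2>/dev/null; rm -rf "$scratch"' EXIT
  while IFS= read -r line; do args+=("$line"); done < <(qemu_args "$image")
  qemu-system-x86_64 "${args[@]}"
  # If this fails, something wrote through to the base image: rebuild it.
  verify_image "$image" "$expected" || {
    echo "golden image changed during session" >&2; return 1; }
}

# Usage: ./ephemeral-vm.sh --run /path/golden.qcow2  (expects golden.qcow2.sha256)
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
  run_session "$2" "$(cut -d' ' -f1 "$2.sha256")"
fi
```

Keep the sidecar checksum somewhere the research host cannot silently rewrite (a signed copy on the analyst’s workstation, for instance), or the integrity check only proves the image matches whatever was last written next to it.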
Establishing multiple sources
With all of that pressure to infiltrate threat actors’ domains while also protecting their own identities, HUMINT researchers need help. Fortunately, when starting an investigation, threat hunters don’t have to rely solely on their own efforts to acquire the information they need to achieve their goals.
“My preference is to use information collected by a trusted cybersecurity company,” said Joe. “I have two goals when I’m trying to find threat actors and recover stolen information: get the data back and protect my identity from people who would like nothing more than to hack and expose me. The more information I have, the better job I can do. That information can come from the dark web, social media or other sources. But there’s too much information for one person to obtain. That’s why finding the right company with a team of highly skilled analysts collecting data is the best way to achieve my goals.”
According to Joe, most HUMINT work does not consist of approaching random threat actors.
“You need to have a strong list of threat actors that are already among your contacts, or ‘sources’ in the lingo of threat hunters. I currently have 20 to 30 threat actor sources, so every time I have a question, such as what new tools or botnets are out there, I go to them. I have sources that are developers, threat actors who are carders [people who steal, trade and buy credit card information and PINs], and threat actors who are moderators on different forums. There is a list on Jabber [the secure messenger that threat actors use] and I have a list of the people that I can approach anytime if I have a question, or if there is a lead that I need to investigate.”
Working at all hours
One of the main reasons professional threat hunters choose to supplement their own work with HUMINT tools and services is the toll the lifestyle takes on their personal lives.
“If you collect your own HUMINT by spending time on social media sites, forums or other darknet sites, you have to be willing to change the hours you work,” said Joe. “You simply can’t work 9-to-5, as you would in a typical corporate job, because that will be a big tipoff that you might be a threat analyst and not a threat actor. The hackers will ask you, ‘Hey, why are you only online at certain hours?’ So to maintain the credibility of my avatars, I would have to log in on Friday and Saturday nights, or Sunday mornings. Just to check in with a few people to ask ‘What’s up? What’s going on?’ ‘Have you heard about the new Tor forum that was opened?’ I put in the effort to make them think that I’m a real threat actor like them. I need to make a strong impression that I’m a fraudster, not a security researcher.”
It is a lot to ask of any individual to work a regular day job and then spend nights and weekends digging out HUMINT on their own. A solo HUMINT practitioner has to invest a great deal of time and effort in creating and maintaining the avatars that, if done well, will earn them access to hacker forums.
“The name of the game is mimicking the threat actors’ behavior. That’s why I spend so much time logging into forums. I study the moderators and the biggest threat actors in a forum. I read everything they write and I try to understand how I can write the same way. You want to mimic their behavior,” said Joe.
While tools, technology and tactics change, all cyberattacks have one thing in common: they are human-driven. Knowing the motivations and tendencies of your adversaries helps you make the right strategic decisions and investments to better protect your organization.
HUMINT can be incredibly valuable, yet incredibly dangerous, to collect. You need the right skills, expertise and time to gather it effectively while keeping your true identity and intentions hidden. Whether you are getting started with HUMINT gathering or want to enhance an existing program, combining HUMINT with other intelligence sources and tools will help.