
Gaining the Intelligence Advantage with Cyber HUMINT - Part One

Advantages, pitfalls and best practices from leading cyber intelligence operators worldwide.
Author: Michael DeBolt, Intel 471 Chief Intelligence Officer

May 14, 2023

Human intelligence (HUMINT), that is, intelligence derived from human sources, is the oldest of the six intelligence disciplines. While digital-dependent disciplines such as open source intelligence (OSINT), social media intelligence (SOCMINT) and signals intelligence (SIGINT) have become commonplace in our interconnected world, HUMINT continues to transcend technological advances, cultural change, geopolitical eras and generational ebbs and flows. It remains arguably the most valuable, and most challenging, source of intelligence, including for cybersecurity, because fundamentally every attack starts with a human behind the computer. The person at the keyboard has a modus operandi made up of intentions, motivations and capabilities, and eliciting those can produce the most valuable intelligence an organization can use to protect itself. The drawback of HUMINT is that it does not move at the speed of machine-to-machine communication; it moves at the speed of humans. It requires relationships to be nurtured, sometimes for years. It requires experience, patience, discipline and precise execution at the right time. This three-part series will delve into the cyber HUMINT discipline and why it is imperative to any successful cybersecurity program, including the key advantages it offers, pitfalls to be aware of and lessons learned from Intel 471's experienced team of intelligence operators around the world.

What is Cyber HUMINT?

HUMINT's primary focus, using human beings to elicit intelligence from other human beings, is consistent regardless of the operational environment. While the premise is the same across the physical and virtual domains, how cyber HUMINT is conducted differs significantly from the physical world in which spies work. Traditional HUMINT typically involves two people in contact: the handler, a trained operator working to fill intelligence gaps on behalf of a sponsoring organization such as a government, and the source, the person doing the collection and reporting back to the handler. Cyber HUMINT, by contrast, typically takes the form of a single human collector operating a digital identity (commonly referred to as a persona, sock puppet, handle or moniker) curated with a believable backstory and motivations, known, as in traditional HUMINT, as a legend. The collectors behind these controlled "sources" typically include independent researchers, vendors, academics and government agencies. Conversely, threat actors employ the same HUMINT techniques for counterintelligence, to detect and frustrate collection attempts by researchers and law enforcement. It is a crowded space, and not everyone is doing it properly (we will get to that later). So why is cyber HUMINT an important tool in cybersecurity?

Understanding the imperative of cyber HUMINT starts with revisiting the Pyramid of Pain, a useful model that ranks adversary indicators by how much it costs the adversary when a defender detects and denies them. Simply put, the indicators at the base of the pyramid, such as hash values, IP addresses and domain names, are straightforward to collect but trivial for an attacker to change, so they possess lesser value than the categories at the top, tools and tactics, techniques and procedures (TTPs), which are difficult to collect but costly for the adversary to replace, so the resulting intelligence value is greater. Cyber HUMINT is perched at the very top of the pyramid because it can elicit exclusive and proactive insight directly from adversaries divulging their motives, tactics, plans, tools and more.


Another way to think about the value of cyber HUMINT is to place it on the sliding scale of proactive versus reactive threat intelligence gathering. A reactive approach relies heavily on post-attack indicators, after an adversary has already targeted the organization or its industry vertical, and is focused primarily on the lower part of the Pyramid of Pain, where indicators like IP addresses and hashes are plentiful but short-lived. A proactive stance, by contrast, establishes consistent coverage of adversaries before they impact the organization by infiltrating their planning stages and focusing on the behaviors, capabilities, intent and motivations that precede attacks. Cyber HUMINT is an important component of this proactive approach, providing "eyes and ears" visibility into pre-attack signals that would otherwise go undetected.


Automation, then Cyber HUMINT: A One-Two Punch

If raw content gathered using automation is king and the context gleaned from it is pocket aces, then cyber HUMINT is a royal flush: the most powerful, yet hardest to achieve, hand in the cyber intelligence card deck. In other words, cyber HUMINT has an advantage over other collection methods because it reaches below the surface to reveal critical insights needed to solve security and risk use cases that those methods would otherwise miss.

To illustrate: automated collection of forum advertisements, or scraping as it is sometimes called, is necessary for initial triage and for alerting to the possibility that an organization is impacted. But cyber HUMINT illuminates key details, such as credible proof of the identity of a breached victim organization, that are simply unattainable without a well-placed source to elicit them from the threat actor.

Figure: An advertisement on a popular, predominantly Russian-language forum.

As the figure above illustrates, threat actors are deliberately vague for operational security (OPSEC) reasons, so scraping alone rarely surfaces the key details a defender can act on. This particular advertisement, titled "Selling Accesses," allegedly offered remote access credentials to multiple undisclosed organizations worldwide. It is common for threat actors to describe victims loosely by industry, geography and annual revenue, and to reveal more identifying details only in private messages with trusted contacts, one of whom may be a HUMINT source.
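The automated half of the one-two punch described above, as an added example that is not Intel 471's code: it parses the loosely stated sector, geography and revenue out of an advertisement and scores the result against a third-party watchlist. The ad texts, the watchlist names and the keyword and revenue patterns are constructed assumptions. The point it makes is the post's own: even a full match stops short of an identity. The first constructed ad fits two suppliers equally, and only a source close to the seller can say which, if either, is the real victim.

```python
"""Automated triage of scraped access-broker advertisements against a
third-party watchlist.

Added example for illustration only; this is not Intel 471 code. The ad
texts, watchlist entries and field patterns are constructed assumptions
about how such advertisements are phrased.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """One organization on the watchlist (hypothetical names)."""
    name: str
    industry: str
    country: str
    revenue_usd: float


# Constructed watchlist. Two suppliers deliberately share a sector, country
# and revenue band: that is exactly the ambiguity scraping cannot resolve.
WATCHLIST = [
    Profile("Acme Fabrication", "manufacturing", "US", 1.1e9),
    Profile("Globex Industrial", "manufacturing", "US", 1.4e9),
    Profile("Initech Logistics", "logistics", "EU", 2.8e8),
    Profile("Umbrella Health", "healthcare", "US", 2.5e9),
]

# Constructed ad texts: sector, geography, revenue and access type, no victim name.
ADS = [
    "Selling Accesses. USA, manufacturing, revenue 1.2 billion, domain admin via RDP. PM for details",
    "Selling access: EU logistics company, rev ~300M, VPN creds, escrow only",
    "access to US healthcare network, revenue 900M, citrix, escrow",
]

# Assumed vocabulary; a real pipeline would carry a much larger curated list.
INDUSTRY_STEMS = {
    "manufacturing": ("manufactur",),
    "logistics": ("logistic", "freight", "shipping"),
    "healthcare": ("health", "hospital", "medical"),
    "financial": ("bank", "financ", "insur"),
}
COUNTRY_TOKENS = {"US": {"us", "usa", "american"}, "EU": {"eu", "europe", "european"}}
# Matches "revenue 1.2 billion", "rev ~300M", "revenue 900M".
REVENUE_RE = re.compile(r"\brev(?:enue)?\b\D{0,6}(\d+(?:\.\d+)?)\s*(billion|million|bn|b|m)\b", re.I)
UNIT = {"billion": 1e9, "bn": 1e9, "b": 1e9, "million": 1e6, "m": 1e6}


def parse_ad(text):
    """Extract the loosely stated victim descriptors; a missing field is None."""
    lower = text.lower()
    tokens = set(re.findall(r"[a-z]+", lower))
    industry = next((n for n, stems in INDUSTRY_STEMS.items() if any(s in lower for s in stems)), None)
    country = next((code for code, toks in COUNTRY_TOKENS.items() if tokens & toks), None)
    match = REVENUE_RE.search(text)
    revenue = float(match.group(1)) * UNIT[match.group(2).lower()] if match else None
    return {"industry": industry, "country": country, "revenue_usd": revenue}


def score(fields, profile, revenue_tolerance=0.5):
    """0 to 3 points. Sector is a hard requirement: an ad that does not name the
    profile's sector is not a candidate. Country and a revenue figure within
    the tolerance band each add one point."""
    if fields["industry"] != profile.industry:
        return 0
    points = 1
    if fields["country"] == profile.country:
        points += 1
    revenue = fields["revenue_usd"]
    if revenue is not None and abs(revenue - profile.revenue_usd) / profile.revenue_usd <= revenue_tolerance:
        points += 1
    return points


def triage(text, watchlist=WATCHLIST):
    """Classify one ad against the watchlist.

    humint_followup: one or more full matches. Automation has done all it can;
                     confirming which candidate (if any) is the victim needs a source.
    monitor:         partial matches only; keep watching the thread.
    no_match:        nothing on the watchlist fits.
    """
    fields = parse_ad(text)
    scored = [(p.name, score(fields, p)) for p in watchlist]
    strong = sorted(name for name, pts in scored if pts == 3)
    weak = sorted(name for name, pts in scored if pts == 2)
    disposition = "humint_followup" if strong else ("monitor" if weak else "no_match")
    return {"fields": fields, "strong": strong, "weak": weak, "disposition": disposition}


if __name__ == "__main__":
    for ad in ADS:
        r = triage(ad)
        print(f"{r['disposition']:16} strong={r['strong']} weak={r['weak']}")
```

Run stand-alone, the first ad lands in the follow-up queue with two equally plausible suppliers, the second resolves to a single candidate, and the third only earns a partial match because its stated revenue is well below the watchlist entry. None of the three tells the analyst who was actually breached; that is the question the next stage hands to a HUMINT source.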

How does this one-two punch of automation and HUMINT provide the best approach for cyber threat intelligence programs?

The following table lists common enterprise security and risk use cases that are supported using a combination of automated collection and cyber HUMINT-derived insights.

| Use case | Intelligence collection opportunity: automated coverage reveals | + Cyber HUMINT reveals |
| --- | --- | --- |
| Third-party risk | Forum advertisement with the generic description, geography and industry of a breach victim | Actual breach victim identity, with valid proof and an assessment of credibility |
| Vulnerability management | Recently disclosed remote code execution (RCE) vulnerability | Prolific ransomware group planning to exploit it for initial access |
| Insider threat | Forum advertisement claiming insider access to a global bank | The bank's actual identity and clues to the insider's role and intention |
| Identity and access management | Victim's username and password combination inside an information-stealer malware log | Reputable initial access broker reselling the victim's administrator credentials to the corporate environment |
| Network and security operations | Advertisement for a new malware-as-a-service offering | Exclusive samples and insights into the capabilities and reputation of the developer and its clients |

As the table above shows, cyber HUMINT helps answer the next logical questions: "Who?", "What might happen next?" and "How big a threat does this incident pose?" These are critical questions that, if answered, make the material collected via automation an order of magnitude more valuable. Part two of this series will discuss the intricacies and processes involved in gaining and maintaining access to sources that yield high-quality cyber HUMINT, as well as some of the pitfalls practitioners should avoid.

This is part one of a three-part blog series by Michael DeBolt, Chief Intelligence Officer.