Gaining the Intelligence Advantage with Cyber HUMINT -… | Intel471 Skip to content

Gaining the Intelligence Advantage with Cyber HUMINT - Part Three

Advantages, pitfalls and best practices from the world’s leading cyber intelligence operators. Author: Michael DeBolt, Intel 471 Chief Intelligence Officer

May 24, 2023
Humint Part 2

Cyber HUMINT is conducted by creating credible personas that can move fluidly in the cybercriminal underground, engaging with threat actors and gaining exclusive access to information. But this end goal isn’t easy to achieve. The following are some of the most common pitfalls of cyber HUMINT programs.

Costly to build, maintain and scale

The success of any cyber HUMINT capability is founded upon operational security (OpSec) and resiliency. Curating the best sources and positioning them in the most advantageous places to glean the most valuable intelligence should be the final phase in a painstaking process that ensures certain mission critical risks are mitigated. If these important preconditions are overlooked, introducing a human collector in a dynamic operational environment alongside unpredictable threat actors will create an unwanted risk of exposure that can lead to reputational, legal and operational harm to the organization. Some of the difficult considerations include:

  • Non-attributable infrastructure. Endpoints and networks need to be configured in a manner that lowers the risk of source exposure in unsafe online environments.

  • Source development. Believable personas, aliases, cover stories and motivations need to be curated over time with an aim to increase reputation and status using legal and ethical means.

  • Resiliency and overlap. Preventing source exposure is not failproof. Multiple overlapping sources need to be developed to ensure valuable placement and access is maintained in the event a single source is compromised.

  • Native language proficiency. Threat actors come from all cultures and languages. Collectors with native language capabilities and an aptitude to understand the unique cybercriminal jargon is critical to gain, maintain and elevate access into the hardest to reach areas.

Managing risk

To reap the full rewards of cyber HUMINT, certain unavoidable risks need to be addressed first. The underground environment is inherently unpredictable and fraught with criminality, creating a gray area where well-intentioned researchers can haphazardly and unwittingly get caught up in legal, ethical and other risky activities that can have serious direct and collateral consequences for organizations.

With careful planning and consideration, mature organizations can often overcome a small subset of risks associated with cyber HUMINT — though most are cost-prohibitive and burdensome for an organization to mitigate on its own to an acceptable level regardless of maturity. Some of the major risks to consider when building a cyber HUMINT capability include:

  • Reputational risk. The fallout from a compromised source and the identification of the real-name collector and organization behind it creates undesired attention and presents the risk of reputational damage.

  • Business or operational risk. Failure to use proper HUMINT tradecraft raises the likelihood of skylining — or inadvertently calling attention to — the organization the collector is trying to protect. Ironically, a collector’s good intentions to elicit information can pivot the attention of otherwise preoccupied threat actors and put the organization in the crosshairs for future attacks.

  • Legal or ethical risk. Interacting directly with nefarious individuals inherently opens the door to unlawful and unethical activity. Without careful thought and a legal framework to operate from, a well-intentioned collector can easily be tempted to cross a red line in an effort to boost their source’s reputation, gain hard-to-reach access or obtain exclusive information.

  • Financial risk. Each of the above risk scenarios often culminates in the same bottom-line outcome: negative financial impact. Mitigating the fallout from these risks — including the time, money and effort to conduct public relations messaging, incident response and legal proceedings — can quickly bring an organization to its knees.

Cyber HUMINT Best Practices

The safest, most advantageous approach for any organization interested in leveraging cyber HUMINT is to rely on a specialized vendor who possesses the expertise, tradecraft and resiliency to appropriately handle the various types of risks involved with the highest degree of professionalism unmatched by any organic in-house alternative. Some of the hallmark tenants and best practices of a successful and sustainable cyber HUMINT program include:

  • Hyper focused. A successful cyber HUMINT program bases its operations on the priority requirements of its stakeholders and aligns its production to support key security and risk use cases of the organization. Shaping strategy around intelligence requirements maximizes valuable HUMINT resources and limits the energy spent chasing down rabbit holes that are not important to the organization. At Intel 471, we align our efforts to our customer’s intelligence requirements using the General Intelligence Requirements (GIR) framework.

  • Mapped to enterprise security and risk protection. Follow consistent methodologies to evaluate cyber HUMINT-derived intelligence using NATO’s Admiralty System (FM 2-22.3 Appendix B) and analytic standards (pdf). This establishes consistency and trust, enabling analysts to confidently translate unstructured insights gleaned from human-to-human interactions into actionable frameworks — such as MITRE ATT&CK, D3FEND and NIST. In a previous blog, we stepped through a real-life example of how this concept works in practice.

  • Assets are protected. Well-developed sources are indispensable and must be treated as key assets to the intelligence program. Safeguarding requires painstakingly documenting and securely storing the important elements of a curated source to ensure resiliency and redundancy in the event a collector becomes unavailable. Also, as mentioned above, starting with a firm foundation focused on operational security goes a long way to protect these assets and gives the intelligence program the greatest chance for lasting success.

  • Governed by rules. Mitigating risks associated with cyber HUMINT operations requires established rules and procedures for everyone to abide by — from hiring people with ethical intentions and clean backgrounds, to establishing a zero-tolerance rules of engagement (RoE) document and regularly reviewing activity to ensure compliance. Jurisdictions have differing opinions on which behaviors cross a legal threshold, so it's important to align the RoE to the local laws within the places that the collectors are physically located. In 2020, the U.S. Department of Justice published an excellent report outlining key considerations for threat intelligence collection, which influences Intel 471’s established RoE and governing principles.

This concludes our three-part series into cyber HUMINT. We hope this has been helpful in understanding how cyber HUMINT is an important component of cyber threat intelligence and how it can proactively help organizations defend themselves in an intensifying threat environment.