In part one, we defined cyber HUMINT and why it is different from other kinds of intelligence. We showed how cyber HUMINT can be a crucial differentiator for analysis, providing context to material collected by automation and helping to answer the next logical question. In the second installment here, we examine what can be collected from underground forums and how cyber threat intelligence analysts using cyber HUMINT can pull the signal from the noise.
Gain, Maintain and Elevate
As we’ve seen, the intelligence value cyber HUMINT provides is unmatched. But how is this high level of intelligence value obtained and why is it difficult to achieve? It all comes down to placement, access and barrier to entry.
A successful cyber HUMINT operation hinges on how effectively the collector can gain, maintain and elevate their access into hard-to-reach places.
Gain. Spot, assess and achieve access by knowing what you are looking for and developing a believable persona that gets you through the door.
Maintain. Persist access by establishing a reputation and gaining trust.
Elevate. Seek opportunities to gradually climb the reputational ladder and gain access to hard-to-reach places ripe with opportunities for more exclusive intelligence gathering.
Primed for the Cybercriminal Underground
The underground ecosystem offers countless opportunities for HUMINT collectors to draw intelligence value from the everyday business activities that take place within the cybercriminal underground.
Buyers and sellers transact illicit products, services and goods daily within an organized ecosystem of forums, instant messaging platforms, private messages and other platforms. Mirroring our traditional economy, systems are built to encourage as much financial success as possible through competition, resiliency and the reliable transaction of funds between consumers and sellers. Sellers openly rely on marketing techniques to brand their offerings and build reputation. Buyers rely on escrow systems to ensure purchased goods are valid. Customer service representatives field complaints from upset customers and respond to feedback about products. Forum administrators maintain peace and order to ensure everyone has the opportunity to make as much money as possible.
Automated collection of data across platforms commonly populated by threat actors such as forums, instant messaging apps and underground marketplaces provides baseline coverage of the cybercriminal underground ecosystem. It provides a bird’s-eye view that helps defenders maintain a pulse on activity at a high level and to stay alert to any anomalies or signals that may impact their organization. But it is HUMINT that goes one step further to reveal the truly valuable intelligence needed to gain an advantage over the adversary.
Key Advantages of Cyber HUMINT
Peek behind the curtain
Financially motivated threat actors are typically opportunistic in their targeting. Whatever and whoever has the greatest potential to make the most money with the least amount of effort is the guidepost for most threat actors. This opportunistic threat environment leaves defenders struggling to stay one step ahead of a potential incident - running from one possible weakness to another trying to plug security holes in the tireless hope that it prevents them from becoming a victim.
Cyber HUMINT reveals the mystery behind pre-attack planning by providing deeper visibility into the tools, tactics and methodologies threat actors use. This results in a more robust security posture based on controls and detections that are aligned and prioritized to real-life impending threats, rather than simply a static list of IOCs drawn from events that already occurred or a hypothetical scenario derived from open source reporting.
Establish trends and predict outcomes
As cyber HUMINT coverage becomes more ingrained in an intelligence program over time, historical analysis becomes available and organizations will start to gain the upper hand by being able to assess trends and predict outcomes with relative confidence. This consistent coverage of threat actors, tools and methodologies will soon become a necessary ingredient in forming the intelligence assessments that internal stakeholders rely on for decisive actions and strategic decisions to protect the organization now and into the future. As figure 2 illustrates, the various topics covered by HUMINT-derived reporting can be used to answer immediate intelligence gaps and establish the groundwork to analyze trends and predict outcomes.
Calm the storm
As CTI professionals, our job is to speak clarity into chaos, not to steer the hype train into a dark and winding tunnel. Today’s constant deluge of information leaves analysts tracking down endless claims of breaches, mainstream headlines of significant vulnerabilities and cascading whispers of third-party attacks. This leaves a fraction of time available for proactive research and, as a result, creates a reactive security environment where defenders are always on the back foot chasing the next “big” thing.
Cyber HUMINT cuts through the noise by going directly to the source to confirm or deny the validity of a potential threat - clarifying truth to decision-makers, calming the storm and saving opportunity costs to focus on priority tasks.
While the many advantages of cyber HUMINT demonstrate that it is imperative in the fight against the adversary, there are some obstacles to be cognizant of. Part three of this series will discuss the intricacies and processes involved in gaining and maintaining access to sources that result in high-quality cyber HUMINT, as well as some of the pitfalls that practitioners must avoid.
This is part two of a three-part blog series by Michael DeBolt, Chief Intelligence Officer. To explore the other installments, check out parts one and three of the series.