There's a lot of talk about "cyber threat intelligence" these days, but very few organizations have fully implemented and operationalized a program. Most companies will ingest technical intelligence, which consists of indicators of compromise, malware signatures, malicious IPs, and other tactical intel. These are relatively easy to understand and act on but they don't do much to protect your organization long term.
At the end of the day, all attacks are perpetrated by humans. Understanding your attackers' motives and tendencies can help you make strategic decisions to protect your company long term. This means good news and bad news.
The bad news: This type of intelligence is the most difficult (and most risky) to collect.
The good news: Your adversaries might be anonymous, but they're not invisible.
Here is how organizations can use human intelligence — known as HUMINT — to engage their cyber adversaries and enhance their existing intelligence program.
What Is HUMINT?
HUMINT can be defined as the process of gathering intelligence through interpersonal contact and engagement rather than by technical processes, feed ingestion, or automated monitoring. It's the equivalent of what an FBI or CIA agent does when they go undercover and involves creating avatars that act like fellow hackers to blend in on Dark Web and anonymous forums.
Whether it's done by a threat actor or threat hunter, HUMINT gathering requires highly specialized skills and knowledge to avoid suspicion and detection.
So, why is it worth the risk?
Here are some of the ways companies can use HUMINT in their cybersecurity operations:
- New Threat Discovery: Engaging with threat actors can help you uncover new tools, tactics, and/or attacks that may affect your organization. It's a great way to supplement your existing intelligence feeds to provide more context and a deeper understanding of threats.
- Threat or Attack Investigation: If you discover a new threat, you may want to engage your established threat actor sources to learn more about it and how it may impact you.
- Damage Assessment: If you are breached, you need to understand the extent of that breach, what data has been exposed, and how the attacker got in. We've seen an increase in extortion attacks, where threat actors will claim to have stolen sensitive data and demand a ransom to not publish that data. HUMINT can help you uncover the source of a leak and/or if the attacker's claim is legitimate.
There are a number of best practices organizations should keep in mind when conducting HUMINT gathering.
1. Take Personal Security Measures: Hackers are like white blood cells. If they detect a foreign object, they attack. If you are discovered as a threat hunter, you immediately become a target, so you need to make sure nothing leads back to you or your company. When engaging with cyber enemies, make sure you use a virtual machine with nothing saved on it. If your cover is blown, you don't want them turning their attention to you or your company.
2. Tell a Good Story: When FBI or CIA agents go undercover, they spend months or even years developing their backstory. Your story has to be believable, so spend time developing a good backstory and stick to it. If you're pretending to be a college student, make sure you know what classes you take, details of the university you're attending, and why you're spending your time on dark web forums.
3. Engage at All Hours: Hackers don't work 9 to 5. Your avatar shouldn't either. If you want to be believed as a threat actor, you need to spend time logging in to forums late at night and on weekends so others don't get suspicious.
4. Use the Right Lingo: Again, HUMINT gathering is all about blending in. Many threat actors and communities have a distinct way of communicating and use lots of slang. Make sure you do the same to blend in.
5. Don't Wait Until You Need It to Start: Avatars and sources take months or even years to develop. You can't simply create an avatar and boom! ... you have HUMINT. You must establish these sources early and continuously work at them, so when the need arises, you have the credibility and established sources to gather intelligence.
Automation, machine learning, and advanced cybersecurity solutions have enabled organizations to respond to threats faster and significantly reduce mitigation times. These technologies are critical to any effective cybersecurity program; however, as long as attacks are human-driven, humans will be part of the threat-hunting process. Having the right mix of tools, automation, and intelligence is key to staying ahead of new threats and protecting your organization. Collecting HUMINT through threat actor engagement can be a great way to supplement your existing intelligence program and help inform strategic decisions that make a long-term impact.
For more about HUMINT and its best practices, you can download our white paper.