Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

10:30 AM
Guy Nizan

How to Engage Your Cyber Enemies

Having the right mix of tools, automation, and intelligence is key to staying ahead of new threats and protecting your organization.

There's a lot of talk about "cyber threat intelligence" these days, but very few organizations have fully implemented and operationalized a program. Most companies ingest technical intelligence: indicators of compromise, malware signatures, malicious IP addresses, and other tactical intel. These are relatively easy to understand and act on, but because an attacker can swap out an IP address, a domain, or a file hash at almost no cost, they do little to protect your organization over the long term.

At the end of the day, all attacks are perpetrated by humans. Understanding your attackers' motives and tendencies can help you make strategic decisions that protect your company over the long term. There's good news and bad news here.

The bad news: This type of intelligence is the most difficult (and most risky) to collect.

The good news: Your adversaries might be anonymous, but they're not invisible.

Here is how organizations can use human intelligence — known as HUMINT — to engage their cyber adversaries and enhance their existing intelligence program.

HUMINT can be defined as the process of gathering intelligence through interpersonal contact and engagement rather than through technical processes, feed ingestion, or automated monitoring. In cyber, it's the equivalent of an FBI or CIA agent going undercover: it involves creating avatars (personas) that pass as fellow hackers in order to blend in on Dark Web and other anonymous forums.

Whether it's done by a threat actor or a threat hunter, gathering HUMINT requires highly specialized skills and knowledge to avoid suspicion and detection.

So, why is it worth the risk?

Here are some of the ways companies can use HUMINT in their cybersecurity operations:

  • New Threat Discovery: Engaging with threat actors can help you uncover new tools, tactics, or attacks that may affect your organization. It's a great way to supplement your existing intelligence feeds with more context and a deeper understanding of threats.
  • Threat or Attack Investigation: If you discover a new threat, you may want to engage your established threat actor sources to learn more about it and how it may affect you.
  • Damage Assessment: If you are breached, you need to understand the extent of the breach, what data has been exposed, and how the attacker got in. We've seen an increase in extortion attacks, where threat actors claim to have stolen sensitive data and demand a ransom not to publish it. HUMINT can help you uncover the source of a leak and establish whether the attacker's claim is genuine.

Best Practices
There are a number of best practices organizations should keep in mind when conducting HUMINT gathering.

1. Take Personal Security Measures: Hackers are like white blood cells. If they detect a foreign object, they attack. If you are discovered as a threat hunter, you immediately become a target, so you need to make sure nothing leads back to you or your company. When engaging with cyber enemies, use a clean, throwaway virtual machine with nothing saved on it, kept apart from your corporate network and your real accounts. If your cover is blown, you don't want them turning their attention to you or your company.

2. Tell a Good Story: When FBI or CIA agents go undercover, they spend months or even years developing their backstory. Your story has to be believable, so spend time developing a good backstory and stick to it. If you're pretending to be a college student, make sure you know what classes you take, details of the university you're attending, and why you're spending your time on dark web forums.

3. Engage at All Hours: Hackers don't work 9 to 5. Your avatar shouldn't either. If you want to be believed as a threat actor, you need to spend time logging in to forums late at night and on weekends so others don't get suspicious.

4. Use the Right Lingo: Again, HUMINT gathering is all about blending in. Many threat actors and communities have a distinct way of communicating and use lots of slang. Make sure you do the same to blend in.

5. Don't Wait Until You Need It to Start: Avatars and sources take months or even years to develop. You can't simply create an avatar and boom! ... you have HUMINT. You must establish these sources early and continuously work at them, so when the need arises, you have the credibility and established sources to gather intelligence.
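Point 3 above says an avatar should not keep office hours, and point 1 says nothing should lead back to you; a persona's posting times are one of the things that can. The following is an added example, not code from the article or from IntSights: a self-audit that takes the UTC timestamps of a persona's forum activity, finds the UTC offset under which that activity looks most like a Monday-to-Friday, 9-to-5 schedule, and reports how much of it fits that window. An adversary can run the same arithmetic against your avatar, so run it first. Assumptions not found in the article: whole-hour UTC offsets only, a working day of 09:00 to 16:59 local time, a 60% flag threshold, and the constructed sample timestamps below.

```python
"""Persona activity-pattern self-audit (added example; not the article's code).

Given UTC timestamps of a research persona's posts or logins, estimate which
UTC offset would make the activity look most like a Mon-Fri, 9-to-5 day job,
and how much of the activity falls inside that window.

Assumptions: whole-hour UTC offsets, working day 09:00-16:59 local, and the
constructed sample data at the bottom of this file.
"""
from datetime import datetime, timedelta, timezone

BUSINESS_START, BUSINESS_END = 9, 17   # 09:00 <= local hour < 17:00 counts as "at work"
OFFSETS = range(-12, 15)               # whole-hour UTC offsets, UTC-12 .. UTC+14 (assumption)


def parse_utc(stamps):
    """Parse 'YYYY-MM-DDTHH:MMZ' strings into timezone-aware UTC datetimes."""
    return [datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)
            for s in stamps]


def _localize(events, offset_hours):
    """Shift aware datetimes into a fixed-offset zone (no DST modelling)."""
    return [e.astimezone(timezone(timedelta(hours=offset_hours))) for e in events]


def business_hours_ratio(events, offset_hours):
    """Fraction of events landing Mon-Fri, 09:00-16:59 local at this offset.
    weekday() returns 0-4 for Monday-Friday."""
    if not events:
        return 0.0
    hits = sum(1 for t in _localize(events, offset_hours)
               if t.weekday() < 5 and BUSINESS_START <= t.hour < BUSINESS_END)
    return hits / len(events)


def weekend_ratio(events, offset_hours):
    """Fraction of events landing on Saturday or Sunday at this offset."""
    if not events:
        return 0.0
    return sum(1 for t in _localize(events, offset_hours) if t.weekday() >= 5) / len(events)


def infer_home_offset(events):
    """The UTC offset whose local clock makes the activity look most like a
    day job. Ties are resolved toward the most westerly offset."""
    return max(OFFSETS, key=lambda off: (business_hours_ratio(events, off), -off))


def audit_persona(stamps, threshold=0.6):
    """Summarise the working-week pattern a persona betrays. The persona is
    flagged when more than `threshold` of its activity fits a Mon-Fri
    09:00-16:59 window in some single time zone."""
    events = parse_utc(stamps)
    off = infer_home_offset(events)
    ratio = business_hours_ratio(events, off)
    return {
        "events": len(events),
        "likely_offset": off,
        "business_hours_ratio": round(ratio, 3),
        "weekend_ratio": round(weekend_ratio(events, off), 3),
        "flagged": ratio > threshold,
    }


# Constructed sample: an analyst who only works the avatar from the office,
# Mon-Fri 09:00-17:00 in UTC-5 (2018-12-03 is a Monday).
LEAKY_PERSONA = [
    "2018-12-03T14:10Z", "2018-12-03T16:45Z", "2018-12-03T20:30Z",
    "2018-12-04T15:05Z", "2018-12-04T19:20Z", "2018-12-05T14:40Z",
    "2018-12-05T21:15Z", "2018-12-06T17:00Z", "2018-12-06T18:30Z",
    "2018-12-07T15:50Z", "2018-12-07T21:55Z", "2018-12-10T14:20Z",
    "2018-12-11T18:05Z", "2018-12-12T20:10Z", "2018-12-13T16:30Z",
    "2018-12-14T19:45Z",
]

# Constructed sample: an avatar worked at irregular hours, nights and weekends.
COVERED_PERSONA = [
    "2018-12-01T03:15Z", "2018-12-02T23:40Z", "2018-12-03T05:30Z",
    "2018-12-04T13:00Z", "2018-12-05T02:10Z", "2018-12-06T22:45Z",
    "2018-12-08T11:20Z", "2018-12-09T17:05Z", "2018-12-10T08:50Z",
    "2018-12-12T00:30Z", "2018-12-13T19:15Z", "2018-12-15T14:00Z",
]

if __name__ == "__main__":
    for name, stamps in (("leaky", LEAKY_PERSONA), ("covered", COVERED_PERSONA)):
        print(name, audit_persona(stamps))
```

Run on the constructed samples, the first persona is pinned to UTC-5 with 100% of its activity in office hours and none at weekends, which is exactly the pattern a suspicious forum regular would notice; the second never exceeds half of its activity in any single zone's working hours and is not flagged. The check deliberately ignores half-hour zones and daylight-saving shifts; for a persona run over many months, the shift of the inferred offset by one hour in spring and autumn is itself a tell worth watching for.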

Automation, machine learning, and advanced cybersecurity solutions have enabled organizations to respond to threats faster and significantly reduce mitigation times. These technologies are critical to any effective cybersecurity program; however, as long as attacks are human-driven, humans will be part of the threat-hunting process. Having the right mix of tools, automation, and intelligence is key to staying ahead of new threats and protecting your organization. Collecting HUMINT through threat actor engagement can be a great way to supplement your existing intelligence program and help inform strategic decisions that make a long-term impact.

For more about HUMINT and its best practices, you can download our white paper.

Guy Nizan is the CEO & Co-Founder of Intsights Cyber Intelligence. As CEO, Guy leverages his entrepreneurial experience, extensive military leadership training, and technology acumen in the areas of offensive security, cyber threat reconnaissance, and artificial intelligence ...

User Rank: Moderator
1/17/2019 | 2:05:37 AM
Wire your Security up
I reckon that hiring a security company to ensure that you have the appropriate security systems up is one of the most important things in ensuring that threats are reduced, right? It's not just about having the wiring in storage properly organized or installing the right protective systems in place, but contiguous monitoring! Unless you have some sort of dedicated security services taking care of that, your facility may not be as safe as you want it to be...
User Rank: Moderator
1/9/2019 | 1:04:17 AM
Staying ahead of attacks
It is a difficult task to stay ahead of your cyberattackers, because the more advanced the technology that you use, the more high-tech the attacks would most likely be. The attackers take the opportunity of evolving technologies to further upgrade their techniques. This simply means that outdoing them might cause them to further excel and beat you at your own game.
User Rank: Ninja
12/18/2018 | 11:23:17 AM
Take Personal Security Measures-Poking the Bear
The recommendation by the article is to ensure that you limit the ability, if you are discovered, for the adversary to link it back to your company. I would recommend taking this one step further and not operating within the internal networks of your organization. Instead, operate on the surface. Utilize a public IP so that if anything goes wrong you are less likely to be fingerprinted.