Threat Intelligence

Guy Nizan

How to Engage Your Cyber Enemies

Having the right mix of tools, automation, and intelligence is key to staying ahead of new threats and protecting your organization.

There's a lot of talk about "cyber threat intelligence" these days, but very few organizations have fully implemented and operationalized a program. Most companies ingest technical intelligence, which consists of indicators of compromise, malware signatures, malicious IPs, and other tactical intel. These are relatively easy to understand and act on, but they don't do much to protect your organization over the long term.

At the end of the day, all attacks are perpetrated by humans. Understanding your attackers' motives and tendencies can help you make strategic decisions to protect your company long term. This means good news and bad news.

The bad news: This type of intelligence is the most difficult (and most risky) to collect.

The good news: Your adversaries might be anonymous, but they're not invisible.

Here is how organizations can use human intelligence — known as HUMINT — to engage their cyber adversaries and enhance their existing intelligence program.

HUMINT can be defined as the process of gathering intelligence through interpersonal contact and engagement rather than through technical processes, feed ingestion, or automated monitoring. It's the equivalent of what an FBI or CIA agent does when going undercover, and it involves creating avatars that act like fellow hackers in order to blend in on Dark Web and anonymous forums.

Whether it's done by a threat actor or threat hunter, HUMINT gathering requires highly specialized skills and knowledge to avoid suspicion and detection.

So, why is it worth the risk?

Here are some of the ways companies can use HUMINT in their cybersecurity operations:

  • New Threat Discovery: Engaging with threat actors can help you uncover new tools, tactics, and/or attacks that may affect your organization. It's a great way to supplement your existing intelligence feeds to provide more context and a deeper understanding of threats.
  • Threat or Attack Investigation: If you discover a new threat, you may want to engage your established threat actor sources to learn more about it and how it may impact you.
  • Damage Assessment: If you are breached, you need to understand the extent of that breach, what data has been exposed, and how the attacker got in. We've seen an increase in extortion attacks, where threat actors will claim to have stolen sensitive data and demand a ransom to not publish that data. HUMINT can help you uncover the source of a leak and/or if the attacker's claim is legitimate.

Best Practices

There are a number of best practices organizations should keep in mind when conducting HUMINT gathering.

1. Take Personal Security Measures: Hackers are like white blood cells. If they detect a foreign object, they attack. If you are discovered as a threat hunter, you immediately become a target, so you need to make sure nothing leads back to you or your company. When engaging with cyber enemies, make sure you use a virtual machine with nothing saved on it. If your cover is blown, you don't want them turning their attention to you or your company.

2. Tell a Good Story: When FBI or CIA agents go undercover, they spend months or even years developing their backstory. Your story has to be believable, so spend time developing a good backstory and stick to it. If you're pretending to be a college student, make sure you know what classes you take, details of the university you're attending, and why you're spending your time on dark web forums.

3. Engage at All Hours: Hackers don't work 9 to 5. Your avatar shouldn't either. If you want to be believed as a threat actor, you need to spend time logging in to forums late at night and on weekends so others don't get suspicious.

4. Use the Right Lingo: Again, HUMINT gathering is all about blending in. Many threat actors and communities have a distinct way of communicating and use lots of slang. Make sure you do the same to blend in.

5. Don't Wait Until You Need It to Start: Avatars and sources take months or even years to develop. You can't simply create an avatar and boom! ... you have HUMINT. You must establish these sources early and continuously work at them, so when the need arises, you have the credibility and established sources to gather intelligence.

Automation, machine learning, and advanced cybersecurity solutions have enabled organizations to respond to threats faster and significantly reduce mitigation times. These technologies are critical to any effective cybersecurity program; however, as long as attacks are human-driven, humans will be part of the threat-hunting process. Having the right mix of tools, automation, and intelligence is key to staying ahead of new threats and protecting your organization. Collecting HUMINT through threat actor engagement can be a great way to supplement your existing intelligence program and help inform strategic decisions that make a long-term impact.

For more about HUMINT and its best practices, you can download our white paper.

Guy Nizan is the CEO & Co-Founder of Intsights Cyber Intelligence. As CEO, Guy leverages his entrepreneurial experience, extensive military leadership training, and technology acumen in the areas of offensive security, cyber threat reconnaissance, and artificial intelligence ...

Comments
User Rank: Moderator
1/17/2019 | 2:05:37 AM
Wire your Security up
I reckon that hiring a security company to ensure that you have the appropriate security systems up is one of the most important things in ensuring that threats are reduced, right? It's not just about having the wiring in storage properly organized or installing the right protective systems in place, but continuous monitoring! Unless you have some sort of dedicated security service taking care of that, your facility may not be as safe as you want it to be...
User Rank: Moderator
1/9/2019 | 1:04:17 AM
Staying ahead of attacks
It is a difficult task to stay ahead of your cyberattackers, because the more advanced the technology that you use, the more high-tech the attacks will most likely be. The attackers take the opportunity of evolving technologies to further upgrade their techniques. This simply means that outdoing them might cause them to further excel and beat you at your own game.
User Rank: Strategist
12/18/2018 | 11:35:09 AM
Regarding Cyber Enemies by Microsoft Live Support Chat
I agree with you, but still we are not able to protect against our cyber enemies in other ways, like spam bots. People are doing automation or bots to visit your website from spam locations to increase the number of threats on your website, which will take down your website (DoS attack).

We are still fighting to get rid of that.

User Rank: Ninja
12/18/2018 | 11:23:17 AM
Take Personal Security Measures-Poking the Bear
The recommendation by the article is to ensure that you limit the ability, if you are discovered, for the adversary to link it back to your company. I would recommend taking this one step further and not operating within the internal networks of your organization. Instead, operate on the surface. Utilize a public IP so that if anything goes wrong you are less likely to be fingerprinted.