Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/18/2018
10:30 AM
Guy Nizan
Guy Nizan
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Engage Your Cyber Enemies

Having the right mix of tools, automation, and intelligence is key to staying ahead of new threats and protecting your organization.

There's a lot of talk about "cyber threat intelligence" these days, but very few organizations have fully implemented and operationalized a program. Most companies will ingest technical intelligence, which consists of indicators of compromise, malware signatures, malicious IPs, and other tactical intel. These are relatively easy to understand and act on but they don't do much to protect your organization long term.

At the end of the day, all attacks are perpetrated by humans. Understanding your attackers' motives and tendencies can help you make strategic decisions to protect your company long term. This means good news and bad news.

The bad news: This type of intelligence is the most difficult (and most risky) to collect.

The good news: Your adversaries might be anonymous, but they're not invisible.

Here is how organizations can use human intelligence — known as HUMINT — to engage their cyber adversaries and enhance their existing intelligence program.

What Is HUMINT?
HUMINT can be defined as the process of gathering intelligence through interpersonal contact and engagement rather than by technical processes, feed ingestion, or automated monitoring. It's the equivalent of what an FBI or CIA agent does when they go undercover and involves creating avatars that act like fellow hackers to blend in on Dark Web and anonymous forums.

Whether it's done by a threat actor or threat hunter, HUMINT gathering requires highly specialized skills and knowledge to avoid suspicion and detection.

So, why is it worth the risk?

Here are some of the ways companies can use HUMINT in their cybersecurity operations:

  • New Threat Discovery: Engaging with threat actors can help you uncover new tools, tactics, and/or attacks that may affect your organization. It's a great way to supplement your existing intelligence feeds to provide more context and a deeper understanding of threats.
  • Threat or Attack Investigation: If you discover a new threat, you may want to engage your established threat actor sources to learn more about it and how it may impact you.
  • Damage Assessment: If you are breached, you need to understand the extent of that breach, what data has been exposed, and how the attacker got in. We've seen an increase in extortion attacks, where threat actors will claim to have stolen sensitive data and demand a ransom to not publish that data. HUMINT can help you uncover the source of a leak and/or if the attacker's claim is legitimate.

Best Practices
There are a number of best practices organizations should keep in mind when conducting HUMINT gathering.

1. Take Personal Security Measures: Hackers are like white blood cells. If they detect a foreign object, they attack. If you are discovered as a threat hunter, you immediately become a target, so you need to make sure nothing leads back to you or your company. When engaging with cyber enemies, make sure you use a virtual machine with nothing saved on it. If your cover is blown, you don't want them turning their attention to you or your company.

2. Tell a Good Story: When FBI or CIA agents go undercover, they spend months or even years developing their backstory. Your story has to be believable, so spend time developing a good backstory and stick to it. If you're pretending to be a college student, make sure you know what classes you take, details of the university you're attending, and why you're spending your time on dark web forums.

3. Engage at All Hours: Hackers don't work 9 to 5. Your avatar shouldn't either. If you want to be believed as a threat actor, you need to spend time logging in to forums late at night and on weekends so others don't get suspicious.

4. Use the Right Lingo: Again, HUMINT gathering is all about blending in. Many threat actors and communities have a distinct way of communicating and use lots of slang. Make sure you do the same to blend in.

5. Don't Wait Until You Need It to Start: Avatars and sources take months or even years to develop. You can't simply create an avatar and boom! ... you have HUMINT. You must establish these sources early and continuously work at them, so when the need arises, you have the credibility and established sources to gather intelligence.

Automation, machine learning, and advanced cybersecurity solutions have enabled organizations to respond to threats faster and significantly reduce mitigation times. These technologies are critical to any effective cybersecurity program; however, as long as attacks are human-driven, humans will be part of the threat-hunting process. Having the right mix of tools, automation, and intelligence is key to staying ahead of new threats and protecting your organization. Collecting HUMINT through threat actor engagement can be a great way to supplement your existing intelligence program and help inform strategic decisions that make a long-term impact.

For more about HUMINT and its best practices, you can download our white paper.

Related Content:

Guy Nizan is the CEO & Co-Founder of Intsights Cyber Intelligence. As CEO, Guy leverages his entrepreneurial experience, extensive military leadership training, and technology acumen in the areas of offensive security, cyber threat reconnaissance, and artificial intelligence ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Techgmyth
50%
50%
Techgmyth,
User Rank: Strategist
2/15/2020 | 12:12:50 PM
Regarding the cyber attack by Microsoft Professional Support
I agree with you, But still, we are not able to protect our cyber enemies in another way, like spam boot. People are doing automation or boot to visit your website from spam locations to increase the number of threats on your website that will let you down your website (dos attack).

We are still fighting to get rid out of that.
MarkSindone
100%
0%
MarkSindone,
User Rank: Moderator
1/17/2019 | 2:05:37 AM
Wire your Security up
I reckon that hiring a security company to ensure that you have the appropriate security systems up is one of the most important things in ensuring that threats are reduced right? It's not just about having the wiring in storage properly organized or installing the right protective systems in place but contiguous monitoring! Unless you have some sort of dedicated security services taking care of that, your facility may not be as safe as you want it to be...
EdwardThirlwall
100%
0%
EdwardThirlwall,
User Rank: Moderator
1/9/2019 | 1:04:17 AM
Staying ahead of attacks
It is a difficult task to complete to stay ahead of your cyberattackers because the more advanced the technology that you use, the more high-tech the attacks would most likely to be. The attackers take the opportunity of evolving technologies to further upgrade their techniques. This simply means that outdoing them might cause them to further excel and beat you at your own game.
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
12/18/2018 | 11:23:17 AM
Take Personal Security Measures-Poking the Bear
The recommendation by the article is to ensure that you limit the ability that if you are discovered for the adversary to link it back to your company. I would recommend to take this one step further and not operate within the internal networks of your organizaiton. Instead, operate on the surface. Utilize a public IP so that if anything goes wrong you are less likely to be fingerprinted.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15505
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1, and Sentry before 9.7.3 and 9.8.x before 9.8.1, allow remote attackers to execute arbitrary code via unspecified vectors.
CVE-2020-15506
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to bypass authentication mechanisms via unspecified vectors.
CVE-2020-15507
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to read files on the system via unspecified vectors.
CVE-2020-15096
PUBLISHED: 2020-07-07
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affecte...
CVE-2020-4075
PUBLISHED: 2020-07-07
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not ...