Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:30 AM
Guy Nizan
Guy Nizan
Connect Directly
E-Mail vvv

How to Engage Your Cyber Enemies

Having the right mix of tools, automation, and intelligence is key to staying ahead of new threats and protecting your organization.

There's a lot of talk about "cyber threat intelligence" these days, but very few organizations have fully implemented and operationalized a program. Most companies will ingest technical intelligence, which consists of indicators of compromise, malware signatures, malicious IPs, and other tactical intel. These are relatively easy to understand and act on but they don't do much to protect your organization long term.

At the end of the day, all attacks are perpetrated by humans. Understanding your attackers' motives and tendencies can help you make strategic decisions to protect your company long term. This means good news and bad news.

The bad news: This type of intelligence is the most difficult (and most risky) to collect.

The good news: Your adversaries might be anonymous, but they're not invisible.

Here is how organizations can use human intelligence — known as HUMINT — to engage their cyber adversaries and enhance their existing intelligence program.

HUMINT can be defined as the process of gathering intelligence through interpersonal contact and engagement rather than by technical processes, feed ingestion, or automated monitoring. It's the equivalent of what an FBI or CIA agent does when they go undercover and involves creating avatars that act like fellow hackers to blend in on Dark Web and anonymous forums.

Whether it's done by a threat actor or threat hunter, HUMINT gathering requires highly specialized skills and knowledge to avoid suspicion and detection.

So, why is it worth the risk?

Here are some of the ways companies can use HUMINT in their cybersecurity operations:

  • New Threat Discovery: Engaging with threat actors can help you uncover new tools, tactics, and/or attacks that may affect your organization. It's a great way to supplement your existing intelligence feeds to provide more context and a deeper understanding of threats.
  • Threat or Attack Investigation: If you discover a new threat, you may want to engage your established threat actor sources to learn more about it and how it may impact you.
  • Damage Assessment: If you are breached, you need to understand the extent of that breach, what data has been exposed, and how the attacker got in. We've seen an increase in extortion attacks, where threat actors will claim to have stolen sensitive data and demand a ransom to not publish that data. HUMINT can help you uncover the source of a leak and/or if the attacker's claim is legitimate.

Best Practices
There are a number of best practices organizations should keep in mind when conducting HUMINT gathering.

1. Take Personal Security Measures: Hackers are like white blood cells. If they detect a foreign object, they attack. If you are discovered as a threat hunter, you immediately become a target, so you need to make sure nothing leads back to you or your company. When engaging with cyber enemies, make sure you use a virtual machine with nothing saved on it. If your cover is blown, you don't want them turning their attention to you or your company.

2. Tell a Good Story: When FBI or CIA agents go undercover, they spend months or even years developing their backstory. Your story has to be believable, so spend time developing a good backstory and stick to it. If you're pretending to be a college student, make sure you know what classes you take, details of the university you're attending, and why you're spending your time on dark web forums.

3. Engage at All Hours: Hackers don't work 9 to 5. Your avatar shouldn't either. If you want to be believed as a threat actor, you need to spend time logging in to forums late at night and on weekends so others don't get suspicious.

4. Use the Right Lingo: Again, HUMINT gathering is all about blending in. Many threat actors and communities have a distinct way of communicating and use lots of slang. Make sure you do the same to blend in.

5. Don't Wait Until You Need It to Start: Avatars and sources take months or even years to develop. You can't simply create an avatar and boom! ... you have HUMINT. You must establish these sources early and continuously work at them, so when the need arises, you have the credibility and established sources to gather intelligence.

Automation, machine learning, and advanced cybersecurity solutions have enabled organizations to respond to threats faster and significantly reduce mitigation times. These technologies are critical to any effective cybersecurity program; however, as long as attacks are human-driven, humans will be part of the threat-hunting process. Having the right mix of tools, automation, and intelligence is key to staying ahead of new threats and protecting your organization. Collecting HUMINT through threat actor engagement can be a great way to supplement your existing intelligence program and help inform strategic decisions that make a long-term impact.

For more about HUMINT and its best practices, you can download our white paper.

Related Content:

Guy Nizan is the CEO & Co-Founder of Intsights Cyber Intelligence. As CEO, Guy leverages his entrepreneurial experience, extensive military leadership training, and technology acumen in the areas of offensive security, cyber threat reconnaissance, and artificial intelligence ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
12/18/2018 | 11:23:17 AM
Take Personal Security Measures-Poking the Bear
The recommendation by the article is to ensure that you limit the ability that if you are discovered for the adversary to link it back to your company. I would recommend to take this one step further and not operate within the internal networks of your organizaiton. Instead, operate on the surface. Utilize a public IP so that if anything goes wrong you are less likely to be fingerprinted.
User Rank: Moderator
1/9/2019 | 1:04:17 AM
Staying ahead of attacks
It is a difficult task to complete to stay ahead of your cyberattackers because the more advanced the technology that you use, the more high-tech the attacks would most likely to be. The attackers take the opportunity of evolving technologies to further upgrade their techniques. This simply means that outdoing them might cause them to further excel and beat you at your own game.
User Rank: Moderator
1/17/2019 | 2:05:37 AM
Wire your Security up
I reckon that hiring a security company to ensure that you have the appropriate security systems up is one of the most important things in ensuring that threats are reduced right? It's not just about having the wiring in storage properly organized or installing the right protective systems in place but contiguous monitoring! Unless you have some sort of dedicated security services taking care of that, your facility may not be as safe as you want it to be...
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-08
Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS). To exploit the vulnerability, an attacker needs to have TCP connectivity to the target system. Receiving a maliciously crafted TCP packet from an unauthentic...
PUBLISHED: 2021-03-08
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in ...
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.