HUMINT in a cyber world

Tony Gee 20 Jun 2024

TL;DR

  • HUMINT / Human Intelligence is gathered from a person in the location in question. It’s the sort of information we think of in the context of spying.
  • A modern intelligence apparatus is multi-discipline with many different collection methods.
  • HUMINT sources include officers, agents, diplomats, and more.
  • CyberHUMINT is the process of gathering HUMINT using cyber techniques.
  • Common forms include agent recruitment, deception and disinformation or PsyOps.
  • SOFIT can be used to identify people prone to divulging intelligence.
  • Defending requires both a technical and social approach.
  • Identifying organisational impacts to staff’s wellbeing can be a key defence against insider threats.

A while ago I co-presented at BSides Cymru on the intricacies of intelligence domains. We gave a 101 on how a modern intelligence organisation gathers information.

History

British Intelligence used to be very much about what equipment the enemy had, how many people they had, what the bore of the cannons was, along with the fortifications. It wasn’t really until around 1909 that modern British intelligence was born.

Largely this was a result of some spy stories written by a dual British and French author, William Le Queux, who in 1908 released novels discussing hypothetical German spies infiltrating the UK. These had the effect of causing widespread paranoia and, as a result, in 1909 Mansfield Smith-Cumming and Vernon Kell created the Secret Service Bureau. Smith-Cumming was a naval officer, who reportedly suffered from sea sickness, and Kell was an army chief.

They went on to be the first heads of, respectively, MI6 or Secret Intelligence Service and MI5 or Security Service. A third intelligence service, Defence Intelligence, was formed in 1964. In 1909 intelligence was military focused. It would be many years before it became the discipline we know now.

What does intelligence apparatus look like today?

Intelligence is acquired using many methods which all add to the intelligence apparatus. The main methods are:

TECHINT
Technical Intelligence is intelligence about weapons and equipment used by armed forces.

SIGINT
Signals Intelligence is the interception and analysis of transmissions to gather information.

FININT
Financial Intelligence is the gathering of information about financial transactions.

RADINT
Radar Intelligence is the collection and analysis of information from radar systems.

OSINT
Open-Source Intelligence is probably the most well-known and is the collection and analysis of information from public open sources.

CYBINT / DNINT
Cyber Intelligence, sometimes called Digital Network Intelligence, is the collection and analysis of intelligence from cyberspace. This is often considered a subset of OSINT but is a distinct intelligence method.

IMINT / GEOINT
Imagery Intelligence and Geospatial Intelligence are intelligence gathered from satellite and aerial photography, along with other photography. GEOINT can also include mapping and terrain intelligence. GEOINT is commonly used in “OSINT Challenges”, but is not technically OSINT, although open-source information is commonly used in solving these challenges.

MASINT
Measurement and Signature Intelligence involves the scientific analysis of data, such as that from acoustic sensors or infra-red heat sensors.

HUMINT
Human Intelligence is gathered from a person in the location in question. This is the sort of intelligence we think of when thinking of spies.

There are other methods; however, these will suffice for this post. We are hoping to create a series of these posts exploring each area in more detail, but for now let’s focus on HUMINT.

HUMINT Sources

There are many HUMINT sources; the most common ones we think of are officers or agents. Officers typically work for the intelligence organisation, with agents working on behalf of the intelligence organisation. Think of it a little like this: an officer is an undercover police officer usually based in the country of operations, and an agent is their confidential informant usually living and working in the country of operations. This is an oversimplification, but it helps clarify the difference.

Alongside officers and agents, diplomats, non-governmental organisations, espionage, advisors, military attachés, detainees, refugees, traveller debriefings, and even routine patrolling and special reconnaissance units can all be sources of HUMINT.

CyberHUMINT

How does this relate to the cyber domain? Let’s look at some of the modern CyberHUMINT techniques used by intelligence operatives. CyberHUMINT is the process of gathering HUMINT with cyber techniques, most commonly social engineering.

CyberHUMINT is used in many ways:

Agent recruitment
This could be through access agents, unwittingly or complicitly. For example, using phishing to elicit information.

SOFIT or Sociotechnical and Organizational Factors for Insider Threat can be used to help identify people who might be prone or susceptible to divulging intelligence on purpose or accidentally. My colleague Tom has spoken and written about this. It is a common form of CyberHUMINT.

Deception
Using online social engineering to deceive victims, threat actors can elicit information. This is not necessarily to be confused with agent recruitment.

A really good example of this is the attacks highlighted by the Think before you link campaign from NPSA, which shows how social media is being used to entice targets into divulging information on the promise of a better job, an all-expenses-paid conference, etc.

Disinformation or PsyOps
The highly effective disinformation campaigns or psychological operations affecting the US election of 2016 and Brexit votes of the same year are examples where threat actors have used social media to push a particular narrative.

This can also be used to manipulate individuals into divulging information by turning targets into an insider threat by altering their thoughts about the organisation using social media and conspiracy theories.

Disruption
CyberHUMINT is really effective at providing pre-attack intelligence. By infiltrating online groups and gaining trust, defensive intelligence offices can identify when attacks are likely and what they may look like. Some examples are the infiltrations of Cozy Bear and DarkSide to gain intelligence.

CYBINT / DNINT Enrichment
CyberHUMINT can also be used to enrich intelligence such as malware signatures and code repetition with possible motivations, likely targets and likely perpetrators.

Countering the threat

HUMINT is one of the most effective methods to gather actionable intelligence, and countering it is not to be underestimated.

If we focus on countering CyberHUMINT, some of the more effective controls are both social and technical. For example, technology can prevent phishing emails from reaching end user mailboxes; however, it is rarely able to prevent all phishing emails reaching staff, and therefore cyber threat training is crucial. This needs to extend to consider current, more advanced threats.

A key control alongside education is OPSEC or Operations Security. In this context, it is crucial to be mindful of what you are leaking, both personally and organisationally. Information leaked to corporate social media and by business social media can allow attackers to determine who to target with deception operations.

One area that is often overlooked by CISOs is the insider threat risk. Whilst it is on the risk register, how many are actively attempting to counter it within the business? It cannot be emphasised enough how much of a risk insider threat is. A happy and motivated workforce can be the organisation’s greatest asset, countering insider threat at the same time.

How many of your workforce are feeling the effects of burnout, with pointless tasks being levied by ineffective managers, or bureaucracy and unnecessary oversight and no recognition? These are things that threat actors will look for. What do your company reviews look like? Consider what internal SOFIT framework you have. If you don’t have one, Tom’s framework will help.

Countering disinformation is particularly challenging. NATO says “Comprehensively understanding the information environment, specifically disinformation, is crucial to enable a credible response”.

They suggest that their methods to do that include fact-based, credible public communications, publicly refuting false claims, and debunking disinformation narratives. This approach can be adopted by organisations too. For it to be effective, though, leadership has to be trustworthy, which goes back to SOFIT.

Conclusion

Intelligence is a multi-discipline process, with a long history of gathering information that can help in both attack and defence. HUMINT is certainly not going anywhere in a modern cyber world and CyberHUMINT is becoming a big risk to organisations.

Having robust processes in place to counter the threat is crucial. SOFIT frameworks are more important now than ever, and attackers are looking for weaknesses in your organisations.

As Intelligence gathering methods adapt to the changing world, are you?