We are living in a period increasingly characterized by exponential technological development. That technology also carries potential threats to us, namely the specter of a ubiquitous surveillance architecture active 24 hours a day, 365 days a year. It is an architecture that, as we have seen, serves the interests of the big OTTs (Over the Top players), those who manage the buying and selling of our personal data and, importantly, the prediction of our habits and behaviors. In this scenario Facebook is now one of the authoritative sources of behavioral models. This economic model is described in Zuboff’s book “Capitalism of surveillance”: a scenario in which data are the basis of real wars and power struggles that challenge even democracies.
Intelligence is the product that results from the collection, evaluation, analysis and interpretation of information.
Developing an intelligence product requires collecting information from different sources, and those sources must be selected according to the objectives set by the organization.
The product of this activity provides states with the information they need to promote their national interests. Intelligence organizations generally look for information on military capabilities, issues that threaten national security, economic programs and diplomatic positions. In the digital / cyber domain, similar approaches are used to prevent threats or to collect strategic information; increasingly sophisticated programs are now part of defensive / offensive cyber protection strategies, both at government level and in the companies that form part of critical infrastructure (for the latter, we restrict ourselves to the defensive side).
Intelligence activity is divided into strategic and operational. The first provides the information decision makers need to make choices or long-lasting decisions; normally this information must then be integrated with information on politics, economics, social interactions and technological developments. Operational intelligence, on the other hand, concerns current or short-term events and does not involve long-term projections.
Information gathering techniques
There are several disciplines used for collecting information. They include human intelligence (HUMINT), intelligence derived from signals (SIGINT), intelligence derived from images (IMINT), intelligence derived from radio frequency detections and radioactive emissions (MASINT) and intelligence derived from open sources (OSINT). On the subject of open source intelligence, it should be noted that the more open an organization / state is, the more successful this type of activity is. Magazines, websites, online databases and social networks are often profitable sources of information on government and commercial activities.
Human intelligence activities, HUMINT, are synonymous with espionage and clandestine activities such as those described in the book by Fabrizio Gatti, but the activity carried out by diplomats and military personnel should not be overlooked.
This discipline is the oldest method of collecting information and remained, until the end of the twentieth century, the main source of intelligence for governments / organizations. HUMINT activity includes overt, sensitive and clandestine activities carried out by people who control, supervise and support the necessary sources. Overt activities are conducted openly; in this case the people who collect the information may be diplomats, seconded military personnel, or members of official delegations who take part in or manage unclassified publications or conferences. Clandestine activity, by contrast, requires agents who are infiltrated into the target country / organizations in undercover roles. Managing this discipline requires a significant number of staff, both among those who collect information and among those who support and coordinate the various activities.
HUMINT in Onlife
Today, both threat actors and professionals working in the IT security sector have increasingly efficient and lethal technologies at their disposal. Alongside these means we have what can be considered the most useful tools of all: human knowledge and experience.
For these reasons it is easy to see why HUMINT is fundamental both for those who work to identify cyber criminals and for those who deal with the management and prevention of threats. Understanding the motivations, trends and reasons behind the adversaries is key to any type of war, including cyber war. As the literature on the subject confirms, one must know one’s enemy by becoming one’s enemy; you must always keep in mind that the enemy in this cyber war can be virtual and anonymous, but never invisible. The technique used in the digital world is similar to that used in the physical world: to use HUMINT successfully, a Threat Hunter must learn to think like the threat actors, identify the tools and techniques they use and understand their goals. All this requires considerable skill in infiltrating the actors that generate cyber threats, gaining their trust and learning how they work, a commitment equivalent to that of an agency placing an undercover agent inside a criminal organization.
It is painstaking, nerve-wracking work: identifying the digital places where threat actors gather to share information, such as dark web forums, IRC chats, virtual rooms and black markets. It is as dangerous as its physical-world counterpart, no matter how experienced or qualified one is. When one enters these dark corners of the net, where actors come from all parts of the world and are often in conflict with each other, one is constantly analyzed. In these forums the administrators or moderators examine everything about us in order to determine whether we are an infiltrator, and mere suspicion results, at the very least, in a ban. Before starting this activity it is therefore important to protect yourself by managing your own security very carefully: Threat Hunters need tools that hide their real identity, from simple tools such as a VPN or Tor up to proxies and virtual machines.
Being exposed can pose a serious threat to yourself and to the organization you work for. In some of these activities it is also possible to come into conflict with the police, not to mention with our own company’s legal department. Collecting data through HUMINT techniques can be very time consuming, so it is necessary to rely on cutting-edge technologies while always keeping in mind the objectives and targets of the organization, i.e. its infrastructure and critical business processes. HUMINT initiatives should not be relied on in isolation: I strongly suggest working as a team with reliable IT security companies, since in general the more information you have, the better the quality of the work. The information comes from multiple sources (dark web, social media, etc.); for this reason it is essential to create the right mix of internal and external analysts. The work cannot be based on casual searching for actors on the dark web; we must qualify specialized sources on the assets that interest us. In the financial sector, for example, it may be useful to have sources among the developers who exchange and purchase credit card or PIN information, as well as among the moderators of forums on the subject. Jabber hosts lists, and on this decentralized messaging system you ask questions or look for leads to investigate. This activity also requires managing and maintaining a series of avatars, each with its own list of people it can contact on Jabber. Clearly one must be careful not to do anything illegal, buy anything or handle illegal material. Another point to be resolved is timing: if you want to maintain the credibility of the avatars you have to break out of the 9-to-5, working-week paradigm, since an avatar’s absence would certainly make our sources suspicious.
To be credible you need a constant presence on the net: you will have to ensure the avatars are present even outside office hours, including access on Saturdays and Sundays.
Software, tools and technologies change quickly, but even in this complex scenario there is a human factor: all cyber attacks are driven by people. Precisely for this reason, knowing the opponents’ motivations and the trends behind campaigns and attacks can help us make strategic decisions and direct the investments that best protect our infrastructure. As described, HUMINT activity can be a fundamental element of our cyber defense strategy, but it can also be incredibly dangerous. Care must be taken to conceal one’s identity and objectives. To begin with, you can certainly start from intelligence platforms that also include this service, or rely on companies that offer it. Traditional HUMINT tools and tactics, combined, give us the ability to identify criminal behavior and allow us to move to a more proactive cyber security approach, one focused on attack prevention, because the best form of mitigation is to stop threats before they affect our infrastructure and critical processes.