CHAPTER
3
Cyber Counterintelligence
Counterintelligence
tradecraft has its roots in the earliest of military orders and has been continually refined by practitioners for centuries. In any language, or any country around the world, government activities spend significant resources ferreting out spies with elaborate plans. As new challenges arise, the intelligence community has engaged to meet them head on.
tradecraft has its roots in the earliest of military orders and has been continually refined by practitioners for centuries. In any language, or any country around the world, government activities spend significant resources ferreting out spies with elaborate plans. As new challenges arise, the intelligence community has engaged to meet them head on.In moving into the information age, we see a greater dependence on advanced technologies. Information travels much faster today than it did even 100 years ago, let alone a 1,000 years ago! The advancement in technology over the past three decades is exponential, which conversely forces the counterintelligence community to exponentially increase its capabilities. This is true with the advent of computers and the ever-expanding role of cyberspace in the world today. Computers and the cyber realm offer new problem sets for counterintelligence professionals.
One prominent problem is the mire of anonymity. Many of the components of computer operations lend themselves to naturally obscuring identity. Of course complete technical anonymity is not absolute; as it is not easy in every case to obscure your true identity online, and many people don’t know the extra steps needed to heighten obfuscation of their true identity. Hardware, software, and the nature of operating in the digital arena heap piles of ambiguity into the situation, as there are now dozens of unique identifiers by which your identity or even organization can be determined.
So how do you find someone? Where do you start, and how do you know when you do find that person once you have identified the information that you believe to be enough? These are tough questions that still go unanswered by many security and counterintelligence professionals.
Fundamental Competencies
The Office of the National Counterintelligence Executive (NCIX) is a subordinate directorate to the US executive branch. In 2006, the Director, Dr. Joel Brenner, directed that a study of the US counterintelligence discipline be conducted to identify the required core competencies across the US counterintelligence community. The resulting list is a rather universal one; that is, it transcends organizations—even nations!
NOTE
It is interesting to note that after extensive research, no references to studies by the Russian or Chinese counterintelligence services were discovered. As a matter of fact, there is no official presence by either service. In conducting online queries, the top result returned references to the office of the NCIX. Searches were conducted on Google and other prominent search engines (Bing, Yahoo!, and Dogpile). Some of the queries which ran included “information operations,” “counterintelligence,” and “computer operations”—all done in the native language with the same results. The United States is setting an example for the rest of the world by publishing the most information allowing anyone to review and understand how the United States performs counterintelligence (or is putting the information out there deception in and of itself?).
The following sections describe the 19 items that the NCIX study identified as skills every counterintelligence professional should have, as presented in Fundamental Elements of the Counterintelligence Discipline, Volume 1; Universal Counterintelligence Core Competencies, published by the Office of the National Counterintelligence Executive and Office of the National Counterintelligence Institute (January, 2006).
Knowledge of National CI Structure and Agency Missions
Knowledge of the counterintelligence structure and agency missions is a basic but critical component for counterintelligence professionals. Any corporate organization or government agency has new employees attend an orientation of sorts. This is what the individual needs to know in a rudimentary way to be successful in the organization. The mission at all levels must be communicated clearly and understood for success. This competency speaks to the fact that this information will also enlighten an individual as to where additional counterintelligence support is coming from within the community, and the structure of the counterintelligence activity with missions and functions.
Knowledge of Interagency Memoranda of Understanding and Procedures
To protect everyone involved, every individual in the community should have a clear understanding of all standing agreements for a number of reasons, not the least of which is to understand the limitations and boundaries for the practitioner. This could be the subject, an asset, or even the counterintelligence professional. This knowledge is additionally useful because it can illuminate where modifications might be needed to conduct a complete and thorough investigation. It can also be used to clarify what support is dedicated to an investigation.
Knowledge of Foreign Intelligence Service or Terrorist Group Culture and Tradecraft
It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.
—Sun Tzu, The Art of War
Need we say more?
Basic Investigative and Operational Techniques and Tools
The very nature of counterintelligence activities requires investigators to be proficient in their tradecraft. How much more do cyber-assisted crimes and activities necessitate advanced training? As previously discussed, technology is moving forward unabated and shows no sign of slowing. As technology advances faster than the majority of professionals can keep up, the development of techniques to exploit these new technologies is keeping pace.
The US National Institute of Justice, a component of the Department of Justice, issued a special report, Investigative Uses of Technology: Devices, Tools, and Techniques, in October 2007, which applies today. In this report, the writers outlined forensic and procedural concepts to keep the staff on the cutting edge of new developments in technology. Three areas were universal to tradecraft:
Actions taken to secure and collect evidence should not change that evidence itself, as data required to perform an investigation needs to be maintained in its full initial integrity in order to properly investigate.Activity relating to the seizure, examination, storage, or transfer of electronic evidence should be fully documented, preserved, and available for review. This is needed to ensure that any changes or alterations are documented and the steps known to the investigative team.Specialized training may be required for the examination of many of the devices described in this special report. Appropriate personnel should be consulted prior to conducting any examination. Investigations are often performed by professionals who are not fully certified or trained to handle specific types of data or equipment. This can lead to improper handling of evidence.Asset Development and Handling (Including Difference Between Liaison and Clandestine Sources)
The basic conduit of information is the asset, whether the information is gained through a formal relationship (liaison) or spying (clandestine). Building and maintaining rapport with an asset requires skill and determination. Many factors can sidetrack these efforts. The use of cyberspace is just another conduit by which these ends are achieved. However, there is a slight twist with this statement. The anonymity of the Web creates a challenge regarding confidentiality (privacy of communiqué) and nonrepudiation (the state of information that cannot be challenged)—you are who you say you are, and there can be no question regarding authenticity. Human factors such as skill and tradecraft experience are just as important as the technological aspects, and situational awareness (knowledge of all current data surrounding an event) is a key requirement.
Asset Validation
Building on the previous core competency, we need to be knowledgeable of who we are dealing with in the counterintelligence world. If a supposed asset is forwarding e-mail messages or using a spoofed e-mail address, serious consequences could arise from the exchange. What is the motivation of the asset? Even worse, our assets may not be who we believe they are. The asset could actually be a double agent tasked to collect information from you! Not only is that turn of events rude, but it can also be quite embarrassing in investigative circles. Assurance of who you are dealing with is absolutely essential. How many times has someone been the victim of a spear phishing or spoofing attack, thinking an e-mail came from a relative or another trusted agent, only to fall victim to a cyber crime?
Liaison
Now that counterintelligence professionals understand the organizational structure in which they are employed, they must ensure the requirements of those memoranda of understanding and formal agreements are serviced. Nothing will dampen a strong working relationship faster than ignoring the people with whom agreements for sharing information and resources were made. Much like practitioners nurture a relationship with an asset, the same must be done with their counterparts in partner organizations at all levels. If practitioners work at a high level, proper courtesy and attention must be paid to their peers who are working at the lowest levels, lest information from the field dries up. The converse is also just as important.
Relationships with other agencies fill niche requirements in the counterintelligence community. Organizations like operations and logistics (procurement and human resources) provide a plethora of information to the counterintelligence professional if the lines of communication are open and actively used. Important information—such as who took what and where—must be gleaned externally.
These relationships, even on a rudimentary level, are absolutely essential. How does one get from place to place without logistics support? How does one know where the action is if not for the operations section?
Interviewing and Debriefing Techniques
So many techniques could be captured and enumerated in this section to show the model for a world-class interviewer, or the debriefer, of the individual who identified the initial intrusion or set of events that led to the detection of the threat. First, the interviewer should ask questions that dig beneath the surface; don’t be satisfied with superficial answers. Building on that, the interviewer should know to ask the right questions to start.
These techniques depend on the individual interviewer and rely on interpersonal skills, so interviewing and interrogation skills must be a focus for educational development. However, the single most important factor in interviewing is to know your subject. Know as much as you can about the interviewee, for in that intimate relationship, you will glean what is truly important. You will see past the words, and look into body language and other relevant factors that illuminate truth and lies.
Surveillance and Countersurveillance
So, the big question is who am I watching, and oh by the way, who is watching me watch somebody else? How do you do that with stealth and tact? Many techniques come to mind, like old reruns of Dragnet with Jack Webb as Sergeant Friday and his partners sitting on surveillance in Los Angeles. What a strange twist it would be if where they were sitting was under constant surveillance of closed circuit television (CCTV)? Now Sergeant Friday is sitting watching the movement and actions of his subject and he is the subject of another at the same time!
Of course, Sergeant Friday was too clever to ever be caught in that situation. He had his team out on the street conducting technical surveillance of the area, looking for cameras in the exact area where he was to sit in surveillance of his subject. His team conducted countersurveillance on Sergeant Friday’s subject’s countersurveillance team. Confused yet? Stay with us…
Technical countersurveillance is most commonly referred to as “sweeping for bugs.” The technical countersurveillance folks use technical means to locate and identify a variety of devices, such as listening devices and CCTV locations, but they are also useful in detecting threats in a variety of electronic devices. Perhaps computers come equipped with zero-day exploits (an unknown vulnerability where an exploit has been developed and not made public), or a piece of hardware redirects critical information outside the network to an unauthorized location. Most devices emit electromagnetic radiation in the form of radio waves, but not all do. Some require a combination of devices to activate the capability, and alone, they are very hard to detect. A trained professional will be aware of these things and neutralize the threat.
Principles of Collection and Analysis
Depending on the agency, activity, or country, there are various principles of collection. In our view, they can be summed up in just seven simple principles:
The risk involved in collection must be justified by the gain and operational success.Always use assets under your control (organic collection assets) before considering equipment or support from an external agency.In some cases, agencies external to your organization might be the only ones who have the means for technical or human collection of information. And although you might work in proximity, they may still be the only ones with access to a specific asset or information. Build that rapport!The folks back at headquarters can get collection assistance from other folks in the field to support your mission through information sharing. Share and share alike—you’ll be glad you did.Communication is the key. Collection planning is a collaborative effort between the collector and the intended recipient. Communications is the key (did you get it that time?).Collection planning is a living and dynamic process. Don’t let it wither on the vine. Don’t rely on only one collection method. There could be an unlikely situation where the batteries in the bug die. Now where are you a hero? Redundancy is your friend.In the intelligence community, there are many means for collections. Be creative and strive to understand the different methods so that you will be a good steward of resources.Principles of analysis exist at many levels, strategic through tactical—from the 10,000-foot level to down in the weeds. Regarding the NCIX core competencies, it appears there is latitude for interpretative flexibility. In staying on task, a solid winner returning the best bang for the buck would come from reflecting on the comments of one man, Richard Helms. Helms was the eighth Director of Central Intelligence (1966–1973). He believed in the following six specific principles of intelligence, which transcend time and organizations alike (“The Intelligence Professional Personified, A Life of Intelligence,” by David S. Robarge, in The Richard Helms Collection):
Focus on the core missions: collecting and analyzing foreign intelligence Stick with your bread and butter; don’t be distracted by other tasks and activities.Keep the game honest Finished intelligence (completed and validated assessments) will feed national policy, so do your part. Don’t let policy manipulate intelligence, and don’t manipulate intelligence to guide policy.Never wear two hats Focus on foreign intelligence and do that job. Do not end up in debates or policy discussions. Leave that to the bureaucrats and red-tape manufacturers.Stay at the table Be involved and offer solutions. Not everyone likes the direction that senior management is going; do not become irrelevant. If you need to remind people that you are important, you’ve missed the boat. The US Army Forces Command (FORSCOM) is a major command that reports directly to the Secretary of the Army and is responsible for providing soldiers for combat to the Unified Combatant Commanders worldwide. Here is what they show as their mission statement (www.forscom.army.mil/): “U.S. Army Forces Command trains, mobilizes, deploys, sustains, transforms and reconstitutes conventional forces, providing relevant and ready land power to Combatant Commanders worldwide in defense of the Nation both at home and abroad.” Most of the wind goes right out of their sails when they insist to you that they are relevant. Reminding someone that you are important exposes that small truth that you are out of the game, well, you get the idea…Serve only one President at a time Keep on task with the current boss. Leadership will come and go. Change is inevitable.Make intelligence a profession, not just an occupation Tradecraft does not end when you go home for the day. To do what needs to be done, you need to live it. You have to eat intelligence, and when you go to sleep, you have to dream about intelligence.Research and Technology Protection
Protection of up-and-coming new technologies is absolutely critical to any organization’s future success, and it’s critical to any nation’s national security. Program protection is not just keeping papers locked in the office, but rather keeping folks in line by practicing operations security, which will be discussed shortly. Also included are information security, personal security, physical security, and computer security—all of which can give away the farm. Combinations of these vulnerabilities can do you in, too. Suppose an employee goes home for the day and posts on her personal blog about how boring it is working on the Widget Enhancement Program. Within a couple weeks, the employee is approached by foreign intelligence officers, and eventually, she is questioned about the Widget Enhancement Program—20 million dollars of research and development down the drain…
Operational Cycle for Double Agent Operations
Know, understand, and commit to memory the activities of the people in the field. Many lives depend on professional coordination of their activities. You do not want to tip your hand through poor tradecraft.
Operational requirements mandate that certain people be in specific locations at specified times, so ensure you understand completely and know the basic five Ws (and an H that is always left out):
WhoWhatWhenWhereWhyHowOperations Security
Commonly known as operations security (OPSEC), this art has been around for years. The names may change, but the following five basic steps in the process are still the same, and with the assistance of a counterintelligence professional, the OPSEC program is extremely cost-effective and scalable. (www.fas.org/irp/nsa/ioss/threat96/part01.htm.)
1. Identification of critical information
Each organization must understand what it is trying to protect. Not everything can be protected at the same level—it simply is not cost-effective—so what are those crown jewels? What information is so sensitive that it will sink your company if the adversary gets hold of it? That is something each company must identify on its own.
2. Analysis of threats
Who is the adversary? Who wants what you have? Is it another corporation or hackers looking to steal your intellectual property for resale? Each adversary has its own motivation and intentions. Here is a short list of potential adversaries:
Insider threatsExtremistsForeign intelligence servicesTerrorist groups, foreign and domesticHackers/crackersOrganized crime groupsCriminals3. Analysis of vulnerabilities
A vulnerability is a weakness that your adversaries can exploit if they are aware of it and have the means. If your company throws all of its important research and development records into the trash, that may not be a vulnerability if the adversary is not aware that all your intellectual property is sitting in an open dumpster, but do not be fooled that it probably is a very real vulnerability just waiting for exploitation. What about spear phishing vulnerabilities? The IT department is usually inundated on a daily basis with notifications of vulnerabilities from a number of sources, so what if your adversary has those same notifications? How safe is your IT infrastructure now?
4. Assessment of risk
In the intelligence business, the assessments of risks are called indications or warnings. The world-renowned detective Sherlock Holmes called these things clues. Whatever you call them, the truth is that this activity or information, in conjunction with other observables, tips off the adversary that there is a potential vulnerability—possibly multiple vulnerabilities.
Consider “Domino’s theory.” It had been widely reported that late-night delivery of Domino’s pizza to key government buildings was an indicator, for example:
Delivery people at various Domino’s pizza outlets in and around Washington claim that they have learned to anticipate big news breaking at the White House or the Pentagon by the upsurge in takeout orders. Phones usually start ringing some 72 hours before an official announcement. “We know,” says one pizza runner. “Absolutely. Pentagon orders doubled up the night before the Panama attack; same thing happened before the Grenada invasion.” Last Wednesday, he adds, “we got a lot of orders, starting around midnight. We figured something was up.” This time the news arrived quickly: Iraq’s surprise invasion of Kuwait.
—“And Bomb the Anchovies,” Time (August 1990)
5. Application of OPSEC measures
Countermeasures are anything that will reduce the risk to an acceptable level.
Training family members or employees to avoid discussing personal or company information in public placesWhen on vacation, having a trusted friend take in your mail and newspapers, turn on lights, and so onChanging schedules and travel routesUsing encryption, a virtual private network (VPN), Secure Sockets Layer (SSL), and moreWhile traveling overseas, blending in as much as possible (don’t be “that guy”)Legal Aspects of Investigations, Including Executive Order 12333, the Attorney General Guidelines, and the Foreign Intelligence Surveillance Act
Executive Order (EO) 12333 outlines US intelligence oversight requirements and limitations for intelligence activities. The Foreign Intelligence Surveillance Act (FISA) explains procedures for physical and electronic surveillance of foreign powers and agents of those powers. These agents can include citizens, aliens (both legal and illegal), and anyone suspected of espionage or violating US law in the best interest of the foreign power.
The main focus here is to understand the authorities, as well as the limitations, for counterintelligence activities. Each country or corporation has its own rules to limit counterintelligence activities to not invade the rights of private citizens to varying degrees. In some countries, the state has absolute power, masquerading as freedom and liberty for all citizens. Prudence is therefore warranted as the counterintelligence professional conducts operations. Specific attention must be paid to the cyber realm, where activities can go from one country to another in an Internet pursuit of information.
Joint and Interagency Operations
Here is where we use all those cool buzzwords that imply joint efforts are going well. Anytime there is an operation starting up or already in progress, ensure you synchronize, deconflict, coordinate, orchestrate, harmonize, and so on. You get the idea: use those liaison and communication skills you developed in the previous section to be the envy of everyone in your organization.
Listening, Communication, and Writing Skills
Seek first to understand, then to be understood.
—Stephen Covey, 7 Habits of Highly Effective People
One must cede the floor to a true communications hero to succinctly communicate a message on communication.
Communication is the most important skill in life. You spend years learning how to read and write, and years learning how to speak. But what about listening? What training have you had that enables you to listen so you really, deeply understand another human being? Probably none, right?
If you’re like most people, you probably seek first to be understood; you want to get your point across. And in doing so, you may ignore the other person completely, pretend that you’re listening, selectively hear only certain parts of the conversation or attentively focus on only the words being said, but miss the meaning entirely. So why does this happen? Because most people listen with the intent to reply, not to understand.
—Stephen Covey, 7 Habits of Highly Effective People, Habit 5
Do not rush to reply or be heard. We all intuitively want to share our opinion and be heard. There is time for that. Understand first, and all things will come to you in time. As you peel back and analyze each component of data, you will see that there is a larger story to be put together.
Knowledge of CI Terminology
There is much to be said for someone who can talk the talk and walk the walk. When individuals are not knowledgeable of the very basic lingo of their profession, no real professional in that function will take them seriously. It is all about being professional and having presence with professional credibility.
Reporting Procedures and Methods
Every government and organization around the world has its own version of red tape and procedure. Knowing what to do and how to do it will make it easy going when your turn comes to present evidence or information in your investigation, and it turns out that your evidence or information is admissible because you did everything right. Understanding the agreements between organizations is imperative when conducting a joint operation, as your organization might have one requirement that is not strict enough for the other organization.
Classification and Dissemination Rules
Every government and private organization has methods and guidelines for controlling information. Some items are only for the executive staff; other information might be suitable for public release. It is essential to know these rules, and it is the responsibility of the counterintelligence practitioner to disseminate responsibly and correctly. Sometimes there is a question regarding the protection level of a piece of information. When faced with this dilemma, the counterintelligence professional must always choose to side with caution and conservatism. If needed, more information can be released, but you can never put the genie back in the bottle.
Applying Counterintelligence to the Cyber Realm
Now that we have covered some of the most critical aspects of the traditional tradecraft of counterintelligence in times of cyber espionage, or cyber warfare, we need to get you thinking about how various aspects of the preceding information work in the realm of cyberspace.
First, throw everything you’ve learned out the window when it comes to traditional security. Most organizations simply look to take a compromised host offline and then put it back online with a new image of the workstation, hoping they have completely cleaned the host of a malicious infection, while in fact, there is still someone on the other end of the wire watching, waiting, and biding his time.
Almost every action in the cyber realm can be recorded, detected, identified, analyzed, replayed, tracked, and identified. The only thing necessary is for you to know where to look first. You need to be aware of the innate ability to recognize usable intelligence in any form, as everything is observed and can be used against your attacker, adversary, or threat (whatever vernacular you prefer). Every network all too often has its holes and gaps, but you can observe every ground truth and nuance that has occurred by leveraging the various data sources within your enterprise. Without the ability to analyze all of the data points within your enterprise, an intelligence analyst cannot identify efficient or concise taxonomies using link analysis.
Sizing Up Advanced and Persistent Threats
So we’ve talked about the ability to detect, monitor, track, and interact with an active threat, whether it’s persistent or advanced. I already know what you’re thinking: “You’re mad or neurotic.” Alas, I am a little of both, and that is what makes for the perfect security professional.
In Chapter 1, we briefly covered the nine points of observables. In the rest of this chapter, we will drill down into each of these points to enable you to look at the data from the perspective of a cyber counterintelligence specialist. Along with knowing about the nine points of observables, it is important that you also understand the importance of being able to measure your threat or adversary properly, while also measuring your success or shortcomings effectively. This is not a trivial task, but is more a continuous (living) document you use in order to measure each threat and incident. From these documents, you can build up an encompassing security program that incorporates all of your lessons learned: risks, vulnerabilities, and threats.
By performing due diligence each and every time, and taking the time to fill out an evaluation form (which is highly lacking in a reactive security model—a postmortem, or after-the-fact, response to an incident), you will actually begin to learn more about your threats and adversaries, and even get to a point where you will be able to move to a proactive level. At this level, you will be able to identify where your adversaries have been, where they are, where they are heading, and finally, their true objectives. You can do this with a little disinformation, deception, and counterintelligence.
The following table lists the nine observables that we will use for each of the advanced persistent threats and persistent threats covered in this book. The following sections include a rough ranking for examples of each these observables, in the order of 1 to 10, representing escalating threat levels, with 1 being poor and 10 being highly skilled or effective.
NOTE
There will be times when one or more of these points of observables will not be discernible, and will need to be left blank or based on some of the other observables. You can use qualitative measurement based on what is observed and/or known about each threat.
| Attack origination points | 1–10 |
| Numbers involved in attack | 1–10 |
| Risk tolerance | 1–10 |
| Timeliness | 1–10 |
| Skills and methods | 1–10 |
| Actions | 1–10 |
| Objectives | 1–10 |
| Resources | N/A |
| Knowledge source | N/A |
This ranking approach demonstrates that you need to be able to have some level of metrics when weighing each and every threat. If you are able to assign some level of measurement to each instance of a threat, you will be better equipped to handle the most dangerous threats first. In any military or physical security organization, you are trained to shoot down the closest target, and then take the rest down as they draw closer. With observable information collected and used in the appropriate fashion, you can learn a lot about a threat. Especially with control of your own network, you can deploy, insert, combine, and redirect your threat using your own enterprise resources, if you are watching. Well, what if you are capable of drawing threats closer to you (through control or deceptive trust by the focus) and shutting them down at your own time of choosing? Let’s talk about the observables, and then we’ll dig into choosing your ground of battle in Chapters 7, 8, and 9.
Attack Origination Points
One of the most important components of dissecting a threat is knowing that you have a threat within your enterprise, how the adversaries were able to enter your enterprise, and where the attacks originated from. The dependence our world has on information technology has convoluted and mixed many of the traditional intelligence collection methods. With evolution comes additional lessons, threats, vulnerabilities, and adversaries, who can now walk into your organization without needing to be physically present, and get in and out without being seen. This is why understanding the origination of an attack is so important to being able to identify your weaknesses.
The table at the end of this section provides examples as a guide to weigh the overall origination points according to their threat level (from the lowest severity of 1 to the highest severity of 10). Each of these examples is a means of asking yourself how much effort went into the penetration of your organization’s infrastructure. Was it a random act by a random attacker, or was this a highly personalized and tailored attack against the highest ranking stakeholders or officials within your organization?
One higher-level threat is the insider-implemented infection, which may relate to the constant presence of some level of disgust or antipathy for what your organization is doing. As an example, consider the events that led an enlisted military intelligence analyst to leak numerous sensitive documents based on his personal beliefs.
When someone opens a known infected file inadvertently in an environment that is not protected from these types of threats, this is a lower-level threat. For example, a forensic investigator might accidentally execute malware on her system, and not within a sandbox. So when weighing this threat’s sophistication, it receives a low rating, as the threat was known and the execution was accidental.
Another example is whaling, which personally targets the heads of an organization or someone in a critical position with access to numerous components of an enterprise. This type of attack takes some actual research, tailoring, and work on the end of the attacker, so you can infer it is directed specifically at your organization. This is a very serious threat.
Between the accidental and directed threats, we have the professional, organized criminals who want as much access to as many networks as possible for monetary gain. This type of threat is the mother of all fear, uncertainty, and doubt (FUD), because money corrupts absolutely, and any intelligent criminal will know when he has acquired something (system, network, or enterprise) of value that can be sold to a third party.
| 1 | Accidental opening of a known infected file |
| 2 | Digital device infection (brought in from an external location) |
| 3 | Random (opportunistic) client-side exploit against a browser |
| 4 | Infection via a social networking site |
| 5 | A custom server-side exploit kit (generally professionally driven) |
| 6 | A custom (tailored for your organization) client-side exploit against a browser |
| 7 | Insider-implemented infection |
| 8 | Custom-tailored attachments with embedded infectors |
| 9 | Direct-tailored spear phishing e-mail, which includes horizontal phishing (employee-to-employee infection) and vertical phishing (employee-to-leadership infection) |
| 10 | Direct-tailored whaling e-mail |
Numbers Involved in the Attack
In our modern age of technology, cyber criminals can automate millions of computers to perform multiple attacks against a single enterprise, while a coupling of computers performs separate missions or tasks. This is an observable component that is highly difficult to measure, as the numbers involved in any attack can be for different purposes. Attackers may want to steal information from just a specific person or from an entire organization, and the system involved in the attack will always vary. The target may be you, your employer, or quite possibly information from your organization, such as what is being developed or worked on. The level of information that is being searched for could be on one system or spread across the globe, stored in various systems or even across multiple organizations. However, using victimology with the numbers involved in an attack will give you a deeper understanding of the sophistication, motive, and intent of an adversary or threat.
Victimology is the study of the victim in an incident or attack. This generally includes the relationships between the victims and inferred offenders. In the cyber world, this science also includes the analysis of victims and the nature of the information that was stored on the victim’s system or specifically targeted. One of the most significant components is the victims themselves. What type of organization was attacked or infiltrated, and what function or roles does this organization play in the world? Has this location been targeted once, or has there been a recurrence of attacks targeting this location of the enterprise or organization (a history or hot spot)? The target may be sensitive government information, trade secrets, sensitive corporate projects, financial records—the list just goes on. This is why analyzing the victims of the attack from a measurable and scientific perspective is highly important.
| 1 | The system of a low-level employee |
| 2 | The system of a low-level manager |
| 3 | The system of a network administrator |
| 4 | The forward-facing systems of your organization (DMZ, boundary, web application servers) |
| 5 | The system of an administrative assistant who generally e-mails, scans, prints, and coordinates leadership information |
| 6 | The DNS servers of your organization |
| 7 | The mail servers of your organization |
| 8 | The primary file or database servers of your organization |
| 9 | The systems of your organization’s security team |
| 10 | The systems of C-level executives, core stakeholders, or organization leadership |
Risk Tolerance
When analyzing an incident, another important observable that needs to be weighed is how much effort the offender, threat, or adversary put into not getting caught. Did the attacker not even take time to alter the victim system’s logs, not caring if information was recorded about these actions?
This component of an intrusion will sometimes also indicate the aptitude of attackers and infer their motives and intent. If the attackers have a high risk tolerance, then they do not care as much about being detected and move throughout your network with the feeling of impunity. If the attackers have a low risk tolerance, then they do not want to get caught, and want to maintain the persistent remote connection or control of your organization’s enterprise. At its core, risk tolerance is the analysis of the offenders’ decision to commit a crime or continue committing a crime with the risk of being detected, and their threshold for detection versus completing their objectives.
Our understanding of the “why” behind an intrusion can also be weighted by using risk tolerance. The decision process behind an intrusion can be derived in multiple ways. The attacker is under duress, following orders, or driven by some other motivation. This will be discussed in more detail in Chapter 10.
Keep in mind that in the world of espionage, deception, and disinformation, things are not always what they seem. Sometimes the level of risk tolerance is not what it seems. This is why you need to look at all of the observables surrounding the detection of the threat. Using the information gained from across your enterprise to be able to detect and analyze the attacker is a powerful tool. However, you don’t know what you don’t know until you perform a thorough investigation on all of the data points.
| 1 | No logs were altered |
| 2 | Login/access logs were altered |
| 3 | Connection logs and times were altered |
| 4 | Entire system logs were wiped (surrounding the attacker’s interaction periods) |
| 5 | Entire system logs were corrupted |
| 6 | Operating system security services were disabled |
| 7 | Specific security applications were disabled |
| 8 | Specific applications were corrupted |
| 9 | Operating system was corrupted |
| 10 | Entire system was wiped clean (corrupted and/or permanently disabled) |
Timeliness
The timeliness aspect of an intrusion reflects how much understanding of your infrastructure your attackers have of your organization. The following are the kinds of questions you need to be asking when you are analyzing an intrusion:
How much time have they been able to spend learning about the individuals, operations, locations, functionalities, and types of secrets within your network?How much time did they spend exfiltrating data from your enterprise?How quickly did they go through each system?How well did they know where to look for the exact information they were seeking?Was data taken during specific hours?How often did the threat or adversary remotely connect to your network?Is there a pattern to the connection times? Does it seem the times were associated in a pattern similar to a common workday?When it is observed that an attacker has knowledge of your environment, there are generally two primary explanations. One is that the attacker has been inside your network for much longer than you have been aware of (perhaps with help from an insider within your organization). The other is that the attacker found or stole a laptop belonging to a system administrator and has all the sensitive information necessary, without having been inside your network.
The timeliness of an attacker’s actions is highly important to evaluating the following:
Knowledge of your environment, including system locations, system functionality, folder and file locations, and personnel and their rolesKnowledge of the operating systemGrasp of commands, options, and argumentsWhether the attack is organized or disorganized, which helps build a clearer picture of the intent and motiveWhether or not the attack is scriptedYour security team can measure and observe these pieces of information by analyzing the utilization of each compromised system by the threat. This specific component of information will tell you a lot about your threat.
| 1 | Multiple systems were accessed for long periods of time (threat was searching) |
| 2 | Multiple systems were accessed for long periods of time in specific locations |
| 3 | Multiple systems were accessed for long periods of time surrounding specific applications |
| 4 | A few systems were accessed for long periods of time, and specific information was grabbed |
| 5 | A few systems were accessed on a regular basis targeting specific file types |
| 6 | A few systems were accessed on a regular basis (occurring only within a specific team) |
| 7 | A few systems were accessed a few times (occurring only within a specific team) |
| 8 | A single system was accessed on a regular basis briefly (involving a specific member of a team) |
| 9 | A single system was accessed a few times and briefly targeted (involving a specific member of a team) |
| 10 | A single system was accessed directly and briefly (involving only a specific individual) |
Skills and Methods
When observing attackers’ skills and methods, you are also weighing the victimology and attack origination in combination. Why do we do it this way? Well, there is an easy answer for that one: injection and propagation techniques.
The skills of each attacker will vary, and the more skill shown, the more attention should be paid. Also, if you see a single threat using a lot of skills and techniques that infers more than a single individual is behind the observed events.
Having the ability to observe the skills and methods of each threat is critical. This requires a blend of traditional host-based and enterprise-based security solutions that provide the ability to see not only what occurred on the host, but also what happened over the network. How were they able to get into your network, get out, and then maintain persistence?
The following information needs to be weighed when evaluating a threat’s skills and methods:
Attack (the exploitation and remote control of your enterprise systems)The vulnerability/exploit and its disclosure history (was this a known exploit?)The methodology, signature, content, and patterns (is this a known threat that has attempted to exploit or exploited your enterprise before, or is there a specific pattern surrounding the attack that would help attribute the threat to a specific individual or group?)Tools usedUtilization of access (how did the threat use each system?)Data transfer techniqueLogging alteration or deletion techniqueThese observable details can also provide deeper insight into the individuals behind the other end of the keyboard. For example, keystroke analysis, also known as text-based analysis, can be used to determine the gender, age, and intelligence of a threat behind a specific incident. Research based on behaviors can identify gender and when genders switch in the middle of an intrusion. Using keystroke analysis at the session layer, you can infer the age and intelligence of the individual behind the events, based on the usage of commands, options, arguments, methodology, and content analysis.
With behavioral profiling, the observables at the scene of the crime can be related to the behavior of that individual in real life. When combined with the other observables of an event, behavior can be further analyzed by tracking affiliations, position types, backgrounds, and experiences.
| 1 | Open source publicly available tools freely downloadable using basic techniques |
| 2 | Open source publicly available tools freely downloadable using some custom techniques |
| 3 | Open source publicly available tools freely downloadable using completely custom techniques |
| 4 | Customized open source tools freely downloadable using completely custom techniques |
| 5 | A combination of customized open source and commercial (cracked) tools using custom techniques |
| 6 | A combination of customized tools and commercial (cracked) tools using professional techniques |
| 7 | A combination of customized tools and commercial (cracked) tools using professional techniques along with observable patters and signatures of previous intrusions |
| 8 | Completely customized tool suite with mid-level knowledge of operating system commands, options, and arguments for use specifically within your environment |
| 9 | Completely customized tool suite with in-depth knowledge of operating system commands, options, and arguments that would work only against your environment |
| 10 | Customized/tailored tools that have never been seen in the wild, demonstrating that the operator is well aware of your enterprise composition and has a firm grasp of the operating system commands, options, and arguments for use specifically within your environment |
Actions
Okay, what just happened? This is one of the two “so, what” factors you or your leadership will want to know. What did the attackers do while in your enterprise? You need to know every system they touched and which may have a backdoor (a malicious agent or module that runs on an infected system that allows for remote control by the attacker).
Discerning actions is one of the most difficult tasks when simply relying on the host (the compromised system) and what malware was on the machine. In today’s modern world of threats, adversaries, and espionage, everything you want to know about (such as social engineering, exploitation, data theft/exfiltration, and persistent remote control) occurs over the network. You are attempting to identify in total the sum of systems that were touched, at what times, so you can identify a possible pattern, which can also be identified through skills and methods, as described in the previous section.
You want to know how attackers made it into your network, how often they used your network, how they used your network, and how deep your enterprise is hemorrhaging. Also, by analyzing the actions, you can add that as a weight to the possible motives, intent, and objectives.
| 1 | Threat is using your system as a training point—just poking around without causing any harm or attempting to steal any information |
| 2 | Threat is storing peer-to-peer files for torrent seeds (such as porn, movies, and music) on the system |
| 3 | Threat is an infector worm spreading itself across files stored on the systems involved |
| 4 | Threat is a standard infection to your system from a random infector site |
| 5 | Threat is using your system as a part of a larger criminal botnet |
| 6 | Threat is using your system as a part of a larger criminal network and stealing information |
| 7 | Threat is using your system to coordinate attacks against external systems to your enterprise |
| 8 | Threat is using your system to coordinate attacks against internal and external systems to gain a larger foothold across your enterprise, partners, customers, and random external entities |
| 9 | Threat is using your system to coordinate attacks against internal and external systems, and is targeting specific types of information critical to your organization’s operations |
| 10 | Threat is using your system to coordinate attacks against internal and external systems, targeting specific types of information critical to your organization’s operations, and selling access to specific nefarious groups around the world |
Objectives
The objectives component is one that no stakeholder feels comfortable discussing ever. This is because these are the moments when your team gets together and tries to figure out what has been lost. The only time you should ever be happy about your data being stolen is when you have set up a deception operation and allowed your attackers to exfiltrate information in order to mislead them or feign in battle.
When true adversarial objectives have been met is never a happy moment for any organization. Everything you have been working toward has, in total or in part, been lost to a competitor or criminal of some sort. Billions of dollars worth of sensitive, corporate, and personal information have been lost over the past decade. These are the objectives of your adversaries. Whether they’re posed by some pimply teenager in his parent’s home or a foreign intelligence service, threats are out there (we did say there would be plenty of FUD).
What has been taken is a very important piece of information to know. Once you’ve identified the objectives, affiliations of the threat can be attributed. Whether the objectives were financial or information-based can be a significant indicator as to who is behind the attack or intrusion.
Observable objectives can go wide and deep, such as monitoring e-mail, logistical information, your supply chain, and other areas of your organization that can be used against you to your adversaries’ advantage. What are they doing? What pieces did they get? Which sections are they in? What do they know? These are the questions you generally ask when thinking of your adversaries’ objectives.
| 1 | Seemingly curiosity |
| 2 | Targeting login information |
| 3 | Targeting organizational information (e-mail, logins, and so on) |
| 4 | Targeting organizational, partner, and customer information |
| 5 | Targeting organizational user’s personally identifiable information (PII) |
| 6 | Targeting organizational user’s financial information |
| 7 | Targeting organizational financial information |
| 8 | Targeting organizational operational, financial, and research information |
| 9 | Targeting specific high-profile organizational members’ information |
| 10 | Targeting specific high-priority, organizational sensitive, and classified information, and all of the above, as this infers the threat is going for all the eggs in your basket |
Resources
The ability to measure the resources of an attacker is not an easy task. However, it is possible to gain this information through all of the observables collected across your enterprise, such as the following:
The period of time spent moving through your enterpriseThe types of tools used in the event, such as open source, publicly available, freeware, commercially, or illegally purchased (Zeus, SpyEye, and other tools can cost $10,000 or more)The types of information being taken/stolenThe methods used to exfiltrate your information into their possessionThe payoff of an insider to infect your enterpriseThese facets of information can convey a significant portion of intelligence about a threat. By understanding the lengths attackers have gone to infiltrate your network, you can infer their resources. Understanding your own enterprise and the levels of security implemented in the locations that were infiltrated and evaded by a threat is also an important factor.
This component can also be measured by level of education, which ties back to resources. Some threats snoop only because they can for ego purposes. Some threats have a very specific mission or target. Some threats are simply attempting to pump and dump as much as possible for resale on the underground digital black market (this is where most foreign intelligence services reside to procure data from organized criminal groups).
This is one of the most difficult observables to ascertain. Without having an understanding of what is actually going on within your enterprise, you will not be able to weigh all of the needed intelligence to make this assumption. Measuring the resources of the threat is highly difficult and can never be completely accurate without insider information into the threat itself (by infiltrating the circle of trust of the individual or group, for example). Due to these factors, there is no measurable list of possibilities. You’ll need to combine the frequency, timeliness, numbers involved in the attack, and skills and methods used to get a clearer picture and determine whether the threat is lower on the criminal food chain or right up there with a state-sponsored cyber threat (SSCT).
Keep in mind that another human is at the other end of the keyboard and needs to research the best tools, tactics, and methods to get into your enterprise. Attackers also must have the appropriate skills and education to carry out specific operations (for example, was this self-paid or more of a trained skill?) across your enterprise. Also consider the times of access. Does it look like the threat is doing this as a spare-time venture or for work-related purposes?
Knowledge Source
Many public sources can be used to track most threats. Fortunately, over the past few years, there has been an explosion of public forums and channels used for criminal activity. Most of these sites are located outside the United States; a few underground sites are hosted within the United States, but generally do not last long. The lion’s share of underground forums is hosted on servers across the Asian continent, specifically Eastern Europe and Southeast Asia. Some are hosted in the Middle East, but those are more radical and fundamentalist-driven sites sponsoring Jihad.
There are numerous forms of knowledge sources you can use to learn more about, attribute, and track a specific threat. These include public security sites, underground forums, public forums, hacker group private sites, and even social networking sites, where individuals and groups may post information about their interests, skills, support for other criminals (under the guise of research purposes), and their friends or crew.
The following sections describe a short list of sources that can be used to learn more about threats, both active and historic. For easier digestion, these are divided into the categories of public security data sources and forums, underground forums, and social networking sites. All of these sites can be used to learn more about threats, operators, actors, new threats in development, and the subtle nuances of the underground community.
Public Security Data Sources and Forums
There is a plethora of information out there to be collected, analyzed, and leveraged when attempting to better understand each threat as it moves throughout your enterprise. Some of the sites mentioned here are centered around specific areas or niches of security (malware, phishing, botnets, rootkits, and so on). When combined, these will help enable you to put all of the pieces together, analogous to a puzzle.
The following sections describe some of the sites you can use to your benefit when performing cyber counterintelligence against an active threat. For each data source, you’ll find a rating for its value from a tactical and operational level (in our humble opinion), as follows:
| Fair |  |
| Good | |
| Excellent | |
NOTE
None of these sources are useless in any way. Some simply provide more information into the who, what, and why portions of the cyber counterintelligence approach to help you understand where the bad guys are and where they’ve been. If we have left out your site (and we know there are dozens), let us know, and we’ll add you to our companion website as a public knowledge source. And no, we don’t use our own machines to analyze data sources (we know you bad guys love to send us malware and naughty links).
Shadowserver This data repository is a great resource that can be used to track specific botnets, criminal networks, and cyber-criminal campaigns. This group is based mostly in Europe, with contributors throughout the world working together to detect and track botnet and criminal networks. It’s located at www.shadowserver.org.
| Excellent | |
Malware Domain List This data repository is a great resource that can be used to track cyber-criminal campaigns. It’s maintained by a group of security professionals who pool their resources together to discuss via forums. It also provides hourly updated lists of malicious domains and analysis of those malicious domains and IP addresses. Each domain or IP address has a lot of good analysis as to what crimeware family and/or group it may be associated with. When consuming this data, you need to keep in mind that the attribution of the groups lies in the URI. You need to always look at the URI strings in order to attribute specific activity to a group you may already be tracking. The repository is located at www.malwaredomainlist.com.
| Excellent | |
Abuse.ch This data repository is one of the best public resources (in our professional opinion) that can be used to track specific botnet command-and-control (CnC) domains and IP addresses, criminal networks, and cyber-criminal campaigns. This group is based mostly in Europe, with contributors throughout the world working together to detect and track botnet and criminal networks. Abuse.ch offers not only information about the CnC activity, but also all sorts of data related to the binaries, versions, URI, history, uptime, type of server, geolocation, and whether the CnC is still online. This repository is located at www.abuse.ch/.
Roman Hüssy is one of the focal analysts behind abuse.ch and is a great asset to the international security community. He helps run multiple trackers, such as the following:
DNS Blacklist, which tracks fast-flux crimeware networks (https://dnsbl.abuse.ch)ZeuS Tracker, which tracks Zeus bot-related CnC and file update sites (https://zeustracker.abuse.ch/)SpyEye Tracker, which tracks SpyEye bot-related CnC and file update sites (https://spyeyetracker.abuse.ch)Palevo Tracker, which is a remotely controllable worm based on Mariposa bot code (https://palevotracker.abuse.ch/)AmaDa, which is a catchall that tracks anything not related to the specific crimeware families mentioned (amada.abuse.ch); although AmaDa was discontinued in early 2012 the online resource itself was very powerful| Excellent | |
Clean MX This data repository is a good resource for analyzing phishing campaigns, infector sites, and crimeware update sites. It is useful for trying to attribute infector sites to a specific group or crimeware campaign. This is a data source to help support identification of possible infection vectors. It is located at www.clean-mx.de.
| Good | |
PhishTank This data repository is a good resource for phishing campaigns, domains, and IP addresses. This site is pretty much focused on phishing (as per the name), and it’s an awesome resource if investigating phishing campaigns is one of your responsibilities. It is regularly updated, maintained, and validated. You’ll find the PhishTank at www.phishtank.com.
| Good | |
ThreatExpert This website provides a plethora of information relating to the gamut of crimeware dating back years. It can help you distinguish between benign and malicious network traffic and/or suspicious samples. This site honestly does stand on its own, which you will see for yourself once you visit it. Find it at www.threatexperts.com.
| Excellent | |
Contagio Malware Dump This is a good site to look for information about SSCTs, known hostile IP addresses related to APTs hitting international governments. It also has numerous articles that can be digested to learn more about specific crimeware families and/or criminal operators. Some of the content is more US cyber-driven, but overall, there is a lot of consistent content that can help any cyber intelligence analyst. The site is located at contagiodump.blogspot.com.
| Good | |
DNS-BH—Malware Domain Blocklist This site offers a daily listing of known malicious domains that can be downloaded and used for noncommercial purposes. This is a good resource to identify malicious domains, and some, but not all, are associated with specific crimeware families. Sometimes the site’s operators do get things mixed up a little, but overall, when they label a domain as malicious, you can wager they are spot on. It’s located at www.malwaredomains.com.
| Good | |
Microsoft Malware Protection Center This data repository is a good resource that can be used to identify specific tactics of crimeware and better define what the malware does and how it behaves. Microsoft is like a 2-ton elephant hiding under the rug. We don’t have anything negative to say about this public resource, beyond that it could be a little more in depth with associating lists of domains/IP addresses with specific crimeware families and/or groups. Find this site at www.microsoft.com/security/portal/.
| Good | |
Anubis This data repository is a good resource for analyzing crimeware samples if you do not have a malware analysis system. Anubis is similar to VirusTotal (a website that analyzes suspicious files against 43 antivirus engines), but provides much more information and context about the sample itself. It’s located at anubis.iseclab.org.
| Good | |
Malware URL This data repository is a good resource that can be used to validate specific URLs. You can also search by other criteria, but this data source is focused mostly on malicious URLs. It is possible to register for a trial feed of the data, and the site says a corporation can purchase a feed of these malicious URLs. The data feed is especially useful for infector sites, exploit kits, and phishing sites. There are other crimeware families included in the list, but the data has not been updated daily (more like weekly or biweekly) and can’t be used to actively track any specific operators. The site is located at www.malwareurl.com.
| Fair | |
Other Public Data Sources
The following are some additional public data sources. They are not at the top of our list for tactical use, but are handy and offer services and/or products related to the type of content they provide. Some are better than others (they are not listed in any specific order).
Team Cymru (www.team-cymru.org)The Ethical Hacker Network (www.ethicalhacker.net)YGN Ethical Hacker Group (yehg.net/lab/#home)Wepawet (wepawet.iseclab.org)The Day Before Zero (blog.damballa.com)VirusTotal (www.virustotal.com)Antivirus Tracker (www.avtracker.info)Securelist (www.securelist.com)Exploit Database (www.exploit-db.com)Malc0de Database (http://malc0de.com/dashboard/)Robtex (www.robtex.com)It would be wise to spend a few minutes just hitting some of these sites and seeing what content they provide (if you’re not already familiar with them).
Underground Forums
Literally hundreds of websites host underground forums, where all of our BFFs post information in plain sight for the world to see (EP_0XFF, we know who you are ), but without enough tangible evidence to allow them to actually be prosecuted. Once you register with some of these forums, you will get a great deal of information about the bad guys. It is up to you to get closer to them by building a reputation within their groups.
), but without enough tangible evidence to allow them to actually be prosecuted. Once you register with some of these forums, you will get a great deal of information about the bad guys. It is up to you to get closer to them by building a reputation within their groups.CAUTION
In these forums, you will need to use a nonproduction system, because you will find some of them attempt to exploit you. Some of these sites are safe to surf, and others are not safe. They all change over time, so it is difficult to be sure of the infections and which sites cause them, although malvertising has popped up here and there.
Some of these sites freely advertise the subleasing of botnet infrastructures, and some go so far as to specify individual organizations, enterprise networks, net blocks, and top-level domains (such as .gov, .mil, and gov.cn). You can even get close enough to see ratings of specific operators by previous customers and the operators’ service-level agreements. This is all quite interesting when trying to tie a threat to an individual or group. Most of these criminals live in countries that don’t respond well to law enforcement requests, so they post freely about what they do and how well they do it.
The following are some underground forums that may be useful. This list doesn’t include the URLs, but we hope you’ll do your own cyber sleuthing and look them up yourself. Just be cautious when visiting these sites.
Hack ForumsWildersecurityZloy forumsl33t hackersKosovo-hackers GroupDmoz.org—Addressed SMBRootkit.com (before it was popped)By perusing some of these forums, you will be able to gain a lot of good knowledge. But the cyber samurai need to supply some disinformation to get closer to the cyber ninjas. To gain the trust of most underground knowledge sources, you need to make posts and raise your rank in various security and subculture skill sets. This may allow you to talk to the right people to learn about the tools used to attack a specific target or the masses, for monetary gain or other purposes.
These are some of the places where the digital underground runs free, and a portion of badness happens. Once you get deeper into these areas, you will learn where all of the shadier deals are done. For example, the jabber, IRC, and ICQ networks are commonly used for direct communication with those wanting to do what you may be interested in learning about.
If you do not check out these sites, you need to throw away most of your security products, because you are not doing them any justice, as you are not keeping yourself up to date on how the bad guys do what they do. This true especially of the host-focused products, in a time when hundreds of IT security vendors are receiving more than 50,000 unique malware samples a day, and only a percentage of these generate any network activity.
There is something broken somewhere, and it is mostly due to most organizations not following the defense-in-depth approach properly. This is a layered approach to security that you can learn more about through the National Security Agency (NSA) document at www.nsa.gov/ia/_files/support/defenseindepth.pdf. Security professionals should take some time to read through this document. It will make a difference and hopefully wake you up a little.
If you know and understand the beast, you will be better able to combat the beast, or as they say, “knowing is half the battle.” Assign a portion of your time each day to look at a handful of underground forum sites. Everyone has a demanding schedule, but you need to take the defense-in-depth approach. Learning more about the opportunistic criminals can lead you to the targeted and more nefarious ones.
Here are two different public underground sources where the not-so-ethical entrepreneur can find out how cyber criminals do what they do:
Public Social Networking Sites
When working to gain full attribution of an individual or group, you can do all sorts of things that the bad guys do. Go to the following sites and attempt to learn more about bad actors who make it a habit to have an account for their online identities, and invite their group members and friends to join their account and actively open a dialogue.
NOTE
None of these sites are bad or malicious by nature. They are simply the types of public knowledge sources that can be leveraged to learn more about active threats that are operating against you or your clients.
There are many other social networking sites you can use to find information. If the bad guys do this to learn more about you or people within your organization, why can’t you do it to them?
There are terms-of-service agreements you must accept for most social networking sites, but when it comes to the defense of your enterprise, erring on the side of asking forgiveness is better than first asking permission. (I’m not telling you to go and do it, but if you do, don’t publicize it.)
Conclusion
The ability to counter active threats to your enterprise is the basic topic of this book. We’re talking about actively pursuing your threats in ways that have been reserved for law enforcement and intelligence agencies around the world. You’re not going to go out and shoot anyone, but you can build a dossier on a threat and use that when you do decide to get law enforcement involved (if you go that path). Some organizations simply use these methods to collect intelligence on threats so they have a better understanding of the actual threat they face.
This chapter walked you through the tradition of counterintelligence and its benefits, and then addressed converting these age-old, tested, and true methods to the cyber world. You should have a better understanding of some basic metrics that you can use to gauge each threat. We covered how to use the collected information against threats in ways they use against us every day (payback time, anyone?). Each contributor to this book is interested in proactive security (an offensive-based defense, where we pursue threats versus waiting for them), attribution, and counterintelligence against active threats, or we wouldn’t be writing this manual of best practices for you in one concise edition.
In the next chapters, you’ll learn more about profiling a threat and methods that will be useful to your legal team and/or law enforcement. But you need to maintain the edge while doing so—collecting, recording, logging, and so on. In order to look forward, you need to know what’s occurred and what is occurring. Never forget that. Attempting to better understand threats can increase your awareness of your enterprise’s protection needs. One way to do this is to study both cyber- and noncyber-based criminal case studies that illustrate habitual or serial-based offenders and their personalities. You can find such case studies at www.cyberlawclinic.org/casestudy.asp.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.