The world of intelligence collection comprises a multitude of “INTs”. They run the gamut from Signals Intelligence (SIGINT), Imagery Intelligence (IMINT), Measurement and Signature Intelligence (MASINT), and Geospatial Intelligence (GEOINT) to Open-source Intelligence (OSINT).
Yet there is one “INT” that may be the most valuable in determining whether an organization’s cyber security posture has been compromised, and that is Human Intelligence (HUMINT). No other method of collection is better at weaving disparate bits of seemingly unrelated data into actionable intelligence.
With targeted cyber-attacks up 42% in 2012, and approximately 10% of all cybercrime originating inside the workforce, the insider threat is an issue that organizations too often disregard when considering economic espionage. After all, who is better placed to access internal accounts than a trusted insider?
HUMINT has traditionally been the one element in intelligence and military operations that, if leveraged correctly, can tip the balance of power significantly. This is true primarily because the intrinsic frailties of the human psyche lend themselves to being undermined. It also supports the commonly held tenet that the human element is the weakest link in cyber security.
The Psychology of Exploiting HUMINT: While physical pressure may elicit a response from some, this form of elicitation is often counterproductive, since the ultimate goal is to keep a source in place so that misinformation can be fed back through it. Most people, particularly untrained or non-professional operatives, want to talk while under duress; they are therefore more apt to respond to an interrogator whose approach is based in kindness and understanding. Traits to be leveraged: many cultures are predisposed to respond to authority figures, to those whose value systems most mirror their own, or to those whose experiences or knowledge base most closely resemble theirs. Other tactics combine various forms of flattery, exonerating someone from guilt, and/or an interrogator who places routine emphasis on the critical topic to be extracted.
The inducement to collect sensitive data, whether for a governmental master or a corporate one, can generally be categorized into four predominant motivational types: monetary, ideological, compromise-based, or ego-related. Of these, only the compromise-based type needs a bit more clarification. Compromise can take the form of blackmail, whether over a financial situation, an addiction, or a sexual proclivity or indiscretion. The other often-used compromise tactic is the threat to, or intimidation of, family members; this is particularly effective in closed societies.
Utilizing HUMINT, counterintelligence professionals can identify those who practice the surreptitious removal of sensitive information. Various forms of clandestine transfer can be employed to move data to handlers and on to sponsoring entities. These include the Dead Drop (an easily approachable site for filling and emptying, and one that is not easily observed), where prearranged signals alert the collector that data is ready for pickup. A Brush Pass is a physical exchange in passing, either with both sides engaging in the deception or with one side unaware of it, typically by engaging a pickpocket to retrieve the data. Another method is the Car Toss, wherein data is tossed into the open window of a passing or slow-moving vehicle. While such methods have their intrinsic vulnerabilities, when employed by professionals with the requisite training they can appear quite natural and be simply effective.
On the more technical end, microphotography, encryption and plain language code (less suspicious, although very limited in its ability to transfer more than simple content) can facilitate data flow. So can steganography (hiding information “in plain sight” within a more complex communication) and spread spectrum communications (information sent, in parallel, at very low power across a set of frequencies, so that only a receiver that knows the schedule can tell when a given frequency will actually carry content). Frequency-hopping spread spectrum is a related technique that does not use any one frequency long enough for interception.
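The steganography mentioned above is easier to reason about with a concrete instance. The following is an added example, not code from the article: it hides a message in the least significant bit (LSB) of 8-bit pixel values and then recovers it. The carrier “image” is a constructed byte array produced from a seeded PRNG rather than a real picture, and the 4-byte length header is this example’s own framing convention, not a standard.

```python
"""LSB steganography demo: hide a message in the least significant bits of
8-bit pixel values, then recover it.  Added example; the carrier below is a
constructed byte array (seeded PRNG), not a real image, and the 32-bit length
header is an assumption of this example, not a standard format."""
import random

HEADER_BITS = 32  # message length prefix, in bits


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytes:
    """Return a copy of `cover` whose pixel LSBs carry len(message) || message."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message too long for carrier")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit   # clear the LSB, then set it to the payload bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the LSB stream back: first the 4-byte length, then that many bytes."""
    def read_bytes(start_bit: int, n: int) -> bytes:
        vals = bytearray()
        for b in range(n):
            v = 0
            for k in range(8):
                v = (v << 1) | (stego[start_bit + b * 8 + k] & 1)
            vals.append(v)
        return bytes(vals)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if HEADER_BITS + length * 8 > len(stego):
        raise ValueError("declared length exceeds carrier; not a valid stego stream")
    return read_bytes(HEADER_BITS, length)


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel change; LSB embedding never alters a pixel by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(n_pixels: int = 4096, seed: int = 1) -> bytes:
    """Constructed carrier: n_pixels pseudo-random 8-bit samples."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_pixels))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at dead drop 3, 2100")
    print(extract(stego))
    print("max per-pixel change:", max_pixel_delta(cover, stego))
```

The per-pixel change of at most 1 is why the carrier looks unchanged to a viewer, and also why the technique is fragile: any lossy re-encoding or resizing of the carrier destroys the payload, and a plain LSB stream with no encryption is recognizable to anyone who thinks to read the low bits. In practice the payload would be encrypted first, which is why the list above pairs steganography with encryption rather than treating it as a substitute.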
Just as a card professional can read the idiosyncrasies of an opponent (known as a “tell”), so counterintelligence professionals can read the “tells” of surreptitious collectors. In addition to the traditional techniques above, the following constitute a perpetrator profile. These include the particular work habits of an individual; specifically, a person who continuously works non-standard or uncompensated late hours, or who asks to assist someone outside their area of expertise. Even the amount of data an individual writes to discs or flash drives, or an activity as rudimentary as the volume of paper copying, might be an indicator of nefarious activity. Other tells may be as simple as possessing burst transmission equipment (used to minimize time on the air) or high-gain and/or directional antennas.
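The work-habit and data-volume tells described above are exactly the kind of thing that can be scored from routine audit logs. The following is an added example, not code from the article: it reads a constructed CSV audit log (the field names, event types, thresholds and user names are all assumptions of this example) and flags users who cross limits on off-hours logins, bytes written to removable media, or pages printed.

```python
"""Insider-threat 'tell' scoring over a constructed audit log.  Added example;
the log format (timestamp,user,event,value), the event names and the thresholds
are assumptions of this example, not a real product schema."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample log.  value = bytes for usb_write, pages for print, 0 for login.
SAMPLE_LOG = """\
timestamp,user,event,value
2013-09-02T09:12:00,alice,login,0
2013-09-02T13:05:00,alice,usb_write,2400000
2013-09-02T17:40:00,alice,print,12
2013-09-02T22:51:00,bob,login,0
2013-09-02T23:10:00,bob,usb_write,850000000
2013-09-03T00:02:00,bob,usb_write,910000000
2013-09-03T02:15:00,bob,print,640
2013-09-03T10:00:00,carol,login,0
2013-09-03T10:30:00,carol,print,40
2013-09-03T23:30:00,bob,login,0
2013-09-04T03:00:00,bob,login,0
"""

BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 counts as a normal login hour
OFF_HOURS_LOGIN_LIMIT = 2          # more than this many off-hours logins flags
USB_BYTES_LIMIT = 1 * 1024 ** 3    # more than 1 GiB to removable media flags
PRINT_PAGES_LIMIT = 500            # more than 500 pages printed flags


def parse_log(text: str):
    """Parse the CSV text into (timestamp, user, event, value) tuples."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append((datetime.fromisoformat(r["timestamp"]),
                     r["user"], r["event"], int(r["value"])))
    return rows


def summarize(rows):
    """Aggregate per-user counters for the three tells we can see in logs."""
    stats = defaultdict(lambda: {"off_hours_logins": 0, "usb_bytes": 0, "print_pages": 0})
    for ts, user, event, value in rows:
        s = stats[user]
        if event == "login" and ts.hour not in BUSINESS_HOURS:
            s["off_hours_logins"] += 1
        elif event == "usb_write":
            s["usb_bytes"] += value
        elif event == "print":
            s["print_pages"] += value
    return dict(stats)


def flag_users(stats):
    """Return {user: [reasons]} for every user who crosses at least one threshold."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["off_hours_logins"] > OFF_HOURS_LOGIN_LIMIT:
            reasons.append(f"{s['off_hours_logins']} off-hours logins")
        if s["usb_bytes"] > USB_BYTES_LIMIT:
            reasons.append(f"{s['usb_bytes'] / 1024 ** 3:.2f} GiB written to removable media")
        if s["print_pages"] > PRINT_PAGES_LIMIT:
            reasons.append(f"{s['print_pages']} pages printed")
        if reasons:
            flagged[user] = reasons
    return flagged


def analyze(text: str = SAMPLE_LOG):
    return flag_users(summarize(parse_log(text)))


if __name__ == "__main__":
    for user, reasons in analyze().items():
        print(user, "->", "; ".join(reasons))
```

On the sample data only one user trips all three limits. Fixed thresholds are the simplest form of this check; a deployed version would compare each user against their own and their role’s historical baseline, since the tell is a change in habit rather than any absolute number. The physical tells in the paragraph (burst transmitters, directional antennas) do not show up in any log and still need a person to notice them.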
Estimates put the value of U.S. secrets misappropriated each year at upwards of $500 million, sapping the lifeblood from the American economy. To exacerbate an already intolerable situation, it is common knowledge that countries such as China and Russia have official government policies of stealing U.S. assets for economic gain. This creates a particularly fertile breeding ground for data exfiltration by trusted insiders.
Many times cyber actors coordinate an external attack to mask the activities of an internal plant, concealing that asset for future compromise or system infection. In many instances the investigation is halted once the external hack is discovered. The same applies to rogue insiders working with independent hackers or hacktivists.
Near Future State: With the use of personal cell phones by workers approaching 50%, and employees conducting more and more company business on such devices, the risk of compromise has risen sharply. The Global System for Mobile Communications (GSM) architecture in particular highlights the fragility of our global cellular infrastructure.
Relatedly, the loss of such devices keeps IT security professionals awake at night. Seven (7) million smartphones are lost each year; only 500,000 are recovered. Combine this with the growing BYOD (Bring Your Own Device) trend, which many organizations even encourage for cost containment, and the problem becomes glaringly apparent and the threat posed by internal bad actors or plants even more crippling. Add the sophistication and utilization of the KVM (Keyboard, Video and Mouse) switch, a hardware device that allows a user to control multiple computers from one or more keyboards, video monitors and/or mice, and the concept of a low-risk, high-yield cyber-enabled crime tool emerges.
“Twelve men have been arrested over an ‘audacious’ alleged plot to steal millions of pounds from a bank by remotely taking control of a computer. A bogus engineer fitted a device called a keyboard video mouse (KVM) to a machine in the Surrey Quays branch of Santander, south-east London, which would have enabled a gang to download data. A KVM typically allows a person to control a number of different computers from a distance.”1
“News that London police have arrested eight men in connection with a £1.3m robbery that allegedly involved taking control of a Barclays Bank computer from a branch on 5 April this year, via a KVM switch, comes soon after the Met arrested a separate gang in the same month for plotting the same type of cybercrime against branches at Santander.”2
Unless neutralized from the outset through implementation of the aforementioned strategies, the infiltration of the malicious insider (particularly one emboldened by emerging technologies) will continue to have a devastating impact on U.S. financial solvency.
1Arrests over ‘cyber plot’ to steal from Santander bank; By: Staff, BBC News-London, September 13, 2013 – http://www.bbc.co.uk/news/uk-england-london-24077094
2Barclays Bank £1.3m KVM Switch Robbery: ‘Banks Weak on Physical Security in Cybercrime Fight’; By: Lianna Brinded, International Business Times, September 20, 2013 – http://www.ibtimes.co.uk/articles/507715/20130920/barclays-eight-arrested-1-3m-kvm-switch.htm