
PG - Incorporating Human Intelligence (HUMINT) into An Information Security Team - Aamil Karimi

BSides Las Vegas · 23:36 · 1.1K views · Published 2018-09
About this talk
Incorporating Human Intelligence (HUMINT) into An Information Security Team - Aamil Karimi Proving Ground BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018
Transcript [en]

So we'll start off with just a quick agenda. We'll be covering today a quick intent and purpose, why I'm doing this for you all today. We'll start off with a couple of stories to get things started, of actual real human intelligence operations that have contributed to decision making, supplementing information, intelligence and data from appliances, firewalls, things like that. We'll go into how human intelligence supplements a mature security team, with one more quick story, and then we'll finish off with how HUMINT actually plays a valuable role in information security and data collection, and then we'll open the floor for questions.

So, just a quick background. I started my career in the United States Army Reserves as an all-source intelligence analyst. Awesome, awesome, like in this crowd already, thank you, thank you. Deployed to Afghanistan for 11 months, worked in a detention facility alongside interrogators as their human intelligence analyst. So basically they would get information from detainees, I would corroborate it or deny it with information that was being collected from the field, pretty much telling the interrogators, hey, your detainee is a high-value target, or he's just full of it, we need to move on. After I came back from that I joined, I didn't join, I got a position with Air Force OSI, went to Afghanistan to work for them for four years, and then after I was done with the Air Force I went over to USSOCOM, still in Afghanistan, for another two years in a human intelligence analysis capacity. So a lot of time in Afghanistan. Came back to the private sector in 2012, and here we are today.

So human intelligence, broken down real simply, is just data and information that's collected from human sources, right? So today we're going to demonstrate the value and role of human intelligence, and I'll be showing you this through stories and real-life scenarios of how human intelligence has played an important position in information security, as well as how leaders can explore developing a human intelligence function within your information security team.

Awesome. So for the first story, we'll get started. There's actually a practice in certain countries where individuals, usually based in the US, contact someone in another country, their home country (India is pretty prevalent in this one), and they hire what we call a proxy interviewer. Basically this candidate really doesn't have the job skill set for the position they're applying for. They'll go online; there's a network of people that actually do a pay-to-play type thing, where the candidate will pay an individual money to sit in and do the interview for them. And this actually works very well for remote positions, because many times your HR representative or your hiring manager really doesn't see the employee face to face when they're remote. So they take advantage of these vulnerabilities by calling somebody to sit in for them during the interview, and the person that's interviewing the candidate, who's really the proxy, has no idea that that's not the person that's actually applying for the job.

So we had a group of researchers that came across a situation like this. They actually got contact information and they reached out to one of these proxies via WhatsApp. So you can just kind of see the chatter. It's a little blurry; this was actually taken from a burner phone and it's kind of an older model, so we couldn't just sideswipe and get the copy pasted, we had to take a picture of the screen, and it's a little blurry because of that. But there's just basic introductory chatter: hey, I'm interested in a DevOps position, what do you got, what can you do for me? And during the course of the conversation these researchers were able to get a full scope of what the threat actor's pricing structure was, what tools and expertise the proxy himself was specializing in, and also video samples of previous interviews that this proxy interviewer had done before. And while the conversation was going on, with questions and answers going back and forth, the proxy actually just gave these researchers two URLs. One was a YouCanBook.me page, which is pretty much just a scheduling service. So you go on to this guy's YouCanBook.me page and you schedule what time your interview is, what date, and with who, and with what company, so the guy has all the information he needs. And then he also provided a Google Drive repository of all the videos that were recorded of his previous interviews, and there were like twelve hundred of these videos that he's done. So this guy was racking up money, because I think his pricing was like a hundred bucks an hour or something, so over the course of however many years he's been doing it, he was probably racking up 80, 90 grand, and this guy's living in India, so he's doing okay.

So this is just a screenshot of his YouCanBook.me page. You can see he's proud of himself: he's the king of proxies, he can crack any interview. It's just an introduction to where he lives, he's got ten-plus years' experience in the industry, these are all the technologies that he's proficient in, so there's Azure, Jenkins, Tomcat, all that good stuff. So if you know what job you're applying for, you just look at his own little resume here and you can say, okay, I'm gonna hire this guy because he knows what he's talking about. He's got a success rate of 95%. So basically, out of the 1200 videos that he's allegedly done, if not more, 95% of these people have actually gotten a job with the organization they were interviewing for.

And this is just a screenshot of the Google Drive repository. The one unfortunate thing about this is that they aren't titled the way we would like them to be titled, where we could say, okay, it was for this candidate's name or this company's name, because then we can quickly say, hey, this video is for this organization, and we can notify them, hey, if you hire this individual, he's probably not your guy, you guys need to do some investigation or background checks on him, because he's not who he says he is. So pretty much we took a few videos, downloaded them, watched a couple of them; they're about an hour or so long for the interview. So at the end they were able to get the names of the employers and the companies that the videos, the interviews, were actually for.

So towards the end, as they were wrapping up the conversation, the proxy actually called the researchers on the burner phone, and, like I said, the proxy was from India, so fortunately my team had a guy that could speak the native language. You can probably guess who it is. So he answered the phone and they basically just had a very casual conversation: hey, what's up, yeah, this is the job I'm looking for, why are you in the US, why did you move? These are actually basic casual conversations that people in India have amongst each other, like, are you in the US for school, did your parents move, whatever. So my cultural background actually really helped, and we were fortunate that he was able to provide this information to us, based off a rapport that was being built between the research team and the proxy on the other side. And again, I think the main reason we believed he was trying to call was to verify the identity, make sure there wasn't somebody on the other line just bullshitting and trying to get information, because I think these guys are pretty squirrelly about the people they talk to.

So, moral of the story: how did human intelligence help here? Basically human intelligence was able to identify a particular threat actor, or network of threat actors, what they were doing, how they were doing it, and they were able to take all that information and pass it on to clients and their own organization, telling them, hey, these are vulnerabilities in remote hiring processes. If these are the same gaps that we have, where hiring managers and HR managers are just interviewing employees over video but they're never seeing them, there needs to be a workaround where the employees or the candidates actually go to, whether it's satellite offices, or you fly them in, just to make sure that these people are who they say they are, so you don't end up with a possible insider that might have malicious intent, or somebody that has no idea what they're doing, and then the whole functionality of your team just falls apart because you have somebody that's applying for a senior position and he doesn't know anything.

Another quick story before we get into how to implement human intelligence. So there's an annual hacktivist operation called OpIcarus, as some of you may be aware of. It's an anti-banking hacktivist operation; it happens every year. Most bigger banks aren't vulnerable to this because they use derivative tools, and I'll kind of get into that in a few slides here. So one member of the Information Sharing and Analysis Center, one of the ISAC community members, sent out an email to everybody on the distro saying, hey, we're seeing a bunch of SQL injection, high-level, basically high-level meaning very basic, cross-site scripting scans. Anyone else seeing this? Can anyone corroborate what we're seeing in our event logs? So there was a team of researchers on that email chain as well, and during the same time that this member on the ISAC distro was saying they were seeing SQL injection, there was actually an ongoing hacktivist campaign going on. The reason they knew that is because they had actually built out a source network on social media, so they knew that this thing happens every year, and the timing of the email just was coincidental with the timing of the operation.

Now, just because you have two pieces of information that corroborate doesn't mean they're related, right? Just because A is happening, it doesn't mean it's related to B. You need multiple sets of data and information to actually form a full intelligence picture. So just because they had, hey, there's somebody that's seeing a high level of SQL injection attacks, oh, there's a bigger thing going on, it's because of OpIcarus, you can't do that, because you can have incorrect information, you're gonna get heads spinning, and people are gonna make the wrong decisions within the organization. So I actually use this quote a lot when I'm sending emails to clients, clients that I'm good with and familiar with, as well as to leadership: hey, we're seeing this and we're seeing this, I'm not rolling out the jump-to-conclusions mat just yet, but here's what I think is happening. Just so I have a little bit of, hey, I didn't say it's because of this, it's just my assessment.

So in addition to the events that were happening in the logs, as well as the events of OpIcarus, this research team also identified a target list, which included a list of banks that were going to be targeted during OpIcarus, and a GitHub repository of the tools that were going to be launched during OpIcarus. So like I said earlier, the researchers had already established a network of hacktivists and criminals and whatever, so they just reached out to a couple of them saying, hey, what's going on, what are you guys doing, is this really happening, what's your usual initial entry point for these operations? I guess again they didn't use those words, but they were able to finagle an answer out of that. They reached out to a set of three actors in 2017 as well as in 2018, and the two separate threads of actors confirmed the same information: that SQL injection and cross-site scripting are actually the very initial steps during their, you know, pen testing against companies and targets that they go after during these operations. So you have three pieces of information that are starting to line up right now.

This is just a screenshot of the GitHub repository for OpIcarus that a couple of hacktivists had posted a few years back. You may not be able to read it from the back, but there's a few tools on here that kind of stand out to me personally. There's R-U-Dead-Yet, which is RUDY. It's very old; I think it's a derivative of Slowloris, but it's been out since like 2010, 2011. It's not a very powerful tool in 2018; it doesn't really do much unless you have a small mom-and-pop shop and they just can't take even a little bit of bandwidth coming at their website. You have Xerxes, you have stuff like killapache.py. Most of these are Python-scripted DDoS tools, most of them are dated, but there was also a separate section where there were homemade, customized SQL injection and cross-site scripting tools that seemed to line up with some of the events that this ISAC member was seeing in their logs as well.

And this is actually a screenshot of one of the conversations that the researchers were having with a threat actor. For those of you that can't see the actual screenshot in the back, I kind of typed out what the conversation is. The spelling mistakes are on purpose, just so we're not typing in perfect English and getting called out as, you know, feebs or something, feebs meaning feds. So basically you have the bad guy on the left side here saying, hey, looking for vulnerable banks, I found one, laugh out loud. And the researcher here: hahaha, SQL injection again. So this was actually very key: "SQL injection again" was actually a leading question in order to drive a particular response. They're trying to confirm whether or not it was SQL injection by saying "SQL injection again"; it sort of has that leading-question quality where the threat actor can confirm or deny it, and yes, he fortunately confirmed it was SQL injection. And then they go on, laugh out loud, I hope it wasn't SELECT 1=1. She's thrown out that, you know, command hacker jargon, whatever, just to show that, hey, you, me, same same, we know what we're talking about. He confirms, maybe, laugh out loud, but whether or not he confirmed it was SELECT 1=1, he still confirmed that yes, SQL injection is what we usually throw out, and that's what we were doing recently.

So how did human intelligence help here? We had four pieces of information that corroborated each other. Basically they took the information that was provided by the ISAC member, which was the event logs; they took the information they gathered from their sources and their source networks, which was: there's a big operation going on, here's the tools, here's the techniques, and here's the time frame that we do all these operations; and then they were able to take that information, put it into a nice pretty report, send it to all the members of the ISAC community, also to their clients, to their organization, and give them an idea of, hey, you guys are seeing this, it may be because of this that we're seeing going on, it's OpIcarus. And based off that information organizations can actually make a more informed decision: hey, there's a 90% chance it's OpIcarus, and it's hacktivist tools, this is how we can mitigate it, so people aren't just running around with their heads spinning saying, what do we do about what's going on?

All right, we'll take a break from some of these stories and we'll just kind of go into how human intelligence fits into an information security team. You guys bear with me. This is the F3EAD cycle. It's the intelligence cycle that was created by USSOCOM, Department of Justice, Department of Defense; they all use this in offensive counterterrorism intelligence operations in the battlefield. Basically you have six functions: find, fix, finish, exploit, analyze and disseminate. And the reason I think this works pretty well in information security is you can take all the functions of an information security team and fit them perfectly within each of these steps in the cycle. So for the find, the initial identifying of the target, you have your intel teams, you have your priority intelligence requirements, which is what your intelligence team generates; you have your initial SOC, their analysis team, that are actually sitting monitoring the logs, so the first ones that actually get the information and get the events and see what's going on. And the cycle just goes on, where you keep passing information to certain teams and everybody knows what responsibilities they have in order to get the final product, which is to disseminate the information in a nice coherent intelligence product in order for leadership and your clients to make better informed decisions. That's pretty much the ultimate takeaway for an intelligence collection platform: to drive operations and drive decision-making.

There's actually a simpler model which I've adopted, and this is the Air Force OSI targeting model. It's very similar to the F3EAD cycle that we saw earlier; it only consists of four steps in this cycle: find, fix, track, neutralize. It basically performs the same; in essence it's the same thing, it's just a little bit simpler, neater, for me it works better, that's what I use in my team where I am. So you have the find, fix, track phases of the cycle, and that actually serves as the detection function to me, where you have the intelligence team, your malware analysis team, the analysts, all these guys that are up front getting the information, getting the data as it's coming in. And then the last step, the neutralize, actually serves two functions. It serves a prevention function, which is where your vulnerability assessment, content delivery [inaudible], those guys come in, and then remediation, which is: an event has already happened, now we're just cleaning up, and that's where countermeasures again, incident response, patch management, forensics, kind of step in and take part in that.

Now it sounds a little complicated. You have all these teams that are trying to work in unison, you have an intelligence function and you're trying to adapt it into information security. The best thing that pretty much works for me, and it's very important in the military as well, is communication. If you don't communicate, either your operation won't be successful, or people are going to get hurt, or people are gonna have no idea what to do when an event is actually happening. So communication, to me, I break it down into five simple steps: who, what, where, when and why. That's probably one of the few things I took away from grade school, but when you talk about the five W's when you're communicating, it just gives everybody a full picture of what's going on, when it's going to happen, why it's happening, and it gives leadership and your clients, or whoever you're sharing that information with, a better idea of what's going on in the greater threat landscape, all the information you've collected, and if there's anything they need to do about it. So communication is one of the biggest things that makes intelligence operations in information security as successful as it is. And here's just a graphic of the Air Force OSI model. Like I said, it's cleaner, it's nicer, it works for me.

So one last story before we clean things up here. Has anyone here heard of TheDarkOverlord? It's pretty common. So his claim to fame, actually he's done a lot; he's been active since about 2014, 2015. He's a cybercriminal. Basically he compromises organizations, mostly RDP; brute-forcing RDP is his specialty. He takes sensitive data, credentials that were improperly stored or improperly secured in an organization, takes it, leaks it, demands a ransom, or just sells it to the highest bidder. Most famously he's known for leaking the newest season of Orange Is the New Black last year, so that's where he actually gained most of his fame. There was a group of researchers, again, they had contacts in underground marketplaces, forums and social media, and basically they were interacting with people that were in the game of buying and selling data and sensitive information. So here comes TheDarkOverlord. He's got all this information he wants to sell. The threat researchers here, the HUMINT team, actually had a set of personas that they decided to use as a middleman. Basically they were going to be the data broker between the seller, who was TheDarkOverlord, and a potential buyer, which they claimed they had for TheDarkOverlord. So they reached out to TheDarkOverlord. They had already built a rapport, they had their reputations on these underground websites, so TheDarkOverlord was actually pretty receptive to them reaching out to him saying, hey, we got a buyer for you, how much are you selling it for, what do you have, can you get a sample so we can know what you have is actually legitimate? What he didn't do is send a sample, but what he did provide to the team was a screenshot of some of the data that he had.

Now, what he did, there we go: so he showed a screenshot of the information that he allegedly had, and basically what he messed up on was scrubbing the information. He actually gave away the server name of the organization that he had targeted and that was compromised, as well as admitting that, yeah, I did it via RDP brute-forcing, these companies are stupid, blah blah blah. And based off the improperly censored screenshot that he provided, they were able to narrow down the victim organization as a health care provider in Georgia and Tennessee.

All right, so how did HUMINT help here? Basically three key pieces of information: we had the victim, we had the threat actor, and we had the attack vector. Now, the attack vector was probably the most important part, because if you have the victim and the threat actor and you don't know how the compromise happened, it's easy for another threat actor to come by and do the same thing, and the victim has no idea how it happens. So knowing what the attack vector was allowed the organization to actually close the security vulnerabilities that they had. The information was put together, it was passed to law enforcement, the FBI, it was provided to the client, and the reason I take this one a little bit personally is because six weeks after the breach was privately disclosed to the client and law enforcement, I personally got a letter in the mail saying your personal information may have been exposed as a result of a breach, and it was because of this breach that happened here. The chiropractor's office I was seeing somewhere was part of this health care provider; that's why I got it.

So how does HUMINT play a valuable role in information security? Raw data from human sources is very unique. It's not appliances, it's not signals intelligence. Information security is very signals heavy: you have firewalls, you have appliances, all the latest and greatest appliances you can throw at your environment. This is strictly talking to humans, people on the ground that are right there knowing exactly what's going on and when it's going to happen before it actually happens. It provides that context, those nuances, and, like I said, early indication and warning of a possible threat. You have the threat actor's intent, pretty much what the threat actor hopes to accomplish, as well as the motivation: why is the threat actor doing this, is there a way we can prevent this from happening in the future as well? And then again you can track and assess threat actors' future operations based off pattern analysis.

So this is actually the meme that started this whole presentation for me. SIGINT and HUMINT actually have a very friendly rivalry in the DoD as well. The Department of Defense is very signals heavy, and usually it's, what does SIGINT say? Okay, cool. What is HUMINT saying? Well, whatever. Even though most of the time we corroborate what SIGINT says, it's never "what does HUMINT say" first; always the signals part. And that's how I kind of feel information security is as well. So like I said, not necessarily a friendly rivalry between HUMINT and signals intelligence in the DoD; information security is also very SIGINT oriented. So HUMINT actually comes in as that value-added data to supplement. I'm not saying signals intelligence, firewalls and appliances are bad; it's just that it's just one set of data, and you add human intelligence and you put those two together, now you have multiple sets of data, now you have what I call threat intelligence. So, hashtag threat intelligence is bad, but when you actually take multiple sets of data, then you can say, hashtag threat intelligence: we actually took multiple pieces of data, we put it together, and we actually have a pattern of what's happening and why it's happening.

And from my experience, 100% of the time when I work with veterans that have been in this intelligence industry in the past, you have someone that's been deployed to Iraq and Afghanistan for 12, 18 months doing human intelligence or intelligence analysis for 12, 15 hours a day, seven days a week, they come back with this experience that somebody straight out of schoolhouse just doesn't have, that somebody without that experience just doesn't have. So we have people in the veteran community that are excellent add-ons to information security, and it's a very niche environment; it's not fully realized or recognized just yet, but all it takes sometimes is a good leader with a vision. That's how I got my start: I had an individual that knew what human intelligence was all about, he took a chance, and now we're growing as a team.

And these are just some ambassadors of human intelligence, cyber intelligence, people that I consider my mentors or people that I respect a lot. We had Fred Stone, who is one of the pioneers of cyber intelligence; most of you are probably familiar with the Jester, he did a lot of good work with taking down al-Qaeda and ISIS websites in the past. [Name inaudible] is actually a malware reverser and a First Sergeant and a signals person, but she was one of my early mentors in information security. And then you have this right here, that's me, forty miles from the Pakistani border back in 2011. I was running around having fun in Afghanistan. So you can find me on Twitter, I go by Bouguereau. I don't really do too much professional work-related tweeting, but you're more than welcome to message me and ask questions. And if nobody has any questions right now, that concludes my presentation. Thank you so much, thank you so much. [Applause]
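Added example, not part of the talk or its transcript: the "can anyone corroborate what we're seeing in our event logs" step from the OpIcarus story, done over a few constructed Apache-style access-log lines. It flags the basic SQL-injection and cross-site-scripting probes the ISAC member described, then counts them per source and per hour so the log observation can be lined up against a time window a human source reported, which is the second piece of data the talk says you need before calling it. The signatures, the log lines, the IPs and the window are all constructed for illustration; none of them come from the talk, and real probes are noisier than these patterns catch.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not from the talk).
# Two sources send crude SQLi/XSS probes; one source is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Aug/2018:13:01:11 +0000] "GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Aug/2018:13:01:14 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.22 - - [08/Aug/2018:13:02:03 +0000] "GET /accounts?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 89 "-" "sqlmap/1.2"
192.0.2.44 - - [08/Aug/2018:13:05:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Aug/2018:14:10:02 +0000] "GET /login?user=x%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Aug/2018:14:11:09 +0000] "POST /api/v1/items HTTP/1.1" 201 20 "-" "curl/7.61"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures for the "very basic" probes the talk mentions: tautologies,
# UNION-based extraction, comment terminators, and reflected-XSS payloads.
# Illustrative only; a production ruleset would be much broader.
SIGNATURES = {
    "sqli": [
        re.compile(r"""(?i)(['"]|\b)\s*or\s+['"]?1['"]?\s*=\s*['"]?1"""),  # ' OR '1'='1
        re.compile(r"(?i)\bunion\s+(all\s+)?select\b"),
        re.compile(r"(?i)(--|#|/\*)\s*$"),  # trailing comment terminator
    ],
    "xss": [
        re.compile(r"(?i)<\s*script\b"),
        re.compile(r"(?i)\bon(error|load|mouseover)\s*="),
        re.compile(r"(?i)javascript\s*:"),
    ],
}


def classify(path):
    """Return the set of probe classes whose signatures match the URL-decoded request path."""
    decoded = unquote_plus(path)
    return {name for name, pats in SIGNATURES.items() if any(p.search(decoded) for p in pats)}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "ua": m["ua"], "status": int(m["status"])}


def scan(log_text):
    """Return only the parsed requests that match at least one probe signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        classes = classify(rec["path"])
        if classes:
            rec["classes"] = sorted(classes)
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-source, per-hour (UTC) and per-class counts: the numbers you compare against
    a time frame or tool list that came from a human source."""
    by_ip = Counter(h["ip"] for h in hits)
    by_hour = Counter(h["ts"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:00Z") for h in hits)
    by_class = Counter(c for h in hits for c in h["classes"])
    return {"by_ip": dict(by_ip), "by_hour": dict(by_hour), "by_class": dict(by_class)}


def in_window(hits, start_iso, end_iso):
    """Hits whose timestamp falls inside an operation window (ISO 8601 with offset), inclusive."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [h for h in hits if start <= h["ts"] <= end]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ts"].isoformat(), h["ip"], h["classes"], h["path"])
    print(summarize(found))
    # Hypothetical window a source reported for the operation's first wave.
    print(len(in_window(found, "2018-08-08T13:00:00+00:00", "2018-08-08T13:59:59+00:00")), "hits in window")
```

The point of the per-hour bucket is the one the talk makes: a burst of tautology probes on its own is just a burst; it becomes evidence when it lands inside the window and matches the tooling that two independent human sources described.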
