
Terrorist, Hacker, Consultant Spy: Applying Intelligence and Counterintelligence Techniques to Cyber Network Operations (CNO)

Joseph Hesse


Modern cyber network operations, whether defensive or offensive, suffer from a unique predicament. As professionals in the field of cybersecurity we are inundated with information overload, defining return on investment, metrics, and politics. All the while we seek the same goals as our physical-world intelligence and counterintelligence counterparts: to protect the secrets that allow our organizations to provide for our way of life. By reframing the context of our daily cybersecurity duties into an intelligence and counterintelligence perspective, regardless of the offensive or defensive nature of the work, we can better protect our organizations by leveraging and applying the centuries-old, well-established fundamentals and practices of the intelligence and counterintelligence professions.

In recent years, thwarting enemies in cyberspace has increasingly been sold to cybersecurity professionals by vendors as innovative solutions to the age-old problems of criminal ventures, espionage, and destructive tendencies. Terminology, products and services have been created, branded, and marketed to disillusioned and sometimes panicked teams to turn a profit rather than to offer what is of real value: actionable intelligence and applicable counterintelligence. Let's turn the page and step up the game on the industry, demand more from our vendors, but most importantly from ourselves.

By building a team and using know-how and technology to leverage the full range of intelligence domains, including SIGINT, HUMINT, OSINT, and COMINT, and applying them to the cyber context we live in daily, we can better enhance our insight, capabilities, and overall understanding of our environments, the threats we face, and the solutions we require to adapt in a quickly developing landscape. This diverse, team-based approach in turn drives decision making across the board, most relevantly in regard to budgets and resource utilization, and helps refocus the priority on security as a proactive domain rather than a reactive action or afterthought. In this session we will demonstrate some examples of how this work is already done, from both a defensive and an offensive perspective.

The theories and practices of counterintelligence are no different, and you may discover that the very foundations of security itself are the roots of the discipline, just as they are of cyber security. It isn't specifically counterespionage we are discussing; we will be providing case studies of specific incidents and analyzing how counterintelligence practices were applied, from both a defensive counterintelligence perspective and an offensive counterintelligence perspective. As is typical with cases of this nature, and as you know from your own work, you never hear about the successes, but you do hear about the failures. Unfortunately we will have to use these failures as examples in our work.

Of particular value to red teamers and blue teamers alike in this session will be the concept of "the intelligence lifecycle" and in particular how it is edified in the cyber operations domain. We will show how to apply the lifecycle to the performance of incident response as well as to a typical penetration test. We will also briefly discuss national security, its definition and uses, and how that context can be shifted into organizational or corporate security. We are going to briefly describe multiple domains of intelligence, how those domains are valid for the purposes of cybersecurity, and furthermore how their theory and practices can be applied in everyday use by reframing the context of our missions to those that support specific information objectives.

The attendee will leave with an understanding of defensive counterintelligence and how the basic tenets of counterintelligence are commonly overlooked by security teams, but most importantly why. We are going to leverage the case study of Ahmed Mansoor and how principles of defensive counterintelligence, unknowingly applied to a cyber threat, prevented a successful intelligence collection effort from occurring against an individual within a human rights organization.

Finally, we will discuss the tenets of offensive counterintelligence and the principles applicable to cybersecurity, specifically detection, deception and neutralization. We will share why you should adopt the strategies and techniques of counterintelligence professionals in your organizations and how, once the perspective of a counterintelligence officer is assumed, personnel can overcome the common pitfalls of routine, politics, and 'tunnel vision' in their daily lives. We will specifically look at a successful criminal operation that allowed for the theft of proprietary technologies from a high-profile organization and how the operation succeeded due to a lack of insight regarding detection and neutralization of the threat. We will also discuss technologies that can be leveraged in environments to assist in neutralizing threats.

About Joseph Hesse

Joseph Hesse works for Cyber Network Defence at DarkMatter.