Leveraging Traditional HUMINT Methodologies in Cyberspace

The field of intelligence gathering has gone through tremendous changes – shifting drastically as, in the era of cyber, most intelligence gathering today takes place online. This shift to the virtual world has led to the adoption of new methods, techniques and tactics, that replaced the ones traditionally used in espionage.

To a large extent, many of the old approaches to intelligence gathering have been replaced. But has this had an impact on the success of the intelligence? More specifically, are traditional HUMINT methodologies still relevant, in a time when cyberspace is the main arena for espionage?

In this post, we’ll have a look at the contrast between (1) classic strategies of HUMINT, and (2) intelligence gathering that relies on some of the classic HUMINT methodologies but adapts them to work in cyberspace.

HUMINT Defined

Human intelligence, or HUMINT, is a term that traditionally refers to intelligence gathered through interpersonal contact – in contrast to disciplines like signals intelligence (SIGINT), imagery intelligence (IMINT) and measurement and signature intelligence (MASINT), which are much more technical.

Typically, HUMINT activities involve human sources and human handlers – interactions with “assets”– i.e., traditional espionage strategies. What’s key here is that classic HUMINT relies on personal meetings and engagements with people that create trust and lead to powerful, long-term relationships, with a high degree of commitment and devotion.

What is Cyber-HUMINT?

Cyber-HUMINT is a different concept, referring to the skills used in the digital space to gain access to interesting or critical information – using a range of deceptive tactics.

Cyber-HUMINT is frequently understood to mean social engineering activities – which, in the context of security, means the psychological manipulation of people into divulging confidential information, or performing actions they do not want to do. On the hacker’s side, these activities are conducted primarily for the purposes of information gathering, fraud, or restricted system access. Frequently, social engineering is used so that hackers can obtain the sensitive information of their targets – like passwords, credit cards, or any information that is valuable to the hacker, and that can be potentially sold or traded online.

On the side of cyber security experts and intelligence analysts, Cyber-HUMINT is leveraged for counterintelligence purposes. At CyberProof, for example, our cyber threat intelligence professionals operate by using Cyber-HUMINT to identify individuals or groups that are secretly trading sensitive information belonging to CyberProof’s customers, as well as those who are conducting other forms of malicious activity.

Applying HUMINT Strategies to Cybersecurity

Cyber-HUMINT has two aspects to it: on the one hand, there are espionage methodologies such as agent recruitment and information gathering through deception; and on the other hand, there is Cyber-HUMINT – the deception methodologies that are commonly referred to as social engineering.

Most professionals involved in cyber security strategy tend to focus on the more technological side of the work, i.e., social engineering. Generally, they neglect espionage methodologies. But by leveraging and combining the two kinds of intelligence work, security professionals operate more effectively – locating potential assets and targeting criminal cells before they reach the stage of developing full attack abilities.

Why Espionage Strategies are Crucial to Cyber-HUMINT

Professional cooperation between HUMINT professionals and cyberwarriors with social engineering experience means leveraging skills that include false identity creation, the identification of human sources, and complex information manipulation – to create a human intelligence structure in the cyberworld.

One of the reasons this is so powerful is that, by combining the HUMINT with social engineering, security and intelligence professionals can operate proactively. They move out of a typically static state of defense – joining hacker communities, darknet forums, and other underground platforms under cover.

Cyber-HUMINT means putting into action the information passively gathered by intelligence analysts and operatives.  Threat intelligence professionals go on the offensive, conducting target profiling and analyzing the target or threat actor, then gaining trust, engaging with the threat actors, and uncovering crucial information that provides preemptive protection from cyberthreats.

This type of intelligence operation contains a lower degree of risk. While physical HUMINT in the “real” world relies on fast decision-making, interactions online generally allow professionals to think through their actions and decisions more carefully.

Avatars Facilitate the Work of Cyber Threat Intelligence Specialists

Avatars – virtual identities, depicted as personalized graphical illustrations representing real-life identities – are used extensively online and are integral to Internet chat and communication platforms. They are inherent to Cyber-HUMINT because, using avatars, people can have an unlimited number of identities and can rapidly create new, assumed identities seamlessly – without requiring the kind of complex operations and extensive resources needed for classic HUMINT.

In counterintelligence efforts, threat intelligence specialists use avatars to impersonate particular hacker profiles or particular people, in order to engage with threat actors and reach the target. Very specific jargon is used in impersonating hackers and other assets that have sensitive information – in different language areas, such as Russian and Chinese.

The Importance of HUMINT in Business Intelligence

The integration of traditional HUMINT methodologies is crucial when hunting down cyber-criminals and identifying cyber security threats to businesses. That’s because the highest level of intelligence gathering requires human interaction and contact – a sensitive process that requires an intuitive and honed ability to understand and analyze people.

Companies can use HUMINT in cyber security incident management in several important ways. They can lower the risk of a potential attack by engaging with threat actors and gaining greater context and a deeper understanding of threats – learning about new hacker tools, tactics, and attacks before they have a chance to cause damage.

If an attack takes place, companies can use Cyber-HUMINT methodologies to engage with threat actors during the investigation of the attack, to gain more information – i.e., to reveal the extent of the damage and its broader impact. When a breach takes place, communicating with threat actors allows companies to understand the extent of the breach and learn how the attacker got into the system. HUMINT methodologies also help companies figure out the source of a leak and, in an extortion attack, it allows companies to identify whether an attacker’s demand for ransom is legitimate.

Thus, the tools and tactics of traditional HUMINT combined with the capabilities provided by the virtual world open up opportunities for identifying criminal behavior. They facilitate taking a more proactive approach to cybersecurity – an approach that focuses on the prevention of attacks, because the best form of mitigation involves stopping the bad actors before they’ve even had a chance to begin.

For an in-depth look at how the CyberProof combines HUMINT (Human Intelligence) tactics with OSINT (Open Source Intelligence)  to contribute to a proactive cyber security defense, download our whitepaper, Why Virtual HUMINT is Vital to Effective Threat Intelligence.

HUMINT whitepaper