Why humans are necessary to the threat hunting process


For thousands of years, humans have worked to collect intelligence on their enemies. Intelligence gathering is not a new practice; in fact, it is one of the oldest war tactics dating back to biblical times, when warlords and army commanders used it to gain advantages over their rivals.

However, the methods have changed as new technologies and new forms of "warfare" have been developed. In recent years, cyber-attacks have created a whole new set of intelligence challenges, especially for corporations, which are not accustomed to the practice of intelligence gathering the way governments are. Yet Cyber Threat Intelligence (CTI) can be critically important to how organizations defend against attacks and uncover their cyber adversaries.

There are many different forms of intelligence gathering, including Open Source Intelligence (OSINT), Signals Intelligence (SIGINT), and Social Media Intelligence (SOCMINT). However, one source of intelligence that's often overlooked is Human Intelligence (HUMINT).

"HUMINT" can be defined as the process of gathering intelligence through interpersonal contact and engagement, rather than through technical processes, feed ingestion or automated monitoring. It's a risky practice that requires a very particular set of skills, but it can provide some of the most valuable intelligence you will collect.

As threat actors' tactics, techniques and procedures (TTPs) and attack strategies change, the one constant behind all attacks is that they are human-driven (at least until Skynet becomes self-aware). Understanding an attacker's motives and tendencies can help organizations make the right strategic cybersecurity decisions.

Automated vs. manual intelligence gathering

In most processes, the more automation you can leverage the better. This is certainly the case when it comes to cyber intelligence, as automation can help you identify and mitigate threats faster. For example, if employee email credentials are leaked online, having a system that can automatically detect the leak and then reset the affected passwords can significantly reduce the time to mitigate that threat. This is an example of operational or tactical intelligence, where a specific threat or risk is identified and specific actions are needed to mitigate it. There are thousands of other examples like this, so building a strong foundation of automation is critical to the success of your cybersecurity program.
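The credential-leak workflow above is a good illustration of why tactical intelligence lends itself to automation. The following is an added example (not code from the original article or from any vendor product) that ingests a leak feed, keeps only current corporate accounts whose leak post-dates their last password change, collapses duplicate sightings, and emits the reset actions an identity provider integration would carry out. The feed lines, the directory, and the example.com domain are constructed sample data; the action records stand in for whatever IdP API (Entra ID, Okta, Active Directory) an organization actually calls.

```python
"""Tactical-intel automation: match a leaked-credential feed against the
user directory and queue forced password resets.

Added example with constructed data. The feed format, the directory and
the action records are assumptions standing in for a real feed and IdP.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List

CORP_DOMAIN = "example.com"  # assumption: the organization's mail domain


@dataclass(frozen=True)
class LeakRecord:
    email: str            # normalised to lower case
    leaked_at: datetime   # when the dump was first observed (UTC)
    source: str           # where it was seen


# Constructed directory: account -> last password change (UTC).
DIRECTORY: Dict[str, datetime] = {
    "alice@example.com": datetime(2023, 1, 10, tzinfo=timezone.utc),
    "bob@example.com": datetime(2023, 6, 1, tzinfo=timezone.utc),
}

# Constructed JSON-lines feed. The leaked password is deliberately never
# copied out of the parsed record: only the identity and the observation
# time are needed to decide on a reset, so the secret is not retained.
SAMPLE_FEED = """\
{"email": "alice@example.com", "password": "Summer2022!", "source": "combo-list-17", "seen": "2023-03-02T11:00:00+00:00"}
{"email": "BOB@Example.com", "password": "hunter2", "source": "paste-site", "seen": "2023-02-15T08:30:00+00:00"}
{"email": "alice@example.com", "password": "Summer2022!", "source": "mirror-of-combo-list-17", "seen": "2023-03-03T09:00:00+00:00"}
{"email": "carol@example.com", "password": "x", "source": "combo-list-17", "seen": "2023-03-02T11:00:00+00:00"}
{"email": "mallory@other.org", "password": "pass", "source": "combo-list-17", "seen": "2023-03-02T11:00:00+00:00"}
not json at all
"""


def parse_feed(text: str) -> List[LeakRecord]:
    """Parse feed lines, skipping malformed ones; normalise e-mail case."""
    records: List[LeakRecord] = []
    for line in text.splitlines():
        try:
            obj = json.loads(line)
            leaked_at = datetime.fromisoformat(obj["seen"])
            records.append(LeakRecord(obj["email"].strip().lower(), leaked_at, obj["source"]))
        except (ValueError, KeyError, TypeError):
            continue  # feeds are noisy; one bad line must not stop the run
    return records


def accounts_needing_reset(records: Iterable[LeakRecord],
                           directory: Dict[str, datetime]) -> Dict[str, LeakRecord]:
    """Return corporate accounts whose leak post-dates their last password change.

    Non-corporate addresses and unknown accounts are ignored. A leak seen
    before the last rotation is treated as already remediated (assumes a
    password-history policy prevents reuse). Duplicate sightings collapse
    to the most recent one so an account is reset once, not per mirror.
    """
    hits: Dict[str, LeakRecord] = {}
    for rec in records:
        if not rec.email.endswith("@" + CORP_DOMAIN):
            continue
        last_change = directory.get(rec.email)
        if last_change is None or rec.leaked_at <= last_change:
            continue
        prev = hits.get(rec.email)
        if prev is None or rec.leaked_at > prev.leaked_at:
            hits[rec.email] = rec
    return hits


def plan_actions(hits: Dict[str, LeakRecord]) -> List[dict]:
    """Build the reset/revoke actions an IdP integration would execute.

    Revoking existing sessions matters as much as the reset: a password
    change alone leaves an attacker's already-issued tokens valid.
    """
    return [
        {
            "account": email,
            "action": "force_password_reset",
            "revoke_sessions": True,
            "reason": f"credential observed in {rec.source} at {rec.leaked_at.isoformat()}",
        }
        for email, rec in sorted(hits.items())
    ]


if __name__ == "__main__":
    for action in plan_actions(accounts_needing_reset(parse_feed(SAMPLE_FEED), DIRECTORY)):
        print(action)
```

On the sample data only alice is queued: her leak is newer than her last rotation, and the two sightings from the list and its mirror collapse into one action citing the most recent source. Bob's credential was seen before his last password change, Carol is not a current account, Mallory is not a corporate user, and the malformed line is skipped rather than aborting the run.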

However, tactical and operational intelligence are not the only forms of intelligence. Strategic intelligence deals with the who and the why behind a cyberattack, which enables you to make better strategic cybersecurity decisions to defend against your adversaries. For example, you might discover that a phishing website was set up to lure your employees into giving away their login credentials. That's tactical intelligence, and you might respond by approaching the domain registrar and requesting a takedown. But that activity doesn't help defend your organization long term, as another phishing domain could be set up the very next day. Discovering that the phishing domain was set up by a state-sponsored Chinese APT group conducting cyber espionage is far more valuable long-term intelligence: it tells you which adversary is targeting you and what they are after, which informs longer-term strategic decisions to defend against future attacks from that group.

Strategic intelligence is often gathered manually, through human-to-human engagement with threat actors. A bot or algorithm cannot engage with threat actors online and blend in as a fellow hacker; it will be sniffed out immediately. This is why manual intelligence gathering and human involvement are necessary to the threat hunting process.

The challenges and risks of HUMINT gathering

Just like any undercover situation, engaging with your adversary is risky. Gaining trust is key, so you need the right story, the right skills and the right background to blend in effectively. If you don't come across as a fellow hacker (for example, by using the community's slang, demonstrating a relevant skillset, and being active at the odd hours its members keep), the community will identify you as an outsider, ban you immediately, and may even attack you in an attempt to expose your true identity. For that reason, persona infrastructure and accounts must be kept strictly separate from your corporate identity and systems, since that linkage is exactly what a suspicious community will dig for. Every dark web community has its own culture and rules of engagement, so you need to be intimately familiar with that culture and language to pass as a fellow threat actor.

For example, my team recently completed a research report titled The Dark Side of Asia, where we used our different avatars and established sources to gain access and conduct research on various Asian dark web communities. To do this, we had to visit chat rooms, black markets, dark web forums and other web channels to engage with threat actors in those regions. By doing so, we were able to uncover some of the primary motivations, common goods and services for sale, and the most influential threat actors across this growing Internet community.

As threats become more global, it’s important to know your adversaries’ motivations, tendencies and tactics, and this intelligence can be uncovered through threat actor engagement and HUMINT gathering.

Conclusion

A cyber intelligence program is all about uncovering the who, what, where, when, why and how behind a cyberattack. Tactical and operational intelligence can help identify the what and how of an attack, and sometimes the where and when. But it’s difficult to discover the who and why behind an attack without human involvement and manual intelligence gathering. HUMINT can be used to support longer term, strategic cybersecurity decisions, and should supplement any other intelligence gathering, feed ingestion and cyber reconnaissance activities your team is doing.

Therefore, manual and automated intelligence gathering are not mutually exclusive, but rather, complementary. Both are necessary for an advanced cybersecurity operation, which is why human-to-human research will always be a critical part of the threat hunting process.