Cyber-HUMINT

CyberHumint refers to the set of skills used by hackers, within Cyberspace, in order to obtain private information while attacking the human factor, using various psychological deceptions. CyberHumint includes the use of traditional human espionage methodologies, such as agent recruitment, information gathering through deception, traditionally known as Humint, combined with deception technologies known as Social engineering.

Background
Intelligence gathering involves a range of specialized approaches - from Signals intelligence (SIGINT), Imagery Intelligence (IMINT), Measurement and Signature Intelligence (MASINT), and Geospatial Intelligence (GEOINT), to Open-source intelligence (OSINT). In many cases, information collected from human sources is still considered highly reliable by intelligence analysts, especially while transforming a collection of disparate data strands into an actionable prevention plan. Mark Lowenthal, a leading intelligence thinker, argues that traditional HUMINT is still considered a crucial element in intelligence, that can significantly tilt the balance of power.

CyberHumint methodology was first coined by Ed Alcantara AFX DBI in Feb 2010. Amit Steinhart argued that the cooperation between skilled HUMINT experts trained with specific HUMINT capabilities, and computer security specialists, who apply "social engineering" techniques, is one of the main advantages of CyberHumint. Steinhart offered a new model of information security strategy that imports concepts from HUMINT espionage, and combines it with social engineering strategies, such as the usage of avatars for agents operating in cyberspace, or information and disinformation spreading through cyberspace.

HUMINT experts often argue that in comparison to the relatively young social engineering concept, HUMINT practices, which had been developed for many years by professionals working at national intelligence services, hold the higher ground in terms of experience, technologies, and practices. New form of cyber capability was created when the technical capabilities of computer experts were combined with the intelligence experience of HUMINT experts.

Strategy orientation
CyberHumint is aimed to effectively defend organizations against APT (Advanced Persistent Threat) attacks. In the beginning of the 2010s, organizations such as the American NSA and British GCHQ have started to invest significant resources into acquiring technological and intelligence capabilities, to help identify cyber aggressors and assess their abilities and tactical skills.

Recently, information security has shifted from building firewalls to build systems, in order to provide real-time intelligence. Most near-future scenarios suggest that organizations who fail to adapt to the systematic cyber approach will find themselves in a critical situation.

In 2011, Andress and Winterfeld drew the attention to the fact that while cyber security experts can deliver extensive reports on Internet risks, most of the alerts are still general, unspecific and do not actually meet the expectations of the specific organization. In addition, cyber security companies locate hackers or cyber attackers only when the attack is already in progress or worse - after a given system has already been damaged or compromised.

The majority of cyber security defenders currently use automatic network scans as a routine measure. A human analyst becomes involved only at the final stage of data-gathering, which means the bulk of the available data will not be analyzed in real time.

Hackers and CyberHumint
The majority of cyber security companies has no access to human operators within the Dark Web. Hence, they do not benefit from the key input of informants and agents provocateurs. These companies do not apply the methods of agent recruitment and agent management, which various national intelligence organizations have developed and used effectively for years.

New information technologies allow hackers to acquire the upper hand in any confrontation with the targeted organization. A case in point is APT ñ Advanced persistent threat, which in impact and devastation equals to a military strike against a civilian entity. Many peripheral defense systems are not capable of recognizing indications of incoming attacks in advance, and cannot intercept the attack during its course. The majority of security systems can only acknowledge the attack after the damage has already occurred.

Most organizations prefer to focus their security efforts on inward-facing protection strategies, in an attempt to prevent attackers from entering the organization's network. Their defense protocols are not designed to protect from attempts to exploit the organization's employees, who have become the main target for willful intelligence gathering. Personal behavior, compromising private situations, work habits, passwords and other private and business information can be easily harvested and used to facilitate an attack against the organization.

The interface between Cyber Experts and CyberHumint
The concept of CyberHumint allows cyber experts and human intelligence specialists to use real-life human sources, both in the gt and within many public or secret online social networks and operating systems. By investigating authentic human sources, intelligence experts and cyber experts can explore the various possible aims of potential attackers and their abilities, by monitoring their electronic activities. Outcomes usually leave much to be desired. Attackers are only identified after the attack has started. In just a handful of cases did companies manage to alert their clients against a pending attack.

CyberHumint involves recruiting human agents and deploying them with strategic efficiency to provide the organization with a clear, focused picture of likely threats and hostile actors with the intention of harming the organization. CyberHumint uses classic HUMINT tactics that had been practiced for more than half a century by the national intelligence agencies. It combines them with hackers' social engineering concepts.

Using CyberHumint requires qualified computer professionals who are well-versed in the behavior patterns, linguistic nuances and conventions accepted within the Darknet, as well as other online networks and subcultures. Conversant computer experts and intelligence specialists work in synchrony to uncover indications of intent, long before it develops into an attack plan, so organizations can decide how, where, and when to expose or incapacitate the potential attackers.