Monday, June 08, 2009

Counterintelligence Options for Digital Security

As a follow-up to my post Digital Situational Awareness Methods, I wanted to expand on the idea of conducting counterintelligence operations, strictly within the digital security realm. I focus almost exclusively on counter-criminal operations, as opposed to actions against nation-states or individuals.

Those of you who provide security intelligence services (SIS), or subscribe to those services, may recognize some or all of these. By SIS I am not talking about vulnerability notices repackaged from other sources.

Note that some of these approaches can really only be accomplished by law enforcement, or by collaboration with law enforcement. Even taking a step into the underground can be considered suspicious. Therefore, I warn blog readers to not try implementing these approaches unless you are an experienced professional with the proper associations. The idea behind this post is to explain what could be done to determine what one sort of adversary (primarily the criminal underground) knows about your organization. It obviously could be extended elsewhere but that is not the focus of this post.

  1. See who is selling or offering to sell your information or access to your information. This approach is similar to identifying places where credit cards or personally identifiable information are sold. Stepping into the underground and seeing where your company is mentioned is one way to estimate how prevalent your data might be outside your control. This is a passive approach.

  2. Solicit the underground for your organization's data or for access to your organization. By taking this step you ask if anyone would be able to provide stolen data or access to the organization. This is a dangerous step because it may motivate the underground to go looking for data. On the other hand, if your data is freely available you're simply unearthing it. This is the first of the active approaches.

  3. Penetrate adversary infrastructure. By this step I mean gaining entry or control of command-and-control channels or other mechanisms the adversary uses to exploit victim organizations. Security intelligence services do this all the time, but gaining access to a server owned by another organization is fairly aggressive.

  4. Infiltrate the adversary group. An underground organization usually functions as a team. It might be possible to infiltrate that group to learn what it knows about your organization. Acting with law enforcement would be the only real way to more or less "safely" accomplish this task.

  5. Pose as an individual underground member. In this capacity, other criminals with access to your organization's data might come to you. This is exceptionally dangerous too and would only be done in collaboration with law enforcement.

None of these steps are new; you can review success stories posted by the FBI and other organizations to know they work. However, I post them here to reinforce that asset-centric mindset and not just the vulnerability-centric mindset in digital security.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.


Author, Planet Heidi said...

Yep, this is a useful but seldom examined strategy.

I'm doing a whole talk on this theme next month at Toorcon.

Also explore this idea in my Heidi comics.

Peter said...

Certainly a thought provoking post. The increasing sophistication and motives of attackers and defenders is making reading the daily security news like something out of science fiction.

The changing landscape is keeping things interesting that's for sure.

Phil Agcaoili said...

The challenge here is measuring your counterintelligence activity and gauging its effectiveness.

Pentesting/Vuln scanning yields metrics, so do the number of events, alerts, and incidents.

This idea has merit though, but doubt I'd get funding to sustain it.