Criminals wishing to remain anonymous must adopt counterintelligence (CI) techniques. There are three basic principles they need to worry about in order to remain out of sight.
This is according to The Grugq, whose presentation at the 8th annual ITWeb Security Summit was entitled "An underground education: lessons in counterintelligence from history's underworld".
He said the three key elements are, firstly, basic denial, or the prevention of transfer of information to your adversary. Second is adaptive denial, or learning about the intelligence strength of your adversary, and using that to adapt. Finally, he cited covert manipulation, or attempting to get your adversary to believe false information.
For basic denial, he advised following a simple rule: don't talk, and don't write things down; this is enough for basic survival. "The first breach of security occurs when the operative becomes aware that information worthy of targeting exists."
For adaptive denial, the techniques are more advanced. It involves insight into how the opposition functions, in particular the techniques and tactics they use. Analyse their security for weaknesses and develop remediations.
Speaking of covert manipulation, he said you need to deceive your adversary into taking futile action, or deceive them into not taking action at all.
Intelligence threats
The Grugq said there are four main intelligence threats: penetration, technical monitoring, passive surveillance and media exposure.
"Informants remain a problem. There are two kinds; the first being recruitment, where you find someone already in a position to give information, and convert them. In this way, many hackers who get caught end up having to assist law enforcement. Inserted penetration is when law enforcement is sent undercover to catch the criminals."
Technical monitoring includes technology such as wiretaps, Trojans and other monitoring software, and video or audio surveillance.
Media exposure, he said, creates awareness and an undesirable footprint. It can be dangerous for hackers because it raises their profiles, drawing unwanted adversarial attention.
Good counterintelligence
Robust CI is dependent on several factors: organisational structure, controlled territory, popular support, and adversarial capabilities and resources.
"For example, when an organisation's structure is hierarchical, it can enforce good CI practice. However, when it's flat, it can react faster. When hierarchical, it increases the value of high-level penetrations, and when flat, it can lead to poor compartmentalisation."
A controlled territory reduces the measures needed to develop robust CI. The adversaries' capabilities and resources also make a difference: a capable adversary with experience and knowledge, such as the CIA or FBI, is far more dangerous. In terms of resources, adversaries who are able to perform intelligence gathering and analysis will be better placed to act.
Staying anonymous
Hackers need to follow certain steps to remain undetected. Firstly, they must vet members before allowing them to join. They need strong pseudonymity or cover. They should limit who knows what, and realise that talk spreads far and fast.
Finally, they must look at what went wrong for other hackers. Too often, hackers have the perception that only idiots get caught and that "it won't happen to me". Rather, learn from others' mistakes to avoid falling into the same trap, he advised.