"Crime is common. Logic is rare. Therefore it is upon the logic rather than upon the crime that you should dwell."
-- Sherlock Holmes in "The Adventure of the Copper Beeches"
Human Intelligence and the Cyber Domain
NATO's definition of HUMINT (Human Intelligence):
"A category of intelligence derived from information collected and provided by human sources."
In traditional intelligence operations, HUMINT consists typically of interrogations and conversations with the target person in an effort to acquire useful information. But in today's day and age, computers have become an increasingly common interface between targets. Not only has technology changed the game, it has ushered in the need to reexamine some of the classic methodology behind HUMINT collection and analysis. In other words, if we want to apply HUMINT in Cyberspace successfully, we must adapt.
Some of the main factors to take into consideration include:
- Body Language (or lack thereof)
- Operations Security (OPSec)
- Empathy and Emotional Measurement
- Language & Culture
The term "cyber" should be defined as domain, specifically the fifth domain that tends to encompass all other domains:
The HUMINT of old requires skills pertaining to interpersonal interaction, social sciences, and psychology. This doesn't necessarily change when interfacing with an online target, but it does raise issues of inferred information versus established information. To counter these issues in cyberspace, we need to conduct preliminary online investigations and compile our information for analysis. Social network analysis can support our efforts to establish general personal relationships. Link analysis is also crucial because it can enable us to assess trusted relationships, activities, resources, and goals. Link analysis tools like Maltego offer automated analysis that generates connections such as domains, websites, email addresses, and other artifacts and their relationships.
In many cases, online HUMINT is useful for interacting with actors who are conducting suspicious activity, as these types of interactions require trust. Many of these actors interact with actors who are conducting suspicious activity, as these types of interactions require trust. Many of these actors interact within groups via forums, chat platforms, emails, and other common forms of online communication. The following skills and initiatives can help us engage more effectively with actors online while facilitating the long-term success of our HUMINT operations:
- Applying social sciences with technologies is crucial. Concepts such as modeling groups and their behaviors can help us strategically obtain possible predictive outcomes
- Like threat modeling in the information security field, mapping a target's or group's behaviors and motivations is an essential starting point in preparing for online HUMINT operations
- Above all else, strategic planning is always a requirement for success
Threat Type Taxonomy
Before we dive into the purely human aspect of cyber intelligence, we need to understand the existing operational online threat types we face an analytical perspective.
When trying to taxonomize basic online threat indicators, an analyst could apply this hierarchical view:
Figure 1: Threat Type Categorization
- Network Indicators
- DNS domains
- IP addresses
- Command and Control Locations
- Host Indicators
- Windows Registry Modifications
- File Modifications
- Little "t" threats
- Exploits/rootkits etc.
- Metasploit with SQLMap
- Mirai DDoS Botnet
- Big "T" threats
- People or group with intent (money, damage, etc.)
Information that leads to:
- Given Birth Name(s)
- Social Security Numbers
- Passport/ID Information
- Biological Fingerprint
- Home Address
- Phone Number
Other important concepts for an analyst include:
Observable: An observable is an event or artifact that may be observed such as an IP Address, file modification, registry key, or network request.
Indicator: An indicator is a pattern of relevant observable activity that is accompanied with contextual information regarding its interpretation and handling. Examples would be:
- Compromised domain
- Spoofed email
- File Hash associated with a specific Trojan
In other words, observables capture what has been seen; the indicator explains why this observable pattern is of interest. 
Today, what many consider to be typical "threat intelligence" simply accounts for network observables, host observables, and other associated artifacts such as discovery time, identified malware type, and additional context. When combined, these components establish indicators.
Most basic threat feeds use both observables and indicators to detect malicious activity on a network or host. When archived over time, this information can build up a searchable history that then can be referenced to classify Little "t" threats and big "T" Threats. Software such as ElasticSearch can help establish this functionality rather quickly.
Example: The little "t" could be the components the adversary uses collectively. The big "T" could include actor classification, such as "APT-28". But before we reach this point we must gather observables and indicators to determine the adversary's tactics, techniques, and procedures (TTPs), otherwise known as the storyline.
Tactics, techniques, and procedures represent a cyber adversary's behavior and method of operation. TTPs often include:
- Attack patterns
After gathering an incident's TTPs we can then begin profiling the adversary. At this point, it becomes possible to track the activities, such as attack campaigns, associated with a specific threat actor. In this manner, TTP's fall into little "t" Threats and assist in establishing the big "T" threats classifiers.
Example: SpyEye Malware
To show a benign (non-active) example of this approach, let’s look at some analysis from an old case regarding SpyEye malware. 
Figure 2 lists the number of globally compromised assets collected over time from SpyEye campaigns  which exhibit pattern similarities for the botnet's C2, admin panel setup, and the binary upload for drive-by use.
Figure 2 Tracking "Warrior" Pattern
Noting the “warrior” path usage in the URLs in Figure 3 showing collected SpyEye campaign URL patterns, we classified this pattern as a common behavior for a specific operator of SpyEye. To go from little “t” to big “T,” we clustered the data together and established a timeline of activity. We named the threat actor and his serial campaign activity “WarDefenderRusky.”
Figure 3: Collected SpyEye Campaign URL Patterns
This example demonstrates how collecting observables, extracting context, performing pattern analysis on the indicators, identifying and classifying the actors’ TTPs enables us to build a profile and track campaigns for an adversary. A substantial amount of additional work gathering information on the adversary’s infrastructure and establishing a relationship with the threat actor led to the attribution and arrest of the developers of SpyEye. 
What About Attribution?
To understand attribution, one needs first to understand the goal, its value, its pitfalls, and how to establish efficient methodologies.
Goals of Attribution
Some wonder about the ultimate effectiveness of attribution, but it is critical for those with handcuffs or cruise missiles. Law enforcement and the military are most likely to be the main audience of useful and accurate attribution information.
However, attributable information is also useful in other ways, such as for tracking similar activity across other properties. Sometimes, articles are used for public relations and marketing purposes that contain attributable information. These are some additional goals for attribution that can help businesses manage risk, such as understanding the adversary’s motivation and the likelihood of their threat. Understanding an adversary’s intent, capabilities, motivations, and patterns will always help deliver more thorough intelligence to support business decisions decision. General goals and benefits of attribution can include:
- To identify and attribute ongoing attacks or intrusions against an individual or group
- To recognize key identifiers or markers that alert on the continuance of action or new actions of an attacker/threat/adversary
Consequently, the steps in adversary attribution to extract observables are:
- Hypothesize potential adversaries or malicious acts
- Identify threats and adversary missions
- Identify the means that would have to be used or have a high probability of being used
- Develop observables for those means
- Identify the most probable individuals or groups based on validated data behind the occurred events
Earlier, we discussed collecting observables and indicators to establish effective TTPs to classify the activity. Some of the challenges you may face typically depend on your role. For example, threat analysts may receive information regarding Indicators of Compromise (IOCs)s but they likely won’t receive timelines of the activity on a hard drive. Digital forensics or incident response teams, however, may have access to this timeline but may not understand how the binaries on the system work—this area of knowledge usually falls under the jurisdiction of a malware analysis team.
Since many indicators, observables, and components of evidence are multifaceted, gleaning their full context, significance, and value often requires cross-functional collaboration among different teams and departments. What would happen if, for example, threat actors were to hack a container? Is there an individual on your or another team with expertise in handling Docker swarms? In situations like these, the different pieces of information provided are siloed from one another. Knowing the limits of the information in your possession is very important, as it can be easy to get caught up in cognitive bias based on a lead you may have. As attribution has many working parts and many players involved, it’s not as simple as gathering only your view of the evidence.
Regardless of your role, having a comprehensive understanding of the following elements of identity can help in achieving attribution:
- Attributed Identity
- Place of Birth
- Biometric Identity
- DNA Profile
- Dynamic Signature
- Biographical Identity
- Life Events
- How a person interacts with structured society
- Education and Qualifications
- Employment History
- Registration of marriage
- Mortgage account
- Property ownership
Classifying groups, behaviors, and motives can help us to better understand these elements of identity.
Classifying Groups, Behaviors, and Motives
The science of behavioral profiling of an online threat actor requires analysis and classification of the patterns of individuals or groups. An example of group classification can start with a very high-level observation that can fit into two categories:
An organized group is a set of actors organized together with different functions to meet a collectively common goal. Examples of these include:
- Organized Cyber Criminal Enterprises
- Cyber Paramilitary factions
- Espionage rings such as APT28
A chaotic group is a set of actors that are not necessarily motivated to collectively enhance the group, but rather are affiliated with the group without a specific driver or goal for the collective. Examples of these include:
- Underground Carding Forums
- IRC established hacking groups
- Cyber Insurgencies i.e., Anonymous
Once we establish group categorization, we can conduct further investigations in an attempt to establish the following actor profiling components:
Figure 4: HUMINT Indicator Analysis Chart
An analysis chart such as the one above provides a methodology to profile actors and groups with a focus on behavior, skills, resourcefulness, motivation, and complexity. When conducting threat analysis, it’s important to consider the victim—such as the nature of the information targeted, the victim system functionality, and the history of the victim. This type of information may provide insight regarding the adversary.
When analyzing a threat, consider the following elements:
- Nature of Information Targeted
- Victim System Functionality
- Similarity to other incidents
- MO, Signature, Content, Patterns
- Utilization of Access
- Data Transfer Technique
- Logging Alteration/Deletion Technique
TTP mapping can lead you to find other incidents that were conducted by the same actor. An example of a TTP mapping methodology is below.
HUMINT collection is vital to understanding today’s threat types. Beyond collection, classification and analysis are also vital not only for achieving concrete results that may lead to attribution but also in helping to defeat the cognitive bias that commonly occurs simply because we are human. As intelligence collection comes from multiple points of sources, including forensics, incident response, honeypots, and general information sharing, understanding what you have and what you’re missing will play well into establishing a full understanding of the threat in front of you.
Part 2 of this series will discuss online perception management and psychological operations (psyops/stratcom) in the online world.
 AAP-6 (2004) - NATO Glossary of terms and definitions
Lance will teach a two-day workhop on how to turn threat intelligence into a defensive component within your overall security program at InfoSec World 2018 in Orlando, Florida. Check out the details on our event website.