About This Blog: This blog is jointly authored by Sean O’Connor, co-author of SANS FOR589: Cybercrime Intelligence, and Jon DiMaggio, Author of the Ransomware Diaries, Analyst1. The blog will explore Human Intelligence’s (HUMINT) role in cybersecurity, detailing its implementation, benefits, and potential risks. We'll highlight real-world examples of HUMINT's effectiveness and address the challenges organizations face when conducting HUMINT operations. One of the focal points of the SANS FOR589 course is how to safely and securely engage with cybercriminal adversaries for the purpose of HUMINT collection.
Introduction
Modern cybercriminals are sophisticated and ever-changing, rendering traditional reactive defenses insufficient. Human Intelligence (HUMINT) is a vital yet underutilized discipline in cybersecurity that can provide organizations a proactive advantage against today's cyber threats. When combined with Cyber Threat Intelligence (CTI), HUMINT can significantly enhance intelligence collection and support an active defense strategy.
This blog explores HUMINT's role in cybersecurity, detailing its implementation, benefits, and potential risks. We'll highlight real-world examples of HUMINT's effectiveness and address the challenges organizations face when conducting HUMINT operations.
What is HUMINT?
HUMINT is the collection of information derived from human sources. While there are several forms of HUMINT operations, we'll focus on those related to the cyber domain. In the cyber domain, HUMINT operations involve direct interaction with cybercriminals, making it riskier than other intelligence disciplines. However, when conducted with proper operational security (OPSEC), HUMINT provides invaluable intelligence rarely obtained through other means, such as signals intelligence (SIGINT) or open-source intelligence (OSINT), which don't require active engagement with another person.
In order to have a strong HUMINT capability, you need experienced operators to support your operational objectives. The individual conducting the HUMINT engagement is called the HUMINT "operator." They're responsible for creating and managing Sockpuppets—online personas used to engage with the real-world cybercriminals who are behind malicious activities. Sockpuppets are a HUMINT operator's best friend and are the primary medium used to engage with target criminals. Sockpuppets are as crucial to a successful HUMINT operation as are the operator's skill and experience. These personas must be believable and credible, and the operator needs strong linguistic, technical, and interpersonal skills. It's worth noting that HUMINT engagements often span long periods of time, as they require building rapport and trust with threat actors.
Despite the higher risks, HUMINT offers unique insights into the individuals and activities behind crimes like data theft, malware development, and ransomware. It can reveal an attacker's mindset, helping you understand their motivations, desires, and ambitions—sometimes even providing information about attacks before they occur. This unique insight is why the rewards of HUMINT operations often outweigh the associated risks.
HUMINT provides context to information gathered from SIGINT, OSINT, and other automated collection technologies that otherwise lack meaning and significance. Often, it takes a human source to fill intelligence gaps and provide valuable insights—this is where HUMINT proves its worth. Still, HUMINT must be balanced well with automated collection capabilities. The more efficiently you balance and complement your collection resources, the more polished and complete your intelligence output will be.
Goal of HUMINT
Many cybersecurity organizations rely on various technical and data-driven methods to gather evidence for their intelligence products. While this approach is often sufficient for less sophisticated, non-persistent threats, it falls short when dealing with advanced threats. These threats pose a greater challenge for organizations, as the data-driven model fails to capture the human element driving the attack. This leaves a significant blind spot in our understanding of these threats.
HUMINT shines a light on this “blind spot” and plays a crucial role alongside advanced technologies. The primary goal of HUMINT is to supply valuable insights into human adversaries, including their intentions, strategies, plans, and motivations, highlighting the importance of the human element in proactive threat detection. For example, you may use HUMINT to establish a relationship with a threat actor to acquire access to infrastructure, forums, data, exploits, and malware, to name a few. The human context/depth that’s acquired cannot be obtained with SIGINT or OSINT alone.
HUMINT Use Cases
There are many ways HUMINT is used in cybersecurity collection. Next, we will highlight several use cases to detail the benefits provided to cybersecurity operations.
Use Case 1: Gain Insight into Ransomware Operations
| Actor | LockBit ransomware gang |
| --- | --- |
| Goal | Engage with the gang's core members to gain insight into the tactics used inside its ransomware operation. |
| Benefit | Traditional cyber operations yield information from attack data and intelligence analysis; HUMINT, however, offers deeper insight into the inner workings of criminal operations and so provides far richer intelligence than conventional methods. |
| Details | In January 2023, Jon DiMaggio conducted a HUMINT operation using Sockpuppets to infiltrate the LockBit ransomware gang. By engaging with the gang's leadership, who believed the researcher was an up-and-coming criminal hacker, he earned the trust of LockBitSupp, the group's leader, and of one of its key affiliates, Bassterlord, who was responsible for significant crimes conducted by the group. DiMaggio identified previously unknown aspects of how the group conducted attacks and gained access to its updated admin panel and newly developed ransomware variant. He assessed its capabilities before its use in real-world attacks and shared the information with law enforcement and government intelligence agencies. Later, DiMaggio published the findings, allowing private sector organizations to better defend against LockBit and understand the human motivations behind its ransomware crimes. |
Use Case 2: Deanonymize Criminals and Support Law Enforcement Investigations
| Actor | The Dark Overlord (TDO) |
| --- | --- |
| Goal | Identify the real-world identity of criminal hackers in support of a law enforcement operation. |
| Benefit | Proper security defenses can prevent many attacks, but they will not mitigate a persistent human attacker. Using HUMINT to infiltrate the operation and obtain information leading to the identity and arrest of the group's leadership, however, will permanently abolish the threat. |
| Details | HUMINT operations can provide access to high-level criminals and penetrate the inner circles of criminal gangs, revealing the real-world individuals behind them. A notable example is Vinny Troia's use of HUMINT to gather information that helped deanonymize the members of "The Dark Overlord" (TDO), a notorious hacker group. TDO leveraged stolen data to lend credibility to false breach claims against companies such as Netflix and Disney and subsequently attempted to extort the organizations. The intelligence Troia obtained through HUMINT engagements played an important role in supporting the indictment and arrest of the gang's leadership. |
Use Case 3: Access and Validate Stolen Data
| Actor | RansomedVC (rVC) |
| --- | --- |
| Goal | Leverage HUMINT operations to gain access to a human attacker and the data they claim to hold so that an extorter's claims can be validated. |
| Benefit | Organizations can use HUMINT to gain access to criminals who steal data and attempt to extort victim companies. The access gained in HUMINT operations allows victims to validate claims made by an attacker. Further, validating the authenticity of both the threat actor and the stolen data allows organizations to assess the damage associated with its sale or exposure. Without HUMINT, organizations would have to rely solely on the word of a criminal threat actor in these situations. Armed with information from HUMINT operations, organizations can make informed decisions on how best to proceed and protect their interests. |
| Details | In January 2024, Jon DiMaggio of Analyst1 used HUMINT to gain the trust of the criminals behind RansomedVC (rVC), a ransomware gang claiming to have breached State Farm Insurance. rVC demanded that the insurance company pay an extortion fee, threatening to sell its customers' personally identifiable information (PII). Through HUMINT, DiMaggio obtained inside information from the gang's leader, who admitted the acquired data contained no PII and granted DiMaggio access to the data. This access allowed DiMaggio to confirm that the entire operation against State Farm was a scam designed to trick the organization into paying a ransom. |
Use Case 4: Gain Access to Criminal Forums
| Actor | Multiple |
| --- | --- |
| Goal | Gain access to closed services and extract intelligence from inside criminal forums. |
| Benefit | Obtaining access to these criminal forums can be a great source of information for cybersecurity investigations. |
| Details | Criminals often plan, recruit, buy and sell stolen data, and obtain attack resources on dark web forums with restricted access. Some criminal forums require another vetted forum member, usually a criminal, to vouch for you before you are granted access. As a security researcher, you can't simply ask a criminal to provide you with a recommendation or invite you to join the forum. You can, however, conduct a HUMINT operation in which you develop a well-crafted Sockpuppet to gain the trust of a criminal present on the forum and convince them to provide access. This is a common method HUMINT operators use to gain access to closed services in the cyber domain. |
Use Case 5: Blend HUMINT and Digital Risk Protection Service (DRPS) for Improved Threat Response
| Actor | Multiple |
| --- | --- |
| Goal | Combine HUMINT with Digital Risk Protection Services (DRPS) to identify risks and threats to targeted organizations and individuals. |
| Benefit | Using DRPS monitoring technology to guide a HUMINT operator to potential forums or markets selling stolen data of interest can reduce the time involved in identifying, validating, and alerting an organization when its data may be compromised. |
| Details | The combination of DRPS technologies and HUMINT operations allows organizations to quickly identify the sale of sensitive stolen data and provides context into the severity and risk if the data is leaked. Monitoring technologies provide quick leads to potentially sensitive stolen data. However, DRPS technologies can only provide partial information and do not validate the data's authenticity. According to Kurtis Minder, the CEO of GroupSense, "HUMINT provides the context and insight that automated systems often miss, turning raw data into actionable intelligence. By combining automation with human expertise, DRPS can more effectively respond to current threats and stay ahead of evolving risks." For example, an organization can use DRPS to identify the forum or market where data is sold. Using HUMINT operations, an operator can pose as a criminal interested in purchasing stolen data and obtain sample data, allowing them to validate its authenticity. The intelligence value derived from DRPS data and from HUMINT collection is far greater when the two are used together. |
Use Case 6: Perform Overt HUMINT Collection
| Actor | Multiple |
| --- | --- |
| Goal | Overt HUMINT collection is when an organization or individual uses their actual likeness and does not attempt to mask or deceive a target into believing they are someone else. In some rare situations, you may find the need to use your or your organization's authentic identity to engage with threat actors. The goal of these operations varies but includes building rapport, negotiating, and conducting journalistic interviews, to name a few. |
| Benefit | The benefit of overt HUMINT operations is the ability to leverage your or your organization's reputation. Journalists use overt HUMINT to converse with threat actors, leveraging their journalistic reputation to obtain information. Ransom negotiators, similarly, often mask their own identity during negotiations but rarely mask the identity of their employer, the victim organization. |
| Details | Two common situations where overt HUMINT is used are ransom negotiation and cases where a researcher or journalist leverages their personal reputation to shorten the time needed to build rapport and trust and obtain information from an adversary. Example 1 (researchers and overt operations): If a researcher uses covert operations to deceive a criminal and then publishes the findings, those covert resources are exposed, and the published research will likely get the adversary's attention. The researcher could start a new covert operation to continue investigating the same criminal element, but the criminal is now likely suspicious, making it difficult to deceive them a second time. Instead, in the right circumstances, a researcher could approach the criminal directly, as themselves, to continue the relationship. The criminal may be more open to talking when they know who they're dealing with and aren't concerned about being deceived, allowing the researcher to maintain the relationship. This is exactly what Jon DiMaggio did in the Ransomware Diaries with the LockBit criminals. Journalists often act similarly when contacting criminals for interviews or information related to a story they are writing. Example 2 (negotiating an extortion overtly): In most cases, ransom negotiators do not reveal their own identity to the extortionist associated with a ransomware gang. The negotiator does, however, overtly operate as a representative of the victim organization. The criminal understands that the individual is negotiating for the company they represent: the company is not masking its identity, is talking to a criminal, and is obtaining information from its attacker. For these reasons, ransom negotiations such as this are considered overt HUMINT operations. Remember, overt operations carry the most risk and should only be conducted after careful consideration and a thorough risk assessment. |
These examples highlight the critical role of HUMINT in cybersecurity operations. HUMINT proves especially valuable in scenarios such as warning potential victims of imminent attacks—discovered through interactions with threat actors—or assessing an attacker's capabilities. By leveraging HUMINT, organizations can more accurately evaluate threats and gain unique intelligence insights, enhancing their overall security posture.
Note: In addition to use cases detailed here, you can find additional examples and information about HUMINT collection in Intel471’s HUMINT blog, “Gaining the Intelligence Advantage with Cyber HUMINT”.
Risks & Challenges
Not every organization conducting cybersecurity operations should engage in HUMINT. While HUMINT can add incredible value to an organization's intelligence capability and significantly contribute to an active defense, it should only be undertaken after thoroughly defining, understanding, and evaluating the associated risks. Risk-averse organizations may outsource HUMINT collection to better fit their needs. Regardless of how HUMINT collection is obtained, it's important to understand the associated risks and decide what is best for your organization's requirements. Below are some common risks associated with HUMINT operations:
| Risk | Description |
| --- | --- |
| Retaliation from the targeted criminal | Even the most skilled HUMINT operator will likely make a mistake at some point in their career. If this error allows the target to unmask the operator or the organization behind the operation, the criminal may seek revenge. As a result, your company could become the target of a sophisticated attacker. |
| Accidental infection | HUMINT operators spend a lot of time on malicious forums and engaging with criminals. Due to the nature of the work, you could inadvertently become infected with malware even when taking precautions. Accidental infection is more common than you would think and can happen simply by visiting a compromised website or clicking on something you mistakenly believe is harmless. |
| Misinformation | If an attacker is suspicious of your operation, they might feed you misleading or false information, resulting in flawed intelligence. This can waste resources and damage the credibility of your organization. The risk is particularly high when dealing with adversaries who possess counterintelligence capabilities. In situations like this, HUMINT operators can use the "Admiralty System", which we will discuss later in this blog series. For context in this blog, understand that you can use the Admiralty System to "evaluate the quality of your sources and the information they provide". |
| Legal issues | When HUMINT operations involve downloading and validating stolen data, it's important to ensure compliance with privacy and consent laws. While organizations are typically aware of their data handling limitations, it's essential to stay informed about the specific laws and regulations in your jurisdiction to avoid legal complications. Legal issues are the primary reason many organizations outsource HUMINT collection. |
| Personal risks | In situations where an operator is deanonymized, they may face doxxing, where their personal information is exposed by a malicious actor. In extreme cases, they might even receive threats of physical harm. It's important to remember that you're interacting with unethical criminals who are often unstable or mentally ill. HUMINT operations carry significant risks, which escalate dramatically when OPSEC mistakes occur. If you choose this line of work, you must understand the potential worst-case scenarios and take steps to protect yourself. |
These are just a few common risks associated with HUMINT operations, but the list is not exhaustive. Organizations should continually assess the risks specific to their HUMINT operations. Understanding these risks is crucial, and it's equally important to recognize mistakes that can amplify them. Common HUMINT errors that increase risk include:
- Using company-associated resources to conduct HUMINT operations
- Employing unskilled operators without the proper training and experience
- Lacking operator OPSEC discipline
- Lacking preventive safeguards that catch mistakes before they happen
- Missing documentation and standard operating procedures for HUMINT operations
- Allowing personal emotions or beliefs to influence HUMINT engagements
OPSEC: Taking Appropriate Precautions
OPSEC is the best approach to mitigating operational risk. Always remember that OPSEC is the primary defense separating you from your target and should be considered the most important aspect of HUMINT engagements. As previously stated, everyone makes mistakes, but with proper OPSEC, the impact of those mistakes can be significantly reduced.
While it's beyond the scope of this blog to detail every OPSEC precaution, it's important to highlight some of the safeguards you should implement in all HUMINT engagements.
- Conduct operations on an unattributable network that is completely isolated from company systems and data. Also, ensure no personal data or artifacts from previous operations are present on the systems for the current engagement.
- Use clean virtual machines and revert to the initial clean build after every engagement. Artifacts and data obtained should be stored and moved off the HUMINT operational network promptly.
- Always use a trusted VPN and know who manages the service and what information is logged. Some VPN providers make claims about the information they collect and expect you to take their word they are telling the truth. Trusted providers, however, allow for regular auditing by third parties to ensure their claims are accurate. It is important to use a trusted provider and to understand any government or jurisdictional affiliations the provider may have.
- Never use personal attributes or preferences to develop Sockpuppets. We are human, and it's natural to use what is familiar to us. However, you need to ensure this does not happen when it comes to HUMINT.
- Remember, the devil is in the details. Ensure your time zone and keyboard preferences match the attributes and region relevant to your puppet. Do not use a browser-based translation service, as these can easily be identified by administrators of forums and websites. These small details put your operation at risk. If there is a good reason this is not possible, use the proper tools to remove and/or mask these elements to match your puppet's attributes. Further, understand your limitations. Regardless of how you mask or use an online translator, for example, adversaries will quickly distinguish someone using a translator from a native speaker in an active engagement. Always assess your online details and your actual capabilities to determine how you approach HUMINT work.
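Added example (not from the blog or its authors): a pre-session preflight that turns the checklist above into a mechanical check, comparing what the VM presents (time zone, locale, keyboard layout) with the puppet's profile and scanning the operational workspace for leftovers that mention a retired persona. The Persona fields, the environment variables and file consulted, and the sample handles are this example's assumptions.

```python
"""Pre-engagement OPSEC preflight for a HUMINT operator VM (added example)."""
from __future__ import annotations

import os
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Persona:
    """What the Sockpuppet is supposed to look like from inside the VM."""
    handle: str      # forum handle of the puppet
    timezone: str    # IANA zone, e.g. "Europe/Berlin"
    locale: str      # e.g. "de_DE.UTF-8"
    keyboard: str    # XKB layout code, e.g. "de"


def gather_environment() -> dict[str, str]:
    """Best-effort read of what this VM currently presents.

    Only standard sources are consulted (TZ / LANG / LC_ALL / XKB_DEFAULT_LAYOUT
    environment variables and /etc/timezone); anything unreadable comes back as
    "" and is flagged by check_persona().
    """
    tz = os.environ.get("TZ", "")
    if not tz:
        tzfile = Path("/etc/timezone")
        tz = tzfile.read_text(errors="ignore").strip() if tzfile.is_file() else ""
    return {
        "timezone": tz,
        "locale": os.environ.get("LC_ALL") or os.environ.get("LANG", ""),
        "keyboard": os.environ.get("XKB_DEFAULT_LAYOUT", ""),
    }


def check_persona(env: dict[str, str], persona: Persona) -> list[str]:
    """Compare the VM's presentation with the puppet; an empty list means it matches."""
    findings: list[str] = []
    for key in ("timezone", "locale", "keyboard"):
        expected = getattr(persona, key)
        actual = env.get(key, "")
        if not actual:
            findings.append(f"{key}: not set on this VM (puppet needs {expected!r})")
        elif actual.lower() != expected.lower():
            findings.append(
                f"{key}: VM presents {actual!r}, puppet {persona.handle!r} needs {expected!r}")
    return findings


def mentions_retired(name: str, head: str, retired_handles: list[str]) -> bool:
    """True if a file name or its first bytes reference a retired persona."""
    hay = (name + "\n" + head).lower()
    return any(h.lower() in hay for h in retired_handles)


def find_artifacts(root: Path, retired_handles: list[str], head_bytes: int = 4096) -> list[Path]:
    """Walk the workspace for leftovers from previous engagements."""
    hits: list[Path] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            head = p.read_bytes()[:head_bytes].decode("utf-8", "ignore")
        except OSError:
            head = ""
        if mentions_retired(p.name, head, retired_handles):
            hits.append(p)
    return sorted(hits)


def preflight(persona: Persona, retired_handles: list[str], workspace: Path,
              env: dict[str, str] | None = None) -> dict[str, list[str]]:
    """GO/NO-GO report: any mismatch or artifact means do not start the session."""
    env = gather_environment() if env is None else env
    return {
        "mismatches": check_persona(env, persona),
        "artifacts": [str(p) for p in find_artifacts(workspace, retired_handles)],
    }


if __name__ == "__main__":
    import tempfile

    puppet = Persona("nightowl_77", "Europe/Berlin", "de_DE.UTF-8", "de")  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        # constructed leftover from an earlier, now retired, persona
        Path(tmp, "chat_notes.txt").write_text("exported DM log with oldpuppet_1", encoding="utf-8")
        report = preflight(puppet, ["oldpuppet_1"], Path(tmp),
                           env={"timezone": "America/New_York", "locale": "en_US.UTF-8", "keyboard": "us"})
        for line in report["mismatches"] + report["artifacts"]:
            print("NO-GO:", line)
        if not (report["mismatches"] or report["artifacts"]):
            print("GO")
```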
A Day in the Life of a HUMINT Operator
Working in HUMINT is both exciting and fulfilling, but it’s not suited for everyone. When working an engagement, HUMINT operators can’t just clock out at the end of a typical workday. Active operations require a 24/7 commitment, often involving long hours, early mornings, and weekend work. Adhering to a standard 9-to-5 schedule in your time zone can quickly compromise your cover. Before pursuing this career, it’s important to understand that it is highly stressful. You’ll be interacting with real-world criminals and convincing them that you are one of them. They may say and do things that you find offensive, and you must go along with it. Over time, this can take a toll on you.
For example, paranoia is a common—and often necessary—mental state for HUMINT operators. Rather than viewing it negatively, paranoia can be harnessed to maintain operational discipline and ensure operator safety. Embrace it as a tool; don't shy away from it.
Due to the work challenges, burnout is common among HUMINT operators. To thrive in this field, working for an employer who understands the mental toll of HUMINT work is crucial. Employers should recognize that operators need ample time off between active engagements. Acknowledging the demanding nature of HUMINT operations and providing flexibility for adequate downtime is essential for maintaining an operator’s mental health. While this may seem daunting, it's worth noting that those who excel in HUMINT love what they do and find it extremely rewarding.
You may ask yourself, with so many negatives, why would anyone want to be a HUMINT operator? The answer is simple: There is no better feeling than preventing a ransomware attack, stopping the theft of sensitive stolen data, or deanonymizing a notorious criminal resulting in a major federal indictment. You will be tired, paranoid, and anxious, but you won't find a more satisfying profession where you can actually make a difference. HUMINTers make a difference.
HUMINT Sources
Establishing sources is one of the most challenging aspects of HUMINT operations. There are tools and frameworks available to help understand how to exploit human vulnerabilities to establish a source, which we will discuss later in this blog series. For now, let's discuss some of the higher-level operational aspects you will likely encounter when establishing a source in the cyber domain.
One of the most significant challenges many new HUMINT operators face is dealing with criminals who are racist, sexist, or homophobic, and have extreme views. This challenge often crosses boundaries you would never face in traditional cybersecurity work. However, it's important to remember, as a HUMINT operator, you are not you. You are whoever your target needs you to be. This is crucial to understand if you want to establish long-term credible sources. After identifying, profiling, and assessing your potential target, you need a game plan.
Begin by identifying your goals and strategizing how to approach the target. This is where your profiling homework in the previous step proves invaluable and plays a crucial role in developing an effective game plan. Every situation is unique, and your approach should be tailored accordingly. For instance, if your goal is to obtain access to data or a resource the target is selling, they expect inquiries, and you may decide to engage without spending much time building rapport. However, if you're trying to infiltrate a criminal gang, you may need to invest considerable time in building rapport before attempting to obtain sensitive inside information—otherwise, your target may perceive your approach as suspicious.
Remember that not all targets make good sources. Assess the validity, accessibility, and reputation of your potential source. This can be done by assessing the source's "placement and access," combined with assessing their credibility and reliability. Both assessments are supported by HUMINT frameworks that we will cover in a later blog in this series. If a source has a history of lying or providing misleading information, it's crucial to identify these traits early in the engagement. These are just a few factors to consider in HUMINT operations. As you become more skilled in this process, you'll increase your chances of establishing reliable sources. Bruce Lee's philosophy aptly applies to HUMINT work: "Empty your mind, be formless. Shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle." This mindset is essential for a HUMINT operator.
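Added example (not the authors' or Analyst1's code) that serves both the Misinformation row in the risks table and the source-assessment paragraph above: a small ledger that grades sources and their claims with the Admiralty code (source reliability A to F, information credibility 1 to 6), treats a claim as confirmed only when two judgeable sources agree, and feeds proven-false claims back into a source's grade. It goes beyond the page in spelling out those grades; the actionability threshold and the reliability adjustment in resolve() are this example's own policy, and the handles and claims are constructed.

```python
"""Admiralty-code grading of HUMINT sources and their claims (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Admiralty code: source reliability A (completely reliable) .. E (unreliable),
# F (cannot be judged); information credibility 1 (confirmed by other sources)
# .. 5 (improbable), 6 (cannot be judged).
RELIABILITY = "ABCDEF"
CREDIBILITY = range(1, 7)


@dataclass
class Source:
    handle: str
    reliability: str      # starting grade from the placement-and-access review
    true_claims: int = 0
    false_claims: int = 0


@dataclass(frozen=True)
class Claim:
    key: str              # normalised statement, used to match corroborating reports
    source: str
    credibility: int


class Ledger:
    """What each Sockpuppet source told us, and how far to trust it."""

    def __init__(self) -> None:
        self.sources: dict[str, Source] = {}
        self.claims: list[Claim] = []

    def add_source(self, handle: str, reliability: str) -> Source:
        if reliability not in RELIABILITY:
            raise ValueError(f"reliability must be one of {RELIABILITY}")
        self.sources[handle] = Source(handle, reliability)
        return self.sources[handle]

    def report(self, handle: str, key: str, credibility: int) -> Claim:
        if handle not in self.sources:
            raise ValueError(f"unknown source {handle!r}")
        if credibility not in CREDIBILITY:
            raise ValueError("credibility must be 1..6")
        claim = Claim(key, handle, credibility)
        self.claims.append(claim)
        return claim

    def _reports(self, key: str) -> list[Claim]:
        found = [c for c in self.claims if c.key == key]
        if not found:
            raise KeyError(key)
        return found

    def grade(self, key: str) -> tuple[str, int]:
        """(reliability, credibility) for a claim: best reliability among its
        reporters; credibility is the most optimistic value from judgeable
        sources, upgraded to 1 once two distinct judgeable sources agree.
        F-graded sources neither corroborate nor set credibility unless
        nobody else reported the claim."""
        reps = self._reports(key)

        def rel_of(c: Claim) -> str:
            return self.sources[c.source].reliability

        best_rel = min((rel_of(c) for c in reps), key=RELIABILITY.index)
        judged = [c for c in reps if rel_of(c) != "F"]
        if len({c.source for c in judged}) >= 2:
            return best_rel, 1
        return best_rel, min(c.credibility for c in (judged or reps))

    def actionable(self, key: str, max_rel: str = "C", max_cred: int = 2) -> bool:
        """Example policy: act on C-or-better sources and 'probably true' or better."""
        rel, cred = self.grade(key)
        return (rel != "F" and RELIABILITY.index(rel) <= RELIABILITY.index(max_rel)
                and cred <= max_cred)

    def resolve(self, key: str, was_true: bool) -> None:
        """Feed ground truth back into reliability (this example's own rule, not
        part of the Admiralty code): a false claim costs one grade (F becomes E);
        every three true claims with no false ones on record earn one."""
        for handle in {c.source for c in self._reports(key)}:
            src = self.sources[handle]
            idx = RELIABILITY.index(src.reliability)
            if was_true:
                src.true_claims += 1
                if src.false_claims == 0 and src.true_claims % 3 == 0 and 0 < idx < 5:
                    src.reliability = RELIABILITY[idx - 1]
            else:
                src.false_claims += 1
                src.reliability = "E" if idx == 5 else RELIABILITY[min(idx + 1, 4)]
```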
What Questions Can HUMINT Answer?
HUMINT is not intended to be a single collection resource but instead complements other intelligence capabilities such as SIGINT and OSINT. Analysis of HUMINT combined with data from other collection methods produces higher-quality finished intelligence products. Since HUMINT is the only collection capability unrelated to electronic data collection (threat data, email, IOCs, etc.), it can answer questions that other methods can't. HUMINT is particularly useful in filling information gaps left by other collection methods.
In the "Ransomware Diaries" published by Analyst1, researchers used CTI data and HUMINT to uncover many details about the LockBit ransomware operation. However, some questions remained unanswered. For example, Analyst1 wanted to know how affiliates were able to respond to victims so quickly, which was unusual at the time. Affiliates were responding within minutes of the victim's message appearing in the negotiation panel, and it seemed unlikely that they were monitoring the site 24/7. HUMINT provided the answer. Through direct engagement with the gang's leader, Analyst1 learned that affiliates received text messages to a Voice over Internet Protocol (VoIP) number whenever new activity occurred in the negotiation panel. This is just one example of the details uncovered through HUMINT, which, when combined with data analysis from other sources, led to significant findings revealed in Analyst1's report.
Another effective use of HUMINT is to gather information about new threat actor tactics, techniques, or procedures (TTPs) before an attack occurs. As shown in the figure below, HUMINT operators frequently spot TTP changes early, when the attacker is in the planning stages or gathering resources needed to carry out the new tactic. When relying solely on data collection, the TTP is typically only identified during the analysis of incident response data after an attack has taken place.
The time saved through HUMINT enables organizations to defend against attacks more effectively.
One more excellent use of HUMINT is identifying an attack before it happens and notifying potential victims. In 2023, a researcher from Analyst1 conducted a long-term HUMINT engagement with a high-level affiliate associated with several ransomware gangs. By building trust and rapport with the criminal, the HUMINT operator obtained information about two upcoming attacks against US hospitals, including the exact infrastructure the criminals planned to breach and the vulnerabilities that would enable their success. The researcher contacted law enforcement and notified the potential victims. Both hospitals remediated the vulnerabilities and hardened their infrastructure, preventing the attacks. HUMINT made this happen.
Conclusion
Human Intelligence (HUMINT) is a valuable yet often overlooked collection capability in the cyber domain. HUMINT offers valuable insights into human adversaries, including their intentions, strategies, and motivations. It complements traditional data-driven cybersecurity methods and can be used to gain access to criminal forums, de-anonymize threat actors, verify stolen data claims, support law enforcement investigations, and even identify potential attacks before they occur.
One of the most important aspects of HUMINT is source selection. Spending time converting a criminal into a source is meaningless if they are unreliable and provide erroneous or misleading information. Adequately profiling and assessing potential sources is the most effective way to reduce the probability of wasting time on a poor source. Even when you have a high-value target you believe will be a good source of information, you will still need to understand how to exploit their motivations and use various HUMINT techniques and strategies to influence the target successfully.
Despite the challenges involved in HUMINT work, few professions are as thrilling and gratifying as being a HUMINT operator. You will have adventures that most people will never experience.