Your SlideShare is downloading. ×
An Underground education
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

An Underground education


Published on

Some basic counterintelligence lessons and a look at how hackers can improve their CI posture.

Some basic counterintelligence lessons and a look at how hackers can improve their CI posture.

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • examples
  • Counterintelligence: Theory and Practice After the adversary knows there is something to look for, then the game begins. You can’t go back underground. :(
  • Dual pronged approach. On the one hand, learn how the adversary works and attempt to work around those strengths/capabilities On the other, look at organisational weaknesses and address them. Iterative. Best if there is a penetration into the adversary to monitor how they function
  • Colombian narco traffickers used court discovery heavily to discover the Tactics, Techniques and Procedures of the adversary The PIRA started to do the same thing later in their struggles, forcing the .gov to reveal details
  • Adversary has multiple channels for receiving information, have to send fake signals down them all. HUMINT, technical penetrations, open source INT, etc. etc.
  • The capabilities of the adversary are described as “intelligence threats”, that can be used to gain information about the agency.
  • HUMINT is the biggest threat. Many sources, from forcing someone to “turn state’s evidence”, to undercover operation, to recruiting someone in place/defections... lulzsec’s collapse ultimately stems from a single individual leaving Anonymous and dumping IRC logs in public.
  • FinSpy, etc.
  • Factors that contribute to the groups CI strengths and vulnerabilities.
  • Tightly controlled organisations react slowly and can develop rigid CI practices. This means they’re exploitable.
  • We’ll see that later, with China and Russia.
  • Not really an issue for hackers, but thieves faced a hostile population.
  • The way that adversarial groups learn and adjust to each other’s behaviour is well studied. It is a subset of Organizational Learning -- Competitive adaptation.
  • The way these factors and processes interact is called competitive adaptation, as two adversarial groups learn from and adjust to each other’s strengths and capabilities
  • Setbacks - flaps in “Intel Speak”
  • Perfectly suited for their time, failed to exhibit adaptive denial and learn from competitive adaptation. They were darwinialy selected out of modern society. The lesson here for hackers is simple, either adapt where the thieves didn’t or enjoy your fading golden years...
  • Autocratic groups survive better than democratic groups in the face of adversarial competition
  • Example tale of two thieves in boosting from a store. Thief A doesn’t get the alert from B, has item in suitcase already, sees shopkeeper, approaches and demands to see the manager. Is taken to manager, while B collects suitcase and leaves. Thief A is then confused, and walks out.
  • Lots of codes and signs - “nix” for coppers around, changing the conversation to prevent people - always punctual to meetings, only reason to be late is arrest - mob will break up - always call someone at fixed time at end of day, on failure they assume arrest and search
  • “ A professional thief will never say anything dangerous, and someone who is not a professional thief doesn’t know anything dangerous to say”
  • After the adversary changed their game, lost the corruption and the “old style police work”, the professional thieves day’s were numbered. The environment became too hostile to support them in number.
  • Denial, Insight, Manipulation
  • Interesting that 2/3 communities are operating in controlled territory, where they have carte blanche to operate, provided they avoid antagonizing the local authorities.
  • These are the things that hackers most need to be concerned about.
  • Transcript

    • 1. An Underground EducationAn Underground EducationLessons in Counterintelligences fromLessons in Counterintelligences fromHistory’s UnderworldHistory’s Underworld@thegrugq
    • 2. AgendaAgendaCounterintelligenceProcessesThreatsContributing FactorsProfessional Thieves: CIHackers: CI
    • 3. CounterintelligenceCounterintelligence
    • 4. Processes of CIProcesses of CIBasic DenialAdaptive Denial/InsightCovert Manipulation
    • 5. Basic DenialBasic Denial
    • 6. Prevent the transfer of information to theadversaryPrimarily proscriptiveDon’t engage in some behaviorEnough for basic survival
    • 7. OPSECSTFUCOMSECVetting members to prevent penetrations
    • 8. The first breach of security occurs when theopposition becomes aware that informationworthy of targeting exists.
    • 9. Adaptive DenialAdaptive Denial
    • 10. Insight into oppositions techniques/processesDevelop countering tacticsAnalyze security posture for weaknessesDevelop remediationsOngoing process
    • 11. Adjust to remedy unique vulnerabilities and/oradversarial strengthsGreatly benefits from access to adversarialknow-howActive penetrations of the adversary are veryuseful here
    • 12. Covert ManipulationCovert Manipulation
    • 13. Provide the adversary with false informationDeceive the adversary into taking futile actionDeceive the adversary into not taking actionMostly irrelevant for hackersMisdirection could be valuable, maybe.
    • 14. Intelligence ThreatsIntelligence Threats
    • 15. PenetrationsTechnical PenetrationsPassive SurveillanceMedia Exposure
    • 16. InformantsInformants
    • 17. Intel Lingo: penetrationsRecruitedInsertedMost serious threat
    • 18. Technical MonitoringTechnical Monitoring
    • 19. Wiretaps, etcTrojans and monitoring softwareVideo / audio surveillanceAn increasing threatSee: media reports of legal trojans
    • 20. SurveillanceSurveillance
    • 21. Passive observation from local populationDedicated active surveillance teamsNot really a threat for hackers or professionalthieves
    • 22. Media ExposureMedia Exposure
    • 23. Media coverage creates an OSINT footprintCan be dangerous for hackersRaises profile which draws adversarial attention
    • 24. Contributing FactorsContributing Factors
    • 25. Organizational structureControlled territoryPopular supportAdversarial capabilitiesResources
    • 26. Organizational StructureOrganizational Structure
    • 27. Hierarchical vs. FlatFlat can react fasterHierarchical can enforce good practicesFlat leads to poor compartmentationHierarchical increase value of high levelpenetrations
    • 28. Tight vs. LooseLoose, each node has a unique CI signature,harder to attack efficientlyTight, can enforce CI discipline betterLoose, can have poor practices and CIresourcesTight can be rigid, introducing systemic CIvulnerabilities
    • 29. Controlled TerritoryControlled Territory
    • 30. Area safe from adversarial intelligencegatheringReduces incentives to develop robust CI posture
    • 31. Popular SupportPopular Support
    • 32. Active support from the populationHousing, food, etcPassive support from the populationDon’t report activity to the adversary
    • 33. Adversary’s CapabilitiesAdversary’s Capabilities
    • 34. Highly capable adversaryStrong intelligence capabilitiesExperienced and knowledgeableLow capability adversaryFloundering reactionary moves that areineffective and make people angry
    • 35. ResourcesResources
    • 36. Adversarial resources available forPerforming intelligence gatheringAnalysisFollow up actionsAgency resources for counterintelligenceDedicated CI team(s)
    • 37. Organizational LearningOrganizational Learning
    • 38. Competitive AdaptationCompetitive Adaptation
    • 39. Adverse environmentsAdverse environmentsbreed stronger actorsbreed stronger actors
    • 40. Competitive AdaptationCompetitive AdaptationOrganizations are superior to individualsCan afford some losses and still recoverDeeper experience base to draw from (moremetis)
    • 41. Setbacks lead to sense-making and recoveryDamage AssessmentsAdaptive Denial
    • 42. Professional ThievesProfessional Thieves
    • 43. Professional ThievesProfessional ThievesHistorical class of professional griftersFrom 1890s to 1940s in AmericaSelf identify as thieves (honorific)Thieve argot used to demonstrate membershipA large community of practice
    • 44. ThievesThievesCon menLong con, short conCannons (pickpockets)Boosters (shoplifters)
    • 45. Organizational StructureOrganizational StructureFlatLooseSmall “mobs” with great indivudual variation
    • 46. Controlled TerritoryControlled TerritoryOperating inside “fixed” townsSmall meeting rooms
    • 47. Popular supportPopular supportNoneRelied on high level penetrations of lawenforcement apparatus
    • 48. Professional Thief AssetsProfessional Thief AssetsCore skill was “larceny sense”Experience derived cunningAccess to fixers and fencesSocial network with memory for vettingmembers
    • 49. Rules for effective thieveryRules for effective thieverySteal an item at a timeStash it at a drugstore or restaurantMail it back home to a friendNever keep it at home / in carNever grift on the way out
    • 50. Rules, cont.Rules, cont.Never draw attention to a working thiefNever fail to draw attention to an adversarialthreatFailsafe triggers to indicate problems, i.e. arrest
    • 51. Strict rules against informants (“rats”)Violent retaliation against “rats” wassanctioned
    • 52. Heavy investment in fixers to limit handleproblemsLittle/No adaptive denial capabilitiesAdversary maintained fixed capabilitiesNo competitive adaptation
    • 53. HackersHackers
    • 54. Organizational StructureOrganizational StructureFlat hierarchyNo commandersLoose group structureIndividuals pool resources, but act on theirown
    • 55. Controlled TerritoryControlled TerritoryNation state protected hackersRussia, China, etc.Political protection: e.g. USA hacking IranSecure private servers and channelsUnmonitored information transfer
    • 56. Popular SupportPopular SupportNot relevantCyberspace is not a “space”Support requires knowledgeWho, what, etc.
    • 57. CounterintelligenceCounterintelligence
    • 58. Basic DenialBasic DenialVetting of membersPseudonymityLimited compartmentationInternal to a groupBut.. gossip spreads far and fast
    • 59. Adaptive DenialAdaptive DenialLimited sensemaking from colleagues’ bustsOver reliance on technical protectionsNo case, ever, of a hacker penetration of LEOResulting in actionable intel to adapt
    • 60. Covert ManipulationCovert ManipulationOccasional poor attempts at framing othersProFTP AcidBitches hackNation state level, certainly happensFalse flag attacksWhat is the cost of a VPS in Shanghai?
    • 61. Hacker Community of PracticeHacker Community of PracticeInformal communitySocial groups connected via social mediumsSharing of metis via formal and informal meansZines, papers, blogposts, chats
    • 62. Communities of PracticeCommunities of PracticeThree main hacker communitiesEnglishRussianChineseClustered by language of information exchange
    • 63. Communities of PracticeCommunities of PracticeOperate inside controlled territoryRussianChineseOperate in hostile environmentEnglish
    • 64. Comm of P. CIComm of P. CIControlled territory provides protection againstadversarial intelligence collectionDiscourages robust operational securitypracticesHostile environments force adaptationDarwinian selection
    • 65. Favorable elements in any operational situationshould be taken advantage of, but not by relaxingvigilance and security consciousness.Soviet doctrine on clandestine operations
    • 66. Learning DisabilitiesLearning DisabilitiesHacker communities of practice have severelearning disabilitiesIncurious about why colleagues got bustedNo lessons learnedNo damage assessment
    • 67. Learning DisabilitiesLearning DisabilitiesHacker groups are too compartmented for infosharingNot compartmented enough to preventintelligence collection
    • 68. Lessons LearnedLessons Learned
    • 69. IdentityOperational secretsWhenHowCritical SecretsCritical Secrets
    • 70. Hacker CIHacker CIFocus on Basic DenialCreate virtual controlled territoryPolitical cover for hacking
    • 71. ConclusionConclusion
    • 72. Adapt or dieAdapt or die
    • 73. Thank you.Thank you.