An Underground Education

Published in: Technology

  1. An Underground Education: Lessons in Counterintelligence from History's Underworld (@thegrugq)
  2. Agenda
     - Counterintelligence
     - Processes
     - Threats
     - Contributing factors
     - Professional thieves: CI
     - Hackers: CI
  3. Counterintelligence
  4. Processes of CI
     - Basic denial
     - Adaptive denial / insight
     - Covert manipulation
  5. Basic Denial
  6. Prevent the transfer of information to the adversary
     - Primarily proscriptive: don't engage in some behaviour
     - Enough for basic survival
  7. Examples of basic denial
     - OPSEC
     - STFU
     - COMSEC
     - Vetting members to prevent penetrations
  8. "The first breach of security occurs when the opposition becomes aware that information worthy of targeting exists." (Counterintelligence: Theory and Practice)
     Note: once the adversary knows there is something to look for, the game begins. You can't go back underground. :(
  9. Adaptive Denial
 10. Insight into the opposition's techniques and processes
     - Develop countering tactics
     - Analyse the security posture for weaknesses
     - Develop remediations
     - Ongoing process
     Note: a two-pronged approach. On one hand, learn how the adversary works and try to work around their strengths and capabilities; on the other, look at organisational weaknesses and address them. Iterative. Best when there is a penetration into the adversary through which to monitor how they function.
 11. Adjust to remedy unique vulnerabilities and/or adversarial strengths
     - Greatly benefits from access to adversarial know-how
     - Active penetrations of the adversary are very useful here
     Note: Colombian narco traffickers used court discovery heavily to discover the tactics, techniques and procedures of the adversary. The PIRA started to do the same thing later in their struggle, forcing the government to reveal details.
 12. Covert Manipulation
 13. Provide the adversary with false information
     - Deceive the adversary into taking futile action
     - Deceive the adversary into not taking action
     - Mostly irrelevant for hackers; misdirection could be valuable, maybe
     Note: the adversary has multiple channels for receiving information (HUMINT, technical penetrations, open-source intelligence, etc.), so fake signals have to be sent down all of them.
 14. Intelligence Threats
     The capabilities of the adversary are described as "intelligence threats": the means it can use to gain information about the agency.
 15. Intelligence threats
     - Penetrations
     - Technical penetrations
     - Passive surveillance
     - Media exposure
     Note: HUMINT, SIGINT, ... OSINT.
 16. Informants
 17. Intel lingo: penetrations
     - Recruited
     - Inserted
     - Most serious threat
     Note: HUMINT is the biggest threat. Many sources, from forcing someone to "turn state's evidence", to undercover operations, to recruiting someone in place, to defections. LulzSec's collapse ultimately stems from a single individual leaving Anonymous and dumping IRC logs in public.
 18. Technical Monitoring
 19. Wiretaps, etc.
     - Trojans and monitoring software
     - Video / audio surveillance
     - An increasing threat: see media reports of "legal" trojans (FinSpy, etc.)
 20. Surveillance
 21. Passive observation by the local population
     - Dedicated active surveillance teams
     - Not really a threat for hackers or professional thieves
 22. Media Exposure
 23. Media coverage creates an OSINT footprint
     - Can be dangerous for hackers: it raises their profile, which draws adversarial attention
 24. Contributing Factors
     Factors that contribute to a group's CI strengths and vulnerabilities.
 25. Contributing factors
     - Organizational structure
     - Controlled territory
     - Popular support
     - Adversarial capabilities
     - Resources
 26. Organizational Structure
 27. Hierarchical vs. flat
     - Flat can react faster
     - Hierarchical can enforce good practices
     - Flat leads to poor compartmentation
     - Hierarchical increases the value of high-level penetrations
 28. Tight vs. loose
     - Loose: each node has a unique CI signature, harder to attack efficiently
     - Tight: can enforce CI discipline better
     - Loose: can have poor practices and CI resources
     - Tight: can be rigid, introducing systemic CI vulnerabilities
     Note: tightly controlled organisations react slowly and can develop rigid CI practices, which makes them exploitable.
 29. Controlled Territory
 30. Area safe from adversarial intelligence gathering
     - Reduces incentives to develop a robust CI posture
     Note: we'll see that later, with China and Russia.
 31. Popular Support
 32. Active support from the population: housing, food, etc.
     - Passive support from the population: not reporting activity to the adversary
     Note: not really an issue for hackers, but thieves faced a hostile population.
 33. Adversary's Capabilities
 34. Highly capable adversary: strong intelligence capabilities, experienced and knowledgeable
     - Low-capability adversary: floundering, reactionary moves that are ineffective and make people angry
 35. Resources
 36. Adversarial resources available for performing intelligence gathering, analysis and follow-up actions
     - Agency resources for counterintelligence: dedicated CI team(s)
 37. Organizational Learning
     The way adversarial groups learn from and adjust to each other's behaviour is well studied. It is a subset of organizational learning: competitive adaptation.
 38. Competitive Adaptation
     The way these factors and processes interact is called competitive adaptation, as two adversarial groups learn from and adjust to each other's strengths and capabilities.
 39. Adverse environments breed stronger actors
 40. Competitive adaptation
     - Organizations are superior to individuals
     - They can afford some losses and still recover
     - Deeper experience base to draw from (more metis)
 41. Setbacks lead to sense-making and recovery
     - Damage assessments
     - Adaptive denial
     - Setbacks are "flaps" in intel speak
 42. Professional Thieves
     Perfectly suited to their time, they failed to exhibit adaptive denial and to learn from competitive adaptation, and were selected out of modern society. The lesson here for hackers is simple: either adapt where the thieves didn't, or enjoy your fading golden years...
 43. Professional thieves
     - Historical class of professional grifters
     - From the 1890s to the 1940s in America
     - Self-identified as thieves (an honorific)
     - Thieves' argot used to demonstrate membership
     - A large community of practice
 44. Thieves
     - Con men: long con, short con
     - Cannons (pickpockets)
     - Boosters (shoplifters)
 45. Organizational structure
     - Flat
     - Loose
     - Small "mobs" with great individual variation
     Note: autocratic groups survive better than democratic groups in the face of adversarial competition.
 46. Controlled territory
     - Operating inside "fixed" towns
     - Small meeting rooms
 47. Popular support
     - None
     - Relied instead on high-level penetrations of the law enforcement apparatus
 48. Professional thief assets
     - Core skill was "larceny sense": experience-derived cunning
     - Access to fixers and fences
     - Social network with a memory, for vetting members
     Note: example tale of two thieves boosting from a store. Thief A doesn't get the alert from B and already has the item in a suitcase; he sees the shopkeeper, approaches him and demands to see the manager. While A is taken to the manager, B collects the suitcase and leaves. Thief A then acts confused and walks out.
 49. Rules for effective thievery
     - Steal one item at a time
     - Stash it at a drugstore or restaurant
     - Mail it back home to a friend
     - Never keep it at home / in the car
     - Never grift on the way out
 50. Rules, cont.
     - Never draw attention to a working thief
     - Never fail to draw attention to an adversarial threat
     - Failsafe triggers to indicate problems, i.e. arrest
     Note: lots of codes and signs. "Nix" for coppers around; changing the conversation to prevent people ... Always punctual to meetings: the only reason to be late is arrest, so the mob will break up. Always call someone at a fixed time at the end of the day; on failure they assume arrest and start searching.
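The end-of-day call is a dead-man check-in: silence past the agreed time is itself the alarm, and the mob acts on it without waiting for confirmation. The monitor below is an added example written for this page, not code from the deck or from @thegrugq; the member names, deadline and grace period are constructed for illustration. It shows the two design points the rule implies: a timer-driven sweep flags anyone whose deadline passed without contact, and a late call after the alarm is raised does not clear it, because "the only reason to be late is arrest" and a late caller may be under duress.

```python
# Added example (not from the deck): a check-in deadline monitor modelling the
# thieves' failsafe rule "call at a fixed time; on failure, assume arrest".
# All members, times and the grace period below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Member:
    name: str
    deadline: datetime          # the agreed fixed call time
    checked_in: bool = False
    status: str = "ok"          # "ok" or "presumed_arrested"


@dataclass
class Mob:
    # Small tolerance for a late call; anything past deadline + grace is
    # treated as a compromise, not a delay.
    grace: timedelta = timedelta(minutes=0)
    members: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def expect(self, name: str, deadline: datetime) -> None:
        """Register a member and the time by which they must call in."""
        self.members[name] = Member(name, deadline)

    def check_in(self, name: str, at: datetime) -> bool:
        """Record a call. True only for an on-time call from an unflagged member."""
        m = self.members[name]
        if m.status == "presumed_arrested":
            # A call after the alarm was raised does not clear it: the caller
            # may be speaking under duress. Log it and keep the alarm state.
            self.log.append(f"{name}: contact at {at:%H:%M} ignored, already flagged")
            return False
        if at <= m.deadline + self.grace:
            m.checked_in = True
            self.log.append(f"{name}: checked in at {at:%H:%M}")
            return True
        m.status = "presumed_arrested"
        self.log.append(f"{name}: late at {at:%H:%M}, presumed arrested")
        return False

    def sweep(self, now: datetime) -> list:
        """Run on a timer: flag every member whose deadline passed without a call.
        Returns the names newly flagged by this sweep."""
        newly = []
        for m in self.members.values():
            if m.status == "ok" and not m.checked_in and now > m.deadline + self.grace:
                m.status = "presumed_arrested"
                newly.append(m.name)
                self.log.append(f"{m.name}: no call by {now:%H:%M}, presumed arrested")
        return newly

    def compromised(self) -> list:
        return sorted(n for n, m in self.members.items() if m.status == "presumed_arrested")

    def should_disperse(self) -> bool:
        """One missing member is enough: the mob breaks up and starts searching."""
        return bool(self.compromised())


def demo() -> tuple:
    # Constructed scenario: three members agree to call by 18:00, 10 minutes' grace.
    deadline = datetime(2024, 1, 1, 18, 0)
    mob = Mob(grace=timedelta(minutes=10))
    for name in ("alice", "bob", "carol"):
        mob.expect(name, deadline)
    on_time = mob.check_in("alice", deadline - timedelta(minutes=5))   # True
    late = mob.check_in("carol", deadline + timedelta(minutes=25))     # False: flagged
    flagged = mob.sweep(deadline + timedelta(minutes=30))              # ["bob"]: never called
    second = mob.check_in("carol", deadline + timedelta(minutes=40))   # False: alarm stays
    return on_time, late, flagged, second, mob.compromised(), mob.should_disperse()


if __name__ == "__main__":
    print(demo())
```

The sweep is what turns silence into a signal: without it, a member who is arrested before the call time simply never appears in the log. Keeping the alarm sticky after a late contact is the deliberate choice; clearing it would hand an adversary who controls the arrested member a way to stand the mob down.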
 51. Strict rules against informants ("rats")
     - Violent retaliation against "rats" was sanctioned
     - "A professional thief will never say anything dangerous, and someone who is not a professional thief doesn't know anything dangerous to say."
 52. Heavy investment in fixers to handle problems
     - Little or no adaptive denial capability
     - Adversary maintained fixed capabilities
     - No competitive adaptation
     Note: once the adversary changed its game, shedding the corruption and the "old-style police work", the professional thieves' days were numbered. The environment became too hostile to support them in numbers.
 53. Hackers
 54. Organizational structure
     - Flat hierarchy, no commanders
     - Loose group structure
     - Individuals pool resources but act on their own
 55. Controlled territory
     - Nation-state protected hackers: Russia, China, etc.
     - Political protection, e.g. the USA hacking Iran
     - Secure private servers and channels
     - Unmonitored information transfer
 56. Popular support
     - Not relevant: cyberspace is not a "space"
     - Support requires knowledge: who, what, etc.
 57. Counterintelligence
     Denial, insight, manipulation
 58. Basic denial
     - Vetting of members
     - Pseudonymity
     - Limited compartmentation, internal to a group
     - But gossip spreads far and fast
 59. Adaptive denial
     - Limited sense-making from colleagues' busts
     - Over-reliance on technical protections
     - No case, ever, of a hacker penetration of LEO resulting in actionable intel to adapt
 60. Covert manipulation
     - Occasional poor attempts at framing others: the ProFTP "AcidBitches" hack
     - At nation-state level it certainly happens: false-flag attacks. What is the cost of a VPS in Shanghai?
 61. Hacker community of practice
     - Informal community
     - Social groups connected via social media
     - Sharing of metis via formal and informal means: zines, papers, blog posts, chats
 62. Communities of practice
     - Three main hacker communities: English, Russian, Chinese
     - Clustered by language of information exchange
 63. Communities of practice
     - Operate inside controlled territory: Russian, Chinese
     - Operate in a hostile environment: English
     Note: interesting that 2 of the 3 communities operate in controlled territory, where they have carte blanche to operate provided they avoid antagonizing the local authorities.
 64. Community of practice CI
     - Controlled territory provides protection against adversarial intelligence collection
     - It discourages robust operational security practices
     - Hostile environments force adaptation: Darwinian selection
 65. "Favorable elements in any operational situation should be taken advantage of, but not by relaxing vigilance and security consciousness." (Soviet doctrine on clandestine operations)
 66. Learning disabilities
     - Hacker communities of practice have severe learning disabilities
     - Incurious about why colleagues got busted
     - No lessons learned
     - No damage assessment
 67. Learning disabilities, cont.
     - Hacker groups are too compartmented for info sharing
     - Not compartmented enough to prevent intelligence collection
 68. Lessons Learned
 69. Critical secrets
     - Identity
     - Operational secrets: when, how
     Note: these are the things hackers most need to be concerned about.
 70. Hacker CI
     - Focus on basic denial
     - Create virtual controlled territory
     - Political cover for hacking
 71. Conclusion
 72. Adapt or die
 73. Thank you.