Corporate Intelligence: Bridging the security and intelligence community

Presentation given at Rochester 2600 about the similarities between competitive intelligence/corporate spying and infosec.


  1. Corporate Intelligence: Bridging security and the intelligence community
  2. Overview
     • Corporate spying meets security
     • A corporate spy’s take on the “Intelligence Lifecycle”
       – Define Target
       – Develop Access
       – Process Intel
       – Exit
  3. Take Aways
     • Corporate Intelligence is like social engineering, network security, operational security, OSINT, wrapped into a spy novel
     • Some of the things discussed can directly affect your
       – OPSEC measures
       – Malware analysis techniques
       – Pentesting recon process
  4. Background
     • Every Fortune 500 organization has an intelligence program under some other title
       – Competitive intelligence, corporate intel, business analysis
     • Corporate spies are almost never caught, and almost never convicted, and never serve more than 1 year in a “corporate spy” prison.
  5. Types of Intel Agents
     • Government Employees:
       – CIA, Marines, Homeland security
       – Provide intel and counter intel services
     • Corporate Competitive Intelligence employees
       – Work for an organization to provide intel on their competitors
       – Mostly ethical practices
     • Private Corporate Spies
       – Individuals or private organizations that sell secrets between companies
       – Focused, well paid, completely illegal
  6. The Grey Line: Legality/Ethics
     • Corporate spying is incredulous in terms of Business ethics
     • Many of the things you need to do are not illegal, many are
     • CI ops use humans as sources knowing that they are the ones at risk of being arrested
     • Some Intel operations are full blown hacking (APT!!)
  7. Example Pentesting Process
     Define Target → Gain Access To Target → Exfiltrate Information → Exit
  8. Example Malware Attack Process
     Define Target → Develop Code → Collect Information → Exit
  9. Intelligence Cycle For Spooks
     Define Target → Develop Access → Process Intel → Exit
  10. Define Target → Develop Access → Process Intel → Exit
  11. Defining the target
      • Recon: Intel team collects as much information about the target as possible
      • Goals: Ideal Target information is defined
        – Secret codes
        – Business Plans
      • Entry Points: Identify potential human sources
  12. Technical sources of information
      Benefits:
      • Direct unfettered access to intelligence
      • No middlemen
      • Limited risk of inflation, lying
      • Lower risk of being caught
      Costs:
      • More defense measures are in place compared to HUMINT
      • Clearly defined laws regarding IP, hacking, etc
  13. Humans as a source of information
      Benefits:
      • Information directly from the source
      • Can be the “fall guy”
      • Can circumvent any network security measures
      • Context for intelligence
      Costs:
      • Narrow circle of people in an organization have access to the information you need
      • Possibility for betrayal, lying, or inflating information
      • High maintenance for recruitment and running
      • Possibility of mental breakdown
  14. Looking For Sources to Turn
      • Single Parent Rule: People can justify just about any action, if taken to improve the lot of their children.
      • Disgruntled Employees: Employees whose salaries were cut or who got laid off turn bitter and vengeful
  15. Define Target → Develop Access → Process Intel → Exit
  16. Develop Access
      • Create intel sources
        – HUMINT
        – TECHINT
        – OSINT
        – $otherINT: imagery intel, signal intel, measurement intel
  17. Developing Access: TECHINT
      http://lmgtfy.com/?q=hacking
  18. Developing Access: OSINT
      [redacted] :)
  19. Developing Access: HUMINT
      • Penetrate social circles making it less sketchy to monitor a person’s interactions
      • Study the chosen subject of the source and become adept
      • Define personality type and vulnerabilities:
        – Loud and egotistical
        – Quiet and non-confrontational
  20. 4 Principal Motivators for Betrayal
      • Money: I will pay you $50,000.
      • Ideology: Do it for the greater good of your country!
      • Coercion: If you don’t do this, your wife will find out about your mistress.
      • Ego: I’ve been watching you and you’re the best in the business. I need your help.
  21. RC MICE?
      • Revenge
      • Compromise
  22. Interactive Workshop!
  23. Side Note on Attribution
      • You’re a spy. Act like it
      • Non-Attribution != anonymity
      • Types of non-attribution:
        – Anonymity: no idea who did it
        – Spoof: blame someone else
        – Deniability: oh it was just a bot in China. *shrug*
      • Plausible deniability is good enough for corporate intelligence
  24. Define Target → Develop Access → Process Intel → Exit
  25. Collecting Intel from sources
      • Problems:
        – Phone calls, emails, IRL meetings are basically cleartext
        – You never want to be attributed to knowing or contacting your source (technical or human)
      • Solutions:
        – Establish tradecraft including ways of communicating being turned
        – Use Access Agents; people proxies
  26. Tradecraft
      • Tradecraft: Predefined protocol of interaction between an actor and a handler
      • IRL:
        – Dead drops
        – Secret meeting points
      • Online:
        – Steganography
        – Pre-shared key cryptography
        – (NOT PGP or public crypto!!)
  27. Finding Online People Ready To Turn
      • Ask benign questions for secret information
      • “I’m thinking about buying a new digital Camera, what is Kodak coming out with?”
      • “What kind of IDS does Linode use internally? I’m concerned about sensitive information getting hacked”
      • Question sites:
        – Yahoo Answers
        – Stack Exchange
        – Forums
  28. Intel Processing and Analysis
      [Diagram. Stages: Collection Agents, Data Analyzers, Dissemination. Labels: Turned employee; Network Access & OSINT; Content tagging; Validating Data; Filtering; Report; Action]
  29. Processing vs Analysis
      • Processing: changing, manipulating intel to better fit the operation
        – Normalizing content
        – Extracting keywords
      • Analysis: Generating new information from an existing intelligence source
        – Extracting meta-data from images
        – Determining sex of author
  30. Processing: Natural Language Tagging
      [redacted]
  31. Analysis: Data Validation/Tagging
      [redacted]
  32. Processing: Data Laundering
      • Intel Ops cannot disclose the source
      • Generalize the information into a standardized form (e.g. database table structure)
      • Algorithms can be used to make the content appear to be from an online open source
      • Online services provide obfuscation
  33. Define Target → Develop Access → Process Intel → Exit
  34. Selling Intel
      • Selling information to an organization can never be done to the CEO
      • Never directly present the findings
      • Organizations will always want plausible deniability
        – Blame a mid level VP
  35. Cleanup
      • Decommission operation theater
      • Spin down connection with sources
        – Maintain surveillance after to make sure they haven’t turned
      • Destroy/Scrub all information
        – See Pee
  36. CONCLUSIONS
      Why did this just happen to me?
  37. Example 1: HP Corporate Spying Scandal of 2006
      • CNET published details about HP’s long term strategy
      • Private investigators SE the phone records of the board of directors and journalists
      • Find out that it’s Patricia Dunn who leaked the information
      • Patricia Dunn announced her resignation… in 2 years.
      • The PI was arrested, submitted a “sealed plea”, sentenced to 3 months in prison for obtaining the SSN of a journalist.
  38. Open Organizations
      • Association of Old Crows: Electronic warfare specialists
      • Academy of Competitive Intelligence
        – Have certifications and wargames ($2495)
      • Society of Competitive Intelligence Professionals (SCIP)
      • Armed Forces Communications and Electronics Association (AFCEA)
  39. Final Points
      • Corporate spies run analogous to hacker and malware operations
        – Specialized teams
        – Covert strategies
        – Goal to obtain specific data
  40. Final Points
      • A penetration test is very similar to an intel operation
        – Define target
        – Perform recon
        – Establish loot
        – Exfiltrate
  41. Final Points
      • Counter intelligence tactics can be integrated into your operational security plans
        – Defend against network OSINT attacks
        – Network security
        – Human paranoia
        – Privacy control
