Understanding the Cyber Intelligence Ecosystem

Technology Evolution

The intelligence world has undergone dramatic change in recent years. The growth in traffic, online platforms, applications, devices and users has made the intelligence gathering process much more complex and challenging.

Today, each individual makes multiple simultaneous online appearances. We operate social media accounts, such as Facebook and Twitter (in Russia there is VK and Odnoklassniki and in China RenRen and QZone). We are also active on professional networks, such as LinkedIn. We participate in discussion groups and forums. We share pictures and videos via dedicated websites, and we process transactions by way of ecommerce sites, etc. This makes it much harder today to track the online footsteps of an individual and connect the dots between his diverse online representations, especially if he uses multiple aliases and email addresses.

Man versus Machine

In today’s virtual world, web-crawlers and automated collection tools have limitations. Don’t get me wrong – they are very important and we are dependent on automated tools in our daily work, but in some areas they simply cannot compete with a human analyst.

I will give you an example – in order to access a particular Russian closed hacking forum, you must write 100 posts, receive a recommendation from the administrator of the forum and finally, pay 50 dollars in Bitcoin. Such a task cannot be accomplished by a crawler or an automated tool. You must have an analyst that understands the relevant ecosystem and who is also familiar with the specific slang or lingo of the forum members. You must know that “Kaptoxa” (“Potato” in Russian) on a deep-web hacking forum does not really mean “Potato”, but rather refers to the BlackPOS – a Point-of-Sale (POS) malware used in the Target attack at the end of last year.

BlackPOS is offered for sale on a Russian closed hacking forum (February 2013)
BlackPOS is offered for sale on a Russian closed hacking forum (February 2013)

Cyber Activity Areas

If we take a look at the threat actors in the world of cyber security, we can roughly divide them into four categories: hacktivists (such as Anonymous-affiliated groups around the world); cyber terrorists (for example, the cyber unit of Hezbollah, and lately we have seen clear indications of al-Qaeda (AQ) attempts to develop a cyber unit within their organization).

Collaboration between Al-Qaeda and Tunisian hackers
Collaboration between Al-Qaeda and Tunisian hackers

A third category is cyber criminals (we have recently heard about cybercrime activities organized by groups in Ukraine, Eastern Europe, China and Latin America). The final category is governments, or state-sponsored groups (such as the Chinese PLA Unit 61398, also known as APT1, or the Izz ad-Din al-Qassam Cyber Fighters, an Iranian hacker group that launched “Operation Ababil” two years ago against the American financial sector).

Today, it is clear that every industry or sector is a potential target for cyber attack, or, as the Director of the FBI said two years ago, “There are only two types of companies: those that have been hacked and those that will be.”

And indeed, we are witnessing attacks on media organizations, public records (and in recent months attacks against healthcare services, mainly for the purpose of extortion), academic institutions, banks, the energy sector, and, of course, government agencies.

These diverse threat actors use the Internet to chat, plan their attacks, publish target lists, and even upload and share attack tools. But where can we find them? They have different online platforms.

Unlike APT campaigns that have almost no online footprint, the strength of hacktivism is its capability to recruit large masses for its operations, using social networks. In recent hacktivist campaigns we have identified Facebook as a “Command and Control” (C&C) platform for the attackers, where they plan the operation, publish a target list and share attack tools.

OpFIFA 2014 Campaign
OpFIFA 2014 Campaign

Cyber terrorists are mostly active on closed, dedicated forums where you must login with a username and password after receiving admin approval. We have experience with such forums in Arabic, Persian and even Turkish.

Cyber criminals, on the other hand, can be found on Darknet platforms, where you need to use a special browser to gain access. They can also be found on password-protected forums that sometimes require an entrance fee, payable in Bitcoin or other crypto-currencies. On these platforms we can find sophisticated attack tools for sale, pieces of advanced code, zero-day exploits, stolen data dumps and more.

Silk Road - the infamous online market on Darknet
Silk Road – the infamous online market on Darknet

Regarding governments or state-sponsored groups, I do not believe that they chat online, and generally speaking they do not leave footprints on the Web. However, we occasionally uncover activities by nation-state actors, such as the Syrian Electronic Army (SEA) or Iranian-affiliated groups.

I would like to argue that in today’s world we must use traditional methods of intelligence gathering, specifically operating covert agents, or virtual spies, throughout the Web – in closed discussion rooms, on secret Facebook pages, in the deep-web and Darknet platforms – in order to obtain quality, relevant and real-time intelligence.

SenseCy is Coming to RSA 2014 to Launch our Cyber Intelligence Portal

Hi All! We are very excited to announce that we are going to the RSA 2014 conference in San Francisco next week, to meet the industry’s brightest and launch our Cyber Intelligence Portal. SenseCy is focused on delivering effective cyber intelligence – our operation is based on strong OSINT and deep Virtual HUMINT capabilities, delivering actionable and relevant intelligence to our customers. Our new Cyber Intelligence Portal, currently in the Beta stages, supplies feed-based intelligence focused on hacktivism, cyber crime and cyber news.

The Hacktivism Feed is generated using our intimate knowledge of hacktivism and hacktivist groups. We are able to provide updates regarding global hacktivist operations, including time-sensitive alerts regarding planned activities (future “Ops”), current activities and traces of past activities (defacements).

Our Hacktivism Feeds include the following elements:

  • DDoS Alerts/Notices
  • Defacement Alerts/Notices
  • Campaign Alerts
  • Hacktivism Tools
  • Data Leakage Alerts
  • Group Alerts

Our Cybercrime Feed provides continual updates with regard to intent, trends and customer information or property being sold or distributed. Our analysts have successfully established the credibility of our virtual entities, resulting in their access to the most restricted underground areas.

The Cybercrime Feeds include the following elements:

  • Malware
  • Exploits/Vulnerabilities
  • Exposure of Client Data on the Underground
  • Certificates

The News Feed is the result of the work of SenseCy analysts, who continuously and meticulously collect information from a wide variety of sources, including cyber security blogs, professional forums and discussion groups, IT security vendor announcements, research papers and academic publications. This constant stream of information is automatically aggregated and then filtered by cyber security experts, to ensure that our clients receive only pertinent information and a concise news feed.

If you are interested in meeting us, or just chatting, drop us a line at info@sensecy.com

See you there!