Human Intelligence (HUMINT) in Cybersecurity

Bart Lenaerts-Bergmans - March 23, 2023

What Is Human Intelligence (HUMINT)?

Human Intelligence (HUMINT) is a form of “on the ground” information gathering that uses human sources to collect information. In the context of Threat Intelligence, this can include infiltrating and engaging with threat actors on underground crime networks, forums and marketplaces, chat platforms, and other target environments, including the dark web.

The goal of HUMINT is to gather information about adversaries and their activity to learn more about the humans behind cyberattacks, including their motivations, targets and techniques. This information, especially when used in combination with data and insights gathered from security tools and other telemetry, can be used to help organizations identify risks and thwart attacks.

It is important to note that HUMINT is a formal discipline that requires specialized tradecraft to not only gather useful information but to also employ operational security (OPSEC) — which are measures taken to protect the researcher’s true identity or their affiliations with a company, organization or government agency.

Expert Tip

What the HUMINT Team Hopes to Learn

The researcher strives to answer collection requirements and fill analytical gaps such as:

  • Elicit information about targets and/or victimization
  • Track changes in Tactics, Techniques, or Procedures (TTPs)
  • Identify the actor’s network and contacts
  • Gather profile data to help attribute the actor(s)
  • Assess and test the reliability of claims made by an actor

The Importance of Human Intelligence in Cybersecurity

As threat actors leverage more sophisticated and advanced attack techniques, such as launching signatureless attacks, which are difficult to detect using technology alone, HUMINT has become a necessary component within the cybersecurity strategy.

HUMINT provides several important benefits to organizations and government agencies. These include:

1. Alerting potential victims of an impending attack. Harvesting data from these channels to preempt imminent attacks requires much more than just collecting raw data. With HUMINT, skilled threat hunters can infiltrate these environments to gather more nuanced information about these attackers and their plans and then take the important step of alerting victims to an impending or in-progress attack.

2. Validating data collected from automated intelligence. Adversaries understand the role that security tools play in automating collection of data from target environments. As a result, many have begun to deliberately obfuscate details in posts, such as victim names or domains. HUMINT is needed to discover new trends and validate if data collected by these tools is reliable and complete.

3. Substantiating the attacker’s capabilities. HUMINT also represents extreme value once an organization has been compromised by helping the security team understand claims made by an actor. For example, in the course of a ransomware attack, the actor may claim to have far greater capabilities than they actually do in the hopes of generating a significant ransom payment. In this situation, HUMINT can help the security team validate the actor’s claims and respond accordingly.

4. Supporting law enforcement. Digital crimes are notoriously difficult to investigate and prosecute — especially if the actor is operating in a country other than where the victim is based. HUMINT gathered by a cybersecurity service provider is of extreme value to law enforcement agencies because the security team can share relevant and necessary profile information about the actor. This can include true names, place of residence, citizenship and other important details, when possible.

4 Common Human Intelligence Cybersecurity Use Cases

HUMINT has many functions within the security team. Four common HUMINT use cases include:

1. Digital Risk Protection Service (DRPS): DRPS is one way to proactively protect an organization from cyberattacks. As discussed above, technology alone cannot effectively identify and predict modern, sophisticated attacks. On the other hand, monitoring all underground data with human intelligence alone would simply be impossible. By combining automated collection with HUMINT, one can effectively surface relevant information about key threat activities.

2. Incident response (IR), threat actor eradication and ransomware payments: When an attack occurs — particularly in the case of a ransomware attack — knowing the actor and their capabilities will help inform how the organization responds to the attack. For example, during a ransomware attack, the adversary may make big claims about what data has been stolen or how it could be corrupted. HUMINT can help validate these claims and assist in deciding whether a ransom payout needs to be made.

3. New attack discovery: Actors change tactics and techniques continuously. They also leverage underground communities to look for information to help them carry out attacks — such as exploit and malware development. By monitoring and understanding the type of help these actors need, new attacks can be avoided or stopped before they pose a risk to organizations.

4. Actor graduation: When an actor is named, intelligence analysts use HUMINT to understand the ecosystem, capabilities and motivations of the actor. This knowledge is helpful in tracking their activity, as well as assessing an attack this individual or group is responsible for.


GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and has more than 20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/TippingPoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management and product marketing roles.