HUMINT and cybersecurity

Why are we talking about cybersecurity? After all, HUMINT is mainly used to obtain information from people, recruit useful contacts, and many other interesting things. Cybersecurity is usually associated with computer networks, hackers, servers, and other hardware and software.? You may think of various phishing scams, social engineering, and similar techniques that are used to create vulnerabilities in the system through the human factor. And that would be correct. But it can be much more interesting even without specific techniques.?

I had two interesting cases that made me think a lot about everything that was happening at the time and about the further development of my own career path.? ?

So, here's case number 1.?

Almost at the very beginning of my career, I was tasked with researching the state of the cybersecurity products and services market in Ukraine. To make a thorough analysis of popular systems, current challenges, and certification. Simply put, to ask anything from experts in the field who work in different companies. We used to joke that we were going to play call center because the client (we were doing it for USAID) had agreed on a rather long list of questions to ask each expert. And there was more than a dozen of them. Everything seemed simple: we look for experts in top companies in various industries, get their contacts, call them to answer a few questions (this was the first "HUMINT trap" because there were more than 30 questions), ask permission to record the conversation (so that we could write everything down and do analytics), and then follow the script.?

Why am I writing all this if everything is so easy and, frankly, not that interesting? The most exciting thing was the way the "Cybersecurity Experts" reacted. You'll understand why I put it in quotation marks a little further on.?

What did the situation look like from the HUMINT specialist's point of view? We found experts, contacts and were ready to make calls. We were working openly, so there was no mystery shopper, so we didn't have to worry about the cover story. We just take the person from the list, look at the contact phone number and call or pre-arrange it via email, there were different options. We introduce ourselves, say that we work for USAID (to be honest, there were a few other partners there, but I don't remember them) and then follow the script. Have you noticed what could go wrong??

Now let's imagine how it looked from the perspective of a cybersecurity expert. Some unknown number calls and an unknown person says that they work for USAID, they are doing a very important study and "your opinion is very important to us." With email, everything was clearer, but the general idea remains the same. What do you think the expert should do? I suggest you answer in the comments.?

In our case, either because we were such young and cool huminters, or who knows why, almost all the people we called answered us. For about 30 minutes, they hung on the phone and answered our questions. Some more, some less. Some experts were contacted solely through acquaintances and recommendations. But! Out of the entire list of people (there were more than 20), only 1 expert asked for an official letter confirming that we were working for USAID! As if it was supposed to work that way, we confirmed our cooperation and then received important information. Everything was at hand, you just had to ask.?

I was shocked, I didn't believe that it was possible to get quite interesting information from people so easily. If I remember correctly, the official letter was requested by an expert from Arterium company, for which I am very grateful and honored. In other cases, there were quite often answers like "Oh, so you work for USAID, interesting, and what do you want from me?"? ?

There were also some interesting moments when we asked how the cybersecurity system was organized at the enterprise, like what systems you trust and so on, and the answer was "No way, we have a sysadmin, we told him to do everything, he did it. Now we use Gmail. Because the previous mail was hacked."?

I will talk about the second, even more interesting case next time. I think there is something to think about here, too.? ?

??

How often do you trust unfamiliar contacts? ?

P.S. There was another interesting point: we decided to try a "mystery shopper" and see what would happen. And it worked! Imagine a situation where someone writes to you in a LinkedIn from a promoted profile, asking for help. It's cool, you've been approached by an expert, and that's nice, but there may be someone else behind it all. How can you counteract this and not become completely paranoid? This will be discussed in a one of the future posts. ?

And this is only from the point of view of quite ordinary tasks for an analyst and HUMINT expert. Imagine the possibilities of a conventional thief who is not limited by anything??