Unconventional Communication Framework
In today's digital environment, with state-sponsored threat actors and surveillance programs, there is a growing need for secure and discreet communication that keeps all of the “bad guys” in the world out. This article describes a logical structure to get you started with a more secure communication plan. The Unconventional Communication Framework is broken into four phases (Preparation, Toolkit Development, Execution, Recovery) with sub-tasks in each phase. It can be used as a highly detailed process or as a lightweight guide to secure communication.
The need to secure information, such as tax documents, banking information, a business plan, or that not-yet-published article, is rising. The question you need to ask yourself is: "What do you have that you need to protect?" This article will set you on the right path to secure communication through planning, using the right applications, and implementing real-world techniques that fit your needs.
IBM concluded that 60% of all “attackers” are insiders, whether through malicious intent, carelessness, or lack of knowledge. A lapse in cybersecurity can cost hundreds of millions for big businesses and could force a small business to close up shop permanently. Using freely available tools, the Unconventional Communication Framework can secure business information, personal data, and privacy.
Everyone in competitive business environments must be prepared for today’s threats. Are a company’s digital copies of important or confidential business documents encrypted? Or are they stored on a personal computer that hasn't been wiped in years, or left vulnerable in an email inbox? Business travelers are prime targets for their competitors and malicious foreign state actors. Are you traveling overseas where your presence isn’t welcomed?
Another scenario: a reporter working in a hostile environment, where freedom of speech is met with government action, needs to understand how to communicate with their sources. How do you interact with a source who can't afford to get caught talking to a reporter? Have you considered using encrypted accounts for them? Are those accounts attributable to you or your organization? Do you have a means to pass information outside of email and messaging? Non-technical options for when the network fails? These are all considerations that need to be planned and prepared.
Official personnel living overseas rely on the infrastructure of their host nation, which can be an extension of the host government and its organizations. Foreign governments assuredly gather as much information as they can about foreigners in their country, particularly ones working for outside agencies. Do you have a means to encrypt your online activity when talking with family, or banking? Are you communicating with your team via secure means? Do you have a primary and an alternate plan? What happens when technical means fail?
These examples are simply meant to be used as a representation for thinking about your scenario in a manner you may not have previously considered.
Preparation:
Open Source Intelligence
Open Source Intelligence [OSINT] is the collection and analysis of all information freely available, if you know where to look.
The critical foundation of secure online activity is knowing and understanding your current digital presence. For years, data mining companies have been collecting personal information and selling it online. Big-time marketing firms are buying Personally Identifiable Information (PII) like phone numbers, addresses, and shopping habits, all for pennies on the dollar. These data miners also sell access to this sensitive information to paying public customers, such as investigative organizations. With a little bit of time and effort, steps can be taken to reduce your digital signature. Open Source Intelligence [OSINT] is a type of intelligence collection that gathers data via open sources, most commonly the internet. Conducting a self-assessment is an effective way to understand what information has been made public about you and from what sources. Most of these sources have a means to remove information from their database, with a bit of persistence.
Self-assessment is an important part of OSINT as it pertains to the Preparation Phase. It is the process of becoming a “harder target” by identifying personal digital information in order to then hide, remove, or eliminate what is found. A good way to approach a self-assessment is to change your mindset to that of an investigator. Correlating data between sources is what brings context to an investigation. For example, a common address between two accounts creates a link that can be used to build a larger picture. This is worth noting later on when considering alternate names: they need to be completely isolated from true names, along with all the associated data (i.e. phone numbers, addresses, etc.).
The important factor to understand is that there are analysts, employed by governments and trained to perform OSINT research on potential threats. They have vast resources, specific training, and experience. Certain foreign nationals are targeted right out of an airport simply for being from a particular country.
So, what does COUNTER-OSINT self-investigation/signature reduction look like?
COUNTER-OSINT Process:
Do not limit your resources; all search engines and other resources offer different advantages.
At the minimum, rotate between search engines (Google, DuckDuckGo, Bing, etc.) and use a Virtual Private Network [VPN] to limit linking any searches to real IP addresses. See “Toolkit Development” below for details on VPNs. Take notes on search results and what services you opt-out of.
1. Start with the big search engines and generate some starting points with the following searches:
- Full Name
- Email address
- Phone number
Make note of results and combine with other known data points such as:
- Hometown
- High school/College
- Employer
- Social Media
Example:
Google > Jane Smith
Yahoo > 921-555-8293
Google > [email protected]
Bing > Jane Smith America College 1998
Bing > 921-555-8293 Myspace
Google > 921-555-8293 Dallas
Google > 921-555-8293 Seattle
2. From the data collected, identify which databases you need to be removed from. Common databases:
www.spokeo.com
www.pipl.com
www.whitepages.com
www.beenverified.com
3. Follow the opt-out process, typically found on their FAQ page; it usually involves a verification email.
4. Lock down social media accounts; if you don’t NEED it, REMOVE it:
- Remove all unnecessary data
  - Phone numbers, addresses, etc.
- Remove / change the email address you are using for your bank
  - Create separate email accounts for banking | social media | business | personal
- Remove sensitive photos
- Remove any location data
- Make all accounts private if possible
- End all currently signed-in sessions
5. Verify that the data was removed and that social media accounts were cleaned up and hardened; cross-reference with your notes.
In the Special Operations Forces [SOF] community, intelligence drives operations. Without good information, operations have a higher chance of failure. Similarly, good OSINT provides a solid foundation for a secure digital presence and drives communication operations.
Planning
Planning consists of understanding the end-state, creating a strategy with milestones, and working through a viable path to move forward to reach those milestones.
Before an operation even starts, planning will dictate whether it will be a success or a disaster. Successful planning identifies what hardware and software are required, and researches the best options based on how well they blend into the environment / your persona, how well they secure data, and any budgetary considerations.
Secure communication is founded on understanding the required means and methods of communication. These operational requirements will drive the rest of the operation.
This needs to go further than a secure email service or messaging app. One of the best methods is to write down what application or service you use every time you touch something digital during a day.
- Weather application
- Bluetooth in vehicle
- Note taker
- Music stream
- Internet browser
- Camera
All of these applications have significant vulnerabilities associated with them. Weather applications constantly use GPS data, vehicles maintain Bluetooth (BT) connectivity logs, most note-taking applications are unencrypted by default, and so on. Creating a comprehensive list, up front, of the necessary applications or means of communication is key to success in discreet communication. A basic rule in information security is to have only the necessary software/hardware installed on your device. Less ’ware = less attack surface for threat actors.
Taking this a step further is to understand the operational environment. Similar to how American vehicles would stand out in Europe, American apps will stand out in other countries as well. Facebook is not very popular in Western Europe; however, a very similar app, “Vk”, does exist. If traveling to Asia, WeChat is used like Snapchat in America. This is an important consideration when asking locals to download apps to communicate, as those apps may be rare and stand out in the area.
An important component of planning is determining a baseline of the digital environment. What are the devices on the network? Blending into an environment is usually the best practice. Research smartphone, laptop, and other device sales to determine what is popular locally. Devices are all identified with a hardware address (MAC), which identifies devices on a network and can tie a US phone to the US. This can be an issue when attempting to blend into a foreign environment. A better option would be to use equipment acquired in the environment, or at least from a region whose travelers frequent the area. The Execution phase goes deeper into these options. Some other components to research and consider during planning are:
- SIM cards (some countries request a passport to buy a SIM card)
- Internet Service Providers
- Data plans, contracts, payment options
- Used devices
- Supply chain vulnerabilities
Planning is extremely important and should be conducted as thoroughly as possible within time constraints.
Threat Modeling
Threat Modeling is the process of determining vulnerabilities, threats, and the likelihood of exploitation in order to decide on levels of security and privacy.
Thinking like an attacker, having knowledge of the culture, and placing value on information are all necessary in a robust threat model. A person traveling to France for business with little need for external communication has a very different threat model than someone traveling to Pakistan as an aid worker. The Unconventional Communication Framework pertains to both of these examples and is a combination of risk assessment, digital signature, operational requirements, and threat analysis (local/global). This holistic view allows data in context to influence phase 2 [Toolkit Development] based on risk.
Example: Jane Smith is a financial auditor traveling from the US to Romania to take part in an onsite audit. She will need constant reach-back to her company and personal connections. She also plans to make professional connections for future business development and coordination.
- What is the current socio-political relationship with Romania?
- What is Romanian [civilian/government] sentiment towards her company / Americans?
- What is Jane's publicly available information?
- Does Jane's company provide a laptop? VPN? Secure email?
- What information will she be storing / sending, professionally and personally?
These are just some basic questions that will influence Jane's level of security and privacy. Threat models are unique to every person and environment. The level of detail is a personal decision based on the value of information and repercussions of compromise.
Toolkit Development:
Isolation
The Isolation phase is meant to separate personal and professional personas and eliminate any linkage between them.
Isolating your personas can be an extremely difficult process depending on your threat model. Nation-state and law enforcement adversaries have extensive reach and nearly unlimited resources, which you must be aware of. Some of the biggest dark web store owners have been caught because of very small links between their real identity and their illegal activities.
At the bare minimum, create new accounts to be used only in the operational environment. The idea is to use new devices that blend into the environment you will be going to, and that are used only with your operational toolkit. The most important thing to remember is to not associate the names / numbers of anyone who can link you back to your real life. It is important to understand that the recipients of communication also need new accounts. For example, Jane uses a new device acquired in country X with all new accounts on it. She gets pulled over for suspicious activity and her device gets confiscated. Jane is forced to either unlock her phone or go to jail (not all countries have rules protecting individual rights). In Jane’s email, there are several messages to her family’s real email; this creates linkage. This linkage is an intelligence analyst’s gold, and all the work Jane did to isolate her real life gets thrown down the drain.
Things to consider:
- Email accounts
- Phone numbers
- Social media accounts
- Family and friend contacts
- Foreign contacts
- Cloud and internet services
Understanding where your compromising information is located and how it can link back to you is a hefty challenge; however, it is a necessary one in limiting the linkage between your personal and professional personas. The environment, and the adversaries lurking within it, are just a few of the big factors impacting how much isolation and separation is needed.
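The self-assessment section says to think like an investigator and correlate data between sources, and this section says a single shared attribute between an operational persona and a true identity is an analyst's gold. The script below, an added example that is not part of the original article, runs that correlation against your own notes: it indexes every attribute value recorded during the self-assessment and reports any value that appears under more than one persona. The findings, names, numbers and addresses are constructed sample data.

```python
"""Cross-persona linkage check (added example; not from the original article).

Plays investigator over the notes taken during a COUNTER-OSINT self-assessment:
every attribute value is indexed, and any value that shows up under two
personas is reported as a linkage that breaks isolation.
"""
from collections import defaultdict

# Constructed sample findings, recorded the way an investigator would log them
# while working through the searches. All names, numbers and addresses are invented.
FINDINGS = [
    {"persona": "true", "source": "people-search site",
     "attrs": {"phone": "921-555-8293", "address": "12 Elm St, Dallas",
               "email": "jane.smith@example.com"}},
    {"persona": "true", "source": "social media",
     "attrs": {"employer": "Acme Audit LLC", "hometown": "Dallas"}},
    {"persona": "ops", "source": "new messaging account",
     "attrs": {"phone": "+40-700-000-111", "email": "j.s.travel@example.net"}},
    {"persona": "ops", "source": "new email account",
     # Recovery address reused from real life and a family contact copied over:
     # exactly the kind of slip the Isolation section warns about.
     "attrs": {"recovery_email": "jane.smith@example.com",
               "contact": "Mom <mom@example.com>"}},
    {"persona": "true", "source": "family contacts",
     "attrs": {"contact": "Mom <mom@example.com>"}},
]


def normalize(value: str) -> str:
    """Fold case and drop punctuation so '921.555.8293' and '921-555-8293' match."""
    return "".join(ch for ch in value.lower() if ch.isalnum() or ch == "@")


def index_attributes(findings):
    """Map each normalized attribute value to the (persona, field, source) hits for it."""
    index = defaultdict(set)
    for f in findings:
        for field, value in f["attrs"].items():
            index[normalize(value)].add((f["persona"], field, f["source"]))
    return index


def find_linkages(findings):
    """Return attribute values that appear under more than one persona.

    Each result is (value, sorted list of (persona, field, source)) so the
    reader can see exactly where the isolation failed.
    """
    links = []
    for value, hits in index_attributes(findings).items():
        personas = {persona for persona, _, _ in hits}
        if len(personas) > 1:
            links.append((value, sorted(hits)))
    return sorted(links)


def isolation_report(findings) -> str:
    """Human-readable summary of the linkages found."""
    links = find_linkages(findings)
    if not links:
        return "no cross-persona linkage found"
    lines = [f"{len(links)} linkage(s) between personas:"]
    for value, hits in links:
        where = "; ".join(f"{persona}/{field} ({source})" for persona, field, source in hits)
        lines.append(f"  {value!r}: {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(isolation_report(FINDINGS))
```

Run it after each round of account creation; the goal is an empty report. Normalization is deliberately crude (it only strips punctuation and case), so nicknames, partial addresses or transliterated names will not match and still need a human eye.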
Foundation
Foundation configures devices and infrastructure, setting a hardened baseline before moving into Toolkit Development and any account creation.
Prior to getting online, creating a slew of accounts, and sending them to your contacts, a couple of steps need to be taken to facilitate isolation. Again, some threat models may require this step to occur in the target environment.
After identifying the hardware and software required, a sanitization process should be conducted if these devices were used by you before. Typically, a factory reset or operating system reinstall should suffice, but more extreme measures may be required.
Following a fresh install, immediately harden the device. This process requires going into settings, and sometimes deep into system configurations, to make changes that close off potential vulnerabilities. Hardening the device will also get you very familiar with it. Note that after installing applications, a secondary hardening may be needed, as most apps make system changes, or you may need to restrict an application's access to system information (i.e. location data, contacts, etc.). A simple rule of thumb is to deny and restrict system settings until it “breaks” a function you need.
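The Planning section's daily application list and the secondary hardening pass described here come down to the same check: for each app, what it needs to do its job versus what it has been granted, with anything that needs nothing treated as pure attack surface. The script below is an added example, not from the original article, that encodes that allowlist rule over a constructed inventory. The app names and permission labels are illustrative, not any operating system's real identifiers.

```python
"""Application inventory and permission audit (added example; not from the article).

Applies the "deny until it breaks" rule of thumb: each app is cut back to the
permissions its role requires, and apps that require nothing are removed.
"""

# Constructed inventory. Permission names are illustrative labels, not any
# particular operating system's identifiers.
INVENTORY = {
    "weather":   {"needed": {"network", "location_coarse"},
                  "granted": {"network", "location_precise", "location_coarse", "contacts"}},
    "notes":     {"needed": {"storage"},
                  "granted": {"storage", "network", "microphone"}},
    "messenger": {"needed": {"network", "camera", "microphone", "notifications"},
                  "granted": {"network", "camera", "microphone", "notifications"}},
    "car_bt":    {"needed": {"bluetooth"},
                  "granted": {"bluetooth", "contacts", "call_log"}},
    "game":      {"needed": set(),
                  "granted": {"network", "location_precise", "storage"}},
}

# Grants that expose the most sensitive system information; an excess grant
# here weighs more than, say, notifications.
HIGH_RISK = {"location_precise", "location_coarse", "contacts", "call_log",
             "microphone", "camera", "storage"}


def excess_permissions(app: dict) -> set:
    """Permissions granted beyond what the app's role requires."""
    return app["granted"] - app["needed"]


def audit(inventory: dict) -> dict:
    """Per app: the excess grants, the high-risk subset, and whether the app
    should simply be removed because it needs nothing."""
    report = {}
    for name, app in inventory.items():
        excess = excess_permissions(app)
        report[name] = {
            "excess": sorted(excess),
            "high_risk_excess": sorted(excess & HIGH_RISK),
            "remove": not app["needed"],
        }
    return report


def attack_surface_score(inventory: dict) -> int:
    """Crude score: one point per excess grant, two if it is high risk.
    Only meaningful for comparing before and after a hardening pass."""
    score = 0
    for app in inventory.values():
        for perm in excess_permissions(app):
            score += 2 if perm in HIGH_RISK else 1
    return score


def hardened(inventory: dict) -> dict:
    """Drop apps that need nothing; cut every other app's grants back to its needs."""
    return {name: {"needed": set(app["needed"]), "granted": set(app["needed"])}
            for name, app in inventory.items() if app["needed"]}


if __name__ == "__main__":
    for name, row in audit(INVENTORY).items():
        flag = "REMOVE" if row["remove"] else ("restrict" if row["excess"] else "ok")
        print(f"{name:10} {flag:8} excess={row['excess']} high_risk={row['high_risk_excess']}")
    print("attack surface before:", attack_surface_score(INVENTORY))
    print("attack surface after: ", attack_surface_score(hardened(INVENTORY)))
```

The "needed" column is the part that takes thought: it should be filled in from the daily-use list, not from what the app asks for. If cutting a grant breaks a function you actually use, add it back to "needed" and re-run; that is the rule of thumb made repeatable.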
Following a system hardening, the infrastructure can begin to grow. Arguably the most important part is the use of a Virtual Private Network (VPN). A VPN, in short, encrypts your traffic from your device to a shared exit node where it then routes to where it needs to go across the internet. A VPN is a mandatory staple in any toolkit, even in day-to-day life. A paid VPN service is preferred over a free option. A good rule to live by when it comes to applications is that if you are not paying for a product, you are the product. If you are not paying for a VPN, that VPN is likely selling your information to the highest bidder.
Full Disk Encryption (FDE) is another key component of this phase. FDE needs to be enabled on your devices; most new devices come with an FDE option in the operating system. macOS (FileVault 2), Windows (BitLocker), and most new phones encrypt when a passcode/password is enabled to unlock the device. Removable media (external hard drives, SD cards, etc.) should also be encrypted unless disinformation or obfuscation is a goal. FileVault 2 and BitLocker can provide encryption on these devices. VeraCrypt is an alternative to these built-in solutions. VeraCrypt can be used to provide FDE, but it can also create smaller secure “containers” inside a hard drive. Containers can be created inside an already encrypted drive, offering double encryption with different encryption algorithms, and a small container can also be buried in the file system if needed.
Once hardening, encryption, and the VPN are all set, start account creation.
Validation
Validation is ensuring all of your requirements have been met, your information for your accounts is accurate, and the devices are working properly.
The Validation portion gives peace of mind prior to rolling out. The military calls this Pre-Combat Checks and Inspections (PCC/PCI), the last step before execution.
If the plan dictates that you acquire equipment in the environment you are going to, the Foundation and Validation phases are still needed, except in very specific cases. Before using the devices to communicate, harden and prep the devices then create and configure accounts.
Execution:
Infil
It is well known that one of the most sensitive and vulnerable phases of an operation is the infiltration. Getting into an environment, especially an unknown one, is stressful. Special Operations Forces have learned over the years how important it is to produce a detailed plan before an operation, with a special focus on contingencies. The key to success here is doing some research on any processes you will be going through, having a reasonable explanation for anything out of the ordinary that you carry, and, as always, blending into the environment where you can.
Situational Awareness
High-threat areas are the hot spots to be mindful of, where situational awareness and the Unconventional Communication Framework are your best bet for information security. The Framework will make you a harder, more aware target in the following high-threat areas:
- Border crossing & customs - Good research and proper preparation will help you navigate customs. Know what customs agents do at initial screening and at secondary screening. Understand how you can be “of interest” to customs agents (i.e. origin, business, any items on your person).
- Transportation (rental, taxi, train) - Do not trust a rental car. Do not trust a taxi driver. Common sense and a healthy dose of paranoia should be employed.
- Living conditions (hotels, rental house, business-provided housing) - These all have vulnerabilities associated with them.
- Social environments (bars, restaurants, social events) - Prepare for the environment you are planning on entering. What devices are you bringing? Who will be there? Define your threat model.
- Meetings (sources, coworkers, clients, contacts) - Depending on the relationship and context, this could be a very high-threat situation or somewhat mundane. Plan for contingencies; plan for an exit.
There are endless variables that determine a high-threat area; these are the common ones.
Example:
Public access points, like Wi-Fi at coffee shops or hotels, are an enormous attack vector. These networks give attackers or surveillers a large advantage because they get to be on the same network as other users and can directly interact with all of those other devices. Some networks do have security measures in place so that devices cannot interact with each other, but you should never rely on one layer of security alone. Defense is like an onion; it should have multiple layers. The first decision to be made is whether or not to use the free access point in the first place. The best option in some locations is to acquire an unlimited-data mobile plan. A phone can be used as a secure hotspot, which can also run a VPN, forcing network traffic to flow through an encrypted tunnel. If this option is unavailable and public Wi-Fi is the only path, a VPN is absolutely mandatory. Without a VPN, a hotel router (which has unknown physical access control) logs all traffic flowing through it. At the very least, it knows the source IP address (which is tied to a room number or customer account), the destination IP address, and what protocols are being used. On some networks, ANY computer on the network can monitor network traffic. This data can be collected and analyzed, tying a room number to websites visited, which becomes social engineering pretext information. Pretext information is vital to a successful social engineering attempt:
Scenario:
Bob is a target. Bob is in his hotel room surfing the internet for a new laptop on a few websites that typically sell tech devices. Unknown to Bob, a team is monitoring him for reason xyz. The team follows him from the airport in his "upgraded" rental car to his hotel. He checks in and receives his room key, gets to his room, and connects to the internet to look up some new laptops, because his was so heavy to lug around the airport. While he was checking in, the team accessed the hotel network (because they already know all the authentication details of the hotel's networks) and started monitoring for new IP addresses. Boom, a new IP address pops up soon after Bob checks in. They filter all data for his IP and see he is looking at some tech distributors; maybe they have already set up a man-in-the-middle attack and are viewing all the images on Bob's screen, or his keystrokes as he logs into his banking website. Now they know an interest of Bob’s. The team gets a device Bob is interested in, and while Bob is down at the hotel bar having a beer, a nice young lady comes and sits near him and pulls out that shiny new device. One thing leads to another, and now Bob is having a conversation with one of the team’s more attractive members. Pretext information makes starting a relationship with a target easy; it is a tool to be used. This is the reason privacy is an important aspect of discreet and secure communication.
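The passage above says a hotel router, or any host on a flat network, sees source IP, destination IP and protocol, and that this metadata is what becomes pretext. The script below is an added example, not from the original article, that makes that concrete from the defender's side: it takes a constructed flow log for one client and builds the profile a passive observer on the LAN would get, once with the client talking to sites directly and once with the same session pushed through a VPN tunnel to a single endpoint. The log lines, addresses (RFC 5737 documentation ranges) and the hostname lookup table are all constructed.

```python
"""What a shared-network observer learns from traffic metadata (added example;
not from the original article).

Builds a per-client profile from constructed flow records, then shows the same
session through a VPN tunnel, where every flow collapses to one endpoint.
"""
from collections import Counter

# Constructed flow log, as a router or a host sniffing the LAN might record it.
# Columns: timestamp, src_ip, dst_ip, proto, dst_port.
DIRECT_FLOWS = """\
2024-01-01T21:02:11 10.50.3.17 203.0.113.10 TCP 443
2024-01-01T21:02:12 10.50.3.17 203.0.113.10 TCP 443
2024-01-01T21:03:40 10.50.3.17 203.0.113.22 TCP 443
2024-01-01T21:05:02 10.50.3.17 198.51.100.5 UDP 53
2024-01-01T21:05:03 10.50.3.17 203.0.113.40 TCP 80
2024-01-01T21:07:15 10.50.3.17 203.0.113.10 TCP 443
"""

# Same session with every packet inside a WireGuard-style UDP tunnel to one
# VPN endpoint (constructed address); the observer sees only the tunnel.
VPN_FLOWS = """\
2024-01-01T21:02:11 10.50.3.17 192.0.2.99 UDP 51820
2024-01-01T21:02:12 10.50.3.17 192.0.2.99 UDP 51820
2024-01-01T21:03:40 10.50.3.17 192.0.2.99 UDP 51820
2024-01-01T21:05:02 10.50.3.17 192.0.2.99 UDP 51820
2024-01-01T21:05:03 10.50.3.17 192.0.2.99 UDP 51820
2024-01-01T21:07:15 10.50.3.17 192.0.2.99 UDP 51820
"""

# Constructed reverse lookups an observer might keep for frequent destinations;
# this is how "tech distributors" turns into pretext about the client.
KNOWN_HOSTS = {
    "203.0.113.10": "laptop retailer (constructed)",
    "203.0.113.22": "bank (constructed)",
    "203.0.113.40": "news site, plain HTTP (constructed)",
    "198.51.100.5": "hotel DNS resolver (constructed)",
}


def parse_flows(text: str):
    """Turn the five-column log into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, port = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto, "port": int(port)})
    return flows


def observer_profile(text: str, client_ip: str) -> dict:
    """Everything a passive observer on the LAN can say about one client."""
    flows = [f for f in parse_flows(text) if f["src"] == client_ip]
    dests = Counter(f["dst"] for f in flows)
    plaintext = sorted({f["dst"] for f in flows if f["proto"] == "TCP" and f["port"] == 80})
    return {
        "flows": len(flows),
        "distinct_destinations": len(dests),
        "top_destinations": [(ip, n, KNOWN_HOSTS.get(ip, "unknown"))
                             for ip, n in dests.most_common(3)],
        "plaintext_http": plaintext,            # content readable, not just metadata
        "dns_to_hotel_resolver": any(f["port"] == 53 for f in flows),
    }


def pretext_leaked(profile: dict) -> bool:
    """True if the observer learned more than 'this client has a tunnel up'."""
    return profile["distinct_destinations"] > 1 or bool(profile["plaintext_http"])


if __name__ == "__main__":
    for label, log in (("direct", DIRECT_FLOWS), ("via VPN", VPN_FLOWS)):
        p = observer_profile(log, "10.50.3.17")
        print(f"[{label}] pretext leaked: {pretext_leaked(p)}, "
              f"{p['distinct_destinations']} destination(s)")
        for ip, n, who in p["top_destinations"]:
            print(f"   {ip} x{n} -> {who}")
```

One caveat the VPN log assumes: DNS goes through the tunnel too. A client whose resolver queries still go to the hotel's DNS server (port 53 in the direct log) hands the observer the site list even with the tunnel up, so check that the VPN client routes DNS as well as web traffic.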
Communicate
There are endless ways to communicate: across the internet, cellular networks, radio frequencies, or any other way your imagination can create. Wireless hard drives are great tools, Near-Field Communication (NFC) cards can be used, dark web chat rooms, or even combining non-technical signals with digital solutions… the list goes on. Researching the possibilities and the associated vulnerabilities will drive the solutions you choose.
Recovery:
Exfil
Recovery is the process of planning and executing a course of action to exfiltrate any required information. This can be as simple as emailing an idle secure email account, or as extensive as hiding a small text document inside a video file. It all depends on the level of security and the determined threat model.
- Low Security:
  - Encrypted hard drive
  - Cloud service (encrypt files prior to upload)
- Medium Security:
  - Encrypted hard drive (small form factor, hidden / concealed)
  - Secure email / email attachment
- High Security:
  - Encrypted hard drive (hidden digitally with steganography / similar methods)
  - Cloud / email not recommended unless redundancy trumps security
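The high-security tier above relies on steganography, hiding data digitally inside something innocuous. The block below is an added example, not from the original article, showing the simplest form of the mechanism: least-significant-bit embedding of a small payload into an 8-bit grayscale pixel buffer, with a length header so it can be recovered. The carrier is a constructed random buffer standing in for an image's pixel plane; real carriers, file formats and the encryption the payload should get first are outside this example.

```python
"""Least-significant-bit hiding of a small payload inside a pixel buffer
(added example; not from the original article).

Each carrier byte gives up its lowest bit, so n payload bytes need 8*n carrier
bytes plus a 4-byte length header. This hides; it does not encrypt, and a
statistical test of the LSB plane can still reveal that something is embedded,
so the payload should be encrypted before it goes in.
"""
import random
import struct

HEADER = struct.Struct(">I")  # 4-byte big-endian payload length


def capacity(carrier: bytes) -> int:
    """Payload bytes that fit after the length header."""
    return len(carrier) // 8 - HEADER.size


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Write len(payload) then payload, one bit per carrier byte, MSB first."""
    if len(payload) > capacity(carrier):
        raise ValueError(f"payload {len(payload)} B exceeds capacity {capacity(carrier)} B")
    data = HEADER.pack(len(payload)) + payload
    out = bytearray(carrier)
    i = 0
    for byte in data:
        for bit in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> bit) & 1)
            i += 1
    return bytes(out)


def _read_bytes(carrier: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at carrier index `start`."""
    out = bytearray()
    i = start
    for _ in range(count):
        value = 0
        for _ in range(8):
            value = (value << 1) | (carrier[i] & 1)
            i += 1
        out.append(value)
    return bytes(out)


def extract(carrier: bytes) -> bytes:
    """Recover the payload; raises ValueError if the header is implausible."""
    length = HEADER.unpack(_read_bytes(carrier, 0, HEADER.size))[0]
    if length > capacity(carrier):
        raise ValueError("no plausible payload header in this carrier")
    return _read_bytes(carrier, HEADER.size * 8, length)


def make_carrier(n_pixels: int, seed: int = 7) -> bytes:
    """Constructed stand-in for an image's pixel plane: random 8-bit values."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_pixels))


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change; LSB embedding never moves a pixel by more than 1."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    carrier = make_carrier(4096)
    secret = b"unpublished draft: chapter 3 notes"
    stego = embed(carrier, secret)
    print("capacity:", capacity(carrier), "bytes")
    print("max pixel change:", max_pixel_delta(carrier, stego))
    print("recovered:", extract(stego))
```

The max_pixel_delta check is the point of the technique: the carrier is visually unchanged. The weakness is equally visible in the code: a flat bit pattern in the LSB plane is statistically unusual, which is why the article pairs steganography with encryption rather than treating it as a substitute.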
Wipe
The last step to close out an operation is to wipe, reset, and purge all devices that were used or associated with it. Devices used under your professional persona should be considered compromised until thoroughly cleaned and wiped.
Maintaining discipline throughout the entire process and operation is important. The weakest link, or a lapse in discipline, can be the difference between secure and exposed.
Final Notes:
The Unconventional Communication process is meant to give structure to a secure communication plan across multiple platforms, and to be broad enough to be relevant in all situations. Security is a process; it is not a one-stop shop, and certainly not an annual requirement at the office. The value found in digital security can differ based on audience, perceived threats, and a variety of other factors. Start the process today; start before the breach.
Protect your data.
———————————————————————————————————
They say to write what you want to read, and after much research we decided that this type of reference is simply not available to many audiences that have an absolute use-case for secure communication. We hope this resource will be used to help those of you who need it.
For more training, services, or general questions > [email protected]
or www.securemeasuresgroup.com
You can reach Gavin > [email protected]
You can reach Lucas > [email protected]