Reverse Deception: Organized Cyber Threat Counter-Exploitation (27 page)

The following sections describe the 19 items that the NCIX study identified as skills every counterintelligence professional should have, as presented in
Fundamental Elements of the Counterintelligence Discipline
,
Volume 1; Universal Counterintelligence Core Competencies
, published by the Office of the National Counterintelligence Executive and Office of the National Counterintelligence Institute (January, 2006).

Knowledge of National CI Structure and Agency Missions

Knowledge of the counterintelligence structure and agency missions is a basic but critical component for counterintelligence professionals. Any corporate organization or government agency has new employees attend an orientation of sorts. This is what the individual needs to know in a rudimentary way to be successful in the organization. The mission at all levels must be communicated clearly and understood for success. This competency speaks to the fact that this information will also enlighten an individual as to where additional counterintelligence support is coming from within the community, and the structure of the counterintelligence activity with missions and functions.

Knowledge of Interagency Memoranda of Understanding and Procedures

To protect everyone involved, every individual in the community should have a clear understanding of all standing agreements for a number of reasons, not the least of which is to understand the limitations and boundaries for the practitioner. This could be the subject, an asset, or even the counterintelligence professional. This knowledge is additionally useful because it can illuminate where modifications might be needed to conduct a complete and thorough investigation. It can also be used to clarify what support is dedicated to an investigation.

Knowledge of Foreign Intelligence Service or Terrorist Group Culture and Tradecraft

It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle
.

—Sun Tzu,
The Art of War

Need we say more?

Basic Investigative and Operational Techniques and Tools

The very nature of counterintelligence activities requires investigators to be proficient in their tradecraft. How much more do cyber-assisted crimes and activities necessitate advanced training? As previously discussed, technology is moving forward unabated and shows no sign of slowing. As technology advances faster than the majority of professionals can keep up, the development of techniques to exploit these new technologies is keeping pace.

The US National Institute of Justice, a component of the Department of Justice, issued a special report,
Investigative Uses of Technology: Devices, Tools, and Techniques
, in October 2007, which applies today. In this report, the writers outlined forensic and procedural concepts to keep the staff on the cutting edge of new developments in technology. Three areas were universal to tradecraft:

Actions taken to secure and collect evidence should not change that evidence itself, as data required to perform an investigation needs to be maintained in its full initial integrity in order to properly investigate.

Activity relating to the seizure, examination, storage, or transfer of electronic evidence should be fully documented, preserved, and available for review. This is needed to ensure that any changes or alterations are documented and the steps known to the investigative team.

Specialized training may be required for the examination of many of the devices described in this special report. Appropriate personnel should be consulted prior to conducting any examination. Investigations are often performed by professionals who are not fully certified or trained to handle specific types of data or equipment. This can lead to improper handling of evidence.

Asset Development and Handling (Including Difference Between Liaison and Clandestine Sources)

The basic conduit of information is the asset, whether the information is gained through a formal relationship (liaison) or spying (clandestine). Building and maintaining rapport with an asset requires skill and determination. Many factors can sidetrack these efforts. The use of cyberspace is just another conduit by which these ends are achieved. However, there is a slight twist with this statement. The anonymity of the Web creates a challenge regarding confidentiality (privacy of communiqué) and nonrepudiation (the state of information that cannot be challenged)—you are who you say you are, and there can be no question regarding authenticity. Human factors such as skill and tradecraft experience are just as important as the technological aspects, and situational awareness (knowledge of all current data surrounding an event) is a key requirement.

Asset Validation

Building on the previous core competency, we need to be knowledgeable of who we are dealing with in the counterintelligence world. If a supposed asset is forwarding e-mail messages or using a spoofed e-mail address, serious consequences could arise from the exchange. What is the motivation of the asset? Even worse, our assets may not be who we believe they are. The asset could actually be a double agent tasked to collect information from you! Not only is that turn of events rude, but it can also be quite embarrassing in investigative circles. Assurance of who you are dealing with is absolutely essential. How many times has someone been the victim of a spear phishing or spoofing attack, thinking an e-mail came from a relative or another trusted agent, only to fall victim to a cyber crime?

Liaison

Now that counterintelligence professionals understand the organizational structure in which they are employed, they must ensure the requirements of those memoranda of understanding and formal agreements are serviced. Nothing will dampen a strong working relationship faster than ignoring the people with whom agreements for sharing information and resources were made. Much like practitioners nurture a relationship with an asset, the same must be done with their counterparts in partner organizations at all levels. If practitioners work at a high level, proper courtesy and attention must be paid to their peers who are working at the lowest levels, lest information from the field dries up. The converse is also just as important.

Relationships with other agencies fill niche requirements in the counterintelligence community. Organizations like operations and logistics (procurement and human resources) provide a plethora of information to the counterintelligence professional if the lines of communication are open and actively used. Important information—such as who took what and where—must be gleaned externally.

These relationships, even on a rudimentary level, are absolutely essential. How does one get from place to place without logistics support? How does one know where the action is if not for the operations section?

Interviewing and Debriefing Techniques

So many techniques could be captured and enumerated in this section to show the model for a world-class interviewer, or the debriefer, of the individual who identified the initial intrusion or set of events that led to the detection of the threat. First, the interviewer should ask questions that dig beneath the surface; don’t be satisfied with superficial answers. Building on that, the interviewer should know to ask the right questions to start.

These techniques depend on the individual interviewer and rely on interpersonal skills, so interviewing and interrogation skills must be a focus for educational development. However, the single most important factor in interviewing is to know your subject. Know as much as you can about the interviewee, for in that intimate relationship, you will glean what is truly important. You will see past the words, and look into body language and other relevant factors that illuminate truth and lies.

Surveillance and Countersurveillance

So, the big question is who am I watching, and oh by the way, who is watching me watch somebody else? How do you do that with stealth and tact? Many techniques come to mind, like old reruns of
Dragnet
with Jack Webb as Sergeant Friday and his partners sitting on surveillance in Los Angeles. What a strange twist it would be if where they were sitting was under constant surveillance of closed circuit television (CCTV)? Now Sergeant Friday is sitting watching the movement and actions of his subject and he is the subject of another at the same time!

Of course, Sergeant Friday was too clever to ever be caught in that situation. He had his team out on the street conducting technical surveillance of the area, looking for cameras in the exact area where he was to sit in surveillance of his subject. His team conducted countersurveillance on Sergeant Friday’s subject’s countersurveillance team. Confused yet? Stay with us…

Technical countersurveillance is most commonly referred to as “sweeping for bugs.” The technical countersurveillance folks use technical means to locate and identify a variety of devices, such as listening devices and CCTV locations, but they are also useful in detecting threats in a variety of electronic devices. Perhaps computers come equipped with zero-day exploits (an unknown vulnerability where an exploit has been developed and not made public), or a piece of hardware redirects critical information outside the network to an unauthorized location. Most devices emit electromagnetic radiation in the form of radio waves, but not all do. Some require a combination of devices to activate the capability, and alone, they are very hard to detect. A trained professional will be aware of these things and neutralize the threat.

Principles of Collection and Analysis

Depending on the agency, activity, or country, there are various principles of collection. In our view, they can be summed up in just seven simple principles:

The risk involved in collection must be justified by the gain and operational success.