Nicola Sotira is the Head of Poste Italiane’s CERT. He has worked in the field of information security and networks for over twenty years, with experience gained in international environments, where he dealt with cryptography and infrastructure security and also worked on mobile and 3G networks. He has collaborated with various IT magazines as a journalist, contributing to the dissemination of security and technical-legal issues. He lectures on the Master in Network Security at La Sapienza University and LUISS University.
A member of the Association for Computing Machinery (ACM) since 2004 and a promoter of technological innovation, he collaborates with various start-ups in Italy and abroad. A member of Italia Startup since 2014, where, together with some companies, he participated in the development and design of services in the mobile field, he collaborates with the Oracle Security Council and has been General Manager of the Global Cyber Security GCSEC Foundation since 2016.
We are experiencing years in which the development of technology is increasingly exponential. A technology that also carries potential threats for us, namely the specter of a ubiquitous surveillance architecture active 24 hours a day, 365 days a year. An architecture that, as we have seen, serves the interests of the large OTTs (Over the Top providers), that is, those who manage the buying and selling of our personal data and, importantly, the prediction of our habits and behaviors. A scenario in which Facebook is now one of the authoritative sources of behavioral models. This economic model is defined in Zuboff’s book “The Age of Surveillance Capitalism”: a scenario in which data is at the base of real wars and power movements that challenge even democracies.
Analogue agents and intelligence activities
“You were with the Israelis or with the Americans?” Thus begins the dialogue between Simone Pace, a CIA operative in Italy, and the journalist of the novel “American Education” by Fabrizio Gatti. The book describes a network of agents that manipulates and influences delicate historical passages and Western democracies. A “covert network that is like a big picture on which unsuspecting citizens, governments and states move, where agents paint new figures and add colors.”
In the book, a former spy decides to reveal to the journalist a series of truths about some relevant CIA activities in Europe, reconstructing the work of a special cell of American services that carried out undercover actions, interfering with politics and changing the course of history. The book is an excellent example of how a government’s intelligence works: how it selects and recruits information sources and builds the assets underlying this activity. Intelligence activity is the product of the collection, evaluation, analysis, and interpretation of the information gathered.
The development of an intelligence product requires the collection of information from different sources, sources that must be selected based on the objectives set by the organization.
The product of this activity provides states with the information necessary to promote their national interests; in Gatti’s book, mentioned above, this aspect is particularly highlighted. Intelligence organizations generally look for information regarding military capabilities, issues that threaten national security, economic programs, and diplomatic positions. In the digital/cyber scenario, similar approaches are used to prevent threats or to gather strategic information. Increasingly sophisticated programs are now part of the defensive/offensive cyber protection strategy, both at government level and in companies that are part of critical infrastructures; for the latter, activities are limited to the defensive side. Intelligence activity is divided into strategic and operational. The first provides the information decision-makers need to make choices or long-term decisions; normally this information must then be integrated with information relating to politics, economics, social interactions, and technological developments. Operational intelligence, on the other hand, regards current or short-term events and does not involve long-term projections.
Information gathering techniques
There are several disciplines used for collecting information. These include human intelligence (HUMINT), intelligence derived from signals (SIGINT), intelligence derived from images (IMINT), intelligence derived from surveys of radio-frequency and radioactive emissions (MASINT), and open-source intelligence (OSINT). Regarding open-source intelligence, it should be noted that the more open an organization or state is, the more successful this type of activity is. Magazines, websites, online databases, and social media are often profitable sources of information regarding governmental and commercial activities.
Human intelligence activities, HUMINT, are synonymous with espionage and clandestine activities such as those described in the aforementioned book by Fabrizio Gatti, but the activity carried out by diplomats and military personnel should not be overlooked either.
This discipline represents the oldest method for collecting information and remained, until the end of the twentieth century, the main source of intelligence for governments and organizations. HUMINT includes overt, sensitive and clandestine activities carried out by people who control, supervise and support the necessary sources. Overt activities are openly managed; in this case, the persons collecting the information can be diplomats, military personnel, or members of official delegations who participate in or manage unclassified publications or conferences. Clandestine activity, on the other hand, requires agents infiltrated into the country or organization in undercover roles. The management of this discipline requires a significant number of staff, both among those who collect information and among those who support and coordinate the various activities.
HUMINT in the digital domain
Today both threat actors and professionals working in the field of information security have access to increasingly efficient and lethal technologies. Alongside these tools, we have what can be considered the most useful tools of all: knowledge and human experience. For these reasons, it is easy to understand how the use of HUMINT is fundamental both for those who work to identify cybercriminals and for those who deal with the management and prevention of threats. Understanding the motivations, trends, and reasons behind the opponents is key to any type of war, including cyber warfare. As the literature on the subject confirms, one must know one’s enemy by becoming one’s enemy; it must always be kept in mind that the enemy in this cyber war can be virtual and anonymous, but never invisible. The technique used in the digital world is similar to that used in the physical world: a Threat Hunter, to be successful in using HUMINT, must learn to think like the actors behind the threats, identify the tools and techniques they use, and understand their goals. All this requires a good ability to infiltrate among the actors who generate cyber threats, gain their trust, and learn how they work. It is the same commitment the agencies make when they insert an undercover agent to infiltrate a criminal organization.
It is scrupulous work that puts a strain on the nerves: identifying the digital places where threat actors meet to share information, such as dark web forums, IRC chats, virtual rooms, and the black market. It is a dangerous activity, like the one that takes place in the physical world, no matter how experienced or qualified you are. When one enters these dark sides of the network, where there are actors from all parts of the world who are often in conflict with one another, one is constantly analyzed. In these forums, administrators or moderators examine everything about us to determine whether we are an infiltrator.
Mere suspicion leads, at the very least, to our banishment. Certainly, before starting this activity it is important to take precautions by managing your own security very well; Threat Hunters need tools that hide their real identity, from simple tools like a VPN or Tor up to proxies and virtual machines. Being unmasked can pose a serious threat to yourself and to the organization you work for. Some particular activities may also bring you into conflict with the police, not to mention possible conflict with your company’s legal department. The collection of data through HUMINT techniques can be very time-consuming, and it is therefore necessary to rely on cutting-edge technologies, always keeping in mind the objectives and targets of the organization, i.e., the infrastructure and critical processes of the business. HUMINT initiatives should not be managed in isolation; I strongly suggest working in teams with reliable computer security companies, and, in general, the more information you have, the better the quality of the work. The information comes from multiple sources, such as the dark web and social media; for this reason, it is essential to create the right mix of internal and external analysts. Managing activities and objectives is very important. The work cannot be based on a random search for actors on the dark web; instead, we must qualify specialized sources on the assets that are of interest to us. For example, in the financial sector, it could be useful to have sources among developers who exchange and purchase information on credit cards or PINs, as well as forum moderators in this area. On Jabber, a decentralized messaging system, there are lists where questions are asked and leads to be investigated are sought. In this activity, you also need to manage and maintain a series of avatars, each of which has its own list of people it can contact on Jabber.
Clearly, one must be careful not to do anything illegal, not to buy anything and not to handle illegal material. Another point that needs to be resolved is the timetable: if you want to maintain the credibility of the avatars, you have to get out of the 9-to-5 paradigm, since the absence of an avatar would surely make our sources suspicious. To be credible, a constant presence on the network is required; the presence of avatars must also be guaranteed outside office hours, including access on Saturdays and Sundays.
Software, tools and technologies change quickly, but even in this complex scenario the human factor remains; all cyber-attacks are led by human beings. Precisely for this reason, knowing the motivations of the adversaries and the trends behind campaigns and attacks can help us make strategic decisions and direct the investments that best protect our infrastructure. As described, HUMINT can be a fundamental part of our cyber defense strategy, but it can also be incredibly dangerous. Care should be taken to hide one’s identity and goals. To begin with, you can certainly start from intelligence platforms that also include this service, or rely on companies that offer this type of service. Traditional and tactical HUMINT instruments combined offer us the possibility of identifying criminal behavior and allow us to move towards a more proactive approach to cybersecurity, an approach that focuses on preventing attacks, because the best form of mitigation is to stop threats before they affect our infrastructure and our critical processes.