antitree
Presentation given at Rochester 2600 about the similarities between competitive intelligence/corporate spying and infosec.
Corporate Intelligence
Bridging security and the intelligence community
Overview
• Corporate spying meets security
• A corporate spy’s take on the “Intelligence Lifecycle”
  – Define Target
  – Develop Access
  – Process Intel
  – Exit
Takeaways
• Corporate Intelligence is like social engineering, network security, operational security, and OSINT, wrapped into a spy novel
• Some of the things discussed can directly affect your
  – OPSEC measures
  – Malware analysis techniques
  – Pentesting recon process
Background
• Every Fortune 500 organization has an intelligence program under some other title
  – Competitive intelligence, corporate intel, business analysis
• Corporate spies are almost never caught, almost never convicted, and never serve more than 1 year in a “corporate spy” prison.
Types of Intel Agents
• Government Employees
  – CIA, Marines, Homeland Security
  – Provide intel and counter-intel services
• Corporate Competitive Intelligence employees
  – Work for an organization to provide intel on their competitors
  – Mostly ethical practices
• Private Corporate Spies
  – Individuals or private organizations that sell secrets between companies
  – Focused, well paid, completely illegal
The Grey Line: Legality/Ethics
• Corporate spying is hard to square with business ethics
• Many of the things you need to do are not illegal; many are
• CI ops use humans as sources, knowing that the humans are the ones at risk of being arrested
• Some intel operations are full-blown hacking (APT!!)
Example Pentesting Process
Define Target → Gain Access To Target → Exfiltrate Information → Exit
Example Malware Attack Process
Define Target → Develop Code → Collect Information → Exit
Intelligence Cycle For Spooks
Define Target → Develop Access → Process Intel → Exit (and back to Define Target)
Define Target
Defining the target
• Recon: the intel team collects as much information about the target as possible
• Goals: the ideal target information is defined
  – Secret codes
  – Business plans
• Entry Points: identify potential human sources
Technical sources of information
Benefits
• Direct, unfettered access to intelligence
• No middlemen
• Limited risk of inflation, lying
• Lower risk of being caught
Costs
• More defense measures are in place compared to HUMINT
• Clearly defined laws regarding IP, hacking, etc.
Humans as a source of information
Benefits
• Information directly from the source
• Can be the “fall guy”
• Can circumvent any network security measures
• Context for intelligence
Costs
• A narrow circle of people in an organization have access to the information you need
• Possibility of betrayal, lying, or inflating information
• High maintenance for recruitment and running
• Possibility of mental breakdown
Looking For Sources to Turn
• Single Parent Rule: people can justify just about any action if it is taken to improve the lot of their children.
• Disgruntled Employees: employees whose salaries were cut or who were laid off turn bitter and vengeful
Develop Access
• Create intel sources
  – HUMINT
  – TECHINT
  – OSINT
  – $otherINT: imagery intel, signals intel, measurement intel
Developing Access: TECHINT
http://lmgtfy.com/?q=hacking
Developing Access: OSINT
[redacted] :)
Developing Access: HUMINT
• Penetrate social circles, making it less sketchy to monitor a person’s interactions
• Study the chosen subject of the source and become adept
• Define personality type and vulnerabilities:
  – Loud and egotistical
  – Quiet and non-confrontational
4 Principal Motivators for Betrayal
Money: I will pay you $50,000.
Ideology: Do it for the greater good of your country!
Coercion: If you don’t do this, your wife will find out about your mistress.
Ego: I’ve been watching you and you’re the best in the business. I need your help.
RC MICE?
• Revenge
• Compromise
Interactive Workshop!
Side Note on Attribution
• You’re a spy. Act like it
• Non-attribution != anonymity
• Types of non-attribution:
  – Anonymity: no idea who did it
  – Spoof: blame someone else
  – Deniability: oh, it was just a bot in China. *shrug*
• Plausible deniability is good enough for corporate intelligence
Process Intel
Collecting Intel from sources
• Problems:
  – Phone calls, emails, and IRL meetings are basically cleartext
  – You never want to be attributed to knowing or contacting your source (technical or human)
• Solutions:
  – Establish tradecraft, including a way to signal that a party has been turned
  – Use access agents: people proxies
Tradecraft
• Tradecraft: a predefined protocol of interaction between an actor and a handler
• IRL:
  – Dead drops
  – Secret meeting points
• Online:
  – Steganography
  – Pre-shared key cryptography
  – (NOT PGP or public-key crypto!!)
Finding Online People Ready To Turn
• Ask benign questions for secret information
• “I’m thinking about buying a new digital camera, what is Kodak coming out with?”
• “What kind of IDS does Linode use internally? I’m concerned about sensitive information getting hacked”
• Question sites:
  – Yahoo Answers
  – Stack Exchange
  – Forums
Intel Processing and Analysis
Collection Agents (turned employee, network access, OSINT data) → Data → Analyzers (content tagging, filtering, validating) → Dissemination (report & action)
Processing vs Analysis
• Processing: changing or manipulating intel to better fit the operation
  – Normalizing content
  – Extracting keywords
• Analysis: generating new information from an existing intelligence source
  – Extracting metadata from images
  – Determining the sex of the author
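Seen from the OPSEC side, the image-metadata analysis step above is worth running against your own photos before they are published: a JPEG's Exif block can name the camera, the time and the GPS position. This is an added example, not code from the talk; the tag tables and the constructed sample JPEG are assumptions, and only tag presence is reported, not values.

```python
import struct

# Assumed tag tables (not from the talk): IFD0 tags and GPS-IFD tags that identify device, time and place.
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}

def _entries(tiff, offset, endian):
    """Yield (tag, type, count, value_or_offset) for each 12-byte entry of the IFD at `offset`."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        yield tag, typ, count, struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]

def exif_tags(jpeg):
    """Names of the OPSEC-relevant Exif tags present in a JPEG (empty list if it has no Exif block)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, found = 2, []
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            tiff = seg[6:]                                   # TIFF block: byte order, magic, IFD0 offset
            endian = "<" if tiff[:2] == b"II" else ">"
            for tag, _, _, val in _entries(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian):
                if tag in IFD0_TAGS:
                    found.append(IFD0_TAGS[tag])
                if tag == 0x8825:                            # GPSInfo value is the offset of the GPS IFD
                    found += [GPS_TAGS[t] for t, *_ in _entries(tiff, val, endian) if t in GPS_TAGS]
            break
        if marker == 0xDA:                                   # start of scan: no more header segments
            break
        pos += 2 + length
    return found

def build_sample_jpeg():
    """Constructed sample (no real image data): Exif block with a Make tag and a GPS IFD, little-endian."""
    def entry(tag, typ, count, value):
        raw = value if isinstance(value, bytes) else struct.pack("<I", value)
        return struct.pack("<HHI", tag, typ, count) + raw
    # IFD0 sits at offset 8 and is 2 + 2*12 + 4 = 30 bytes long, so the GPS IFD starts at offset 38.
    ifd0 = struct.pack("<H", 2) + entry(0x010F, 2, 4, b"Foo\x00") + entry(0x8825, 4, 1, 38) + b"\0\0\0\0"
    # GPSLatitude points at offset 68 (end of block); this checker never dereferences values.
    gps = struct.pack("<H", 2) + entry(0x0001, 2, 2, b"N\0\0\0") + entry(0x0002, 5, 3, 68) + b"\0\0\0\0"
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run `exif_tags(open("photo.jpg", "rb").read())` on a real file; any GPS tag in the result means the image should be scrubbed before it leaves your hands.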
Processing: Natural Language Tagging
[redacted]
Analysis: Data Validation/Tagging
[redacted]
Processing: Data Laundering
• Intel ops cannot disclose the source
• Generalize the information into a standardized form (e.g. database table structure)
• Algorithms can be used to make the content appear to be from an online open source
• Online services provide obfuscation
Exit
Selling Intel
• Selling information to an organization can never be done to the CEO
• Never directly present the findings
• Organizations will always want plausible deniability
  – Blame a mid-level VP
Cleanup
• Decommission the operation theater
• Spin down connections with sources
  – Maintain surveillance afterwards to make sure they haven’t turned
• Destroy/scrub all information
  – See Pee
CONCLUSIONS
Why did this just happen to me?
Example 1: HP Corporate Spying Scandal of 2006
• CNET published details about HP’s long term strategy
• Private investigators social-engineered the phone records of the board of directors and journalists
• Find out that it’s Patricia Dunn who leaked the information
• Patricia Dunn announced her resignation… in 2 years.
• The PI was arrested, submitted a “sealed plea”, sentenced to 3 months in prison for obtaining the SSN of a journalist.
Open Organizations
• Association of Old Crows: Electronic warfare specialists
• Academy of Competitive Intelligence
  – Have certifications and wargames ($2495)
• Society of Competitive Intelligence Professionals (SCIP)
• Armed Forces Communications and Electronics Association (AFCEA)
Final Points
• Corporate spies run analogous to hacker and malware operations
  – Specialized teams
  – Covert strategies
  – Goal to obtain specific data
• A penetration test is very similar to an intel operation
  – Define target
  – Perform recon
  – Establish loot
  – Exfiltrate
• Counter-intelligence tactics can be integrated into your operational security plans
  – Defend against network OSINT attacks
  – Network security
  – Human paranoia
  – Privacy control