Corporate Intelligence: Bridging the security and intelligence community

Jan 16, 2015

antitree

Presentation given at Rochester 2600 about the similarities between competitive intelligence/corporate spying and infosec.
Transcript
Page 1

Corporate Intelligence

Bridging security and the intelligence community

Page 2

Overview

• Corporate spying meets security
• A corporate spy’s take on the “Intelligence Lifecycle”
  – Define Target
  – Develop Access
  – Process Intel
  – Exit

Page 3

Takeaways

• Corporate Intelligence is like social engineering, network security, operational security and OSINT wrapped into a spy novel
• Some of the things discussed can directly affect your
  – OPSEC measures
  – Malware analysis techniques
  – Pentesting recon process

Page 4

Background

• Every Fortune 500 organization has an intelligence program under some other title
  – Competitive intelligence, corporate intel, business analysis
• Corporate spies are almost never caught, almost never convicted, and never serve more than 1 year in a “corporate spy” prison.

Page 5

Types of Intel Agents

• Government Employees
  – CIA, Marines, Homeland Security
  – Provide intel and counter-intel services
• Corporate Competitive Intelligence employees
  – Work for an organization to provide intel on their competitors
  – Mostly ethical practices
• Private Corporate Spies
  – Individuals or private organizations that sell secrets between companies
  – Focused, well paid, completely illegal

Page 6

The Grey Line: Legality/Ethics

• Corporate spying is incredulous in terms of business ethics
• Many of the things you need to do are not illegal; many are
• CI ops use humans as sources, knowing that they are the ones at risk of being arrested
• Some intel operations are full-blown hacking (APT!!)

Page 7

Example Pentesting Process

Define Target → Gain Access To Target → Exfiltrate Information → Exit

Page 8

Example Malware Attack Process

Define Target → Develop Code → Collect Information → Exit

Page 9

Intelligence Cycle For Spooks

Define Target → Develop Access → Process Intel → Exit

Page 10

Define Target → Develop Access → Process Intel → Exit

(Current phase: Define Target)

Page 11

Defining the target

• Recon: Intel team collects as much information about the target as possible
• Goals: Ideal target information is defined
  – Secret codes
  – Business plans
• Entry Points: Identify potential human sources

Page 12

Technical sources of information

Benefits
• Direct, unfettered access to intelligence
• No middlemen
• Limited risk of inflation, lying
• Lower risk of being caught

Costs
• More defense measures are in place compared to HUMINT
• Clearly defined laws regarding IP, hacking, etc.

Page 13

Humans as a source of information

Benefits
• Information directly from the source
• Can be the “fall guy”
• Can circumvent any network security measures
• Context for intelligence

Costs
• A narrow circle of people in an organization have access to the information you need
• Possibility for betrayal, lying, or inflating information
• High maintenance for recruitment and running
• Possibility of mental breakdown

Page 14

Looking For Sources to Turn

• Single Parent Rule: People can justify just about any action if it is taken to improve the lot of their children.
• Disgruntled Employees: Employees whose salaries were cut or who got laid off turn bitter and vengeful

Page 15

Define Target → Develop Access → Process Intel → Exit

(Current phase: Develop Access)

Page 16

Develop Access

• Create intel sources
  – HUMINT
  – TECHINT
  – OSINT
  – $otherINT: imagery intel, signal intel, measurement intel

Page 17

Developing Access: TECHINT

http://lmgtfy.com/?q=hacking

Page 18

Developing Access: OSINT

[redacted] :)

Page 19

Developing Access: HUMINT

• Penetrate social circles, making it less sketchy to monitor a person’s interactions
• Study the chosen subject of the source and become adept
• Define personality type and vulnerabilities
  – Loud and egotistical
  – Quiet and non-confrontational

Page 20

4 Principal Motivators for Betrayal

Money: I will pay you $50,000.

Ideology: Do it for the greater good of your country!

Coercion: If you don’t do this, your wife will find out about your mistress.

Ego: I’ve been watching you and you’re the best in the business. I need your help.

Page 21

RC MICE?

• Revenge
• Compromise

Page 22

Interactive Workshop!

Page 23

Side Note on Attribution

• You’re a spy. Act like it
• Non-Attribution != anonymity
• Types of non-attribution:
  – Anonymity: no idea who did it
  – Spoof: blame someone else
  – Deniability: oh, it was just a bot in China. *shrug*
• Plausible deniability is good enough for corporate intelligence

Page 24

Define Target → Develop Access → Process Intel → Exit

(Current phase: Process Intel)

Page 25

Collecting Intel from sources

• Problems:
  – Phone calls, emails, IRL meetings are basically cleartext
  – You never want to be attributed to knowing or contacting your source (technical or human)
• Solutions:
  – Establish tradecraft, including ways of communicating being turned
  – Use Access Agents: people proxies

Page 26

Tradecraft

• Tradecraft: Predefined protocol of interaction between an actor and a handler
• IRL:
  – Dead drops
  – Secret meeting points
• Online:
  – Steganography
  – Pre-shared key cryptography
  – (NOT PGP or public crypto!!)

Page 27

Finding Online People Ready To Turn

• Ask benign questions for secret information
  – “I’m thinking about buying a new digital camera, what is Kodak coming out with?”
  – “What kind of IDS does Linode use internally? I’m concerned about sensitive information getting hacked”
• Question sites:
  – Yahoo Answers
  – Stack Exchange
  – Forums

Page 28

Intel Processing and Analysis

Diagram: Collection Agents (Turned employee, Network Access, OSINT Data) → Data → Analyzers (Content tagging, Filtering, Validating) → Dissemination (Report & Action)

Page 29

Processing vs Analysis

• Processing: changing, manipulating intel to better fit the operation
  – Normalizing content
  – Extracting keywords
• Analysis: Generating new information from an existing intelligence source
  – Extracting meta-data from images
  – Determining sex of author

Page 30

Processing: Natural Language Tagging

[redacted]

Page 31

Analysis: Data Validation/Tagging

[redacted]

Page 32

Processing: Data Laundering

• Intel ops cannot disclose the source
• Generalize the information into a standardized form (e.g. database table structure)
• Algorithms can be used to make the content appear to be from an online open source
• Online services provide obfuscation

Page 33

Define Target → Develop Access → Process Intel → Exit

(Current phase: Exit)

Page 34

Selling Intel

• Selling information to an organization can never be done to the CEO
• Never directly present the findings
• Organizations will always want plausible deniability
  – Blame a mid-level VP

Page 35

Cleanup

• Decommission operation theater
• Spin down connection with sources
  – Maintain surveillance afterwards to make sure they haven’t turned
• Destroy/Scrub all information
  – See Pee

Page 36

CONCLUSIONS

Why did this just happen to me?

Page 37

Example 1: HP Corporate Spying Scandal of 2006

• CNET published details about HP’s long-term strategy
• Private investigators social-engineered (SE) the phone records of the board of directors and journalists
• Find out that it’s Patricia Dunn who leaked the information
• Patricia Dunn announced her resignation… in 2 years.
• The PI was arrested, submitted a “sealed plea”, and was sentenced to 3 months in prison for obtaining the SSN of a journalist.

Page 38

Open Organizations

• Association of Old Crows: Electronic warfare specialists
• Academy of Competitive Intelligence
  – Have certifications and wargames ($2495)
• Society of Competitive Intelligence Professionals (SCIP)
• Armed Forces Communications and Electronics Association (AFCEA)

Page 39

Final Points

• Corporate spies run analogous to hacker and malware operations
  – Specialized teams
  – Covert strategies
  – Goal to obtain specific data

Page 40

Final Points

• A penetration test is very similar to an intel operation
  – Define target
  – Perform recon
  – Establish loot
  – Exfiltrate

Page 41

Final Points

• Counter-intelligence tactics can be integrated into your operational security plans
  – Defend against network OSINT attacks
  – Network security
  – Human paranoia
  – Privacy control

Page 42