an underground education
DESCRIPTION
TRANSCRIPT
![Page 1: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/1.jpg)
An Underground Education
Lessons in Counterintelligences from History’s Underworld
@thegrugq
![Page 2: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/2.jpg)
Agenda
Counterintelligence
Processes
Threats
Contributing Factors
Professional Thieves: CI
Hackers: CI
![Page 3: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/3.jpg)
Counterintelligence
![Page 4: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/4.jpg)
Processes of CI
Basic Denial
Adaptive Denial/Insight
Covert Manipulation
![Page 5: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/5.jpg)
Basic Denial
![Page 6: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/6.jpg)
Prevent the transfer of information to the adversary
Primarily proscriptive
Don’t engage in some behavior
Enough for basic survival
![Page 7: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/7.jpg)
OPSEC
STFU
COMSEC
Vetting members to prevent penetrations
examples
![Page 8: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/8.jpg)
The first breach of security occurs when the opposition becomes aware that information worthy of targeting exists.
Counterintelligence: Theory and Practice
After the adversary knows there is something to look for, then the game begins. You can’t go back underground. :(
![Page 9: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/9.jpg)
Adaptive Denial
![Page 10: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/10.jpg)
Insight into oppositions techniques/processes
Develop countering tactics
Analyze security posture for weaknesses
Develop remediations
Ongoing process
Dual pronged approach. On the one hand, learn how the adversary works and attempt to work around those strengths/capabilitiesOn the other, look at organisational weaknesses and address them.Iterative. Best if there is a penetration into the adversary to monitor how they function
![Page 11: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/11.jpg)
Adjust to remedy unique vulnerabilities and/or adversarial strengths
Greatly benefits from access to adversarial know-how
Active penetrations of the adversary are very useful here
Colombian narco traffickers used court discovery heavily to discover the Tactics, Techniques and Procedures of the adversaryThe PIRA started to do the same thing later in their struggles, forcing the .gov to reveal details
![Page 12: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/12.jpg)
Covert Manipulation
![Page 13: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/13.jpg)
Provide the adversary with false information
Deceive the adversary into taking futile action
Deceive the adversary into not taking action
Mostly irrelevant for hackers
Misdirection could be valuable, maybe.
Adversary has multiple channels for receiving information, have to send fake signals down them all. HUMINT, technical penetrations, open source INT, etc. etc.
![Page 14: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/14.jpg)
Intelligence Threats
The capabilities of the adversary are described as “intelligence threats”, that can be used to gain information about the agency.
![Page 15: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/15.jpg)
Penetrations
Technical Penetrations
Passive Surveillance
Media Exposure
HUMINT, SIGINT, ... OSINT
![Page 16: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/16.jpg)
Informants
![Page 17: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/17.jpg)
Intel Lingo: penetrations
Recruited
Inserted
Most serious threat
HUMINT is the biggest threat. Many sources, from forcing someone to “turn state’s evidence”, to undercover operation, to recruiting someone in place/defections... lulzsec’s collapse ultimately stems from a single individual leaving Anonymous and dumping IRC logs in public.
![Page 18: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/18.jpg)
Technical Monitoring
![Page 19: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/19.jpg)
Wiretaps, etc
Trojans and monitoring software
Video / audio surveillance
An increasing threat
See: media reports of legal trojans
FinSpy, etc.
![Page 20: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/20.jpg)
Surveillance
![Page 21: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/21.jpg)
Passive observation from local population
Dedicated active surveillance teams
Not really a threat for hackers or professional thieves
![Page 22: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/22.jpg)
Media Exposure
![Page 23: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/23.jpg)
Media coverage creates an OSINT footprint
Can be dangerous for hackers
Raises profile which draws adversarial attention
![Page 24: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/24.jpg)
Contributing Factors
Factors that contribute to the groups CI strengths and vulnerabilities.
![Page 25: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/25.jpg)
Organizational structure
Controlled territory
Popular support
Adversarial capabilities
Resources
![Page 26: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/26.jpg)
Organizational Structure
![Page 27: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/27.jpg)
Hierarchical vs. Flat
Flat can react faster
Hierarchical can enforce good practices
Flat leads to poor compartmentation
Hierarchical increase value of high level penetrations
![Page 28: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/28.jpg)
Tight vs. Loose
Loose, each node has a unique CI signature, harder to attack efficiently
Tight, can enforce CI discipline better
Loose, can have poor practices and CI resources
Tight can be rigid, introducing systemic CI vulnerabilities
Tightly controlled organisations react slowly and can develop rigid CI practices. This means they’re exploitable.
![Page 29: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/29.jpg)
Controlled Territory
![Page 30: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/30.jpg)
Area safe from adversarial intelligence gathering
Reduces incentives to develop robust CI posture
We’ll see that later, with China and Russia.
![Page 31: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/31.jpg)
Popular Support
![Page 32: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/32.jpg)
Active support from the population
Housing, food, etc
Passive support from the population
Don’t report activity to the adversary
Not really an issue for hackers, but thieves faced a hostile population.
![Page 33: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/33.jpg)
Adversary’s Capabilities
![Page 34: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/34.jpg)
Highly capable adversary
Strong intelligence capabilities
Experienced and knowledgeable
Low capability adversary
Floundering reactionary moves that are ineffective and make people angry
![Page 35: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/35.jpg)
Resources
![Page 36: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/36.jpg)
Adversarial resources available for
Performing intelligence gathering
Analysis
Follow up actions
Agency resources for counterintelligence
Dedicated CI team(s)
![Page 37: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/37.jpg)
Organizational Learning
The way that adversarial groups learn and adjust to each other’s behaviour is well studied. It is a subset of Organizational Learning -- Competitive adaptation.
![Page 38: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/38.jpg)
Competitive Adaptation
The way these factors and processes interact is called competitive adaptation, as two adversarial groups learn from and adjust to each other’s strengths and capabilities
![Page 39: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/39.jpg)
Adverse environments breed stronger actors
![Page 40: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/40.jpg)
Competitive Adaptation
Organizations are superior to individuals
Can afford some losses and still recover
Deeper experience base to draw from (more metis)
![Page 41: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/41.jpg)
Setbacks lead to sense-making and recovery
Damage Assessments
Adaptive Denial
Setbacks - flaps in “Intel Speak”
![Page 42: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/42.jpg)
Professional Thieves
Perfectly suited for their time, failed to exhibit adaptive denial and learn from competitive adaptation. They were darwinialy selected out of modern society. The lesson here for hackers is simple, either adapt where the thieves didn’t or enjoy your fading golden years...
![Page 43: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/43.jpg)
Professional Thieves
Historical class of professional grifters
From 1890s to 1940s in America
Self identify as thieves (honorific)
Thieve argot used to demonstrate membership
A large community of practice
![Page 44: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/44.jpg)
Thieves
Con men
Long con, short con
Cannons (pickpockets)
Boosters (shoplifters)
![Page 45: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/45.jpg)
Organizational Structure
Flat
Loose
Small “mobs” with great indivudual variation
Autocratic groups survive better than democratic groups in the face of adversarial competition
![Page 46: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/46.jpg)
Controlled Territory
Operating inside “fixed” towns
Small meeting rooms
![Page 47: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/47.jpg)
Popular support
None
Relied on high level penetrations of law enforcement apparatus
![Page 48: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/48.jpg)
Professional Thief Assets
Core skill was “larceny sense”
Experience derived cunning
Access to fixers and fences
Social network with memory for vetting members
Example tale of two thieves in boosting from a store. Thief A doesn’t get the alert from B, has item in suitcase already, sees shopkeeper, approaches and demands to see the manager. Is taken to manager, while B collects suitcase and leaves. Thief A is then confused, and walks out.
![Page 49: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/49.jpg)
Rules for effective thievery
Steal an item at a time
Stash it at a drugstore or restaurant
Mail it back home to a friend
Never keep it at home / in car
Never grift on the way out
![Page 50: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/50.jpg)
Rules, cont.
Never draw attention to a working thief
Never fail to draw attention to an adversarial threat
Failsafe triggers to indicate problems, i.e. arrest
Lots of codes and signs - “nix” for coppers around, changing the conversation to prevent people
- always punctual to meetings, only reason to be late is arrest - mob will break up- always call someone at fixed time at end of day, on failure they assume arrest and search
![Page 51: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/51.jpg)
Strict rules against informants (“rats”)
Violent retaliation against “rats” was sanctioned
“A professional thief will never say anything dangerous, and someone who is not a professional thief doesn’t know anything dangerous to say”
![Page 52: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/52.jpg)
Heavy investment in fixers to limit handle problems
Little/No adaptive denial capabilities
Adversary maintained fixed capabilities
No competitive adaptation
After the adversary changed their game, lost the corruption and the “old style police work”, the professional thieves day’s were numbered. The environment became too hostile to support them in number.
![Page 53: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/53.jpg)
Hackers
![Page 54: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/54.jpg)
Organizational Structure
Flat hierarchy
No commanders
Loose group structure
Individuals pool resources, but act on their own
![Page 55: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/55.jpg)
Controlled Territory
Nation state protected hackers
Russia, China, etc.
Political protection: e.g. USA hacking Iran
Secure private servers and channels
Unmonitored information transfer
![Page 56: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/56.jpg)
Popular Support
Not relevant
Cyberspace is not a “space”
Support requires knowledge
Who, what, etc.
![Page 57: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/57.jpg)
Counterintelligence
Denial, Insight, Manipulation
![Page 58: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/58.jpg)
Basic Denial
Vetting of members
Pseudonymity
Limited compartmentation
Internal to a group
But.. gossip spreads far and fast
![Page 59: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/59.jpg)
Adaptive Denial
Limited sensemaking from colleagues’ busts
Over reliance on technical protections
No case, ever, of a hacker penetration of LEO
Resulting in actionable intel to adapt
![Page 60: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/60.jpg)
Covert Manipulation
Occasional poor attempts at framing others
ProFTP AcidBitches hack
Nation state level, certainly happens
False flag attacks
What is the cost of a VPS in Shanghai?
![Page 61: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/61.jpg)
Hacker Community of Practice
Informal community
Social groups connected via social mediums
Sharing of metis via formal and informal means
Zines, papers, blogposts, chats
![Page 62: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/62.jpg)
Communities of Practice
Three main hacker communities
English
Russian
Chinese
Clustered by language of information exchange
![Page 63: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/63.jpg)
Communities of Practice
Operate inside controlled territory
Russian
Chinese
Operate in hostile environment
English
Interesting that 2/3 communities are operating in controlled territory, where they have carte blanche tooperate, provided they avoid antagonizing the local authorities.
![Page 64: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/64.jpg)
Comm of P. CI
Controlled territory provides protection against adversarial intelligence collection
Discourages robust operational security practices
Hostile environments force adaptation
Darwinian selection
![Page 65: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/65.jpg)
Favorable elements in any operational situation should be taken advantage of, but not by relaxing vigilance and security consciousness.
Soviet doctrine on clandestine operations
https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol9no1/html/v09i1a06p_0001.htm
![Page 66: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/66.jpg)
Learning Disabilities
Hacker communities of practice have severe learning disabilities
Incurious about why colleagues got busted
No lessons learned
No damage assessment
![Page 67: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/67.jpg)
Learning Disabilities
Hacker groups are too compartmented for info sharing
Not compartmented enough to prevent intelligence collection
![Page 68: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/68.jpg)
Lessons Learned
![Page 69: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/69.jpg)
Identity
Operational secrets
When
How
Critical Secrets
These are the things that hackers most need to be concerned about.
![Page 70: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/70.jpg)
Hacker CI
Focus on Basic Denial
Create virtual controlled territory
Political cover for hacking
![Page 71: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/71.jpg)
Conclusion
![Page 72: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/72.jpg)
Adapt or die
![Page 73: An Underground education](https://reader038.vdocuments.net/reader038/viewer/2022103014/54b775434a795985568b46c4/html5/thumbnails/73.jpg)
Thank you.