Mar 31

The future is behind us? The human factor in cyber intelligence: Interplay between Cyber-HUMINT, Hackers and Social Engineering

By Dr. Amit Steinhart

In recent years, we have been continuously alerted of the danger posed by various cyber factors. To match this, we see national intelligence agencies and even private intelligence organizations investing vast resources in gathering, analysing and producing intelligence material originating from the Internet and the Darknet.

Many current research highlights the relatively obvious advantage in the hands of attackers regarding the cost and effort of attack versus defence, usually due to the complexity of existent defence technologies, and the surprise factor which usually favours the attackers. National institutions and private companies hire qualified cybersecurity experts on an industrial scale, and often it looks like whoever knows how to operate a computer overnight becomes a cyberwarrior and an intelligence analyst. There is no dispute regarding the vast importance of training cyber personnel on gathering and processing intelligence information, but it seems that especially in the area of intelligence gathering we are ignoring many of our traditional skills, achieved over more than a century of national intelligence organization experience.


Cyber intelligence: The Missing Picture

The industry of cyber intelligence promotes the development of tools for breaking into computer systems and standalone computers. Such activities are taking place within governmental organizations, national intelligence organizations, armies and a long list of private commercial companies such as:  REVULN, VUPEN, NETRAGARD and EXODUS, which openly develop cyberattack technologies. In addition, there are criminal organizations and terror associated factors, as well as private hackers also developing such technologies [1]. Among the entities commissioning such technologies we can find sovereign states, national intelligence organizations, criminal and terror elements, who purchase such attack technologies in designated markets via the visible net and the so-called “Darknet”. The “Darknet” is a collection of networks and other technologies that enable people to illegally share copyrighted digital files with little or no fear of detection. It is an advertised and routed portion of Internet address space that contains the concept of a hidden Internet, outside the borders of the public network [2]. On “Darknet” the online crime market participants have created web platforms where they can virtually meet, discuss, exchange, buy and sell illicit goods and services. These online, illicit markets are very popular (over 20,000 profiles in our case study) and provide an easy way to find co-offenders or to get up-to-date best practices regarding criminal activities [3].

Sometimes when interviewing a “cyber intelligence analyst”, who usually is a graduate of any given national security organization, it is hard not to notice the decisive prevalence of a technological mindset overshadowing and underrating the human factor. Most cyberexperts’ training process  is predominantly focused on technological aspects, while a big part of the classical intelligence training is missing[4]. However, even without the use of methodologies, “The difficulty with social engineering attacks is mostly the ability to identify them. Social engineers target call centre employees.”[5].

The new generation of analysts is often convinced that intelligence gathering is simply “target profiling” – summarized compared information existing on the Internet to other information gathered via other electronic technologies. The place of HUMINT in this new cyber world is often replaced with the concept of a “social engineering” concept, which considered to be on many occasions the HUMINT equivalent in the cyber world.

Countries and private companies invest vast resources, creating technologies for gathering and analysing electronic information and building station defence around their data banks. Systems aiming to discover attackers via disabling their technological capabilities have failed many times due to simple innovation on the side of the attacker.

Furthermore, it seems that systems which are partially meant to collect information and to prevent the entry of hostile factors are not sufficient today. Many cyber experts believe, that the majority of information security products, designed to prevent peripheral attacks on computer systems, while adequate in managing permission and access restrictions, is fundamentally not enough to stop subsequent attacks. The majority of products that exist in cybersecurity are usually able to identify an attack only while it is being conducted – the ability to foresee an attack or an attack intention by hackers or other hostile third parties still remains limited [6].

There is a considerable degree of consent among the experts that the new generation of security systems will focus on attack prevention (proactive systems), while scanning and monitoring large data systems (big data) [7]. Most importantly, the new generation systems will focus on gathering and analysing information regarding the technological and the situational potential of possible attackers. In the race for the latest technological updates, we appear to disregard valid traditional intelligence approaches in areas of data gathering and prevention, used successfully by national intelligence organizations from the end of the 19th century until today.


HUMINT – A dinosaur in a Cyber World?

Traditional intelligence agencies examine the extent of the danger posed by third parties to national security. Rarely the intelligence produced could supply reliable information regarding exact intentions of a third side. In most of these cases we find an intelligence practice known as HUMINT was in play. HUMINT is a blanket definition for a variety of intelligence activities regarding information gathering from human factors, including the recruiting and management of human sources. In many cases, information derived from HUMINT sources is considered the most refined and accurate of most intelligence arsenal products [8].

Although the use of HUMINT is historically deeply rooted, it only developed after the creation of modern national intelligence organizations during the end of the 19th century. From an esoteric amateur activity, it evolved into a complex discipline, richly documented by collective experience, taken partly from social and behavioural studies (regarding issues of understanding and anticipation of human behaviour, and even as part of agent’s recruiting and running methodologies, investigation, etc.) and partially from exact sciences (in relation to intelligence technologies based on encryption, and later on the SIGINT intelligence etc.). Countries such as Great Britain, the United States and the Soviet Union carried out intelligence research, documenting issues such as recruitment, running methodologies, intelligence analysis, as well as teaching the subject in intelligence schools and academies [9].

Gathering and running intelligence officers acting as HUMINT personnel usually involves two streams of operatives. There are the ones who act under diplomatic cover, enjoying diplomatic immunity, with sometimes mitigating the inherent risks of intelligence work. The other group includes HUMINT personnel who act covertly and without immunity, usually using false identities such as businessmen, tourists, and professional experts. The so-called HUMINT Officers are usually subjects for a few years of professional, theoretical and practical instruction, they specialise in subjects such as encoding and deciphering techniques, manipulation strategies, fabricating identities and impersonating skills, overt and covered investigation methodologies, etc. [10].

Collecting HUMINT intelligence requires a great deal of time and resources for creating assets, running them, analysing the intelligence information, etc. There is no doubt that the HUMINT use of intelligence production requires financial expenditure and a great deal of complex effort. The intelligence officers require learning foreign languages, assets detection techniques, surveillance and surveillance avoidance abilities, recruitment skills, weaponry skills, etc. [11]. Proportionally to the high  training cost of a HUMINT professional, intelligence organizations evaluates Humint intelligence gathering product, as a higher-level of quality, than most technological intelligence gathering, including cyber intelligence [12].

 “Social engineering” as a HUMINT replacement?

In cybersecurity terms, we find that “social engineering” often replaces HUMINT as a concept. “Social engineering” is a term encompassing random methodologies related to the exploitation of qualities, weaknesses and inbuilt biases in human thinking patterns.

The “older generations of cyber criminals, known as hackers, were mostly motivated by fame, peer recognition and a desire to learn more and test the limits. [13]” At the end of the 1990s hackers began “taking more and more advantage of the criminal opportunities that the Internet provides. This is reflected in a recent research which shows that criminals now use the cyberspace to commit bank fraud, extortion through denial- of-service attacks, intellectual property fraud as well as identity fraud [14]“, In many cases, hackers are working in groups, when members of the group do not know each other personally.

We can find “social engineering” used mainly in the short term decision making process spectrum. The main purpose is to allow its users (frequently hackers) to bypass technologies and security mechanisms in order to obtain key information or privileges. Often, the main purpose of “social engineering” is to obtain password and access data to secured systems. “Social engineering” routinely exploits the inbuilt human tendency to trust others, especially when the other is conceived of as likable, authoritative or professional. The need for social conformity stands at the basis of “social engineering” attack methodologies.

Often before they attack, “hackers rely on social engineering attacks to bypass technical controls by focusing on the human factors. Social engineers often exploit the natural tendency people have toward trusting others who seem likeable or credible, deferring to authority or need to acquiesce to social conformity”[15].

The use of “social engineering” techniques allows the attacker to bypass technological control systems by attacking the human factor. Data gathering, while watching computer or mobile users in the public domain, impersonation, persuasion, insertion of Trojan horses are just some of the approaches used by “social engineers”. “Social engineering” relies on techniques detached from the computer world, such as garbage can scan and actual physical stealing. “Social engineering” requires a great deal of skills in the telecommunications and an ability for improvisation and quick thinking. Having said that, scanning the last twenty years, we could not find an organized methodology of “social engineering” based on empiric findings or documented experience, presented in a way similar to what national intelligence organizations have done with the concept of HUMINT [16].

Practicing “social engineering” often depends on the user’s personal abilities, and as such, is closer to an art form than to a discipline. Regarding professional intelligence activities such as source running, infiltration, manipulation, activities which are practiced both in “social engineering” and HUMINT mode of operation, there is a built in advantage in favour of HUMINT experts. When comparing the level and sustained skill of operational readiness, fake identity building, manipulation techniques, etc., I believe that the relative advantage turns to the side of HUMINT operators [17].

Many years of training and a rooted HUMINT organizational system support, allowing most HUMINT professionals, wider variety of skills and technologies, then most hackers practice “social engineering” methodologies. Many HUMINT success stories are understandably classified and even those which are public are regularly censored, omitting key details regarding the modus operandi, technologies and precise strategies used. It is hard to locate credible literature dealing with HUMINT, both academic or popular literature [18]. Often HUMINT literature is touched with disinformation for the obvious reason of safeguarding “secrets of the trade”. On the other hand, hackers using “social engineering” tactics habitually document and publish generous information regarding their work techniques, successes and even their victims. At this point we can mark one of the basic differences between HUMINT experts and those who deal with “social engineering”. The practice and experience of HUMINT experts support self-control, secrecy and professional ethics, at a much higher level than the standard, which is accepted by most “social engineering” users. However, it is important to remember that despite the lack of a structured methodology, hackers widely use psychological biases. These are reflected on the fact that the “individuals make themselves even more vulnerable to social engineering attacks by not expecting to ever be a victim of such an attack, and many will never know that they were a victim of such an attack. The majority of the public are not aware of this technique, and do not fully comprehend the extent to which these techniques obtain information, can be used, and the potential it holds for dire personal, economic and social consequences and losses for the individual and the institution [19]“.

 In the field of “social engineering”, there are some highly sophisticated experts, combining technological knowledge and a sharp understanding of psychological biases, which enables them to seriously compete against intelligence organizations. [20] These selected individuals are particularly careful regarding their anonymity and security, but they are exceptional in the hacking world. Most hackers do not operate with such outstanding talents and are further hobbled by having to act in an anomic or hostile social and professional space, without proper organizational backing.” There are many types of social engineering attacks, and the variety and scope of these attacks are limited by only one factor – the creativity of the attacker.

Social engineering attacks are effective because they target the weakest link of any organization – the people. A successful social engineering attack can bypass millions of dollars of investment in technical security to expose an organization’s critical information. [21] There are numerous types of social engineering attacks including but not limited to ”Trojan  and fishing  email messages, impersonation, persuasion, bribery, shoulder surfing, and dumpster diving”[22]. A large number of current cybersecurity personnel have learned to think and act within a constantly expanding and ever more complicated technological context, so it is only natural that their first tendency when responding to security threats should be focused on technological solutions. This is precisely why there is a palpable need for the integration of different, human-factor-focused thinking patterns and methodologies into their skill set [23].


Conclusion: “Cyber HUMINT”

It is possible that combining HUMINT traditional methodologies with the intuitive innovation at the heart of “social engineering” might move cyber defenders from an inert state of defence against oncoming attacks to the offensive into rival territory. Combining HUMINT and “social engineering” could in some cases locate potential intruders prior to the stage of developing full attack abilities, and in many cases prior to developing specific attackers intentions. The surveillance, recruiting, managing and manipulating human information sources as practiced in HUMINT, can become a significant advantage in the field of information security and cyber intelligence.  Although some intelligence organizations have already begun HUMINT experiments in cyberspace for targeting and running human sources and infiltrating terror and criminal cells, it is still not clear if there is any documented discipline, which is accumulated from the interactions between HUMINT officers and cyber operatives. One of the fundamental differences between the classical use of HUMINT and its implementation in cyberspace derives from the multiple levels of anonymity allowed by the Internet. This comes with significant advantages for HUMINT operatives and makes complex procedures in the field, such as “identity building”, disguise, etc., much easier; but it also requires new additions to existing methodology – e.g. cyberspace requires special adaptation periods both methodological and operational. In recent years, we have been able to observe professional cooperation between experienced HUMINT professionals and cyberwarriors, skilled in defence technologies and social engineering. The innovation proposed here is the development of a new direction, which I refer to as: “Cyber HUMINT”, the system, in which human-factor mainstays like false identity creation, recruiting, human sources, complex information manipulation, are exploited by cybersecurity and HUMINT experts together. The expected outcome, when given the necessary time and resources, is the creation of a human intelligence structure in the cyberworld. Such a structure can survey attackers from the stage of reconnaissance prior to their decision, up to launch of  an actual attack. One of the present deficits in cybersecurity is the lack of professional HUMINT analysts, whose experience can stretch the limits of information security. The added value of qualitative information gathered from human sources is the interplay between existing cyber technology and professional experience placed in the hands of HUMINT experts.


1. Andress, J. & Winterfeld, S. (2011). Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners. Boston, MA: Syngress.

2. Carr, J. (2011). Inside Cyber Warfare: Mapping the Cyber Underworld. Sebastopol, CA: O’Reilly Media Incorporated.

3.F. Barbhuiya, S. Biswas, N. Hubble, and S. Nandi, “A host based DES approach for detecting arp spoofing,” in Computational Intelligence in Cyber Security (CICS), 2011 IEEE Symposium on, April 2011

4. Hadnagy, Christopher, Social Engineering: The art of Human Hacking. Indianapolis, Indiana; Wiley Publishing Inc., 201

5. Lowenthal, Mark M. Intelligence: From Secrets to Policy. 5th Ed. Washington, DC: CQ Press, 2012.

6.M. Tavallaee, E. Bulgaria, W. Lu, and A. Ghorbani, “A detailed analysis of the odd cup 99, Computational Intelligence for Security and Defence Applications, 2009. CISDA 2009. IEEE Symposium on, July 2009

7. Margolis Gabriel,  The Lack of HUMINT: A Recurring Intelligence Problem,  Global Security Studies, Spring 2013, Volume 4, Issue 2

8.S. Yu and D. Dasgupta, “An effective network-based intrusion detection using conserved self pattern recognition algorithm augmented with near-deterministic detector generation,” in Computational Intelligence in Cyber Security (CICS), 2011 IEEE Symposium on, April 2011

9. Steele, Robert D. Advancing Strategic Thought Series, HUMAN INTELLIGENCE:



10. Wang, Q., W. T. Yue, and K. Hui. (2012) “Do Hacker Forums Contribute to Security Attacks?” Lecture Notes In Business Information Processing 108

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>