Author: Paul Curwell
Introduction
Employees are an organisation’s most important asset: they are what enables organisations to generate value, respond to opportunities and threats in the operating environment, and create a positive culture which attracts other would-be employees and potential customers. Employees are also crucial to security: when conditions are right, employees help build a positive security culture which enables management to quickly identify and respond to security threats.
In the same manner that security would not be necessary if people did not exist, a security program cannot be successful without the support and active participation of its employees. It goes without saying then that an employee who ‘goes rogue’ and becomes malicious (i.e. intends to do harm), or an employee who doesn’t care about their employer or its security practices (i.e. a complacent employee) can do real harm if approached by an external individual or group wishing to gain ‘inside access’ to the organisation and its assets.
What is the HUMINT cycle and who uses it?
Human Intelligence, or HUMINT, techniques are an example of the tactics typically deployed in this scenario to exploit human vulnerabilities. HUMINT refers to the collection of intelligence by humans – principally spies and agents using methods that involve 1:1 contact.
The HUMINT cycle involves four main steps (illustrated below). It might commence, for example, with a broad scan of all employees at an organisation, but it rapidly narrows down to one or more individuals with both (1) the access to the desired assets or information and (2) the personal characteristics or ideological sympathies which make them amenable to recruitment (see Sano, 2015).

Importantly, undertaking HUMINT and the use of HUMINT techniques is not limited to governments; it is also commonly employed in business by ‘competitive intelligence’ practitioners or ‘Private Intelligence Collectors’. ‘Private Intelligence Collectors’ and unscrupulous competitive intelligence professionals often use HUMINT techniques, as well as any other intelligence collection mediums in their toolbox, to collect confidential information that will either be sold to another party (such as the highest bidder) on commission, or which is collected under the paid instruction of the intended recipient.
For a classical HUMINT example, consider a woman who seduces a male chemist at a pharmaceutical company to provide, or facilitate access to, details of a new blockbuster drug compound under development by the pharmaceutical company (referred to in the trade as a ‘honey trap’). Other threat actors who use HUMINT techniques include organised crime groups, issue-motivated groups and terrorists.
How can the HUMINT cycle be leveraged for insider threats?
Once the HUMINT collector has identified (spotted) their target, they begin engaging with them to build rapport and develop a relationship. Importantly with HUMINT, it may not be necessary to actually recruit the target (or someone who has access to the ultimate target) in order to achieve the collector’s objective. In some instances, the required information can be obtained without the need for a formal and risky recruitment pitch.
It is particularly important to incorporate these learnings into any insider threat awareness training, as employees who are aware of the steps taken by HUMINT collectors are more likely to be alert to them, and to be able to seek help early. Examples of ways (vectors) in which HUMINT collectors might obtain the information they require include:
- Infiltration – getting an ‘agent’ or sympathiser of the HUMINT collector (or their cause) into the organisation through standard recruitment processes, as a contractor, or via a supplier
- Elicitation – refers to techniques used by HUMINT collectors to obtain information from a target without them knowing or realising it, which results in them volunteering the information rather than being asked directly
- Social engineering – involves the use of deception to manipulate someone into disclosing confidential information, either in a business or personal context
- Spear Phishing and Phishing scams – can involve the use of legitimate-looking emails (or even SMS messages, in the case of smishing) to introduce malware into an otherwise secure computer network, allowing later exfiltration of information from it. Unlike Phishing, which is more general, Spear Phishing is highly targeted and focused on an individual with access to the target, such as a senior executive
There are a variety of forums in which HUMINT collectors operate, including through ‘official’ or business events, and through personal social interaction. These might include:
- Conferences and trade shows
- Professional Associations
- Clubs and social associations
- Universities
- Social Media platforms
- Emails
- Unsolicited phone calls
When performing any insider threat or security-related risk assessment, organisations need to consider what their most critical assets are, who might be interested in them, and how they might obtain them (i.e. through what forums, mediums or platforms). Once this is thoroughly understood, awareness training and incident reporting mechanisms can be clearly established and targeted.
What can organisations do to manage this threat vector?
Complacency is a big driver of insider threat incidents, so it is critical that organisations develop a good security culture and that ‘at risk’ employees have a good understanding of the threats and tactics which may be used against them.
The regular use of security awareness training across the organisation as a whole, supported by targeted training for ‘at risk’ teams, is critical to ensuring these threats remain front of mind.
Staff in ‘at risk’ teams, as well as managers, should be familiar with insider threat behavioural indicators which can suggest an employee or contractor is experiencing some difficulty in their personal life, which might make them vulnerable to exploitation. Early identification of these problems, when raised properly (such as through employee wellbeing programs), might mitigate these risks.

Good security culture is also critical for organisations, ensuring employees understand why security is important, what the threats to their organisation may be, and what they can do to help protect their organisation. For employees to play their part, they often also need to feel trusted and engaged with their employer; otherwise complacency may set in and potential threats may be selectively ignored.

The preceding paragraphs focus on what organisations can do to mitigate insider threats once individuals are already in the organisation (i.e. employed or contracted); however, equally important is the use of employment screening (‘background investigations’ or ‘background checks’) to prevent individuals with vulnerabilities or unwanted character traits joining the organisation in the first place. Any discussion of background checks is an article in itself and will be addressed in a future post; however, readers who want more detail (including a model process) can read the chapter on ‘due diligence’ in my recent book co-authored with Oliver May.
Further Reading
Sano, J. (2015). The Changing Shape of HUMINT, AFIO’s Intelligencer Journal, Vol. 21, No. 3, Fall/Winter 2015. www.afio.com