5 Strategies to Hit ISIS Where It Hurts
1) Use cyber technology to perform open-source intelligence gathering.
· Open-source intelligence is a form of intelligence collection that involves finding, selecting, and acquiring information from publicly available sources and then analyzing it to produce actionable intelligence.
· Hackers need to stay on the lookout for Internet-based discussions, posts, and other bits of open-source intelligence that may be of impact to the organization that they are protecting. These hackers can take a variety of actions based on the nature of the intelligence gathered. There are many small, innovative companies that are building technologies like this.
· To facilitate this kind of intelligence gathering, hackers will create tools, like an application, that allows them to search the Internet for sites and content of interest. This kind of tool could enable targeted searching on common sites like Google, Facebook, Twitter, LinkedIn, dating sites, and many others. An aggregate of the intelligence gathered, on an individual, group, or other entities could help fill in gaps and create links that allow analysts to better understand fragmented intelligence, rumored terrorist plans, possible means of attack, and potential targets.
· In light of the recent news that one of the attackers in San Bernardino pledged allegiance to ISIS via Facebook[1], this kind of intelligence gathering could have provided some proactive insights into the attacks and shown potential signs of self-radicalization. Considering that Syed Farook and Tashfeen Malik met online, their dating site profiles would also provide substantial insights into their personal lives[2].
2) Learn from their operations security (OPSEC) manual and their mistakes.
- The OPSEC manual used by ISIS[1] provides advice to jihadists on how to keep communications and location data private. It reads like a hacker’s paranoid privacy blog, recommending the use of applications and services like the Onion Router (Tor) for anonymous web browsing, the RedPhone and Signal applications for encryption phone communications, and Gmail, via Tor or a virtual private network (VPN) for email.
- Pressure social media and messaging companies, like Twitter, Facebook, and Telegram, to take a more proactive and firm stance on taking down ISIS accounts and materials. The CEO of Telegram admitted to being aware of ISIS members using his app but waited until after the attacks in Paris to suspend their accounts[2].
- Recent reports indicate that the San Bernardino attackers, Syed Farook and Tashfeen Malik, took steps to clean up digital breadcrumbs and footprints before launching their attack[3]. Judging from the deleted email accounts, disposed hard drives, and hammer-smashed cell phones, it seems that the Farook and Malik were given advice on how to cover their tracks[4], most likely from cyber-conscious jihadists or sympathizers.
- Although encryption technologies are being blamed for enabling the terrorists to keep their plans secret from law enforcement, it was actually unencrypted data on a cellphone that made it possible for investigators to locate the safe house where an hours-long shootout with suspects took place in the Parisian suburbs. In fact, many of the photos and videos displayed in the news of Abdelhamid Abaaoud, the suspected organizer of the Paris attacks, were not encrypted [3].
3) Encourage social media companies to have a whistleblowing capability.
· Jihadists use social media sites like Facebook and Twitter for a large amount of their public communications before going dark. Instituting a method of communication that allows people who see symptoms of terrorist activities to report them in a confidential manner would substantially limit the ability of jihadists and other terrorists to conduct public communications, which is required prior to going dark.
· A crowdsourcing-based, terrorism-prevention scheme like this would empower social media users to take a community-driven approach to the “see something, say something” philosophy.
· Recent research indicates that people are willing to share terrorism and crime-related information, usually motivated by a desire to contribute to the safety of their community[5].
4) Take advantage of independent ethical hackers.
- Anonymous declared war against ISIS, resulting in ISIS sympathizers distributing a warning message to the jihadists via Telegram. There are other hackers targeting ISIS as well[4]. Not only are these groups nimble, adaptable, and quick, but they have managed to get the attention of ISIS. Identify ways to utilize their capabilities to our advantage.
- Many of the hacker groups joining the cyber war against ISIS have former intelligence, government and military expertise. They know how to protect their anonymity while on the Internet and how to navigate the Dark Web. In fact, they use the same encryption services and tools employed by ISIS; however, many of them have intimate knowledge of the technologies and covert capabilities due to their previous experiences.
- These highly effective groups will use unorthodox tactics such as infiltrating messaging channels, via WhatsApp[5], Telegram[6], and Signal to disrupt communications, cracking into PayPal accounts that fund ISIS activities, and releasing data identifying ISIS members and supporters. Their elusive and decentralized methods enable them to deliver a blow that governments are not able to.
5) Even jihadists can be socially engineered by hackers.
- Junaid Hussain, the suspected leading member of the CyberCaliphate and skilled hacker connected to ISIS, was killed earlier this year by a U.S. drone attack [7]. British and US intelligence identified his location after getting him to click a malicious link sent via an encrypted messenger app[8].
- The ISIS OPSEC manual and underground jihadi web sites warn jihadists about being socially engineered by hackers and consider it an effective threat. According to these underground sites, ISIS members are vulnerable to being duped into downloading Trojan software made to look like the encryption software used for communications. Also, they are vulnerable to opening phishing emails, appearing to contain links to news articles but actually being links to malicious software. There are also reports of members being susceptible to clicking on malicious PDF documents because they have enticing names, like moving the Paris plans, that when opened installs a remote administration tool which can be used to take total control of the system.
- Hacking humans is still the most highly effective way to gain access into a system, even if it belongs to a terrorist group. For example, when analyzing an organization, our team searches for individuals that could serve as potential targets for a spear phishing campaign. We investigate the targets online and aggregate personal information that they share on the Internet. Once you know what topics trigger the person’s interest, it is simple to craft a strategy that uses malicious software. Once the malicious code is delivered, it can be used in a multitude of ways and can lurk within the target’s computer for years. Most major cyber breaches include some element of social engineering. Social engineering works because it takes advantage of the weakest link of the Internet – the human element[9].
[1] http://www.wired.com/wp-content/uploads/2015/11/ISIS-OPSEC-Guide.pdf
[2] http://money.cnn.com/2015/11/18/technology/telegram-isis-shutdown/
[3] https://theintercept.com/2015/11/18/signs-point-to-unencrypted-communications-between-terror-suspects/
[4] http://money.cnn.com/2015/11/20/technology/isis-ghost-security-group/index.html
[5] WhatsApp is a cross-platform mobile messaging app that allows you to exchange messages without having to pay for SMS. Communication between the user’s mobile phone and the WhatsApp servers is encrypted. However, the messages can be read by WhatsApp.
[6] Telegram is a cloud-based mobile app that focuses on security and speed. It uses multiple layers of encryption to ensure that no one other than you and the intended recipients can read your messages. In fact, Telegram hosts a competition, giving $300,000 to hackers if they are able to hack the encryption.
[7] http://www.wsj.com/articles/hacker-killed-by-drone-was-secret-weapon-1440718560
[8] http://www.birminghammail.co.uk/news/midlands-news/isis-terrorist-junaid-hussain-killed-10069425
[9] http://www.thealphapages.com/content/how-to-hack-any-organization-by-understanding-the-weakest-link-the-human-el
[1] http://www.cnn.com/2015/12/04/us/san-bernardino-shooting/index.html
[2] http://www.bustle.com/articles/127513-9-revealing-details-about-syed-farook-from-his-online-dating-profiles-give-a-closer-look-into
[3] http://www.breitbart.com/big-government/2015/12/04/san-bernardino-jihadis-cleared-online-trail-attack/
[4] http://www.breitbart.com/big-government/2015/12/04/san-bernardino-jihadis-cleared-online-trail-attack/
[5] http://cocoa.ethz.ch/downloads/2015/09/2168_UbiComp_WMSC_15_final.pdf
On Friday, November 13th, the Islamic State also referred to as ISIS, carried out a series of near-simulataneous attacks in Paris, France, resulting in at least 129 dead and 350 wounded[1]. The "act of war" implemented by eight gunmen and suicide bombers has left the world in a state of shock and solidarité (French for solidarity)[2]. The targets included bars, restaurants, a concert, and a high-profile soccer match.
In response, the French police arrested seven people, put heavy alert on borders, and initiated an international investigation. France has declared a state of emergency and broadened police powers for the first time since the 2005 riots on the outskirts of the city. Well recognized landmarks, like the Eiffel Tower and the Louvre were closed. This tragic event has signaled to the rest of the world that the Islamic State is expanding its reach far beyond the Middle Eastern battlefields, prompting substantial increases in physical security.
After claiming credit for the deadly attacks in Paris, the Islamic State suggested that the targeted locations were accurately chosen and threatened that this was the "first of the storm"[3]. The attacks in Paris show that the Islamic State is thinking in a decentralized, non-hierarchical fashion, similar to that of hackers. It seems chaotic and unorganized but was highly coordinated, requiring months of planning and training.
The Islamic State: An Organization that Values Hacking
Al Qaeda was the first major jihadist network to understand the true value of using the Internet to further its agenda. Today, the Islamic State uses the Internet and social networking platforms to overtly market their activities and distribute their information materials, especially via mainstream platforms like Twitter, Facebook, and YouTube.
But like malicious hackers, for potential new recruits and active members, concealing their identity and location is a priority. Most Islamic State members and recruits are tech-savvy and know how to write code - many of them are hackers.
The New York Times is reporting that the Islamic State picked up a few vital spycraft techniques from the NSA classified documents leaked by Edward Snowden[4]. Although these claims cannot be verified, it isn’t far-fetched. To minimize risk exposure, commanders within ISIS now use human couriers and specialized encrypted channels, similar to that of the NSA, which makes intercepting their correspondence harder to access.
Most of the digital caliphate's business is conducted online, from recruiting to battlefield strategy and implementation. As suggested by Abdel Bari Atwan (2015)[5], most people in or attracted to the Islamic State are in their late teens and early twenties. They have made it a point of recruiting IT specialists and people with online marketing expertise. As a result, it's important for Western intelligence communities to understand the mindset of these hackers.
The Islamic State's recruiting is largely done online. One effective method is interjecting their message into Twitter hashtag storms and including links to their materials via anonymous text sharing platforms like Justpaste.it. They also make use of instant messaging apps like Telegram messenger (an encrypted messenger), Kik and WhatsApp. Skype is another favorite means of communication because it allows real-time dialogue between recruiters and potential recruits. Secret discussions, especially via encrypted channels are extremely difficult for parents and the authorities to police, which makes them the perfect recruiting instruments. These channels combined with their use of the Dark Web make it complicated for the Intelligence services and policing agencies to cover all of their correspondence - each of which could include plans for another attack like the one in Paris.
Here are a few thoughts on how the Intelligence services and policing agencies will respond to the Islamic State attacks in Paris [from a cyber perspective]:
1) Knowing the Enemy: Immediate strategy should include seeking to understand the culture and mindset that drives the adversary. In the case of the Islamic State, it’s the hacker culture and mindset. An effective strategy will include monitoring the various channels of covert communications which they employ. An important element of the hacker culture and mindset is mastery and command-and-control. Going forward, Intelligence services and policing will monitor and collect information from various communication channels and social media platforms being heavily used by the Islamic State.
2) Segmenting the Forces: The critical elements of cyber war, in addition to technical and political capabilities, are adaptability and speed. The ability to move and make decisions faster than the adversary is key. To do this effectively, Intelligence services and policing agencies should seek support from trustworthy ethical hackers to break their efforts into independent groups that can operate on their own. This helps make their efforts elusive and less centralized.
3) Hitting Them Where It Hurts: All groups have a source of power on which they depend. For the Islamic State, Intelligence services and policing groups will look below the surface for their center of gravity, which is the use of technology for information dissemination and recruitment. They will look for ways to perform monitoring functions, intercept important planning communications and instructions, analyze distributed ISIS information, and perform disruptive activities. They depend on these things for fluent breathing and maintenance of life, outside of extortion and selling oil. Much of the focus will be on disrupting their breathing.
4) Gaining Insights from the Inside: All government agencies involved, especially Intelligence services, will take advantage of any human intelligence that they can gain from sources within or close to the Islamic State. These could include people who were arrested or unknowingly being monitored which could lead to new arrests and new information.
5) Building Predictive Models: Shortly after an event like this, once the first suspects are identified, Intelligence services and policing agencies will begin performing link analysis and data mining with the intent of identifying patterns in human behavior and gaining analytical insights into the Islamic State’s next moves. Performing this kind of analysis can sometimes start with a small piece of information that can be acquired from computers, smart phones, and other devices potentially used during the planning. This analysis will play a large role in strategic and tactical plans.
[1] http://www.bbc.com/news/world-europe-34820016
[2] http://www.elle.com/culture/career-politics/a31901/solidarite-the-world-pays-tribute-to-paris/
[3] https://ent.siteintelgroup.com/Statements/is-claims-paris-attacks-warns-operation-is-first-of-the-storm.html
[4] http://www.nytimes.com/2015/07/21/world/middleeast/isis-strategies-include-lines-of-succession-and-deadly-ring-tones.html?hp&action=click&pgtype=Homepage&module=first-column-region®ion=top-news&WT.nav=top-news
[5] http://www.amazon.com/Islamic-State-The-Digital-Caliphate/dp/0863561950