The Nexus Analyst: Understanding your Customer’s Requirements

Nexus is ‘an important connection between the parts of a system’, according to the dictionary. In an intelligence environment, OSINT has the same function. Another example of how OSINT can provide important leads for HUMINT and SIGINT in Afghanistan.

Open Source Intelligence (OSINT) is all about perseverance and following bread crumbs that lead to key findings. To be honest, you won’t always find the smoking gun and in some cases you might miss it. That’s one thing I have learned: No matter how hard you look, you are always likely to miss out on something. That is why the OSINT community on Twitter is so important. New tools and techniques are shared there and help broaden your own set of skills on a daily basis. Another important lesson, is to always have clearly defined objectives, the so-called Key Intelligence Questions (KIQ), when conducting OSINT research. What specifically is your intelligence customer asking for? This means you have to understand the ultimate goal and your customer’s mindset to a certain extent.

My concept called Interdisciplinary Intelligence Preparation of Operations (I2PO) relies on OSINT to support other intelligence collection types (ICT), such as Signals Intelligence (SIGINT) or Human Intelligence (HUMINT), and vice versa. Therefore, the OSINT analyst must understand the specific requirements for each ICT. If you deliver a phone number or email address to a HUMINTer, he might give you puzzled looks. Again, I would like to demonstrate my point with an OSINT case that might easily happen this way in military intelligence and intelligence services. In a previous blog post, we had HUMINT information as a starting point for OSINT. This time, we have a couple of Key Intelligence Questions.

Imagine we are forward deployed OSINT analysts in Afghanistan. We not only provide information on the general situation in our area of operations, but also support the adjacent HUMINT and SIGINT teams. Our HUMINTers want to know a little more about the family ties of their intelligence targets and the networks surrounding these people (KIQ 1). The SIGINTer just needs some selectors such as phone number and email addresses, which he could task in his SIGINT systems (KIQ 2). One of the intelligence targets happens to be Mohammad Atta Noor, a key power broker in Northern Afghanistan.

We start out with a simple Google search and we soon find an interesting site containing bios of Afghan VIPs: afghan.bios.info. The entry on Mohammad Atta Noor is quite detailed and also reveals the name of one his sons, Tariq Noor.

Next up we conduct a Google search on Tariq Noor in combination with the name of his father. This leads us to Tariq’s Twitter account, where he is pictured together with his father.

1.png

Twitter also suggests further accounts to follow, one of them being Khalid Noor. It turns out that this is another son of Mohammad Atta Noor.

2.png

So far, we have names and pictures of two sons. Knowing that Mohammad Atta Noor has even more children, we could continue our search and identify the other children, while trying to obtain pictures and more data on them. However, let us focus on Tariq and Khalid first. As their father is a successful businessman, it is likely that his sons have businesses of their own, or are maybe even connected to their father’s companies.

To check this, we again have a look at the Afghan company register (www.acbrip.gov.af). Since we cannot search for individuals here, we assume that Tariq and Khalid have companies named after themselves. This search within the Afghan company register produces good results. The first result when looking for Khalid Noor even gives us the phone number of Mohammad Atta Noor and a bit of his family history with the names of Mohammad Atta Noor’s father and grandfather.

3

Mohammad Atta Noor is the president of the Khalid Noor LTD and states his father’s name is Haji Noor Mohammad and his grandfather’s name is Mirza Mohammad Gul. In Arabic and Central Asian countries, this information is valuable when distinguishing same-named persons. A look into the shareholders of this company reveal not only that Khalid is a shareholder, but also mentions other business partners (and their family history, as well as phone numbers). All this information helps build a network chart including the relevant family ties. This is the information our HUMINT team was looking for (KIQ 1). Of course, the phone numbers answer the Key Intelligence Question our SIGINT Team had (KIQ 2). A query for Tariq Noor produces similar results, including phone numbers of Tariq and his business partners.

4

All in all, following OSINT bread crumbs led to amazing key findings. Now this information can be used for HUMINT operations, when trying to infiltrate the networks around Mohammad Atta Noor and, as mentioned, also to task SIGINT operations. A perfect example of I2PO!

In conclusion, this way to work makes me refer to an OSINT analyst within military and intelligence services as a ‘Nexus Analyst’, an analyst in between ICTs. Someone that knows what HUMINT or SIGINT really need to conduct their missions successfully and who takes this into account when browsing the web.

Matthias Wilson / 28.11.2018

I2PO – From HUMINT to OSINT to SIGINT

Sometimes even seemingly irrelevant information leads to key findings. In this case, the mere existence of a company led to unraveling the phone number of the son of Afghan Vice President Abdul Rashid Dostum.

Interdisciplinary Intelligence Preparation of Operations, I2PO, is a concept on combining the different types of intelligence collection to achieve the best results. In the following example, I will demonstrate a perfect case of an intelligence workflow that starts with Human Intelligence (HUMINT), utilizes Open Source Intelligence (OSINT) and lastly provides leads for Signals Intelligence (SIGINT).

Imagine you are part of a SIGINT team, dedicated to Afghan politics. While reading some HUMINT reporting, you come across a report regarding Batur Dostum, the son of the Vice President of Afghanistan, Abdul Rashid Dostum. The report informs about Batur’s businesses in Northern Afghanistan. One of the businesses mentioned is Batur Mustafa LTD.

This provides a starting point for OSINT research. While googling this company will not produce any notable results, a query within in the Afghan Central Business Registry (ACBR) might lead to some useful information. Luckily, the database in is English, so we will not have to use any translation tools. The ACBR database does not enable you to search for individuals, but we have the company name.

1

The result of this query gives us plenty of relevant data. Not only do we receive information on the company itself, but also on its shareholders and their personal data. This includes names, father names, phone numbers and residencies.

2

This is our target! Batur Dostum, the son of Abdul Rashid Dostum. He owns 50% of the company shares and his phone number is listed. The next step would be to task his phone number in our SIGINT collection. While we are at it, we should also task the phone number of the other shareholder and vice president of the company.

3

It is highly likely that this phone number might also produce decent SIGINT results.

As you can see, a piece of information that might seem irrelevant to start with led to a key finding and the possibility to enable further intelligence operations.

Matthias Wilson / 19.11.2018

Harvesting Intel on India’s Nuclear Command – When OSINT meets SIGINT

Using OSINT to enable SIGINT. Imagine you are a SIGINT analyst keeping track of India’s nuclear forces. Luckily, you have some OSINT skills, which enable you to find selectors related to the former commander-in-chief of these forces. This could be a door opener to the current leadership…

So far, I have written short posts on how OSINT can support military decision makers as well as being a vital part of HUMINT operations. The key statement is that each intelligence collection type (ICT) requires a certain amount of OSINT to successfully prepare and conduct operations. This is a concept I call ‘Interdisciplinary Intelligence Preparation of Operations’, in short: I2PO.

One of the most secretive ICTs is Signals Intelligence (SIGINT). In many cases SIGINT services or SIGINT branches within services are isolated from other ICTs, thus making a cooperation between them challenging. This is one reason why SIGINT should incorporate dedicated OSINT capabilities, especially when doing preparatory research on new target areas or specific target decks.  On the one hand, OSINT could provide general information on the telecommunications infrastructure of a target area and on the other hand, OSINT could actually provide valuable selectors to task.

There are many different ways on how to support SIGINT with OSINT using the vast variety of OSINT tools and skills. In the following example, I would like to point out how to acquire additional selectors for a certain target deck.

Let us assume we are SIGINT analysts working on the India target desk, specifically the desk tasked with conducting SIGINT against India’s nuclear forces. A country’s nuclear forces are among the most highly protected and secretive assets. Finding SIGINT leads and selectors to gather credible information is an almost impossible task in this context. I assume the direct communication of these forces is secure and hardened. As a result, collecting official military communications from their dedicated channels can be ruled out. What other chances do we have to gather intelligence on our target?

SIGINT, as all other ICTs, feeds off mistakes that our targets make. If people were OPSEC-aware, we would not find so much information on the internet, HUMINT sources would not be so talkative and eavesdropping in on communications would not reveal that much. With this in mind, let us find a hands-on, doable approach towards our target. Sometimes people use non-secure communications to transmit confidential information. Our targets might do the same. So our first step would be to identify targets and their non-official selectors, hoping these could be tasked and provide valuable intelligence.

Unfortunately, none of the current leadership of India’s nuclear forces, the Strategic Forces Command (SFC), is overt enough to provide us with additional non-official selectors. To start, we look at the former leadership, expecting that they might still be in contact with some of the current administration. Press reporting indicates that the previous commander in chief of the SFC, Lieutenant General Amit Sharma, handed over his command in July 2016. This is close enough for us to assume that General Sharma will still occasionally get in touch with his former comrades.

Next up is an extensive Google search on General Sharma. As a high-ranking former member of the military, he might have directorships or board memberships in civilian companies. In our case he does not, so searches in company databases remain negative.

One of my favorite Google dorks is ‘filetype’, specifically looking for PDFs or PPTs. PDFs and PPTs often contain a lot of information, which helps give an overview of the target and sometimes provides leads for further research.

india google results

This search results in several hits, mainly being studies and conferences in which General Sharma participated. However, the first hit is actually the gold nugget we have been looking for. In India, the Department of Public Enterprises hosts a database containing former CEOs, directors and government officials; including short résumés.

Let’s have a look a General Sharma’s résumé:

bio data

Now we have a private email address and a mobile phone number belonging to General Sharma. These two selectors are tasked and a metadata analysis is conducted on both. Maybe he is in contact with his old comrades in the Strategic Forces Command. This is the door opener we needed to successfully approach our goal. We can also look up the address, which seems to be his home address. Sometimes this will also lead to further selectors.

I also hope that General Sharma did not use Dropbox to save the nuclear launch codes. Haveibeenpwnd lists his email and password as one of those hacked in the Dropbox data leak mid-2012.

As this examples shows, it is essential for SIGINT analysts to include OSINT research into their daily workflow.

Disclaimer: Although the data shown is real, the complete scenario described here is fictional. I have no idea if this information is known or used by intelligence services, nor do I have any insight on the assumption that India’s Strategic Forces Command is an intelligence target.

Matthias Wilson / 08.10.2018

I2PO: OSINT in Support of HUMINT Operations

In a previous post I explained a concept I named ‘Interdisciplinary Intelligence Preparation of Operations’ and how this could be used to support military operations.

This post will concentrate on the use of OSINT to prepare and monitor HUMINT operations. I will not distinguish between military intelligence HUMINT and sources used by law enforcement agencies or journalists. In both cases, getting access to a source and the preparatory work needed for this are quite similar. Each HUMINT operation starts with the identification and selection of a potential source, thus finding someone in vicinity of our actual intelligence target, who is able to consistently report key intelligence. In the past, even the acquisition of a source was accomplished by HUMINT means. A case officer heard or knew of someone who might have access to specific information and he then talked his way around to finally approach the potential source.

With more and more information being available online, especially through social networks, this approach can be done virtually in some cases. Scavenging Facebook, VKontakte, Instagram, but also LinkedIn and Xing can prove very valuable when searching for potential sources. Of course, this always depends on how outgoing a potential source is on the internet. Sometimes an approach solely through social media could be sufficient, at other times this will not produce any results at all.

The following diagram in theory depicts the steps for OSINT support to a HUMINT case. This scheme is roughly based on the general intelligence cycle with its different stages. We have planning & preparation, collection, processing and evaluation and lastly dissemination covered. In our case the information will be disseminated to the HUMINT operation, which itself will start the whole intelligence cycle over again.

HUMINT-OSINT-Intel-Cycle

For a better understanding, I have created a fictive case (well, some of it is true…). Let us assume we are part of police special commission in Hamburg focused on the Albanian mafia. The recent shooting of an Albanian national and member of the local Hells Angels, with ties to the Albanian mafia, caused an upstir among different mafia groups operating in the area. So far, no information has emerged on the background of the shooting and existing police sources struggle to provide any intelligence on this topic. The Key Intelligence Questions (KIQ) are ‘What are the current activities of the Albanian mafia in Hamburg?’ and ‘Are there signs of an uprising conflict between different mafia groups?’

Therefore, our special commission has decided to attempt to win additional sources within this network of mafia groups. The higher leadership in a mafia network will not easily cooperate, so someone on the perimeter, with insight into the core, has to be found. Instead of the traditional approach on the streets, we will use OSINT to pave the way ahead of any physical approach.

This leaves us with our initial intelligence objective: Recruiting a HUMINT source within this network to answer the KIQs. Before we start our hunt for sources there are a couple of things we need to know. Who are the key players, do they have nicknames? We should have in-depth knowledge about our targets, e.g. is there target-specific behavior or a specific language used? Having this information gives us a baseline, which we can use to start our OSINT research. Our first step is to identify the known key players and their online profiles. Luckily, most of them are active on Facebook and Instagram and they like showing off their flamboyant life style. Clubbing, exotic cars, girls and champagne seem to be a vital part of the thug life in Hamburg.

Hamburg-Network

This chart depicts the results of the OSINT research on the core network of Albanian mafia in Hamburg, as it is visible on Facebook and Instagram. Now that we have found our potential intelligence targets online, we can survey their activities and figure out who is linked to them. There are many people surrounding this core network, so how can we identify someone who might be worth recruiting as a HUMINT source?

While reading comments to the pictures that these guys post, we stumble upon an individual who constantly idolizes the mafia leadership and their henchman und who frequently asks when he will be a part of ‘the inner circle’. ‘Soon’ is the most common reply and over the course of time he seems to get annoyed. Furthermore, a quick check in police databases reveals that he was registered  on minor crimes and was not yet linked to the Albanian mafia. Let us draw a quick conclusion: We have a person with a criminal record, who has contact to senior leadership of the Albanian mafia and is increasingly aggravated on the fact that he is not fully accepted in the organization yet. That sounds like a promising HUMINT source to me!

Keep in mind that this whole procedure, especially the actual HUMINT work done afterwards, takes time. No quick success will come from this. Once we have acquired the source and he is reporting from within the network, our OSINT work does not stop. Now is the time to evaluate the HUMINT information with OSINT. As we have already seen, our targets are very active on social media and this also applies to our source. If our source tells us he had met with one of the bosses on a specific date or time, it could be validated through a Facebook or Instagram post.

One day our source tells us, that in the aftermath of the shooting, the Albanian mafia leadership had met with Chechen mafia leadership the previous evening. At first, this seems unbelievable, as we had assumed that these two groups were currently opposed to each other. One of the Albanian leaders posted about this the following day on Facebook:

Hamburg-Meeting

This picture not only shows the Captains of the Albanian mafia, but also senior leadership of the Chechen mafia and our HUMINT source. We now know the meeting took place and we have the statement of our source on the topics of the meeting. It is vital that the source does not know we are tracking him and others on social media. We would not want any of this to be staged to back his statements and purposely give us false leads.

This short and fictive case shows how to use OSINT to enable HUMINT and to support HUMINT while an operation is ongoing. Of course, these techniques could also be applied by military HUMINT as well as journalists, as long as the targets and the potential sources are able to be located online.

OSINT supporting HUMINT: Another example of ‘Interdisciplinary Intelligence Preparation of Operations’, I2PO in short.

Matthias Wilson / 03.09.2018

Strava als Ermittlungstool

Strava, ein Soziales Netzwerk zum Tracking sportlicher Aktivitäten mittels Wearables,  war in der Vergangenheit in Verruf geraten, weil aus seiner Globalen Heatmap anhand der aggregierten Aktivitäten der Nutzer unzählige militärische Basen, Patrouillenwege sowie geheime Einrichtungen diverser Nachrichtendienste abgelesen werden konnten. In die Heatmap hineingezoomt, gelangte man sogar zu den Profilen der einzelnen Sportler. OPSEC sieht anders aus.

Der Aufschrei war groß, etliche Militärs erwogen kurzerhand ein generelles Verbot der Fitness-Tracker. Strava reagierte umgehend, aktualisierte die Heatmap und verpflichtete sich, „die Privatsphäre unserer Sportler zu respektieren und eventuelle Bedenken bezüglich der Sensibilität einzelner Informationen zu adressieren“.

Doch auch nach der Aktualisierung der Heatmap, lassen sich aus den von Strava veröffentlichten Daten sensible Informationen gewinnen. Strava selbst weist auf seiner Webseite explizit darauf hin, dass trotz eingeschalteter Erweiterter Privatsphäre „Aktivitäten immer noch an öffentlichen Orten wie dem Flyby, Gruppenaktivitäten und in Segmenten sowie in öffentlichen Clubs und Herausforderungs-Bestenlisten sichtbar sind.“ Im Klartext heißt das, über die Segmentbestenlisten gelangt man zu den Namen und Profilen der einzelnen Sportler.

Wie lässt sich diese Erkenntnis nun für Ermittlungen verwenden?

Stellen wir uns folgendes Szenario vor: Am sogenannten Amphibientümpel im Forstenrieder Park südwestlich von München wird am 18.07.2017 eine unbekannte Männerleiche gefunden. Anhand der gefundenen Spuren lässt sich mit Sicherheit sagen, dass das Opfer am späteren Fundort getötet wurde. Durch die Obduktion kann der Tatzeitraum relativ genau eingegrenzt werden: am späten Nachmittag des 16.07.2017.

Der Forstenrieder Park ist bei Sportlern äußerst beliebt. Tagtäglich sind Dutzende Läufer, Wanderer und Radfahrer auf dem Waldweg, neben dem die Leiche gefunden wurde, unterwegs. Möglicherweise hat einer von ihnen am Tattag etwas Auffälliges beobachtet?

strava1

Die in OSINT geschulten Ermittler prüfen unter anderem auf Strava, ob der besagte Waldweg ein Lauf-Segment ist. Und tatsächlich wurden auf dem Segment am ermittelten Tattag zwei Bestleistungen erzielt. Über die Bestenliste gelangen die Ermittler zu den vollständigen Namen der Sportler und darüber zu den Nutzerprofilen inkl. Profilbildern.

strava2

Einer der beiden Sportler hat die Erweiterte Privatsphäre aktiviert, so dass man seine Aktivitäten auf seiner Profilseite nicht einsehen kann, wenn man ihm nicht folgt. Dazu müsste der Nutzer seine Erlaubnis geben.

Der andere Sportler dagegen hat alle Informationen öffentlich gemacht. Er nutzt Strava schließlich, um sich mit anderen Sportlern zu messen. Die Ermittler können sich durch seine Aktivitäten klicken und sehen, dass er den Lauf, bei dem er auf dem Segment die Bestzeit aufgestellt hat, um 16:59 Uhr startete. Er war zum vermuteten Tatzeitpunkt also ganz in der Nähe des Tatorts.

strava3

Dank der Klarnamen ist es den Ermittlern ein Leichtes, den Sportler ausfindig zu machen. Sie kontaktieren ihn umgehend und bitten ihn um Mithilfe bei der Aufklärung des Verbrechens. Der Läufer hatte von dem Fund der Leiche noch gar nichts mitbekommen. Aber er erinnert sich, dass ihm bei seinem Lauf etwas aufgefallen war: In unmittelbarer Nähe des Amphibientümpels, halb zwischen den Bäumen, hatte ein Kleintransporter eines örtlichen Handwerksbetriebs gestanden. Das war ihm zwar merkwürdig vorgekommen, er hatte der Beobachtung aber keine weitere Bedeutung beigemessen. Doch dieser Hinweis führte schlussendlich zur Ergreifung des Täters.

Die Quintessenz: OSINT sollte integraler Bestandteil aller Ermittlungen sein. Im vorliegenden Fall konnte durch OSINT-Methoden ein Zeuge ermittelt werden, der die entscheidenden Hinweise zur Aufklärung des Gewaltverbrechens lieferte. Dazu bedarf es aber versierter Ermittler…

Sebastian Schramm / 24.08.2018

Interdisciplinary Intelligence Preparation of Operations – (I2PO)

Whether you are

  • a HUMINT case officer in military intelligence,
  • a detective in the police force,
  • a SIGINT analyst in an intelligence service,
  • an investigator supporting or conducting due diligence businesses cases,
  • or a journalist researching for a new article,

you should have extensive knowledge of OSINT techniques.

Now why should these roles, especially the HUMINTer or SIGINTer, be proficient at OSINT? The following article will explain a concept of work that I call ‘Interdisciplinary Intelligence Preparation of Operations’, I2PO in short. The basic idea is that every element working within an intelligence cycle requires OSINT knowledge to either prepare, enable, conduct or support operations. In the future, I will also make a point on how this concept easily transfers to business cases, such as due diligence checks, and journalism as well.

First, let us define what OSINT actually is. Open Source Intelligence is acquiring information from generally  accessible sources. This includes data found on the internet as well as within traditional print media, TV- and radio broadcasts. I tend to use the term ‘generally accessible’ as opposed to ‘publicly available’ or ‘openly accessible’, as the data is accessible, however, sometimes in closed networks, behind paywalls or not traceable without extensive knowledge of OSINT. This, in my opinion, rules out the use of ‘publicly’ or ‘openly’, which implies that everyone could access the data easily.

Another important aspect is the term ‘intelligence’ within OSINT. Merely collecting data is not OSINT. Connecting the dots, looking for missing links, assessing the data and producing customer driven reporting is what makes intelligence out of it. This requires knowledge, experience and instinct; a combination which is very hard to replicate using fully automated OSINT tools. Thus, the most important element of OSINT is the analyst, no matter how many software-based tools and gadgets he or she uses.

Before considering how OSINT should be used in combination with other intelligence collection types (ICT), I want to point out some of the advantages when working with OSINT. OSINT data is usually available the moment you start working on a case and often published in near- or real-time, especially when following events on social media. Cases in which you work in a real-time environment, with changes occurring momentarily, bring us to the most important OSINT rule:

If you see it, save it!

You will never know if the data will still be there the next time you intend to look for it.

Depending on the case, you will also be dealing with mass data (or big data). This is where a certain degree of automation might be helpful, keeping in mind that the final assessment shouldn’t be performed solely by an AI. When speaking of quantity, you must consider the quality of the collected data as well. Especially in times like these, verifying information and filtering out disinformation is vital!

After years of work within government intelligence structures and working on business cases, I have therefore developed the concept of I2PO to define my work. This is also something I use as a theoretical basis in the OSINT and INTEL classes I teach. As mentioned before, the general idea is that many different jobs require OSINT skills in order to successfully achieve their goals. Therefore, I highly recommend an interdisciplinary approach. This means not only relying on one ICT, but also having an understanding on how OSINT can support HUMINT and SIGINT operations, police investigations and business cases and vice versa, just as well as OSINT provides information for decision makers as a standalone ICT.

In the following weeks, I will post examples of I2PO in different lines of work (e.g. SIGINT, HUMINT, police investigations, due diligence, journalism and more) to emphasize and further explain this concept.

To start out, I’ll describe I2PO when applied in a military intelligence environment supporting military operations.

I2PO to Support Military Operations

Military operations, such as the ongoing coalition missions in Afghanistan and Iraq, have heavily relied on intelligence collection through SIGINT and HUMINT in the past. These two ICTs demand a large amount of preparatory work and in times in which our adversaries are more cautious and OPSEC-aware, these two ICTs are hitting boundaries. HUMINT sources are having a harder time receiving information from core target networks and communications encryption is on the rise, creating new challenges for SIGINT. At the same time, the amount of information available through the extensive use of social media, even in the aforementioned crisis areas, is vastly growing on a daily basis. In Syria for example, information on troop movements or combat actions find its way across Twitter in near real-time.

In order for decision makers on the battlefield to react to situational changes in a timely manner, it is essential to have forward deployed intelligence elements able to conduct OSINT as it happens. In many cases, this work is done by special OSINT teams, many of them not even being in the actual combat zone. This will always lead to a time delay when disseminating information to the final intelligence customer and decision maker. As with tactical SIGINT or HUMINT, which are close to or in some cases organic to their intelligence customers, tactical OSINT is the answer. Sending a dedicated OSINT analyst forward to support operations is one solution. However, training existing intelligence personnel, enabling them to independently conduct OSINT on a case-by-case basis is another option. On these terms, the training would enable personnel to answer requests for information as they come in, rather than relaying these requests to another element, thus again resulting in a time delay.

This is what I understand as I2PO. Having an all-source analyst who is able to conduct OSINT research and to immediately verify the collected information when needed in time critical situations to support before, during and after military operations. In this example, two different skill sets (one being the all-source analytical expertise) being used in an interdisciplinary approach is the core factor of I2PO.

Matthias Wilson / 16.08.2018