Intelligence and activity aimed at mitigating the threat posed by hostile intelligence actors

What is Counterintelligence?

Counterintelligence can refer to:

  • An intelligence discipline: Intelligence derived from, or intelligence activity geared towards, the collection and processing of information relating to hostile intelligence actors and activity; and

  • A category of intelligence: Intelligence and intelligence activity aimed at identifying and mitigating the threat posed by hostile intelligence actors.

Counterintelligence agents assess the activities, capabilities and intent of hostile intelligence actors, together with the vulnerabilities of and threats to the customer. This is done in order to understand which measures need to be put in place to prevent hostile intelligence actors obtaining intelligence from or about the customer.

The Counterintelligence Cycle

The counterintelligence cycle consists of three stages:

  • Counterintelligence analysis: Analysis of the threat posed by hostile actors, the vulnerabilities of the customer, and the effectiveness of their current counterintelligence measures;

  • Counterintelligence advice: Advice given with the aim of mitigating the threat posed by hostile intelligence actors; and

  • Counterintelligence activity: Activity conducted with the aim of mitigating hostile intelligence activity.

When the counterintelligence activity is being or has been conducted, its effectiveness should be analysed, restarting the cycle.

A diagram of the counterintelligence cycle

Example of the Counterintelligence Cycle

A counterintelligence specialist conducts counterintelligence analysis on a customer’s computer and determines that it is vulnerable to attack as it does not have any anti-virus or anti-malware software installed;

The CI specialist delivers counterintelligence advice to the customer by telling them to install an anti-virus and anti-malware program;

The customer conducts counterintelligence activity by installing the recommended program.

In a subsequent check-up three months later, the specialist conducts analysis and determines that the software needs updating, starting the cycle off again.

Counterintelligence Analysis

During the analysis stage, the following may be analysed:

Hostile Intelligence Actors: Hostile intelligence actors should be analysed to identify their capabilities and the threats they pose, as well as to understand their intent. Hostile intelligence activity may be:

  • Targeted: If a hostile intelligence actor (HIA) is trying to obtain intelligence specifically from or about the customer, they are conducting targeted intelligence activity.

    An example of this would be a “spear phishing” attack on a politician to obtain kompromat; or

  • Opportunistic: Criminals or malicious actors who commit breaches for financial gain or fun. These will not be aiming to obtain information from anyone or anything in particular, rather they will try to obtain information from anyone or anything with inadequate security procedures in place (like a thief trying car doors and stealing from any that are unlocked).

    An example of this would be a “phishing” email sent out to a mailing list of thousands, with the idea being that a percentage of recipients will fall for the scam.
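The targeted/opportunistic distinction above is one an analyst usually has to make from the artefact itself, most often a suspicious e-mail. The following is an added example, not code from the original article: a small Python triage script that parses two constructed messages (a spear-phishing sample and a bulk-phishing sample, both using the reserved .test TLD) and scores the indicators of each kind of activity. The indicator list and the scoring rule are this example's own assumptions, chosen to illustrate the point rather than taken from the page.

```python
"""Triage e-mail samples as targeted (spear phishing) or opportunistic (bulk
phishing) from header and body indicators. Added example; samples are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

# Constructed samples, not real traffic. Domains use the reserved .test TLD.
SPEAR = """\
From: "IT Helpdesk" <helpdesk@example-parliament-sso.test>
To: Jane Doe <jane.doe@example-parliament.test>
Subject: Jane, your committee briefing pack needs re-authentication
Message-ID: <a1@example-parliament-sso.test>

Hi Jane,

Following yesterday's Select Committee session, please re-authenticate to
view the updated briefing pack: https://example-parliament-sso.test/login
"""

BULK = """\
From: "Account Services" <noreply@bank-alerts.test>
To: undisclosed-recipients:;
Subject: Your account has been suspended
Precedence: bulk
List-Unsubscribe: <mailto:unsub@bank-alerts.test>
Message-ID: <b2@bank-alerts.test>

Dear Customer,

Your account has been suspended. Visit https://bank-alerts.test/verify
within 24 hours to restore access.
"""

# Assumed heuristic: salutations that address nobody in particular.
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(customer|user|member|account holder|valued|sir|madam)\b",
    re.IGNORECASE | re.MULTILINE,
)


def _text_body(msg: Message) -> str:
    """Return the plain-text body (concatenating text/plain parts if multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def _first_name(to_header: str) -> str:
    """Best-effort first name of the addressee from the display name or local part."""
    name, addr = parseaddr(to_header or "")
    if name:
        return name.split()[0]
    local = addr.split("@")[0]
    return local.split(".")[0]


def triage(raw: str) -> dict:
    """Score one RFC 5322 message and classify the apparent targeting."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    to_header = msg.get("To", "")
    body = _text_body(msg)
    recipients = [addr for _, addr in getaddresses([to_header]) if addr]
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""

    targeted, opportunistic = [], []

    # Opportunistic indicators: mass-mailing plumbing and anonymous, generic addressing.
    if len(recipients) != 1:
        opportunistic.append("no single named recipient")
    if msg.get("Precedence", "").lower() in {"bulk", "list", "junk"}:
        opportunistic.append("Precedence: bulk/list")
    if msg.get("List-Unsubscribe"):
        opportunistic.append("List-Unsubscribe header")
    if GENERIC_SALUTATION.search(body):
        opportunistic.append("generic salutation")

    # Targeted indicators: personalisation and imitation of the recipient's own organisation.
    first = _first_name(to_header)
    if first and re.search(rf"\b{re.escape(first)}\b", subject + "\n" + body, re.IGNORECASE):
        targeted.append("recipient named in subject or body")
    if len(recipients) == 1 and sender_domain:
        org = recipients[0].rsplit("@", 1)[-1].lower().split(".")[0]
        if org and org in sender_domain:
            targeted.append("sender domain imitates recipient's organisation")

    # Simple majority vote; ties are left for a human analyst.
    if len(targeted) > len(opportunistic):
        verdict = "targeted"
    elif len(opportunistic) > len(targeted):
        verdict = "opportunistic"
    else:
        verdict = "undetermined"
    return {"classification": verdict, "targeted": targeted, "opportunistic": opportunistic}


if __name__ == "__main__":
    for label, sample in (("spear", SPEAR), ("bulk", BULK)):
        print(label, triage(sample))
```

Every header here is attacker-controlled, so the output is a prioritisation aid for the analyst, not proof of intent: a bulk campaign can be sent one message at a time with a personalised salutation, and the absence of mass-mailing headers does not by itself show that the customer was singled out.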

Current and Emerging Threats: Counterintelligence analysts should be aware of current and emerging threat trends across the globe. The more prevalent or effective a technique or capability becomes, the more likely it is to be used against the customer.

New technology inevitably means new threats and new attack vectors, for instance:

  • ATMs gave rise to the “Lebanese Loop”;

  • Email led to the emergence of “Phishing”; and

  • CGI is now so good that deepfakes are a serious threat.

The Customer's SCI Measures: The customer’s security and counterintelligence (SCI) measures should be assessed to understand their effectiveness and vulnerabilities. This will allow appropriate counterintelligence advice to be given so the customer understands how they can be improved. This can be done in one of two ways:

  • The customer gives the analyst full unfettered access to their policies and SCI measures so they can be evaluated; or

  • Through a process known as “Red Teaming”.

Red Teaming

Red teaming is a practice in which the counterintelligence practitioner (or team) acts as though they were a hostile intelligence actor and attempts to obtain information from the customer. They will then produce a report for the customer which details:

  • The vulnerabilities in their SCI measures;

  • How they breached their SCI measures;

  • The information they managed to obtain; and

  • How to improve their SCI measures.

Red teaming can be conducted against:

  • Physical security: For instance, by attempting to gain access to restricted areas in the customer’s premises;

  • Personnel: For instance, by befriending an employee in order to trick them into handing over information; or

  • Network security: This involves trying to gain access to a customer’s computer systems in a process known as Penetration Testing, or Pen Testing for short.

A Target's SCI Measures: While counterintelligence is generally a defensive practice, counterintelligence practitioners may be employed to assess a target’s security and counterintelligence measures in order to assist the customer in planning and conducting operations against the target.

This is more difficult than assessing a customer’s SCI measures, as a target is unlikely to provide unfettered access to their systems and premises.

Attack Vectors: Whether conducting counterintelligence analysis for defensive or offensive purposes, counterintelligence analysts will look to assess the likely attack vectors that HIAs will use to obtain intelligence from or on the target. Broadly speaking these can be broken down into the following categories:

  • Network: Gaining access to a target’s computer network and systems;

  • Premises: Physically gaining entry to a target’s property;

  • Individuals: Compromising personnel or relations of personnel;

  • Materiel: Exploiting equipment belonging to or made by the target; and

  • 3rd Parties: Targeting companies and individuals with which the target has a trusted relationship.

Counterintelligence Advice

After conducting CI analysis, the recommendations need to be passed on to the customer so they can implement them to increase their security. As with any intelligence, this needs to be delivered in a format that is clear and easy to understand for the customer. This is particularly important when it comes to advice around network security, as the chances are the customer will not be familiar with IT jargon or technical terms.

As well as telling the customer what steps need to be taken, they also need to be told how to implement those steps. For example, rather than telling them “You need to install a firewall”, they should be shown the different types of firewall, have their strengths and weaknesses explained, and be shown how each can be installed, maintained and tested.

Counterintelligence Activity

Counterintelligence Activity is the manifestation of CI Advice, where the recommendations made by the CI practitioner are put into practice to strengthen the customer’s security.

While the exact procedures and measures that need to be put into place will vary from organisation to organisation, those listed in Principles of Intelligence: Security apply almost universally and should be implemented as a matter of urgency if they have not already.

Once the CI Activity has been implemented, it should be analysed by a CI practitioner to ensure it has been implemented properly and is sufficient to keep the customer safe from HIAs, therefore starting the CI cycle over again.

Even if the advice has been implemented perfectly, the SCI measures of an organisation should continually be analysed, both to ensure good SCI practice is being maintained by employees and to keep up with the ever-evolving threat from HIAs.

Found this interesting? Feel free to follow me on LinkedIn for more intelligence content.
