Posts by Team Echo

Using OSINT to Stop Human Trafficking

Human trafficking is a growing worldwide problem. According to the International Labor Office in Geneva, the 2017 estimate of worldwide human trafficking was 40 million people, including 25 million victims of forced labor and 15 million victims of forced marriage. One in four of these victims are under the age of eighteen.  

While the United States has a record of sustained efforts to investigate and prosecute cases of human trafficking, there is still a long way to go, both with victims trafficked within the U.S. and with victims who are brought from outside the country. 

Often, victims of human trafficking are not free to ask for help. Their ability to contact others is controlled and monitored by their victimizers. Victims may have access to cell phones or social media but not be allowed privilege to speak freely online or to reach out to lifelines. Some victims may not even be aware that they are victims, let alone that there is help available for them. Their victimizers can brainwash them, punish them, threaten them, and—if the victim manages to escape—stalk them and blackmail them into returning. 

When a victim is underage, it can be particularly difficult for them to realize they can find a way out or that a better life is available if they do. 

Prevention of underage human trafficking becomes a struggle with two separate issues: how to identify the victims and how to collect the evidence critical to legally proving that human trafficking has occurred.  

Open-Source Intelligence (OSINT) techniques can help with both issues by identifying the victims and through collecting evidence necessary for law enforcement officials to build a case. 

OSINT is the use of Publicly Available Information (PAI) to produce actionable intelligence and includes such commonly used vehicles as social media accounts and website traffic information. Many tools have been created to take advantage of public information, which allows law enforcement and those who assist them to identify victims and collect evidence faster than ever before. 

One of the biggest capabilities developed for connecting law enforcement needs to OSINT experts is the Torch Initiative. The Torch platform is a collaborative effort between Echo Analytics Group and All Things Possible Ministries, uniting expertise in OSINT with expertise in helping victims of human trafficking to shine light in the darkness and create a solution. 

1. What is human trafficking? 

Human trafficking is a version of modern-day slavery that exploits victims through force, fraud, or coercion to obtain some type of labor or commercial sex act. While most victims of human trafficking perform sex work, other types of human trafficking include agricultural labor, domestic and commercial cleaning services, construction, manufacturing work, and more.  

Advertising for trafficked labor and services often occurs online, whether on the dark web or on public social media and other public sites. The Internet was not originally well-regulated with regards to the advertising and sales of sexual services. After laws like the FOSTA-SESTA Act were put in place, it became less difficult to hold traffickers accountable. Unfortunately, like many other types of criminals, traffickers will always find creative workarounds to regulations and after being shut down, quickly return to recruiting, advertising, and controlling their victims online.  

Social media is often used by traffickers to accomplish their goals. Social media is used to recruit multiple victims by posting misleading job advertisements. It is also used to recruit individual victims by posing as a romantic interest or by pressuring victims to bring their friends into the same scheme. 

A wide variety of techniques are used on social media against human trafficking victims to make them easier to control. In the past, it was usual to remove the victim’s access to cell phones, smart phones, and the Internet. These days, more victims are reporting that they are allowed to keep restricted access to various methods of communication, but victims’ social media use may be restricted or monitored. Their accounts may be hacked, or they may be forced to make posts reassuring others of their safety. They may be stalked or harassed by their victimizer or forced to stalk and harass other members of the same schemes if they show any signs of wanting to escape. 

Because of brainwashing and other manipulative tactics that can be used by traffickers, it can even be difficult for the victims to identify that they are victims at all, thinking that the situation they are in is one they can control—until it is too late. 

The intersection of the sex trade and human trafficking of underage victims is both particularly important to identify and sets clearer boundaries for proof. It can be difficult to prove that force, fraud, or coercion is being performed against an adult victim. However, with an underage victim the burden of proof lies only in the validation that they are under the age of consent. 

1. What is OSINT? 

Open-Source Intelligence (OSINT) is the collection and use of Publicly Available Information to produce actionable information. This Publicly Available Information can include social media posts, likes, friends, timestamps, location data, relationship statuses, and more, as well as a wide range of different types of information from other sources, such as broadcast media, newspapers, public records, website data, and more.  

This information can be collected using multiple tools, many of which were developed as an open-source project and published free of charge for public use. Once collected, the information can be processed to correlate seemingly random bits of data into the information needed. Echo Analytics Group has built a dashboard tool, the Cyber Intelligence Dashboard, to handle many types of OSINT research and analysis tasks and to make the process more efficient.  

Many law enforcement agencies from the Federal to the local level have partnered with or are training OSINT experts to collect evidence, track suspects, run background checks, perform due diligence on vendors, and more. These agencies are discovering the benefits to having access to OSINT expertise, saving them time and money across many different types of investigations. 

OSINT approaches are often based on collecting Publicly Available Information on the human level, that is, where information consists of names, locations, and statements posted online, and merging it with information found the machine level, such as IP addresses, timestamps, and user agents.  

One example of how this combined OSINT approach can work in the human trafficking realm is PhotoDNA, which compares photos as they are uploaded with known sources of underage pornography and advertising for the sex trade. Social media sites can set up automatic checking of all photos uploaded to their sites against known images of underage sex trafficking, then forward all possible cases to a human OSINT professional for further research in collaboration with Law Enforcement. These collaborative efforts can help to identify the victim and collect evidence of their age, providing law enforcement agencies with critical information to support the rescue of trafficking victims and the arrest of their traffickers. 

Many people have explored the power of the Internet and specifically social media to research other people, from identifying an unknown number on their caller IDs to looking up former classmates online. An OSINT analyst starts with the same techniques but expands their searches into more obscure and more technical areas, using a wider array of tools and skillsets. OSINT analysts combine research expertise, computer and networking expertise, and forensics techniques to uncover the “needle in the haystack,” the one piece of critical information buried under a mountain of data. 

1. Using OSINT to identify underage human trafficking victims. 

Human traffickers are very clever in how they target their victims and how they advertise to clients. They often recruit or advertise jobs or services on public social media using legitimate-appearing front businesses, then take potential victims and clients to another site to “close the deal.” The second site might be on the dark web or a more secure site, or it may simply be on a different public social media site or chat application. The act of switching sites helps break up any patterns that might cause the site’s or app’s algorithms to flag the conversation.  

However, OSINT researchers can still establish patterns of behavior of potential traffickers, such as when a trafficker contacts a high number of user profiles of underage people over an extended period on a messaging app, then follow potential traffickers between sites, even if they change their user IDs. Identifying potential traffickers can lead researchers to potential victims or networks of victims. The researchers can also start by establishing patterns of behavior of victims. 

Once a potential victim has been identified, the person’s age can be researched using their social media profile and the profiles of others on their network. Public records and other OSINT techniques—such as extracting the date a photo was taken—can supplement social media results. 

Evidence proving the person is a victim of human sex trafficking can be established the same way, although such a search may extend into the dark web, where it is vital that an OSINT researcher practice good attribution management, that is, covering up their digital “trail” to ensure their research activities cannot be tracked. Human traffickers are not always digital experts, but they can be just as skilled in OSINT techniques as the people who hunt them. 

Regardless of where the OSINT researcher is searching for information, it is vital that they do so in a manner that doesn’t cause further danger to the victims and that provides information in a way that is legally usable by law enforcement agencies. Independent OSINT researchers, though well-intentioned, may not provide information admissible in a court of law. 

1. The TORCH Initiative 

Echo Analytics Group and All Things Possible Ministries have partnered to create the TORCH Initiative, which seeks to work with law enforcement agencies to track down victims of human trafficking, using proven methods that both protect the victims and provide usable evidence. 

Echo Analytics Group, a Quiet Professionals company, is known for its innovation in the OSINT field. Founder Buddy Jericho is a former member of the U.S. Intelligence Community and pioneered OSINT methods for use in counterterrorism activities for Special Operations Forces. Jason Jones, Director of Operations, also leads in OSINT innovation, developing the Torch case management platform, the first of its kind, in collaboration with All Things Possible Ministries. 

All Things Possible Ministries is a non-profit organization known for locating and rescuing victims of human trafficking in some of the least accessible areas of the world and providing resources for victims to make their way back into safe communities. All Things Possible Ministries and founder Victor Marx have extensive experience in working with all types of groups across cultures, defying stereotypes and crossing battle lines to defend the defenseless. They have a history of working closely with law enforcement agencies and understand what they need in order to move forward on human trafficking cases.  

The OSINT analysts working with and trained by Echo Analytics Group have been skillfully trained in using techniques to swiftly identify trafficking victims. These analysts have also set up several proven workflows to quickly establish the ages of victims online, even when the answers aren’t obvious. They are experts in conducting their research in ways that not only protect the victim from punishment but ensure traffickers don’t get off on a technicality due to poor evidence collection.  

The Torch Initiative is an excellent example of how using OSINT can be beneficial in helping underage human trafficking victims and in holding their traffickers accountable. Law enforcement agencies that are not already working with an OSINT expert may wish to consider partnering with one, or in investing in training for their own team members.  

Likewise, OSINT experts—whether professional or amateur—should consider contacting the Torch Initiative or a similar group to volunteer their talents and use the amazing resources at their fingertips to help rescue human lives.  

… 

Let us know here if you are an OSINT professional or amateur researcher and are interested in working with Torch. If you are interested in learning how to become an OSINT researcher or analyst, we provide online and in-person classes. Click here to sign up for OSINT training. 

Protecting Critical Infrastructure with OSINT

Ransomware and other malware attacks are on the rise. Criminals are constantly probing online systems to discover their vulnerabilities to hold systems hostage. Meanwhile, U.S. foreign adversaries are increasingly targeting assets in digitally accessible spaces to achieve their political goals.  

Open-Source Intelligence (OSINT) is being used by both attackers and cyber security professionals to find ways to exploit critical systems and functions. Often, attackers and cyber security experts must use the same tools to search accessible online spaces for pieces of publicly available information that, when combined, might provide keys into an organization’s systems.  

OSINT is a powerful tool being re-engineered by 21st century cyber-security professionals to identify and disrupt vulnerabilities before they can be exploited.  

Attackers are becoming more sophisticated, targeting specific entities for disruption rather than merely taking the “low-hanging fruit” approach to selecting targets. They are not only targeting systems but people, using Human Intelligence (HUMINT) techniques—also known as “social engineering”—to extract valuable pieces of information from staff, vendors, and other human partners—people who may not understand how vital the information they provide may be. 

Of particular interest to both criminal and nation-state attackers are organizations that serve as critical infrastructure for the U.S. and allied nations. Because these organizations are important pieces of the day-to-day operations and defense of a nation, they make for high-value targets. In addition, some organizations involved in critical infrastructure tend to have weaker defenses against ransomware and other malware attacks due to the nature of their industry and the fast pace of technological innovation used during malware attacks.  

In other words, what was not understood to be a point of vulnerability yesterday is now known to be vulnerable today. 

Cyber security professionals of organizations involved in critical infrastructure must become more aware of basic security procedures to protect themselves. Further, because their organizations are such high-value targets, they must take extra steps to secure their most valuable resources against threats.  

Organizations must learn to integrate OSINT into their security plans. They must assess what resources, people, and systems are most vulnerable and most valuable to attackers, then prioritize plans to ensure that their most critical resources are the best defended and most resilient to attack. 

1. What is OSINT? 

Open-Source Information (OSINT) is the use of Publicly Available Information (PAI) to develop actionable intelligence—that is, the information needed to achieve specific goals, such as covertly accessing a network and implanting malware there.  

Ransomware attackers first performs reconnaissance against an organization by researching their public information, including the personal information of key employees, online. In order to find the best way to get into a target system and plan what to attack once they get in, the attacker uses OSINT techniques.  

When an organization researches their own vulnerabilities to malware attack—and whether their vendors are vulnerable to that type of attack—the organization is using OSINT techniques. 

There are a wide variety of tools and techniques that can be used to research and develop OSINT, from tools developed by curious amateurs researching how systems work, to for-profit businesses that develop business analytics tools to determine what their customers are saying about them, to national security programs that develop malware to spy on, and sabotage, other nations’ systems. 

These tools are constantly changing and evolving for a variety of reasons. As social media platforms change, as new operating system exploits are discovered, and as recent technologies connect systems, users, and devices, OSINT tools evolve to best discover what information is available to be used. 

While some information that is being shared publicly by an organization can be controlled, once it has been released to the public, it can be found online forever. Even after controlling what information is available in the future, it is important to know what information an organization has shared with the public in the past and how that information might be used. 

1. What is critical infrastructure and why is it vulnerable? 

Critical infrastructure is the collected systems and institutions needed to keep our nation operational and to defend it in an attack. The Cybersecurity and Infrastructure Agency (CISA) has defined sixteen areas of critical infrastructure: 

• The chemical sector 
• The commercial facilities sector, including sites that facilitate crowds, like open spaces, concert venues, and hotels 
• The communications sector 
• The critical manufacturing sector 
• The dams sector, covering over 90,000 U.S. dams 

• The defense industrial base sector 
• The emergency services sector 
• The energy sector 
• The financial services sector 
• The food and agricultural sector 

• The government facilities sector 
• The healthcare and public health sector 
• The information technology sector 
• The nuclear reactors, materials, and waste sector 
• The transportation systems sector 

• The water and wastewater systems sector 

Our economy and lives depend on the various elements of these critical infrastructure systems. Ransomware and other malware attacks against them give attackers a disproportionate amount of leverage. Often, those organizations’ leaders, eager to halt the threats to people’s lives and welfare, can be more likely to cooperate with the attackers.  

Making critical infrastructure even more tempting for attackers, some elements of our critical infrastructure are outdated and therefore particularly vulnerable to attack.  

The designers of the outdated systems had no idea how their systems would be abused in the future. They certainly could not have anticipated the OSINT tools used to perform reconnaissance and exploitation against their systems.  

While some sectors of our infrastructure are aware of the possibility of harm—such as the defense, information technology, and financial sectors—other sectors may be less prepared to defend themselves from attack.  

They may not understand the dangers posed by outdated software and equipment being used. They may not be aware of how recent technology can cause unexpected disruption throughout critical technologies and may not be structurally prepared to address those threats. And even the best prepared organizations may struggle to educate and prepare their workforce on the shielding of critical personal information that can be used to guess passwords or to send emails, texts, or voice messages from a seemingly legitimate source.  

For example, some farms do not necessarily have a standalone IT department with an OSINT expert on hand, available to anticipate and respond to malware attacks, even as they add sensors to their equipment that may open their networks to outside attack.  

Some industries tend to respond quickly to public perception of having insecure technology, if only because the loss of customers due to lack of confidence can quickly spiral out of control. Other critical infrastructure sectors that are not as sensitive to public opinion may be understandably more conservative about adopting recent technology—and its associated growing pains and expenses. 

However, ransomware and other high-tech attackers do not wait for the bugs to be worked out of critical infrastructure systems before they attack. 

1. Who targets critical infrastructure? 

Critical infrastructure is targeted by two main groups: criminals and nation-state actors. Both will use the same types of OSINT tools to research and exploit their victims, but the two groups have different purposes, and therefore target different elements of the systems they infiltrate. 

Criminals attempt to take down critical infrastructure for money. Their primary goal—generally via ransomware—is to make normal operations difficult to pursue. They halt critical functions to put pressure on an organization to pay their ransom. 

Their goals are to encrypt information to prevent it from being used, to destroy or encrypt backups, and to halt systems long enough to collect payment. They wish to cause inconvenience and disruption to make a profit. Recently, attackers have begun to export, or “exfiltrate,” substantial amounts of data that can be used later as blackmail material or sold for additional profit on the dark web’s black markets.  

Nation-state actors often have more insidious goals. 

When a nation-state uses malware to attack critical infrastructure, often the goal is not to gain a profit, but to collect information that is otherwise difficult to obtain, to embarrass the target nation, or to prevent it from using critical infrastructure to achieve its own goals. Nation-state malware has or may have been used to collect sensitive information of other nations, disrupt energy grids, disrupt oil pipelines, close schools, and more.  

But organizations cannot assume that they will not be targeted by nation-state attackers; critical infrastructure is always of interest, and the malware used by nation-state actors has been known to spread outside the attackers’ original intent. 

Nation-states have also been known to purchase the exploits found by malicious actors, the source code of viruses, and the information exfiltrated by criminals on the black market. Often the most dangerous time for an element of critical infrastructure is after they have been hacked, as nation-states leverage information obtained by criminals to cause further damage. 

1. How can OSINT be used to protect critical infrastructure? 

With critical infrastructure both uniquely vital and uniquely vulnerable to attack, it is important to prioritize protection. Organizations should seek out experts in OSINT to partner with their own IT, security, and leadership representatives to assess the organization’s vulnerability to attack.  

Identifying which systems and information are critical is a key step of choosing which defenses to prioritize.  

Plans for protecting critical systems and information should start with the most vital functions and communications of the organization. Teams should review systems and information to determine which systems would be considered most critical, in light of both criminal and nation-state attacks. A criminal attacker may target different vulnerabilities and capabilities than a nation-state attacker. 

Plans should include: 

• Removing or mitigating vulnerabilities as possible. 
• Backing up data in a location not vulnerable to spreading attacks. 
• Creating procedures and methods to identify reconnaissance and attacks in real-time. 

• Training for staff on how to handle suspected reconnaissance and attacks. 
• Investigation of third-party partners and vendors as potential routes for attack.  
• Responding during an attack, including reporting the attack to the FBI. 
• Returning critical systems to operation in case of an attack. 
• Preserving data about the attack. 

• Researching the attackers to assess how the attacked occurred, who the attackers are, and how to prevent further attack. 
• Prevent any stolen information from being used against your organization. 

Organizations must take the attitude that discovering that they have been the victim of an attack means that they are at immediate and long-term risk of follow-on attacks and reinforce their use of OSINT tools to monitor for follow-on indicators of reconnaissance, release of their data, and attack. 

In the past, many elements of critical infrastructure have been slow to change and adopt modern technology. This slowness can happen for multiple reasons, including avoiding public perception of waste. Resistance to change is understandable, but it can result in a less robust level of security as organizations attempt to modernize.  

Organizations can help safeguard critical systems from ransomware and other malware attacks by adding OSINT expertise to their incident response teams. OSINT experts have a fundamental understanding of how malicious actors identify and leverage publicly available information to infiltrate systems and accomplish their goals.  

Because of the public trust that is put into organizations providing critical infrastructure, it is essential to fully protect those systems as soon as possible. Criminals and nation-state actors will certainly not wait for securing critical systems becomes more convenient.  

… 

Interested in our expertise? Read more about Echo Analytic Group’s OSINT services here. Interested in working with us as an OSINT expert? Check out our careers here. 

Interested in our expertise? Read more about Quiet Professionals’ services here. Interested in working with us as one of our experts? Check out our careers here.