Army’s ‘unconventional warfare’ division signs £8m deal to improve data sources

Credit: Adobe Stock

The Army’s specialist force dedicated to “unconventional warfare” has signed an £8m-plus deal to provide new data sources to support its operations.

According to newly published procurement dcoument, the 6th (UK) Division’s mandate requires it to “monitor and assess the information environment” in which it operates; the unit “orchestrates intelligence, information and partner operations and conducts cyber and electronic warfare activities”.

Its assessment of information sources is “currently achieved through the monitoring of limited data sources provided through OSINT (open source intelligence) collection tools… and other parts of the intelligence community”.

“Through operational experience it has become clear that, in many cases, OSINT sources do not provide great enough fidelity, timeliness or accuracy that commercially procurable data sources could,” the division said. 

The contract, signed with Danish IT firm Netcompany, is intended to fulfil “an immediate requirement to rapidly procure operationally important data sets utilising a commercial partner with significant experience and exposure to the commercial data market for use on military data exploitation platforms”.

The deal comes into effect on 1 November and lasts for an initial period of 12 months, plus two potential one-year extensions.

Related content

During the first year, a confirmed £688,969 will be spent via the deal; if the contract is extended to its full term, further sums of £112,074 and £100,574 will be spent.

The vast majority of the potential worth of the deal – some £7.5m – is not guaranteed upfront, but may be spent on an ad hoc basis.

According to the contract, which was awarded via the G-Cloud 12 framework, the services to be provided by Netcompany include: “data governance and strategy; data architecture; data fabric, data lake, and data warehouse management; business Intelligence, analytics and visualisation management; data science, machine learning and artificial intelligence management; data security management; data quality; big data management; data ops management”.

Requirements to be supported by the IT firm include an initial scoping and feasibility assessment, followed by development and testing of a data-hosting environment. Data sets will be procured “on a case-by-case basis” and should be provided to the Army division within one week. Netcompany will then be expected to provide “data science and academic support” to military personnel using the information.

Work will largely take place remotely, but installation services may be required on-site at Army facilities in Corsham, Hermitage, Andover, Farnborough, and Wyton.

According to the Army, the 6th (UK) Division “prepares and generates forces assured for Army Special Operations and unconventional warfare”.

It added: “[The division] brings together a number of specialists with the skills required to help develop and deliver operations at home and abroad. It provides the British Army’s asymmetric edge.”

Tales from the SOC: A Major Office 365 Compromise

Sometimes when we talk about cybersecurity, it can feel a little intangible, with theory tending to dominate what we read about it. Therefore, learning from real-life instances can often be the best education. Thus, the security operations center (SOC) team of analysts at AT&T Cybersecurity makes it a priority to share certain security incidents for the greater cybersecurity community to learn from. The following story is an actual security incident uncovered by AT&T Cybersecurity SOC analysts. It is part of a larger series that aims to provide insight from the frontline of cybersecurity, including what triggered alarms for indicators of compromise, the investigation process, the APT actors behind the attack and the responses and defense tactics to remediate the threat.  

Welcome to Tales from the SOC.

This second story focuses on an Office 365 threat discovered by the AT&T Cybersecurity Managed Threat Detection and Response SOC analyst team. This is a threat that many other organizations may experience. The team was alerted to several alarms after a customer’s user attempted to send an excessive number of emails, resulting in these emails being blocked within Microsoft Office 365. However, upon further inspection, there was more to the incident than meets the untrained eye… it turned out to be an account compromise and credential abuse attack.

Initially, when analyzing the user’s login behavior, the team discovered abnormal activity as the individual was using foreign IPs outside the user’s typical location when logging in. At this stage, the incident was contained, and the team initiated an investigation into all the activities and systems accessed by this user while engaging with the customer and remediating the compromise before the threat escalated. 

In total, three alarms were raised, and these were triggered by three further security incidents: credential abuse, anomalous user behavior and security policy violation from Office 365 activity. 

For organizations of any size, credential abuse and compromised user accounts are dangerous threats as they could have a wide and negative impact. Hackers will typically use the credential abuse attack method to gain access to other critical assets within an organization’s architecture and exploit its subsidiaries and partners. Additionally, when criminals compromise an account, it can be leveraged to either exfiltrate data or continue infiltrating other systems.

Hackers will also look to exploit the internal email accounts of legitimate organizations to distribute phishing emails to acquire more information and accounts to steal. Threat actors have even been known to set up inbox rules to have sensitive emails forwarded to accounts owned by the hackers externally. 

“Threat actors have even been known to set up inbox rules to have sensitive emails forwarded to accounts owned by the hackers externally”

Dissecting the Triggers for the Three Alarms

Alarm 1 – Credential Abuse:

Upon further investigation, the credential abuse alarm was raised after 12 instances of successful login attempts made from a foreign country and the United States, all within 24 hours. This was unusual as previously, the user had never tried to log in from anywhere else except the United States. 

Open-source intelligence (OSINT) tools were then utilized to better understand the foreign IPs, and it was revealed that the IPs belonged to a foreign telecommunications company that had been previously blacklisted. Tools like OSINT are vital during investigations as they can help ascertain ownership, location, history of abuse and malicious activity surrounding an IP address or domain.

Alarm 2 – Anomalous User Behaviour:

The anomalous user behavior alarm was raised because an excessive number of outbound emails were generated in Outlook 365. In fact, the logs showed 53 outbound emails had been sent in the 24-hour period from the foreign IP address – this was a 1000% increase for this individual.

At this point, the intrusion prevention system (IPS) came into action and put on restrictions to prevent the user from sending emails. The systems also sent another alarm on the network to request a review of this suspicious activity. Having IPS is critical, especially in this scenario, as it stopped the possibility of data being exfiltrated from the compromised email account. 

Alarm 3 – Security Policy Violation:

The final alarm sounded was the security policy violation which warned that there was potential Office 365 abuse and email restriction due to irregular login activity by the user. Due to the odd login location, the number of login successes and failures, and the resulting email activity from the IP addresses, the system escalated the threat, which notified the security team.

Scanning for Further Compromise

As with any cyber-attack, system scanning needs to be conducted to ensure no further compromise of systems. The AT&T Managed Threat Detection and Response analyst team increased all search ranges to cover a 30-day timespan to detect any other suspicious activity. Thankfully, the searches and extended log activities did not uncover any further signs of compromise.

Once the investigations were complete and the information correlated, the customer was contacted to inform them of the findings in accordance with their incident response plan (IRP). Once the facts were explained, the customer contained the threat by isolating the affected assets and revoking the user’s account credentials. 

Fortunately, the customer had some important and necessary security tools in place that helped to identify this Office 365 compromise before it impacted the entire system. Organizations are also advised to deploy multi-factor authentication (MFA) and geofencing to reduce the threat. Furthermore, security best practices pertaining to password and account usage should be followed, including using different passwords for accounts and refraining from using work emails for non-work purposes or accounts.

Open Source Intelligence (OSINT) is Great for Catching Bad Actors; But It Can Also Be Used Against the Good Ones – You and Me

Open Source Intelligence (OSINT) is Great for Catching Bad Actors; But It Can Also Be Used Against the Good Ones – You and Me

Most people have heard of open source these days – after all, it has conquered every aspect of computing, with the possible exception of the desktop. But Open Source Intelligence (OSINT) may be less familiar. It was brought to prominence by the Bellingcat group, which describes itself as “an independent international collective of researchers, investigators and citizen journalists using open source and social media investigation to probe a variety of subjects – from Mexican drug lords and crimes against humanity, to tracking the use of chemical weapons and conflicts worldwide.” Its name comes from the fable about a group of mice afraid of a fierce cat, which put a bell around its neck to warn them of its arrival. According to the founder of Bellingcat, Eliot Higgins, “We’re teaching people how to bell the cat.” Here’s how Bellingcat carries out its OSINT investigations:

As smartphone technology has become more available, people are recording and sharing every aspect of their lives. They give away a huge amount of information, everything from their day-to-day activities to war crimes and some of the most horrific acts you can imagine. Some of that is done on purpose, and sometimes it’s just accidental or incidental. But because that’s all online, it’s all information that we can use to piece together what happened around a wide variety of events.

Using this publicly-available information, Bellingcat have helped understand who shot down the MH17 passenger plane, and who poisoned the MI6 double agent Sergei Skripal and his daughter. Those are obviously valuable contributions to public understanding of important events. But there is a darker side to the use of OSINT tools. After all, it is not just bad actors who post huge amounts of personal information online: we all do. This means that potentially anyone with the right software can piece together this digital jigsaw puzzle to discover much about our daily lives.

The Intercept has an important article about two such tools, Kaseware and SocialNet, and the use of them by the Michigan State Police. Kaseware is a case management platform designed for law enforcement agencies. It allows surveillance data to be monitored, mapped and analyzed using a variety of tools. The platform typically holds zip codes, addresses, GPS coordinates, geotags, and satellite imagery, as well as a wide range of socio-economic data. It also allows the use of more specialized tools like SocialNet from the company ShadowDragon. SocialNet pulls in data from a large collection of public social media networks, Web sites, RSS feeds, data dumps and dark Web locations – over 120 according to The Intercept article. The basic idea of the software is summed up well as:

Bad Guys share too much information online. Use it against them.

Like most of us, criminals enjoy the benefits of online activities and social networking. SocialNet captures these digital tracks, maps against their aliases, and explores their connections in near real time to expedite your investigations and threat analysis.

There’s an interesting blog post by the founder of ShadowDragon, Daniel Clemens, in which he runs through a basic link analysis, and shows how it can be used in investigations. As he puts it, it enables “the story of complex relationships to be told with a picture, which can make trends and connections more obvious.” The analysis is not that sophisticated – it is simply finding connections between data held in many disparate sources. Its power derives from the size and number of those databases, and the computing power brought to bear on finding links. That is, the success of this automated OSINT analysis – as opposed to the human kind conducted by Bellingcat – is largely a function of Moore’s Law. This allows unprecedented amounts of data to be ingested and digested to produce useful information.

It’s not a new idea. It’s precisely what Edward Snowden revealed the NSA and its UK equivalent, GCHQ, have been doing for years. The full Internet flows across international cables were collected and then analyzed. There are even older precedents for this approach to surveillance. Back in 2003, the US Information Awareness Office operated a system called “Total Information Awareness“. It was designed to correlate information in order to spot and prevent terrorist incidents before they happened. It was defunded in late 2003, because of fears that it might be used to carry out large-scale surveillance of US citizens.

Since the tools are relatively straightforward conceptually, it seems likely that foreign governments have created similar systems, kept secret for obvious reasons. But these are not the only threat to privacy today. The new commercial versions like SocialNet mean that anyone anywhere that uses the Internet can be investigated by trawling through the even-larger quantities of OSINT that are available today. Compared to the older systems, or those created by foreign governments, the costs are relatively moderate, and no special equipment is needed. The real problem is not that these services exist, but that we all leave such revealing data trails as we use the Internet. Avoiding that would require a massive re-design of the online world – something that seems an unlikely prospect. Until then, the best we can do is to be more circumspect in our use of these services that provide such rich raw material for OSINT analysis.

Featured image by pxhere.

VPN Service

NGA taking a ‘try before you buy’ approach to commercial solutions

WASHINGTON — Using a little known contracting method, the National Geospatial-Intelligence Agency is now able to test out the commercial capabilities it’s interested in before it buys them.

NGA Head of Commercial GEOINT Dave Gauthier says the use of bailment agreements is helping the service get access to commercial solutions and integrate them with existing systems and processes faster. Bailment agreements are a contracting tool that essentially allows the agency to purchase commercial services for a brief period of time, test them out, and provide feedback to the provider.

Bailment agreements can be set up in less than two to three weeks using standard language, and the contracts usually only run for about two months, but can run as long as a year. When the agreement ends, NGA can either pursue a long-term contract with the company or go in a different direction.

“I think it’s a tool that’s been available, and has been, I would say, rarely used in the history of working with commercial industry. And you know in 2018, one of our ambitious action officers basically said, ‘Why don’t we start trying to use bailment agreements to get access to some of these commercial solutions quicker, and help us do evaluations to see if they’re able to meet our mission needs?’ And so we gave it a shot,” said Gauthier.

The agency’s use of bailment agreements has picked up quickly. Starting with just three in 2019, the agency issued another five in 2020 and is set to issue 20 by the end of this year.

And the new “try before you buy” approach is already bringing new commercial services online for the agency.

On Sept. 15, NGA announced it had issued Geospark Analytics a contract for its artificial intelligence solution, which uses machine learning to process open source intelligence — news reports, social media, economic data, weather and more — to provide real-time insights and threat forecasts. But before it issued the company a contract, it tested out the new capabilities with a bailment agreement. Assessing the AI tool against a variety of the NGA’s mission areas, the agency found it could provide significant value.

And in another case, NGA was able to leverage a study contract issued by the National Reconnaissance Office to test out a new product. Using a 2019 study contract with Hawkeye 360 on the company’s commercial radio frequency data service — which uses satellites to locate and identify RF emissions all over the world — NGA was able to launch the RF GEOINT Pilot program to test out the newly available data on a trial basis. That pilot program led to an official request for proposals for commercial RF capabilities, and on Sept. 30 Hawkeye 360 announced it had won a contract from NGA.

In addition to pilot programs and bailment agreements, NGA has followed in the footsteps of other agencies and DoD organizations in adopting the use of Other Transaction Authority agreements to fuel rapid prototyping. That effort has helped the agency find new partners and solutions, such as turning to a company with expertise in check scanning to save and digitize its massive, deteriorating film collection.

The agency can use bailment agreements for any kind of service or data industry wants to provide, including emerging commercial capabilities such as space-based synthetic aperture or analytics.

Bailment agreements have also helped the agency get used to adopting commercial solutions on a cultural level, something that’s been difficult for an agency used to having a monopoly on satellite imagery analysis. Gauthier said he’s found letting NGA analysts test and work with commercial products in a limited environment increases their willingness to adopt those products later on.

Gauthier said he hopes NGA’s success with bailment agreements leads to conversations with its intelligence agency and Department of Defense partners, encouraging more of them to use “try before you buy” approaches.

“We’re trying to inform each other what it was used for, whether it had good mission utility, whether we have good customer feedback. We’re all trying to learn as best we can from each other, as we engage the commercial market,” said Gauthier.

Nathan Strout covers space, unmanned and intelligence systems for C4ISRNET.

4 Uses of Geospatial Intelligence

4 Uses of Geospatial Intelligence