xorl %eax, %eax

The role of linguists in threat intelligence teams

with 2 comments

DISCLAIMER: Just to be clear, the following do not represent my employer and the examples are not from my employer. Threat intelligence is something I really enjoy doing and for this reason I get the opportunity to help many organizations.

No matter how good your malware and intelligence analysts are, in most occasions during an intelligence operation you will end up having to deeply understand a foreign language. The language of your target. Whether this is something as simple as finding the right communication media (forums, messengers, social media, etc.) for collection, or interacting with a threat actor to elicit information, the fact is that a linguist can play a key role to the success of a threat intelligence team.

Like most people in this field, I am constantly trying to learn about foreign cultures relevant to the intelligence requirements. However, that cannot replace the role of a skilled intelligence linguist who is not only an expert in the specific language(s), but they also fully understand things that are much harder to grasp such as: Local culture, customs, habits & traditions, slang, different accents, history, etc. So, although knowledge of foreign languages is a plus for simple tasks, they cannot replace the role of an experienced linguist.

I know that many people enjoy some good ol’ war stories… So, I’ll share with you three quick ones from my personal experience which show the value of having that skillset in your threat intelligence team.

Slang terms
Years ago, I had almost no knowledge of the Russian language and I was collecting intelligence on a Russian-speaking threat actor. The first challenge was identifying and getting access to all the forums the threat actor had access to. And I still recall this… It was the first time I came across one of the most common slang terms in Russian-speaking threat actors, the term “Логи” (literal translation is: logs). I still recall that it took me a few hours to figure out this simple term. For those curious, “Логи” is used to describe compromised data such as accounts with credentials, cookies, etc. typically collected from a piece of malware. So, if someone wants to buy compromised accounts for Example.com derived from a malware they might make a post titled “куплю логи Example.com” (literal translation is: buying Example.com logs). For an intelligence linguist that would have taken them less than a second because it’s such a commonly used slang term.

Local communities
Some years ago I was working on the threat landscape of a foreign company operating in a specific domain in a region of China. For this reason, I spent quite some time trying to become familiar with local threats as well as local threat intelligence experts to get their perspectives. Even though I was physically located in this region of China, it was very challenging since people didn’t trust me, a foreigner, with potentially confidential information and it took a lot of effort from my side. Eventually, one day I managed to build rapport with a local person and within hours that person gave me so much information that it was impossible to collect in months. If a linguist was available at that time, they would have already knew at least 60% of what this person told me, and be able to find the other 40% much faster and cheaper than me due to their skillset.

Historical/cultural information
I recall once an investigation where I was helping with the attribution of a cyber-criminal where we had been able to collect a decent amount of information from the threat actor and we were in the analysis phase of the intelligence cycle with the requirement being de-anonymization/attribution. One of the collected information was a screen recording of the threat actor performing their illegal activity. At some point in the video recording, there were literally two frames where an Arabic language text appears. It was blurry and unclear. However, using a linguist, they informed us that this was a specific expression used by a very specific group of people. This tiny piece of detail helped us uncover the identity of the target. However, that knowledge would be impossible to know without very deep understanding of the local culture and history.

I understand that many of my readers might not have the capacity to have dedicated linguists for all the languages their threats are originating from in their intelligence teams. So, what can you do in this case? Here are some suggestions:

  • First identify the most prominent languages relevant to your intelligence requirements
  • At a minimum encourage and support your threat intelligence personnel to learn those languages by providing trainings, budget, and learning tools
  • If deemed safe, allow your personnel to travel and stay in those foreign countries for sufficient time to understand, at least partially, the culture, habits, customs, etc.
  • There are companies and government organizations offering cultural awareness trainings for different countries. Use those as a means to get your personnel familiar with their targets’ culture and mindset
  • As the team grows, hire dedicated analysts native in the targets’ language(s) and potentially even split the teams to relevant areas of responsibilities (LATAM, APAC, MENA, etc.)

In conclusion, before adding more reverse engineers or DFIR analysts to your intelligence team, I would highly encourage you to consider having some dedicated intelligence linguist(s). That skillset can be a force multiplier for an intelligence team. And if you cannot hire such experts, at a minimum, support your people to grow their intelligence linguist skills as described above.

Written by xorl

August 20, 2020 at 11:03

2 Responses

Subscribe to comments with RSS.

  1. Hey, just wanted you to know this article will be featured in the upcoming OSIRIS Brief as a particularly insightful article worth reading about Online Society, International Relations, and Information Security. The OSIRIS Codex (of which Briefs are the most common part) is targeted at mid-level and senior decision makers, and I believe this article highlights valuable observations these decision makers should know about ways to improve their organizations security in the modern world. I must also confess that as a linguist of both the computer and human language variety, I personally feel that too few people recognize the degree to which each complements the other, especially in cybersecurity. Feel free to check out the Brief when it appears at https://osiris.substack.com.

  2. Thank you!


    August 23, 2020 at 13:55

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: