Some interesting lessons on how a modern New York City drug delivery service
uses basic tradecraft to create a reasonable security posture.
The Source
This Vice article provides the source material for this blog post. Using some
basic background knowledge of how covert groups operate, it is simple to parse
and analyse the drug delivery service's tradecraft.
Recruitment
a friend of mine solicited hardcore drugs for a Manhattan drug kingpin, who was looking for a new pot delivery guy. My friend encouraged me to try out for the job.
As with many covert groups, the recruitment process relied on personal connections.
This social-network-grounded approach to expanding a covert organisation
is generally good for initial security. The recruits are unlikely to be agents
sent to infiltrate the organisation, as the long-standing social ties between
members and recruits both establish trust and serve as vetting.
Developing a covert organisation based on social network ties provides a
means of rapid expansion and easy security clearance. The downside is that once
a single member of the organisation is compromised, the adversarial security forces
can easily roll up the whole network. The poor compartmentation of a social network
based covert organisation is its Achilles heel. The security of the organisation
is critically dependent on the security of each individual member.
ProTip: Expand your covert network with individuals who are passionate about
your ideological beliefs. Ensure strong compartmentation, starting with recruitment.
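To make the compartmentation point concrete, the following is an added example (not from the blog post or the Vice article) that models an organisation as a graph of "who can identify whom" and asks how many members a single compromised member exposes. The member names (P, c1, c2, m1 to m6) and the two structures compared are constructed for illustration: a social-network organisation where knowledge of identities is mutual and transitive, versus a cellular one where couriers know only their cut-out. The third graph shows how one upward link from a cut-out to the principal collapses the compartmentation again.

```python
from collections import deque


def reachable_from(graph, start):
    """Breadth-first search: every member exposed once `start` is compromised."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure(graph):
    """Map each member to the number of members exposed if that member is compromised."""
    members = set(graph)
    for nbrs in graph.values():
        members.update(nbrs)
    return {m: len(reachable_from(graph, m)) for m in members}


def undirected(edges):
    """Adjacency dict where knowledge is mutual: A can identify B and B can identify A."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def directed(edges):
    """Adjacency dict where (A, B) means only that A can identify B."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set())
    return graph


# Constructed sample organisation of nine members: P is the principal,
# c1/c2 are cut-outs (dispatchers), m1..m6 are couriers.

# Social-network recruitment: everyone was recruited through a friend,
# so identities are known in both directions along every tie.
SOCIAL = undirected([
    ("P", "m1"), ("m1", "m2"), ("m1", "m3"), ("m2", "m4"),
    ("m3", "m5"), ("m5", "m6"), ("m4", "m6"), ("m2", "c1"), ("m6", "c2"),
])

# Cellular design: the principal knows the cut-outs, each cut-out knows its
# cell, and each courier knows only its own cut-out. Nobody below P can
# identify P.
CELL_EDGES = [
    ("P", "c1"), ("P", "c2"),
    ("c1", "m1"), ("c1", "m2"), ("c1", "m3"),
    ("c2", "m4"), ("c2", "m5"), ("c2", "m6"),
    ("m1", "c1"), ("m2", "c1"), ("m3", "c1"),
    ("m4", "c2"), ("m5", "c2"), ("m6", "c2"),
]
CELLULAR = directed(CELL_EDGES)

# Same design, but the cut-outs can identify the principal: a single courier
# arrest now unravels the whole organisation through c1 -> P -> everyone.
LEAKY = directed(CELL_EDGES + [("c1", "P"), ("c2", "P")])


if __name__ == "__main__":
    for name, graph in (("social", SOCIAL), ("cellular", CELLULAR), ("leaky", LEAKY)):
        worst = max(exposure(graph).values())
        courier = exposure(graph)["m1"]
        print(f"{name:9s} worst case: {worst}/9 exposed; one courier compromised: {courier}/9")
```

In the social-network graph every member exposes all nine, because any connected undirected graph is fully reachable from any node. In the cellular graph a compromised courier or cut-out exposes only its own cell of four, while the principal still exposes everyone, which is the page's point about the principal's records being the high-value target. Adding the two upward links in the leaky graph brings every member back to nine.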
Leverage
He asked me to provide documentation of my current address and phone number as an insurance policy. If I ran out on him, he warned me he’d hold my friends responsible for the deficit funds and/or drugs.
The principal of the organisation, “Nathan”, requires that the recruit provide
a verifiable address and means of contact, accompanied by dire warnings of the consequences
of any infraction. These are very basic control principles, typical of
covert organisations.
The major security problem with this approach, of course, is that the records
maintained by the network’s principal are a high value target for the adversary.
Compromise of the principal’s records will lead to total collapse of the network,
and interdiction for every member involved. There is no chance of evasion.
ProTip: No logs, no crime. Do not keep records of the members of your covert
organisation. These records are extremely sensitive.
Operational Actions
the transaction and exit should be as swift as possible. “You aren’t here to hang out,” she said. “It’s not a social call, and they aren’t your friends. You want to walk in and be friendly and make conversation but also get to the business at hand and get out of there quickly.”
The illicit operation, the drug sale, is intended to be rapid and minimize
the period of vulnerability for both parties. Interestingly, this is possibly a
poor choice if the threat is surveillance. There are few reasons a random individual
would enter a domicile for a short duration. Also of note, the covert organisation
provides no reasonable cover story for why the agent (the drug courier) is entering
the residence of the client. A simple “what were you doing?” type question would
likely completely blow the whole operation.
ProTip: Minimising the period of vulnerability improves the chances of operational
success. Always make sure your agents are capable of delivering plausible cover
stories (cover for action).
Cover for Status
Nathan forced me to wear a button-up shirt and slacks, shave my face, and keep my hair conservatively short. He believed this uniform would attract little attention as I walked around with thousands of dollars worth of pot in a laptop case slung over my shoulder.
The covert organisation has, surprisingly enough, chosen to enforce a uniform
that makes its agents blend in with the mainstream. This is completely in line
with the typical operational disguises employed by covert organisations operating
in controlled territory the world over. (See: Moscow Rules, “go with the flow”;
Murphy’s Laws of War, “don't stand out, it draws fire”.)
ProTip: They got this one exactly right.
All phones are bugged
Although I used my flip-phone constantly at work, I was never given clients’ addresses over the phone. Clients’ calls would go to a dispatcher—a third party who took the call, traced the number through a database of numbers, and then returned the call from a different phone to confirm their request for drugs. After their request was confirmed, I received a call from another phone. The dispatcher only told me, “You got Nick,” or “You got Lucy.” I was banned from responding with anything besides a murmured “OK.”
Each operational use of the phone provides the adversary with minimal value.
There is a unique identifier for the client (e.g. “Lucy”), and the agent
acknowledges receipt of the directive (“OK”). The dispatcher’s interaction
with the client is itself run over multiple phone lines and kept to short,
simple, normal-sounding statements.
ProTip: This is very much in line with all covert organisations’
guidelines for using phones. Never use keywords, keep the content as vague as possible,
and minimise the period of vulnerability – get off the phone!
OPSEC FAIL: attracting attention
Each day I was given a stipend of $40 for cabs. No one knew if I didn’t spend the $40. Instead of taking cabs, I ran around in a frantic state that negated every other measure I took to not draw unwanted attention.
This is an instance of preference divergence, a common problem for covert
organisations. The financial resources the principal provides to the agent
are siphoned off and directed towards non-operational uses (the drug courier
skims and pockets his cab stipend). There doesn’t appear to be any consequence
for this operational security failure; however, it jeopardises the entire organisation.
If “Nathan” were a more disciplined principal, he would monitor his agents more
closely and ensure they conform to the organisation’s security requirements.
Strangely, drug dealers are not strict disciplinarians.
ProTip: if the security of the entire organisation is dependent on the security
of each individual agent – enforce the operational security requirements strictly!
Aliases
I shook his hand and said, “I’m Jack.” He gave me a knowing grin. “So that’s the name you’re using?” he asked.
The agent is using an alias to provide pseudonymity from malicious clients. This
provides some minimal level of security. It is definitely better than not having
any cover at all. However, as noted above, it should be combined with a robust
cover story for why the agent is visiting a residential home for a brief period.
Discharging the agent
After a promotion, the drug courier decides to find a new line of work. If the
organisation were stricter in its OPSEC practices, the departure of an agent
wouldn’t place anyone else in jeopardy. As it stands, it seems clear that the
agent, who is now drawing attention to himself by writing about his experience
in a national magazine(!), still retains sufficiently sensitive information to
unravel the network.
ProTip: compartment early, compartment often. It is safer than any alternative.
TL;DR
Compartment your covert organisation from recruitment through to operational
action, so that when your agents leave or are compromised they are unable
to compromise the organisation. Ensure that your operational activities have
good cover for status (e.g. a disguise) and cover for action (e.g. a strong cover story).
Use strong compartmentation and strong cover, and be aware of the risks of using social networks
to build a covert organisation.