OSINT, open source intelligence, is a great tool for companies looking to find threat information on the web. The wealth of information available can be overwhelming, clunky, and difficult to incorporate into a threat intelligence program, however.
Bill Dean, Director of Computer Forensics and Security Assessments at Sword & Shield Enterprise Security, says OSINT is a critical part of organizations’ threat intelligence, especially when it comes to people, a risk element easily forgotten in companies’ quests to find information on the latest vulnerabilities, malware, and cyber attacks. The adage, “People do the darndest things,” couldn’t be more true when it comes to the internet. Here, Dean provides some advice for organizations that want to beef up their OSINT efforts and include people searches in their daily intelligence gathering.
Why are organizations missing the boat if they’re not incorporating people (employees, contractors, partners, etc.) into their OSINT hunting?
Most organizations are aware of the static information related to their internet presence: internet accessible hosts, email server information, domain name system (DNS) servers, organizational data, etc. They know this because they put it there and need it to run the business. For the most part, this information and the systems on which it is contained are somewhat fixed and seldom change. This makes it easy for IT departments to manage but provides value to potential attackers from an infrastructure reconnaissance perspective; once an attacker finds vulnerable systems, they can bet the systems will remain where they are, how they are for (at least) the short term. Those same systems and endpoints, though, can, if under the guidance of a skilled and thorough security and IT team, be tested and vulnerabilities remediated before they’re exploited. They’re static, and therefore easier to keep watch over.
People, however, add a dynamic component to the security threats an organization faces. Extreme value is obtainable from social networks and help forums, even on those individuals who are diligent about privacy settings and don’t consider themselves avid users of social media. If I want to social engineer someone via phishing or pretexting, what better way to gather that information than to use LinkedIn to determine targets and organizational structure, then compare that against other social networks to learn individuals’ interests? Doing so allows me to create a believable story including personal details about the person, and greatly increases the probability the person will fall for my phish.
Help forums, too, can be most valuable to an attacker once a person’s online handle—username or ID—is determined (many people use the same handle from site to site, making it easier for the attacker to identify). Technical teams often use these forums as a way to quickly get advice on a pressing problem from a large group of people. This social method certainly has its advantages, but an attacker can use the information gleaned from the postings to learn much more about the organization. Technical issues reveal quite a lot about an organization, including the technologies it uses and the problems it is facing. An attacker can use this public information to home in on known vulnerabilities or issues with the technology and use it to his advantage. Pastebin is a treasure chest of information for an attacker due to the details posted by IT people. It can almost serve as a sort of newsfeed for attackers, who just need to sit back and watch as people post highly sensitive information in a very public place.
Where does social media fit in? How can organizations monitor it more effectively?
Social media has definitely created numerous issues for organizations on many fronts. Government agencies, in particular, must be aware that their employees are using social media and develop policies that prohibit the discussion of projects dealing with security-related issues. For most organizations, the danger of oversharing sensitive information is a constant risk. Most employees do not realize how the tiniest tidbit of information provides the attacker useful details when planning his attack. While monitoring the social media activities of all employees is a near impossible task, there are passive methods for organizations to monitor their brand using the right approach. One of the best, basic things a company can do is set up email alerts for search engines such as Google and Bing. When brand-related terms are found, the team receives an email and can look into it: Is it applicable? Actionable? Does this demand attention right now? In addition, repositories such as Pastebin offer keyword alerts, and teams can learn a lot from what’s posted in these types of more technically oriented forums.
Aside from Google searches, what free tools are available?
As a starter, most people are very inefficient with Google. Typical searches performed create a great deal of “noise” that adds no value. Second, Google is arguably the best known search engine but not the only search engine of value. For example, Google does not index and provide information on FTP servers, previous versions of websites, your IoT devices that you do not know are internet accessible, nor people-specific searches. While Google inventories information, websites such as Shodan and insecam provide inventories of devices that are publicly accessible (some without password protection).
Learn to effectively use OSINT to not only perform periodic self-assessments, but create the ability to know and be alerted when things of concern may be related to you or your organization’s employees. While time and effort are needed on the front end, my experience indicates that it is well worth the investment. Searches and feeds can be automated so that once they’re set up and alerts are being received by the correct person or team within the organization, they only need to be refined over time, not created anew.
What are some “gotchas” companies should consider when they start digging into background on employees/contractors/partners?
Understand that some of the information found may be hearsay, completely inaccurate, or even the wrong target of investigation. I can’t tell you how many times during an investigation I find some “incriminating evidence” at first, only to correlate it with other found information and learn that the “evidence” is related to a completely different person in a different part of the world having nothing to do with the case I’ve been hired to investigate.
I always recommend that my students use the tools to research themselves to get a feel for the accuracy of OSINT techniques. From that point, they can use the particulars discovered as pieces of data to assist in the opinion rather than the judgement for the decision. As with any alert received, it’s inadvisable to jump on the problem before assessing the entirety of the situation. Because the internet is so vast, not always accurate, and most names are not unique, be careful to not jump to conclusions too quickly. Users must cross correlate OSINT so that they’re sure of what they’re taking action against. Thankfully, there’s a lot of OSINT available; you just need to harness it correctly.