The company has just hired a new manager and in the excitement has already issued a press release. The new manager is also excited and flaunts the new position on social media… And with that, cybercrooks have all the information they need to craft a highly targeted phishing attack. Why do it the hard way when there’s all this publicly-available information that the company so willingly divulged?
That’s the power of open-source intelligence (OSINT) in the wrong hands.
Think of OSINT as the gathering of information from publicly available sources. And all too much data has been made freely available through search engines, social media, and official company websites. Then there are many OSINT tools that can automate the entire process. Such tools are meant to help security teams detect weak points in an organization. However, OSINT is a double-edged sword – it’s just as easy for bad actors to identify and exploit a company’s weaknesses.
Know how attackers use OSINT
Reconnaissance is the first step of the famous cyber kill chain, and attackers widely use OSINT to know everything about their potential targets. And before they even get to the more sophisticated OSINT tools, they’ll use what’s called “Google Dorking,” the use of Google searches to find security loopholes in an organization.
For example, someone can craft a query to search for all spreadsheets that have a company’s name and the word “password.” If one of the company’s admins has ever exposed such a spreadsheet accidentally, it’s now in the hacker’s hands.
OSINT tools make the job easier
With tools like "The Harvester," cybercriminals can harvest email addresses and gather other information like hostnames and IP addresses belonging to a company. They can use the Shodan website to see what kind of internet-facing machines, namely servers, scanners, and routers that organization uses. They can find information about software versions, open ports, and default passwords. They can also search for the company's hardware and software vendors and dig in some more to find supply chain vulnerabilities. They can use Censys, another popular OSINT tool, that's even more precise when it comes to searching for vulnerabilities associated with a company's devices.
There are several other advanced tools, such as Spiderfoot, which has a reporting feature that highlights issues that need immediate remediation, such as open cloud storage buckets. Another one called Spyse, gets used to spot exposed SSL/TLS certificates. These tools make it a breeze for attackers to find points of vulnerability in a network. Ideally, the company's security team would use the same tools to spot weaknesses before they are weaponized.
Leverage OSINT for red teaming
It’s important that the company have its security teams periodically perform red teaming exercises that use OSINT tools. Stay proactive and aggressively use these tools to identify and patch the loopholes and minimize the company’s attack surface. Many OSINT tools that are available today have overlapping functionality. But security pros can choose a combination that can optimize OSINT research while giving the team a holistic view of the company’s attack surface.
And while doing that, it’s important to have a secure setup so the company doesn’t end up exposing itself or its machine while conducting OSINT research. I recommend using a separate machine sitting behind a firewall for OSINT. And within that isolated machine, the security team can set up multiple virtual machines to create a sandbox just in case they touch a malicious website during the process. Finally, make sure that the team turns on a VPN on the virtual machine to obfuscate the IP of origin.
Don't forget the users
Security strategies are not complete without considering the human element. The "work-from-home" situation creates an even greater threat, and "bring your own device" adds to the mix. The company should establish security requirements for employees’ devices, so employees aren’t using vulnerable devices with open ports or default passwords.
Attackers will learn a lot about the company’s employees through social media and their professional profiles. Educate them about the risks of posting personal information, photos, and videos. All it takes is a single click, so make sure employees are trained to identify the latest phishing techniques and encourage them to report on anything suspicious.
Because of its data collection capabilities, cybercriminals widely use OSINT in the underground. The dark web consists of many compromised systems and credentials for sale. Even novices are just one payment away from buying credentials to hack into any company thanks to do-it-yourself kits and SaaS-like business models. Sophisticated cybercriminals will search high and low for entry points the majority of which are achieved via social engineered phishing tactics. Get to those vulnerabilities first. For that, remain fully aware of the company’s digital footprint and educate employees to use technology responsibly.
Stu Sjouwerman, founder and CEO, KnowBe4