If You Can’t Beat ‘Em: The Invisible Data Tussle Engulfing Your Networks
The Internet revolutionized the way in which we approach information. Data surrounding your organization, its structure, its history, and the personal lives of every single employee and customer is swirling around on various social media networks. The rapidly changing nature of online spaces lulls many users into a false sense of security. After all, when was the last time you spared a thought for what you posted 6 months ago?
It’s within this environment that attackers and security teams are actively gathering open source intelligence (OSINT). Everything that’s ever been posted can be found, read, and fed into a larger image of a person, organization, or governmental figure.
What is Open Source Intelligence?
Public information leaks from every facet of daily life. The first wave of OSINT efforts originated in military and intelligence operations throughout the 70s and 80s. The focus was on gathering strategically important information pertinent to national security. Human sources (HUMINT) were of primary importance, while digitally gained information (DIGINT) rose in importance following the widespread adoption of the internet.
Though still a vital part of military intelligence, OSINT has spread far beyond its initial military aims. In fact, some of the first to realize its importance outside of combat zones were individuals wanting to extort companies. With the arrival of the internet in modern households from the 90s onward, OSINT suddenly granted access to far more than military intelligence. Almost every aspect of an organization’s employees and IT infrastructure is visible through its online presence and social media. Recognizing the danger that this poses, CISO teams have begun turning the same tactics back on potential attackers.
The Silent OSINT Battle
The OSINT process starts small; it may begin with nothing more than the name of a target organization. From there, a quick Google search returns every relevant piece of information in an easily digestible format. After a few hours spent perusing LinkedIn pages, site domains, and company-hosted data, an attacker will have a fairly accurate picture of your organization. The specific data they’re after depends heavily on the attack campaign they’re preparing: if the goal is to steal user credentials, they may be looking to conduct a successful spear phishing attack, and for that they’re likely hoping to build in-depth profiles on a handful of high-level executives.
Though LinkedIn offers a wealth of information regarding an organization’s structure and hierarchy, other social networks offer still more, and highly valuable, information. This can include dates of birth, names of pets, and the names of family members. All of this allows a dedicated attacker to guess passwords and to strengthen phishing attack methods. Even completely innocuous information can be turned against its owner by OSINT gatherers looking to cause serious damage. An employee who is really into surfing will probably express their love for the sport on their private social media accounts. An attacker can abuse this by finding one of their email addresses, then emailing a discount URL for a supposedly new wetsuit store. This may look like a harmless marketing email, but it could direct the target’s device to load malware from an attacker-controlled server. When clicked, the consequences for the person, and for their devices, can be critical.
While attackers skim through mountains of online content to build profiles of their victims, the saving grace is that open source intelligence is publicly available. This means that CISOs can use the same methods to assess, and then repair, an organization’s attack surface. A people-first focus allows for education on the risks of sharing personal information, while regular assessments of site error codes and server-hosted data help maintain a hygienic online profile. Furthermore, defensive OSINT allows security teams to actively monitor an evolving threat landscape, with tools that scan and report on dark web marketplaces and forums. This gives an idea of the most successful recent breaches and lends further insight into the attack patterns currently rippling across your industry.
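The defensive assessment described above can be put into code. The following is an added example, not a tool from the original article: it runs a passive exposure audit over a few constructed social media posts (fictional employees and a fictional example-corp.test domain), flags the categories the article names as useful for password guessing and pretext phishing (email addresses, dates of birth, pet and family names, hobbies, and disclosed IT infrastructure), and ranks employees by how much they expose. The detector patterns and weights are illustrative choices, not an established standard.

```python
import re
from collections import defaultdict

# Constructed sample posts (fictional people and domain); each tuple is (employee, platform, text).
SAMPLE_POSTS = [
    ("a.smith", "linkedin", "Head of Finance at ExampleCorp since 2019. Reach me at a.smith@example-corp.test"),
    ("a.smith", "twitter", "Happy 40th to me! Born 14/03/1984 and still surfing every weekend"),
    ("a.smith", "facebook", "Our dog Biscuit turned 5 today. My daughter Emily made him a cake."),
    ("j.doe", "linkedin", "IT administrator at ExampleCorp. We run Exchange 2016 on-prem."),
]

# Each detector maps an exposure category to a regex; the categories follow the risks named in the article.
# A capturing group, where present, isolates the disclosed value; otherwise the whole match is the value.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "date_of_birth": re.compile(r"\b(?:born|birthday)\b[^.\n]*?(\d{1,2}/\d{1,2}/\d{4})", re.I),
    "pet_name": re.compile(r"\b(?:dog|cat|pet)\s+([A-Z][a-z]+)"),
    "family_member": re.compile(r"\b(?:daughter|son|wife|husband|mother|father)\s+([A-Z][a-z]+)"),
    "hobby": re.compile(r"\b(surf\w*|hiking|climbing|cycling)\b", re.I),
    "tech_stack": re.compile(r"\b(Exchange \d{4}|Windows Server \d{4}|VPN)\b"),
}

# Illustrative weights: how much each category helps password guessing or a convincing pretext.
WEIGHTS = {"email": 3, "date_of_birth": 3, "pet_name": 2, "family_member": 2, "hobby": 1, "tech_stack": 3}


def audit_posts(posts):
    """Return {employee: {"findings": {category: set(values)}, "score": int}}.

    A value is counted once per employee per category, even if repeated across platforms.
    """
    report = defaultdict(lambda: {"findings": defaultdict(set), "score": 0})
    for employee, _platform, text in posts:
        entry = report[employee]
        for category, pattern in DETECTORS.items():
            for match in pattern.finditer(text):
                value = match.group(1) if match.groups() else match.group(0)
                if value not in entry["findings"][category]:
                    entry["findings"][category].add(value)
                    entry["score"] += WEIGHTS[category]
    return {k: {"findings": dict(v["findings"]), "score": v["score"]} for k, v in report.items()}


def rank_exposure(report):
    """Return [(employee, score), ...] from most to least exposed, for prioritising awareness training."""
    return sorted(((k, v["score"]) for k, v in report.items()), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for employee, score in rank_exposure(audit_posts(SAMPLE_POSTS)):
        print(f"{employee}: exposure score {score}")
```

In practice the posts would come from the organization's own monitoring of its public footprint, and the findings feed the people-first education the article recommends rather than any action against the individuals.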
How Much Data Are You Spilling?
The first step to reducing an attack surface is capturing a clear picture of the situation. Thankfully, there are a number of publicly available tools that streamline the data collection process. The ways in which these collate data can be split into two main groups. Passive collection is by far the most common form; it involves scraping and collating data from publicly accessible sources, such as the Twitter API. One tool that shows immense promise for researchers is Intelligence X. This archival platform preserves internet pages in their original state, regardless of the legality or ethics of their content. That includes not only data that has been censored from the wider public internet, but also pages from WikiLeaks and high-censorship government sites.
More active OSINT tools gain data by interacting directly with networks. In an approach that edges toward penetration testing, tools such as Shodan offer monitoring capabilities across networks. By searching deep web and IoT networks, it’s possible to see any type of device connected to a network: anything from servers, smart devices, and webcams to traffic lights and water control systems. Finally, the most active forms of OSINT are tools such as Maltego. This open-source platform allows users to run a scripting mechanism that collates data from multiple sources at once, in order to analyze the real-world relationships between servers, organizations, and individuals. The relevant pieces of the puzzle are then visualized in a thorough network chart, handing an accessible roadmap to any would-be attacker.
By using the same methods as your potential attackers, OSINT provides critical tools with which to protect your colleagues and networks alike. Furthermore, social media has a way of picking up on crisis news hours before mainstream news sources do. With a suite of proactive OSINT methods in place, your organization can keep one step ahead of threats both within and outside your critical networks.