A topic that’s gathering buzz in information security circles these days is open source intelligence, or OSINT. OSINT basically involves gleaning “intelligence” (aka data) from publicly accessible sources like the media, web-based communities, government and other reports, and/or geospatial data from maps to geo-tags on photos.
What can you do with OSINT? Some organizations, like Jigsaw (now part of data.com), use it to aggregate and sell contact and company information to help drive sales and marketing activities. Hackers and cybercriminals use it to target sensitive organizational data with social engineering, spear-phishing and other attack vectors.
At Pivot Point Security, we saw this trend taking shape about five years ago, when our clients began experiencing a spate of reputational-risk issues. For example, several customers were troubled by data that was in the public domain: in third-party databases like Google, Internet registrar services, you name it.
We developed a service offering we call Deep Internet Reconnaissance – DIR for short. It’s fundamentally a methodology for identifying technical risks, reputational risks and organizational risks inherent in the ambient “open source” data.
DIR’s main purpose is to educate our clients about what’s out there that relates to them, and what to do about mitigating similar risks in the future. It’s not a pleasant surprise to rely on certain data being sensitive and/or secure, only to find that it’s all over the place. And once data’s gone public it’s pretty hard to call it back.
Over the years we’ve refined DIR considerably. Say we start with the domain name of your company. We’ll hunt down e-mail addresses associated with it, tie them to names, tie those to company roles, then look on social media and check activity. Are these legacy accounts? General shared accounts? Do they relate to current employees? We focus our research on C-level and senior technical management, and staff with “security” in their title.
From the domain name we also figure out what IP address blocks are allocated to your company and how they’re registered. Can we move your domain name or IP addresses away from you? Did your CEO use his home phone number in the registration info?
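The registration questions above are ones you can ask about your own domain before anyone else does. Here is an added example (not Pivot Point's DIR tooling, and not code from the original post) that parses a WHOIS-style record and flags the things the two paragraphs above look for: contacts that are personal rather than role-based, phone numbers outside the corporate range, and missing registry locks that would let a domain be transferred away. The sample record, the policy values and the `example-corp.test` domain are constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample WHOIS output for a hypothetical domain; every value is made
# up for this illustration and is not taken from any real registration.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar, Inc.
Updated Date: 2023-05-01T00:00:00Z
Creation Date: 2010-05-01T00:00:00Z
Registry Expiry Date: 2024-05-01T00:00:00Z
Domain Status: ok https://icann.org/epp#ok
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Email: jane.doe@gmail.test
Registrant Phone: +1.5555550199
Admin Email: hostmaster@example-corp.test
Admin Phone: +1.5555550100
Tech Email: jdoe@example-corp.test
Tech Phone: +1.5555550105
Name Server: NS1.EXAMPLE-CORP.TEST
"""


@dataclass
class RegistrationPolicy:
    """What a registration record *should* look like for this organization (assumed policy)."""
    corporate_domain: str
    # Local parts that are acceptable role mailboxes for registration contacts.
    role_mailboxes: set = field(default_factory=lambda: {"hostmaster", "domains", "dns"})
    # Prefix of the corporate switchboard block; any other number is treated as personal.
    corporate_phone_prefix: str = ""
    # EPP status codes that stop a registrant-side transfer, update or delete.
    required_statuses: set = field(default_factory=lambda: {
        "clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"})


# Constructed policy for the sample record above.
POLICY = RegistrationPolicy(corporate_domain="example-corp.test",
                            corporate_phone_prefix="+1.555555010")

CONTACT_ROLES = ("Registrant", "Admin", "Tech")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict of lists (keys such as Domain Status repeat)."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def audit_registration(text, policy):
    """Return a list of human-readable findings about exposure in the registration data."""
    rec = parse_whois(text)
    findings = []

    # 1. Registry locks: the status line is "<code> <url>"; keep only the code.
    statuses = {v.split()[0] for v in rec.get("Domain Status", [])}
    for status in sorted(policy.required_statuses - statuses):
        findings.append(f"missing registry lock: {status}")

    # 2. Contact details: personal mailboxes and personal phone numbers tie the
    #    domain to an individual rather than to the organization.
    for role in CONTACT_ROLES:
        for email in rec.get(f"{role} Email", []):
            local, _, domain = email.lower().rpartition("@")
            if domain != policy.corporate_domain:
                findings.append(f"{role} email {email} is outside {policy.corporate_domain}")
            elif local not in policy.role_mailboxes:
                findings.append(f"{role} email {email} names an individual; use a role mailbox")
        for phone in rec.get(f"{role} Phone", []):
            if policy.corporate_phone_prefix and not phone.startswith(policy.corporate_phone_prefix):
                findings.append(f"{role} phone {phone} is not a corporate number")
    return findings


if __name__ == "__main__":
    for finding in audit_registration(SAMPLE_WHOIS, POLICY):
        print(finding)
```

Run against the sample, this reports the three missing locks, the registrant's webmail address and home-range phone number, and the technical contact's personal corporate mailbox; the `hostmaster@` admin contact passes. Point `parse_whois` at the output of your registrar's WHOIS or RDAP lookup for your own domains and keep the policy values in version control so the check can be repeated.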
Once you aggregate some data it’s amazing what you can do with it. With one DIR customer we used geo-tagged photos taken at company birthday parties and such in the Flickr accounts of employees to build a pretty accurate layout of their facility. I’ve also seen things like login/password data in router configurations that IT admins have posted to the Cisco support forum.
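The router-configuration leak above is the easiest of these to prevent, because the configuration passes through the admin's hands before it reaches the forum. Here is an added example (not the original post's code and not a Cisco tool) that scrubs credential lines from an IOS-style configuration before it is shared and reports what it removed. The configuration excerpt, hostnames, keys and hashes are constructed for the illustration; the line patterns follow the standard IOS keywords for enable, username, SNMP community, TACACS+ and IKE pre-shared key lines.

```python
import re

# Constructed sample of an IOS-style configuration excerpt; all secrets and
# addresses are made up for this illustration.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$abcd$EXAMPLEHASHxxxxxxxxxxx
username admin privilege 15 password 7 0822455D0A16
snmp-server community public RO
snmp-server community s3cr3tRW RW
tacacs-server host 10.0.0.5 key TACACSKEYEXAMPLE
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
crypto isakmp key VPNKEYEXAMPLE address 198.51.100.7
"""

# Each entry: (pattern anchored at line start, replacement keeping the keyword prefix).
SECRET_PATTERNS = [
    (re.compile(r"^(enable (?:secret|password)(?: \d)? ).+$"), r"\1<REDACTED>"),
    (re.compile(r"^(username \S+(?: privilege \d+)? (?:password|secret)(?: \d)? ).+$"), r"\1<REDACTED>"),
    (re.compile(r"^(snmp-server community )\S+"), r"\1<REDACTED>"),
    (re.compile(r"^(tacacs-server host \S+ key ).+$"), r"\1<REDACTED>"),
    (re.compile(r"^(crypto isakmp key )\S+"), r"\1<REDACTED>"),
]

# "password 7" / "secret 7" is Vigenere-style obfuscation, not a hash: posting it is
# equivalent to posting the cleartext.
TYPE7 = re.compile(r"\b(?:password|secret) 7 ")


def scrub_config(text):
    """Return (scrubbed_text, findings); findings describe each redaction made."""
    out, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, repl in SECRET_PATTERNS:
            new_line, count = pattern.subn(repl, line)
            if count:
                findings.append(f"line {lineno}: {line.split()[0]} credential redacted")
                if TYPE7.search(line):
                    findings.append(f"line {lineno}: type 7 password is reversible obfuscation, not a hash")
                line = new_line
                break
        out.append(line)
    return "\n".join(out) + "\n", findings


def residual_secrets(scrubbed):
    """Second pass: any credential-bearing line that still lacks the marker is a miss."""
    return [line for line in scrubbed.splitlines()
            if any(p.match(line) for p, _ in SECRET_PATTERNS) and "<REDACTED>" not in line]


if __name__ == "__main__":
    scrubbed, findings = scrub_config(SAMPLE_CONFIG)
    print(scrubbed)
    for finding in findings:
        print(finding)
    print("residual:", residual_secrets(scrubbed))
```

The pattern list is deliberately a plain table so that a team can add its own lines (RADIUS keys, BGP neighbor passwords, local certificates) as they are found; `residual_secrets` gives a cheap regression check that nothing in the list slipped through. Interface addresses are left in place here because the post's point is the credentials, but the same table can carry an address mask if the configuration is going to a public forum.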
Sensitive data often changes hands “innocently” when somebody is looking for help – and suddenly your business is vulnerable to a data breach. A while back we were asked to do an assessment for a utilities organization. They wondered if their security was sufficient to thwart access to their member companies. It took less than five minutes to talk a help desk staffer into providing complete account data and admin-level access for a power company that was part of the system – using public domain data and no authentication.
Social engineering and spear-phishing attacks work because people naturally don’t want to be seen as holding things up; they want to be helpful and they want to avoid confrontation. If somebody sounds and looks genuine, they’re rarely questioned.
Part of our job at Pivot Point is to raise people’s awareness so they’ll push back when something isn’t aligning with their firm’s security posture. Because you don’t know what you don’t know until somebody tells you.