Partner Perspectives
6/22/2015
Ryan Vela

Breach Defense Playbook: Open Source Intelligence

Do you know what information out there is putting you at risk?

The Internet allows for information to be readily available at your fingertips. However, it also allows the same information to be accessed by malicious threat actors who are targeting your organization with cyberattacks. The recent explosion of social media has only increased the information available, and with it the risks to your corporate data, intellectual property, and brand. Some organizations call the awareness of this risk “threat intelligence,” but we have found that organizations need to focus on more than just current threats. Using Open Source Intelligence, or OSINT, organizations can apply an emerging intelligence-gathering capability to detect data leakage, employee misbehavior, or negative brand exposure, a broader view than threat intelligence alone provides.

OSINT is a discipline that pertains to intelligence produced from publicly available information such as data, facts, social messages, or other material published or broadcast for general public consumption. Examples of open sources include websites, social networks, blogs, comments, underground forums, blacklists/whitelists, chat rooms, archives, and numerous other sources.

The mission for an OSINT program is to minimize risk and prevent threats by identifying and assigning credibility to potential cyberthreats, leaked confidential business information, company or customer personally identifiable information, and any sensitive or proprietary data from open sources. Conversely, attackers use open source information to maximize their attack potential. For example, they may execute a passive email phishing campaign by knowing the likes and dislikes of an organization’s employees. In one targeted phishing campaign, attackers knew from social media that IT employees always had lunch at a particular Chinese restaurant, so the attackers posed as the restaurant with a new menu in the form of a malicious PDF file attached to emails.

OSINT is a cycle that requires constant tuning in order to get greater value out of the process. The first step is to develop a set of keywords to serve as the foundation for your custom search criteria. Some examples are names of affiliated companies, IT vendors for software or hardware, internal IP schemes, common naming conventions for network segments, document marking standards, or internal project names.

You then leverage intelligence-gathering tools and techniques to scrape websites and the deep Web for specific information. The team conducting the OSINT analysis should have its own custom database of known malicious groups, sites, blogs, chats, and paste locations that they have built and use while running the program. You should use another set of tools to scan social media sites such as Twitter, Facebook, YouTube, and Google+. Most likely, you will only need to concentrate on current information being discovered and may not need to analyze information that was made public prior to a year ago, unless the information is confidential or potentially damaging to your organization.

Passive Monitoring

Your OSINT program should passively monitor while not actively participating in ongoing communications. For example, you should listen to chat rooms and watch forum posts, but don’t engage, as doing so would tip off the attackers that you are watching them. If they find out that you are listening to their conversations, they will “go dark,” moving somewhere you cannot listen in, and you will get no further information.

The last step in the OSINT cycle is reporting. The goal of the program is to provide your operational personnel and leadership with the information they need to properly assess and react -- keep in mind that this requires packaging in a way that’s easily “translatable” for those on the leadership team that are further removed from day-to-day security practices. Regardless of whether you found anything of perceived value, a standard periodic report (weekly or monthly) should be prepared and distributed to appropriate stakeholders containing the identification and analysis of your findings so they get in the routine of reviewing and reacting to the data.

If in any situation you find information that could indicate an imminent cyber or physical threat or attack, you should have an emergency escalation plan in place and put it to use. The escalation plan should have appropriate contact information and procedures on whom to call for each type of circumstance. For example, if you find that a hacktivist group is planning to DDoS your public websites, you should inform your Web management team, your third-party website hosting provider, and your infrastructure team.

The third-party website hosting provider can watch for IP addresses that are targeting the website and block them; your infrastructure team can block IP addresses that are putting suspicious stress on routing devices around your Web systems; and the Web management team can have backups of the website ready to push out to new landing pages to replace any defacements that occur in conjunction with the DDoS.
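As an added illustration of the cycle described above (keyword set, collection, credibility scoring, periodic reporting and escalation), and not code from the article or from Fidelis: a small Python triage that matches a keyword set against collected items, weights hits by source credibility, flags items that reach an escalation threshold, and produces the summary counts for a periodic report. All keyword categories' values, source weights, the threshold and the sample items are constructed assumptions.

```python
import re
# Keyword categories from the article; every value is a constructed placeholder.
KEYWORDS = {
    "internal_ip_scheme": [r"\b10\.42\.\d{1,3}\.\d{1,3}\b"],
    "document_marking": [r"ACME CONFIDENTIAL", r"ACME INTERNAL USE ONLY"],
    "project_name": [r"\bProject Bluefin\b"],
    "network_naming": [r"\bCORP-DMZ-\d+\b"],
}
# Assumed credibility weight per source type: pastes and underground forums outweigh tweets/blogs.
SOURCE_WEIGHT = {"paste": 3, "underground_forum": 3, "twitter": 1, "blog": 1}

def compile_keywords(keywords):
    return {c: [re.compile(p, re.IGNORECASE) for p in pats] for c, pats in keywords.items()}

def scan_item(source, text, compiled):
    # One (category, matched text, weight) tuple per keyword hit in a collected item.
    return [(cat, m.group(0), SOURCE_WEIGHT.get(source, 1))
            for cat, pats in compiled.items() for p in pats for m in p.finditer(text)]

def score(findings):
    # Sum the weights; hits in two or more categories double the score, since an internal
    # IP next to a document marking is a stronger leak indicator than either alone.
    total = sum(w for _, _, w in findings)
    return total * 2 if len({cat for cat, _, _ in findings}) >= 2 else total

def triage(items, keywords=KEYWORDS, escalate_at=6):
    # Score each (source, text) item, flag those at or above the assumed escalation
    # threshold, and return the rows highest score first for the analyst.
    compiled = compile_keywords(keywords)
    rows = []
    for src, text in items:
        f = scan_item(src, text, compiled)
        s = score(f)
        rows.append({"source": src, "score": s, "escalate": s >= escalate_at,
                     "categories": sorted({cat for cat, _, _ in f}),
                     "matches": [m for _, m, _ in f]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def periodic_report(rows):
    # Summary counts for the weekly/monthly stakeholder report, produced even when empty.
    return {"items_reviewed": len(rows),
            "items_with_findings": sum(1 for r in rows if r["score"] > 0),
            "escalations": sum(1 for r in rows if r["escalate"])}

# Constructed sample collection (a paste, a tweet and a blog post; none of them real).
SAMPLE_ITEMS = [
    ("paste", "config dump: mgmt host 10.42.7.15 / marked ACME CONFIDENTIAL do not distribute"),
    ("twitter", "Excited to start on project bluefin next week! #newjob"),
    ("blog", "Ten tips for better passwords"),
]
```

Running `triage(SAMPLE_ITEMS)` ranks the paste first (an internal IP plus a document marking from a high-credibility source) and flags it for the escalation plan, while the tweet is recorded as a low-score finding for the routine report.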

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...