Tech Insight: Better Defense Through Open-Source Intelligence

Corporate defenders can use the same publicly available information sources that attackers do, but to better secure their data

The ease with which attackers are compromising users through client-side and social-engineering attacks, plus the onslaught of BYOD efforts, are clear indicators that perimeter security is not enough to protect enterprise data. That's not to say there isn't value in beefing up an enterprise's perimeter defenses. There definitely is. However, security strategies need to be updated to meet the changing threat landscape and the dissolution of the perimeter.

The nature of today's corporate computer use has changed the perimeter to be the user's desktops and mobile devices. End users' constant interactions with cloud-based services and social networking sites are making traditional defense moot. To adapt, security professionals must meet new security challenges head-on by considering their defensive measures as an attacker might.

How? By putting on their offensive hat.

When we take a look at the typical attack process, it includes reconnaissance, scanning, exploitation, maintaining access, and cleaning up. For attackers to be successful, they have two choices. They can go for the target of opportunity that's easy and doesn't require much preparation to attack (sometimes something they simply stumble on). Or they can go for a targeted attack that requires research and, often, patience.

Reconnaissance, while commonly overlooked and discounted, is a key phase that provides successful targeted attackers (and penetration testers) with information about the target: the server and application technologies in use, employees, locations, and much more. Because it relies on publicly available sources, this phase is often called OSINT, or open-source intelligence, and it covers anything that can help the attacker reach his goal. Security pros can leverage the same tools and techniques as the attackers to identify unintentionally exposed devices on the Internet and users leaking sensitive information via social networking sites, and address those issues before they're used during an actual attack.

Where to start? The simplest starting point is Internet search engines like Google, Bing, and Yahoo. Searches for the company name, key file names, employee numbers, and other unique information can turn up leaked files, dumped data on Pastebin, or plans to attack the company in the coming weeks. Over the years, I've seen searches turn up everything from accidental disclosures of personal patient and employee information on company sites, to evidence of compromise, such as user credentials and server names posted on an online bulletin board.

It's important to note that using search engines is not a one-shot deal, because the content changes over time. Maybe the search engine's crawler hasn't yet found and indexed the website hosting the content, or maybe the content hasn't been posted yet. Either way, this isn't a few hours of work that you do once and are done with forever, which is why researchers from Stach & Liu have developed a suite of tools called "Search Diggity" to help security professionals run better, more targeted searches that can be automated.

Social networking sites have contributed quite a bit to the change in the perimeter, giving employees the ability to post revealing information and interact with practically anyone around the world, including attackers. Some of the interesting things posted include co-workers' names, office locations, pictures from inside company buildings (like data centers), and personal information (e.g., birthday, spouse, kids' names). Attackers can then use that information to social-engineer users into giving up passwords over the phone, or to get past the questions required to reset an account password.

Tim Tomes, senior security consultant at Black Hills Information Security, spoke about the recon process during his talk, "Next Generation Reconnaissance," at Hack3rCon 2012. During the discussion, he released PushPin, a recon tool that specifically targets information posted on the social networking sites Twitter, YouTube, Flickr, Picasa, Instagram, and Oodle.

The more fascinating aspect of PushPin is that it searches those sites not for a specific search term, but by location. Want to look up information potentially posted by employees at a particular office location? Plug in the GPS coordinates of the office, and out come posts to Twitter, pictures on Flickr and Instagram, and videos on YouTube. Tim has made the Python-based tool freely available.
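To make the location-based approach concrete, here is an added example (not PushPin's own code, and not from the original article) that shows the core step such a tool performs after pulling geotagged posts from the platforms' APIs: keeping only those posted within a radius of an office's coordinates. The posts and the office coordinates are constructed sample data, and the field names are this example's own normalised shape, not any platform's API.

```python
"""Filter geotagged social-media posts by distance from an office location.

Added example, not PushPin's code. Demonstrates location-based recon: given
posts already fetched from Twitter/Flickr/Instagram/YouTube and normalised
to (lat, lon), select those within a radius of a point of interest.
"""
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres

# Constructed sample posts (not real API output). Field names are assumptions.
SAMPLE_POSTS = [
    {"source": "twitter", "user": "jdoe", "lat": 38.8977, "lon": -77.0365,
     "text": "New badge readers installed on floor 3 today"},
    {"source": "flickr", "user": "photo_kim", "lat": 38.8980, "lon": -77.0370,
     "text": "Server room tour"},
    {"source": "instagram", "user": "traveler", "lat": 40.7128, "lon": -74.0060,
     "text": "Lunch in NYC"},
    {"source": "youtube", "user": "vlogger", "lat": 38.9000, "lon": -77.0400,
     "text": "Walking around the block"},
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points (haversine)."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def posts_near(posts, lat, lon, radius_m):
    """Return posts within radius_m of (lat, lon), nearest first.

    Each returned post is a copy with an added 'distance_m' field (rounded).
    """
    hits = []
    for post in posts:
        dist = haversine_m(lat, lon, post["lat"], post["lon"])
        if dist <= radius_m:
            hits.append({**post, "distance_m": round(dist)})
    hits.sort(key=lambda h: h["distance_m"])
    return hits


if __name__ == "__main__":
    office_lat, office_lon = 38.8977, -77.0365  # hypothetical office coordinates
    for hit in posts_near(SAMPLE_POSTS, office_lat, office_lon, radius_m=500):
        print(f'{hit["distance_m"]:>5} m  {hit["source"]:<9} @{hit["user"]}: {hit["text"]}')
```

With a 500 m radius the three Washington-area posts are kept and the New York post is dropped; tightening the radius to 100 m leaves only the two posts at or beside the building. In a real workflow the same filter would run over results from each platform's search API, which is the part a tool like PushPin automates.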

Other sources of data include DNS and network information published on sites like Robtex where IP addresses, network ranges, and domain names can be searched. There's also the excellent Shodan computer search engine that contains service banners from Internet-accessible servers all over the world. Security pros can find all sorts of juicy information, like internal network and host names exposed through DNS, or unintentionally exposed services that Shodan has found without scanning or touching the target network.

Besides the Web interfaces to those sites, several tools exist to make queries faster and scriptable. Dnsrecon is an excellent example for DNS research, and the PushPin tool also queries Shodan based on location information. Additionally, there is the shodan_search module in Metasploit (written by yours truly), and an iOS app developed by Erran Carey.
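The two preceding paragraphs describe what a defender looks for in DNS and Shodan data: internal names or addresses leaking through public DNS, and services exposed to the Internet that nobody meant to expose. The following is an added example (not code from the article, from dnsrecon, or from Shodan) of the triage step that runs after such a tool has gathered the raw records. The DNS records and host records below are constructed; the host records loosely follow the field names Shodan uses in its host JSON (ip_str, port, transport, product, data, hostnames, org), and the lists of risky ports and suggestive hostname labels are this example's assumptions, to be tuned to your own policy.

```python
"""Triage DNS records and Shodan-style host records for unintended exposure.

Added example, not the article's or any tool's code. Two checks a defender
runs over recon output for their own organisation:
  * DNS: public answers pointing at RFC 1918 / ULA space, or hostnames whose
    labels advertise internal infrastructure.
  * Shodan-style banners: services on ports that should not face the Internet.
"""
import ipaddress
import re

# Address space that should never appear in public DNS answers (assumption:
# RFC 1918 plus IPv6 unique local addresses).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Hostname labels that tend to reveal internal systems (assumption for the example).
INTERNAL_HINTS = re.compile(
    r"\b(intranet|vpn|dc\d*|sccm|exchange|test|dev|staging|backup)\b", re.I)

# Ports an enterprise rarely means to expose (assumption; tune to policy).
RISKY_PORTS = {
    21: "ftp", 23: "telnet", 161: "snmp", 445: "smb", 1433: "mssql",
    3306: "mysql", 3389: "rdp", 5900: "vnc", 6379: "redis", 27017: "mongodb",
}

# Constructed DNS records (name, type, value), as a DNS recon tool would list them.
SAMPLE_DNS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("dc01.corp.example.com", "A", "10.1.2.3"),
    ("intranet.example.com", "A", "203.0.113.40"),
    ("staging-db.example.com", "A", "192.168.50.7"),
    ("example.com", "TXT", "v=spf1 include:_spf.example.net ~all"),
]

# Constructed Shodan-style host records for the same organisation.
SAMPLE_SHODAN = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
     "hostnames": ["www.example.com"], "org": "Example Corp"},
    {"ip_str": "203.0.113.40", "port": 3389, "transport": "tcp",
     "product": "Remote Desktop Protocol", "data": "Remote Desktop Protocol\r\n",
     "hostnames": ["intranet.example.com"], "org": "Example Corp"},
    {"ip_str": "203.0.113.77", "port": 23, "transport": "tcp", "product": None,
     "data": "\r\nlogin: ", "hostnames": [], "org": "Example Corp"},
    {"ip_str": "203.0.113.25", "port": 25, "transport": "tcp", "product": "Postfix smtpd",
     "data": "220 mail.example.com ESMTP Postfix\r\n",
     "hostnames": ["mail.example.com"], "org": "Example Corp"},
]


def is_internal_address(value):
    """True if value is an IP inside the internal ranges defined above."""
    addr = ipaddress.ip_address(value)
    return any(addr in net for net in INTERNAL_NETS)


def dns_findings(records):
    """Return (name, reason) pairs for records that leak internal information."""
    findings = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA") and is_internal_address(value):
            findings.append((name, f"public DNS answers with internal address {value}"))
        if INTERNAL_HINTS.search(name):
            findings.append((name, "hostname label suggests internal infrastructure"))
    return findings


def shodan_findings(hosts):
    """Return (ip, port, reason) for hosts exposing a service on a risky port."""
    findings = []
    for host in hosts:
        service = RISKY_PORTS.get(host["port"])
        if service is None:
            continue
        # First non-empty banner line, for the analyst's benefit.
        banner = next((ln for ln in host["data"].splitlines() if ln.strip()), "")
        label = host["product"] or service
        findings.append((host["ip_str"], host["port"], f"{label} exposed; banner: {banner!r}"))
    return findings


if __name__ == "__main__":
    for name, reason in dns_findings(SAMPLE_DNS):
        print(f"DNS    {name:<28} {reason}")
    for ip, port, reason in shodan_findings(SAMPLE_SHODAN):
        print(f"SHODAN {ip}:{port:<6} {reason}")
```

Against the sample data the DNS check flags dc01.corp.example.com and staging-db.example.com for answering with private addresses (both also carry suggestive labels), plus intranet.example.com for its label; the banner check flags RDP on 203.0.113.40 and a telnet login prompt on 203.0.113.77, while the web and SMTP services pass. The same two functions run unchanged over real dnsrecon output and the JSON the Shodan API returns for your organisation's netblocks, which is the point of the scriptable interfaces mentioned above.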

Just as all of these resources can be used for evil, enterprise security teams should be taking advantage of them to help secure their networks. Information published on social networking sites can often be removed quickly, and the responsible person identified and counseled on the proper use of such sites. Exposed services found through Shodan can be taken down or blocked with a quick firewall change.

These resources are out there and being used by attackers and penetration testers. Why not do the same and use them before they're used against you?
