

Leak Hunters

Cyber researchers prowl the Web for evidence of misdoings by employees, hackers, or competitors

Would you know if one of your employees was giving away insider information in a Web chat room? Would you know if a phisher was using your company's email template to fake messages to customers? Or if a competitor or reseller was misusing your company's brand to further their business?

If you're like most companies, you probably answered "no" to all three questions. True, all three of these are activities that take place on the public Internet. But who has time to track all of that Web activity?

Increasingly, the answer is cyberintelligence companies.

For a fee, enterprises can now hire a third-party service provider to do all of the legwork required to investigate the use -- or abuse -- of company information on the Internet. Collecting this sort of data, sometimes called "open source intelligence," can help organizations understand how their data is being used on the Web -- and nip potential security risks in the bud.

"One of the problems with leak prevention is that you don't know what you don't know," said Terry Gudaitis, director of open source intelligence at SAIC, in a presentation at last week's "Defending Against Insider Threats" conference in Arlington, Va. "And you don't always have the resources to find out."

Companies such as SAIC, NetFrameworks, and Cyveillance maintain staffs of researchers trained to find potential security problems by surfing the Web. Some of them focus on tracking the activity of specific individuals, such as employees or prospective hires, while others orient their efforts toward finding any misuse of a company's name or information, including phishing sites or fraudulent endorsements.

The idea isn't a new one. Way back before there were computers, large organizations and military units collected open source intelligence by monitoring radio and local newspapers to help identify potential security leaks or improper publication of confidential data.

With the emergence of the Web, however, there are many more outlets for security leaks, because individuals can publish directly to the Web without a middleman. Less than two years ago, the CIA opened the Open Source Center, where government staffers do data collection and analysis of blogs worldwide.

"A lot of blogs now have become very big on the Internet," noted OSC Director Douglas Naquin in an interview with The Washington Times. "We’re getting a lot of rich information on blogs that are telling us a lot about social perspectives, and everything from what the general feeling is to... people putting information on there that doesn’t exist anywhere else."

SAIC, which offers similar services for large corporations, spends a good deal of time monitoring blogs and chat rooms for misuse of corporate information, Gudaitis says.

"A lot of what we find is completely unintentional," Gudaitis says. For example, teenagers with their own blogs sometimes discuss what they've heard from their parents at the dinner table, and unknowingly give away confidential information. IT people sometimes reveal confidential information while seeking technical assistance on bulletin boards or technology chat rooms. Some employees discuss their activities on social networking sites, not realizing they could be violating company security policies.

No matter what their initial intent, though, such leaks can cause companies to expose themselves to attacks, or even run afoul of government regulations.

"One of the things we can do is find out about the blogging habits of a prospective employee as part of a background check," says Gudaitis. "If a person is giving away information about their company in a blog today, they might not be someone you want to hire tomorrow."

Monitoring blogs can also help warn companies when an employee is about to go over the edge, Gudaitis observes. In one memorable case, SAIC found the following blog post written by an employee about their employer: "I don't want to live, and those bastards shouldn't, either. I don't know whether it would be beter [sic] to blow my brains out in front of them, or take them with me -- Friday is good, will trash their fairy weekends." The employee was subsequently approached, and went voluntarily to a treatment facility for depression.

While this type of online research could be valuable to a company's security, some experts wonder whether it oversteps the bounds of privacy. "Should somebody in their 30s have to answer for a blog they wrote when they were in their teens?" wondered Brian Contos, CTO of ArcSight and author of Enemy at the Water Cooler. "It's something to think about."

Outside the company, the uses of open source intelligence are less murky. Companies can use the services to find out whether partners, competitors, or phishers are using their data or trademarks illegally, and how that activity might be affecting their brands. "That's information that can help you not only from a security perspective, but from a marketing perspective," Gudaitis says.

It's also information that doesn't come cheap. Open source intelligence services can be expensive, costing in the tens of thousands or hundreds of thousands of dollars, depending on the depth of research and information the client requires. SAIC's open source intelligence customers so far are generally in the Fortune 50, Gudaitis says.

— Tim Wilson, Site Editor, Dark Reading
