

Leak Hunters

Cyber researchers prowl the Web for evidence of misdoings by employees, hackers, or competitors

Would you know if one of your employees was giving away insider information in a Web chat room? Would you know if a phisher was using your company's email template to fake messages to customers? Or if a competitor or reseller was misusing your company's brand to further their business?

If you're like most companies, you probably answered "no" to all three questions. True, all three activities take place on the public Internet, in plain view. But who has time to track all of that Web activity?

Increasingly, the answer is cyberintelligence companies.

For a fee, enterprises can now hire a third-party service provider to do all of the legwork required to investigate the use -- or abuse -- of company information on the Internet. Collecting this sort of data, sometimes called "open source intelligence," can help organizations understand how their data is being used on the Web -- and nip potential security risks in the bud.

"One of the problems with leak prevention is that you don't know what you don't know," said Terry Gudaitis, director of open source intelligence at SAIC, in a presentation at last week's "Defending Against Insider Threats" conference in Arlington, Va. "And you don't always have the resources to find out."

Companies such as SAIC, NetFrameworks, and Cyveillance maintain staffs of researchers trained to find potential security problems by surfing the Web. Some of them focus on tracking the activity of specific individuals, such as employees or prospective hires, while others orient their efforts toward finding any misuse of a company's name or information, including phishing sites or fraudulent endorsements.

The idea isn't a new one. Way back before there were computers, large organizations and military units collected open source intelligence by monitoring radio and local newspapers to help identify potential security leaks or improper publication of confidential data.

With the emergence of the Web, however, there are many more outlets for security leaks, because individuals can publish directly to the Web without a middleman. Less than two years ago, the CIA opened the Open Source Center, where government staffers collect and analyze data from blogs worldwide.

"A lot of blogs now have become very big on the Internet," noted OSC Director Douglas Naquin in an interview with The Washington Times. "We’re getting a lot of rich information on blogs that are telling us a lot about social perspectives, and everything from what the general feeling is to... people putting information on there that doesn’t exist anywhere else."

SAIC, which offers similar services for large corporations, spends a good deal of time monitoring blogs and chat rooms for misuse of corporate information, Gudaitis says.

"A lot of what we find is completely unintentional," Gudaitis says. For example, teenagers with their own blogs sometimes discuss what they've heard from their parents at the dinner table, and unknowingly give away confidential information. IT people sometimes reveal confidential information while seeking technical assistance on bulletin boards or technology chat rooms. Some employees discuss their activities on social networking sites, not realizing they could be violating company security policies.
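The leaks Gudaitis describes share a few recognizable markers: internal hostnames, private addresses, unreleased project names, and credentials pasted into a support request. As an added example (not SAIC's tooling, and not anything the article describes in detail), the following Python scanner runs a small set of such indicators over collected public posts. The company watch list, the internal domain `corp.example-co.internal`, the codenames and the sample posts are all constructed for illustration; a real deployment would populate the watch list from an asset inventory and a list of unannounced projects.

```python
import re
from dataclasses import dataclass

# Hypothetical watch list for a fictional company (constructed for this example).
WATCHLIST = {
    "codename": ["Project Bluefin", "Orion-2"],
    "internal_domain": ["corp.example-co.internal"],
}

# Company-independent indicators: RFC 1918 addresses and pasted credentials.
GENERIC_PATTERNS = {
    "private_ip": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
    ),
    "credential": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
}


@dataclass(frozen=True)
class Finding:
    post_id: str
    category: str
    match: str


def build_rules(watchlist):
    """Turn the watch list into compiled regexes alongside the generic ones."""
    rules = dict(GENERIC_PATTERNS)
    for category, terms in watchlist.items():
        alternation = "|".join(re.escape(t) for t in terms)
        if category == "internal_domain":
            # Any host beneath an internal domain is as revealing as the domain itself.
            rules[category] = re.compile(
                r"\b(?:[a-z0-9-]+\.)*(?:%s)\b" % alternation, re.I)
        else:
            rules[category] = re.compile(r"\b(?:%s)\b" % alternation, re.I)
    return rules


def scan_posts(posts, watchlist=WATCHLIST):
    """Return one Finding per indicator hit; posts are (post_id, text) pairs."""
    rules = build_rules(watchlist)
    findings = []
    for post_id, text in posts:
        for category, regex in rules.items():
            for m in regex.finditer(text):
                findings.append(Finding(post_id, category, m.group(0)))
    return findings


def triage(findings):
    """Group hits by post, most categories first: a post that names an internal
    host and pastes a credential is worth a human look before a lone codename."""
    by_post = {}
    for f in findings:
        by_post.setdefault(f.post_id, set()).add(f.category)
    return sorted(by_post.items(), key=lambda item: -len(item[1]))


# Constructed sample posts: a support forum plea, a teenager's blog, and noise.
SAMPLE_POSTS = [
    ("forum-1", "Anyone seen this error? Our LDAP server ldap01.corp.example-co.internal "
                "at 10.20.30.40 rejects binds after the upgrade. The bind account svc-ldap "
                "password=Summer2007! still works from the CLI though."),
    ("blog-7", "Dad says Project Bluefin launches next quarter, whatever that is. "
               "Anyway, here's my weekend."),
    ("blog-9", "Great weather today, went hiking."),
]

if __name__ == "__main__":
    for post_id, categories in triage(scan_posts(SAMPLE_POSTS)):
        print(post_id, sorted(categories))
```

The scanner deliberately reports every category hit separately rather than a single score, so an analyst can see why a post was flagged; the teenager's post only trips the codename rule, while the forum post trips three rules and rises to the top of the triage list.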

No matter what the initial intent, such leaks can expose a company to attack, or even put it in violation of government regulations.

"One of the things we can do is find out about the blogging habits of a prospective employee as part of a background check," says Gudaitis. "If a person is giving away information about their company in a blog today, they might not be someone you want to hire tomorrow."

Monitoring blogs can also help warn companies when an employee is about to go over the edge, Gudaitis observes. In one memorable case, SAIC found the following blog entry written by an employee about their employer: "I don't want to live, and those bastards shouldn't, either. I don't know whether it would be beter [sic] to blow my brains out in front of them, or take them with me -- Friday is good, will trash their fairy weekends." The employee was subsequently approached, and went voluntarily to a treatment facility for depression.

While this type of online research could be valuable to a company's security, some experts wonder whether it oversteps the bounds of privacy. "Should somebody in their 30s have to answer for a blog they wrote when they were in their teens?" wondered Brian Contos, CTO of ArcSight and author of Enemy at the Water Cooler. "It's something to think about."

Outside the company, the uses of open source intelligence are less murky. Companies can use the services to find out whether partners, competitors, or phishers are using their data or trademarks illegally, and how that activity might be affecting their brands. "That's information that can help you not only from a security perspective, but from a marketing perspective," Gudaitis says.

It's also information that doesn't come cheap. Open source intelligence services can be expensive, costing in the tens of thousands or hundreds of thousands of dollars, depending on the depth of research and information the client requires. SAIC's open source intelligence customers so far are generally in the Fortune 50, Gudaitis says.

— Tim Wilson, Site Editor, Dark Reading

  • Cyveillance
  • Science Applications International Corp. (SAIC)