Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
6/22/2015
01:30 PM
Ryan Vela
Ryan Vela
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Breach Defense Playbook: Open Source Intelligence

Do you know what information out there is putting you at risk?

The Internet allows for information to be readily available at your fingertips. However, it also allows for the same information to be accessed by malicious threat actors who are targeting your organization with cyberattacks. The recent explosion of social media has only increased the information available, and with it the risks to your corporate data, intellectual property, and brand. Some organizations call the awareness of this risk “threat intelligence,” but we have found that organizations need to focus on more than just current threats. Organizations can leverage an emerging intelligence-gathering capability to determine data leakage, employee misbehavior, or negative brand exposure at a higher level than threat intelligence using Open Source Intelligence, or OSINT.

OSINT is a discipline that pertains to intelligence produced from publicly available information such as data, facts, social messages, or other material published or broadcast for general public consumption. Examples of open sources include websites, social networks, blogs, comments, underground forums, blacklists/whitelists, chat rooms, archives, and numerous other sources.

The mission for an OSINT program is to minimize risk and prevent threats by identifying and assigning credibility to potential cyberthreats, leaked confidential business information, company or customer personally identifiable information, and any sensitive or proprietary data from open sources. Conversely, attackers use open source information to maximize their attack potential. For example, they may execute a passive email phishing campaign by knowing the likes and dislikes of an organization’s employees. In one targeted phishing campaign, attackers knew from social media that IT employees always had lunch at a particular Chinese restaurant, so the attackers posed as the restaurant with a new menu in the form of a malicious PDF file attached to emails.

OSINT is a cycle that requires constant tuning in order to get greater value out of the process. The first step is to develop a set of keywords to serve as the foundation for your custom search criteria. Some examples are names of affiliated companies, IT vendors for software or hardware, internal IP schemes, common naming conventions for network segments, document marking standards, or internal project names.

You then leverage intelligence-gathering tools and techniques to scrape websites and the deep Web for specific information. The team conducting the OSINT analysis should have its own custom database of known malicious groups, sites, blogs, chats, and paste locations that they have built and use while running the program. You should use another set of tools to scan social media sites such as Twitter, Facebook, YouTube, and Google+. Most likely, you will only need to concentrate on current information being discovered and may not need to analyze information that was made public prior to a year ago, unless the information is confidential or potentially damaging to your organization.

Passive Monitoring

Your OSINT program should passively monitor while not actively participating in ongoing communications. For example, you should listen to chat rooms and watch forum posts, but don’t engage, as it would tip the attackers off that you are watching them. If they find out that you are listening to their conversations, then they will “go dark” to where you cannot listen in, and then you will not get any information.

The last step in the OSINT cycle is reporting. The goal of the program is to provide your operational personnel and leadership with the information they need to properly assess and react -- keep in mind that this requires packaging in a way that’s easily “translatable” for those on the leadership team that are further removed from day-to-day security practices. Regardless of whether you found anything of perceived value, a standard periodic report (weekly or monthly) should be prepared and distributed to appropriate stakeholders containing the identification and analysis of your findings so they get in the routine of reviewing and reacting to the data.

If in any situation you find information that could indicate an eminent cyber or physical threat or attack, you should have an emergency escalation plan in place and put it to use. The escalation plan should have appropriate contact information and procedures on whom to call for what type of circumstance. For example, if you find that a hacktivist group is planning to DDOS your public websites, you should inform your Web management team, your third-party website hosting provider, and your infrastructure team.

The third-party website hosting provider can watch for IP addresses that are targeting the website and block them; your infrastructure team can block IP addresses that are putting suspicious stress on routing devices around your Web systems; and the Web management team can have backups of the website ready to push out to new landing pages to replace any defacements if they occur in conjunction with the DDOS.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.