01:30 PM
Ryan Vela
Partner Perspectives
Breach Defense Playbook: Open Source Intelligence

Do you know what information out there is putting you at risk?

The Internet allows for information to be readily available at your fingertips. However, it also allows for the same information to be accessed by malicious threat actors who are targeting your organization with cyberattacks. The recent explosion of social media has only increased the information available, and with it the risks to your corporate data, intellectual property, and brand. Some organizations call the awareness of this risk “threat intelligence,” but we have found that organizations need to focus on more than just current threats. By using an emerging intelligence-gathering capability, Open Source Intelligence, or OSINT, organizations can detect data leakage, employee misbehavior, or negative brand exposure beyond what threat intelligence alone covers.

OSINT is a discipline that pertains to intelligence produced from publicly available information such as data, facts, social messages, or other material published or broadcast for general public consumption. Examples of open sources include websites, social networks, blogs, comments, underground forums, blacklists/whitelists, chat rooms, archives, and numerous other sources.

The mission for an OSINT program is to minimize risk and prevent threats by identifying and assigning credibility to potential cyberthreats, leaked confidential business information, company or customer personally identifiable information, and any sensitive or proprietary data from open sources. Conversely, attackers use open source information to maximize their attack potential. For example, they may execute a passive email phishing campaign by knowing the likes and dislikes of an organization’s employees. In one targeted phishing campaign, attackers knew from social media that IT employees always had lunch at a particular Chinese restaurant, so the attackers posed as the restaurant with a new menu in the form of a malicious PDF file attached to emails.

OSINT is a cycle that requires constant tuning in order to get greater value out of the process. The first step is to develop a set of keywords to serve as the foundation for your custom search criteria. Some examples are names of affiliated companies, IT vendors for software or hardware, internal IP schemes, common naming conventions for network segments, document marking standards, or internal project names.

You then leverage intelligence-gathering tools and techniques to scrape websites and the deep Web for specific information. The team conducting the OSINT analysis should have its own custom database of known malicious groups, sites, blogs, chats, and paste locations that they have built and use while running the program. You should use another set of tools to scan social media sites such as Twitter, Facebook, YouTube, and Google+. Most likely, you will only need to concentrate on current information being discovered and may not need to analyze information that was made public prior to a year ago, unless the information is confidential or potentially damaging to your organization.

Passive Monitoring

Your OSINT program should passively monitor while not actively participating in ongoing communications. For example, you should listen to chat rooms and watch forum posts, but don’t engage, as it would tip the attackers off that you are watching them. If they find out that you are listening to their conversations, then they will “go dark” to where you cannot listen in, and then you will not get any information.

The last step in the OSINT cycle is reporting. The goal of the program is to provide your operational personnel and leadership with the information they need to properly assess and react -- keep in mind that this requires packaging in a way that’s easily “translatable” for those on the leadership team that are further removed from day-to-day security practices. Regardless of whether you found anything of perceived value, a standard periodic report (weekly or monthly) should be prepared and distributed to appropriate stakeholders containing the identification and analysis of your findings so they get in the routine of reviewing and reacting to the data.

If in any situation you find information that could indicate an imminent cyber or physical threat or attack, you should have an emergency escalation plan in place and put it to use. The escalation plan should have appropriate contact information and procedures on whom to call for what type of circumstance. For example, if you find that a hacktivist group is planning to DDoS your public websites, you should inform your Web management team, your third-party website hosting provider, and your infrastructure team.

The third-party website hosting provider can watch for IP addresses that are targeting the website and block them; your infrastructure team can block IP addresses that are putting suspicious stress on routing devices around your Web systems; and the Web management team can have backups of the website ready to push out to new landing pages to replace any defacements if they occur in conjunction with the DDoS.
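As an added illustration of the cycle described above (a keyword set, passive collection, the one-year cutoff for non-sensitive material, the periodic report, and the escalation trigger), here is a small Python scanner that is not from the article or from Fidelis. The keyword rules, the sample posts, the severity scale and the escalation threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed keyword set modelled on the article's examples (affiliate, IT vendor,
# internal IP scheme, host naming convention, document marking, project name).
KEYWORD_RULES = [  # (category, pattern, severity 1..3; 3 = escalate)
    ("affiliate",   re.compile(r"\bExampleCorp Holdings\b", re.I), 1),
    ("vendor",      re.compile(r"\bExampleVPN\b", re.I), 2),
    ("ip_scheme",   re.compile(r"\b10\.42\.\d{1,3}\.\d{1,3}\b"), 2),
    ("hostname",    re.compile(r"\bexc-(?:dc|sql|fs)\d{2}\b", re.I), 2),
    ("doc_marking", re.compile(r"\bEXAMPLECORP\s+CONFIDENTIAL\b", re.I), 3),
    ("project",     re.compile(r"\bProject Bluefin\b", re.I), 3),
    ("threat",      re.compile(r"\b(?:ddos|deface|dump)\w*\b.*\bexamplecorp\b", re.I), 3),
]

# Constructed sample of public posts a passive monitoring pass might collect.
SAMPLE_POSTS = [
    {"source": "paste-site", "age_days": 2,
     "text": "config backup from exc-fs01, mgmt net 10.42.7.0/24 -- EXAMPLECORP CONFIDENTIAL"},
    {"source": "forum", "age_days": 1,
     "text": "anyone got a working ddos script? going after examplecorp next week"},
    {"source": "social", "age_days": 500,
     "text": "lunch at the usual place with the Project Bluefin crew"},
    {"source": "social", "age_days": 600,
     "text": "new ExampleVPN rollout finally done, what a week"},
    {"source": "social", "age_days": 3, "text": "great weather in London today"},
]

def scan_posts(posts, max_age_days=365):
    """Match posts against the rules. Hits in posts older than max_age_days are
    kept only when high severity (confidential or potentially damaging)."""
    findings = []
    for post in posts:
        stale = post["age_days"] > max_age_days
        for category, pattern, severity in KEYWORD_RULES:
            m = pattern.search(post["text"])
            if m and not (stale and severity < 3):
                findings.append({"source": post["source"], "category": category,
                                 "severity": severity, "match": m.group(0)})
    return findings

def build_report(findings, escalate_at=3):
    """Periodic report summary plus the flag that triggers the escalation plan."""
    urgent = [f for f in findings if f["severity"] >= escalate_at]
    return {"total": len(findings),
            "by_category": dict(Counter(f["category"] for f in findings)),
            "escalate": bool(urgent), "urgent": urgent}
```

Running `build_report(scan_posts(SAMPLE_POSTS))` yields five findings, three of them urgent (the marked document, the DDoS chatter, and the project name leak); the stale vendor mention is dropped by the age cutoff.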

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...