Breach Defense Playbook: Open Source IntelligenceDo you know what information out there is putting you at risk?
The Internet allows for information to be readily available at your fingertips. However, it also allows for the same information to be accessed by malicious threat actors who are targeting your organization with cyberattacks. The recent explosion of social media has only increased the information available, and with it the risks to your corporate data, intellectual property, and brand. Some organizations call the awareness of this risk “threat intelligence,” but we have found that organizations need to focus on more than just current threats. Organizations can leverage an emerging intelligence-gathering capability to determine data leakage, employee misbehavior, or negative brand exposure at a higher level than threat intelligence using Open Source Intelligence, or OSINT.
OSINT is a discipline that pertains to intelligence produced from publicly available information such as data, facts, social messages, or other material published or broadcast for general public consumption. Examples of open sources include websites, social networks, blogs, comments, underground forums, blacklists/whitelists, chat rooms, archives, and numerous other sources.
The mission for an OSINT program is to minimize risk and prevent threats by identifying and assigning credibility to potential cyberthreats, leaked confidential business information, company or customer personally identifiable information, and any sensitive or proprietary data from open sources. Conversely, attackers use open source information to maximize their attack potential. For example, they may execute a passive email phishing campaign by knowing the likes and dislikes of an organization’s employees. In one targeted phishing campaign, attackers knew from social media that IT employees always had lunch at a particular Chinese restaurant, so the attackers posed as the restaurant with a new menu in the form of a malicious PDF file attached to emails.
OSINT is a cycle that requires constant tuning in order to get greater value out of the process. The first step is to develop a set of keywords to serve as the foundation for your custom search criteria. Some examples are names of affiliated companies, IT vendors for software or hardware, internal IP schemes, common naming conventions for network segments, document marking standards, or internal project names.
You then leverage intelligence-gathering tools and techniques to scrape websites and the deep Web for specific information. The team conducting the OSINT analysis should have its own custom database of known malicious groups, sites, blogs, chats, and paste locations that they have built and use while running the program. You should use another set of tools to scan social media sites such as Twitter, Facebook, YouTube, and Google+. Most likely, you will only need to concentrate on current information being discovered and may not need to analyze information that was made public prior to a year ago, unless the information is confidential or potentially damaging to your organization.
Your OSINT program should passively monitor while not actively participating in ongoing communications. For example, you should listen to chat rooms and watch forum posts, but don’t engage, as it would tip the attackers off that you are watching them. If they find out that you are listening to their conversations, then they will “go dark” to where you cannot listen in, and then you will not get any information.
The last step in the OSINT cycle is reporting. The goal of the program is to provide your operational personnel and leadership with the information they need to properly assess and react -- keep in mind that this requires packaging in a way that’s easily “translatable” for those on the leadership team that are further removed from day-to-day security practices. Regardless of whether you found anything of perceived value, a standard periodic report (weekly or monthly) should be prepared and distributed to appropriate stakeholders containing the identification and analysis of your findings so they get in the routine of reviewing and reacting to the data.
If in any situation you find information that could indicate an eminent cyber or physical threat or attack, you should have an emergency escalation plan in place and put it to use. The escalation plan should have appropriate contact information and procedures on whom to call for what type of circumstance. For example, if you find that a hacktivist group is planning to DDOS your public websites, you should inform your Web management team, your third-party website hosting provider, and your infrastructure team.
The third-party website hosting provider can watch for IP addresses that are targeting the website and block them; your infrastructure team can block IP addresses that are putting suspicious stress on routing devices around your Web systems; and the Web management team can have backups of the website ready to push out to new landing pages to replace any defacements if they occur in conjunction with the DDOS.
Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio