Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
6/22/2015
01:30 PM
Ryan Vela
Ryan Vela
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Breach Defense Playbook: Open Source Intelligence

Do you know what information out there is putting you at risk?

The Internet allows for information to be readily available at your fingertips. However, it also allows for the same information to be accessed by malicious threat actors who are targeting your organization with cyberattacks. The recent explosion of social media has only increased the information available, and with it the risks to your corporate data, intellectual property, and brand. Some organizations call the awareness of this risk “threat intelligence,” but we have found that organizations need to focus on more than just current threats. Organizations can leverage an emerging intelligence-gathering capability to determine data leakage, employee misbehavior, or negative brand exposure at a higher level than threat intelligence using Open Source Intelligence, or OSINT.

OSINT is a discipline that pertains to intelligence produced from publicly available information such as data, facts, social messages, or other material published or broadcast for general public consumption. Examples of open sources include websites, social networks, blogs, comments, underground forums, blacklists/whitelists, chat rooms, archives, and numerous other sources.

The mission for an OSINT program is to minimize risk and prevent threats by identifying and assigning credibility to potential cyberthreats, leaked confidential business information, company or customer personally identifiable information, and any sensitive or proprietary data from open sources. Conversely, attackers use open source information to maximize their attack potential. For example, they may execute a passive email phishing campaign by knowing the likes and dislikes of an organization’s employees. In one targeted phishing campaign, attackers knew from social media that IT employees always had lunch at a particular Chinese restaurant, so the attackers posed as the restaurant with a new menu in the form of a malicious PDF file attached to emails.

OSINT is a cycle that requires constant tuning in order to get greater value out of the process. The first step is to develop a set of keywords to serve as the foundation for your custom search criteria. Some examples are names of affiliated companies, IT vendors for software or hardware, internal IP schemes, common naming conventions for network segments, document marking standards, or internal project names.

You then leverage intelligence-gathering tools and techniques to scrape websites and the deep Web for specific information. The team conducting the OSINT analysis should have its own custom database of known malicious groups, sites, blogs, chats, and paste locations that they have built and use while running the program. You should use another set of tools to scan social media sites such as Twitter, Facebook, YouTube, and Google+. Most likely, you will only need to concentrate on current information being discovered and may not need to analyze information that was made public prior to a year ago, unless the information is confidential or potentially damaging to your organization.

Passive Monitoring

Your OSINT program should passively monitor while not actively participating in ongoing communications. For example, you should listen to chat rooms and watch forum posts, but don’t engage, as it would tip the attackers off that you are watching them. If they find out that you are listening to their conversations, then they will “go dark” to where you cannot listen in, and then you will not get any information.

The last step in the OSINT cycle is reporting. The goal of the program is to provide your operational personnel and leadership with the information they need to properly assess and react -- keep in mind that this requires packaging in a way that’s easily “translatable” for those on the leadership team that are further removed from day-to-day security practices. Regardless of whether you found anything of perceived value, a standard periodic report (weekly or monthly) should be prepared and distributed to appropriate stakeholders containing the identification and analysis of your findings so they get in the routine of reviewing and reacting to the data.

If in any situation you find information that could indicate an eminent cyber or physical threat or attack, you should have an emergency escalation plan in place and put it to use. The escalation plan should have appropriate contact information and procedures on whom to call for what type of circumstance. For example, if you find that a hacktivist group is planning to DDOS your public websites, you should inform your Web management team, your third-party website hosting provider, and your infrastructure team.

The third-party website hosting provider can watch for IP addresses that are targeting the website and block them; your infrastructure team can block IP addresses that are putting suspicious stress on routing devices around your Web systems; and the Web management team can have backups of the website ready to push out to new landing pages to replace any defacements if they occur in conjunction with the DDOS.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .