Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:44 PM

Tech Insight: Better Defense Through Open-Source Intelligence

Corporate defenders can use the same publicly available information sources that attackers do, but to better secure their data

The ease in which attackers are compromising users through client-side and social-engineering attacks, plus the onslaught of BYOD efforts, are clear indicators that perimeter security is not enough to protect enterprise data. That's not to say there isn't value in beefing up an enterprise's perimeter defenses. Definitely not. However, security strategies need to be updated to meet the changing threat landscape and devolution of the perimeter.

The nature of today's corporate computer use has changed the perimeter to be the user's desktops and mobile devices. End users' constant interactions with cloud-based services and social networking sites are making traditional defense moot. To adapt, security professionals must meet new security challenges head-on by considering their defensive measures as an attacker might.

How? By putting on their offensive hat.

When we take a look at the typical attack process, it includes reconnaissance, scanning, exploitation, maintaining access, and cleaning up. For attackers to be successful, they have two choices. They can go for the target of opportunity that's easy and doesn't require much preparation to attack (sometimes something they simply stumble on). Or they can go for a targeted attack that requires research and, often, patience.

Reconnaissance, while commonly overlooked and discounted, is a key phase providing successful targeted attackers (and penetration testers) with information about the target, the target's server and application technologies in use, employees, location, and much more. Often called OSINT, or open-source intelligence because it uses publicly available sources, the recon phase is anything that can help the attacker obtain his goal. Security pros can leverage the same tools and techniques as the attackers to identify unintentionally exposed devices on the Internet and users leaking sensitive information via social networking sites, and address those issues before they're used during an actual attack.

Where to start? The simplest starting point is Internet search engines like Google, Bing, and Yahoo. Searches for company name, key file names, employee numbers, and other unique information can turn up leaked files, dumped data on Pastebin, or plans to attack the company in the coming weeks. Over the years, I've seen searches turn up everything from accidental disclosures of personal patient and employee information on company sites, to evidence of compromises by user credentials and server names in an online bulletin board.

It's important to note that using search engines is not a one-shot deal because the content changes over time. Maybe the search engine's crawler hasn't found and indexed the website hosting the content, or it could be the content hasn't been published yet. Either way, this isn't a quick few hours of work and you're done forever, which is why researchers from Stach & Liu have developed a suite of tools called "Search Diggity" to help security professionals with better, more targeted searches that can be automated.

Social networking sites have contributed quite a bit to the change in the perimeter and the ability for employees to post revealing information and interact with practically anyone, including attackers, around the world. Some of the interesting things include co-workers' names, office locations, pictures inside of company buildings (like data centers), and personal information (i.e., birthday, spouse, kid names). Attackers can then use that information to social-engineer users into giving up passwords over the phone or get past the questions required to reset an account password.

Tim Tomes, senior security consultant at Black Hills Information Security, spoke about the recon process during his talk, "Next Generation Reconnaissance," at Hack3rCon 2012. During the discussion, he released Push Pin, a recon tool that specifically targets information posted on social networking sites Twitter, YouTube, Flickr, Picasa, Instagram, and Oodle.

The more fascinating aspect about PushPin is that it searches those sites not for a specific search term, but by location. Want to look up information potentially posted by employees at a particular office location? Plug in the GPS coordinates of the office, and out comes posts to Twitter, pictures on Flickr and Instagram, and videos on YouTube. Tim has made the Python-based tool freely available here.

Other sources of data include DNS and network information published on sites like Robtex where IP addresses, network ranges, and domain names can be searched. There's also the excellent Shodan computer search engine that contains service banners from Internet-accessible servers all over the world. Security pros can find all sorts of juicy information, like internal network and host names exposed through DNS, or unintentionally exposed services that Shodan has found without scanning or touching the target network.

Besides the Web interfaces to those sites, several tools exist to make queries faster and scriptable. Dnsrecon is an excellent example for DNS research, and the PushPin tool also queries Shodan based on location information. Additionally, there is the shodan_search module in Metasploit (written by yours truly), and an iOS app developed by Erran Carey.

Just as all of these resources can be used for evil, enterprise security teams should be taking advantage of them to help secure their networks. Information published on social networking sites can often be removed quickly and the responsible person identified and counseled on the proper use of such sites. Exposed services found through Shodan can quickly be taken down or blocked with a quick firewall change.

These resources are out there and being used by attackers and penetration testers. Why not do the same and use them before they're used against you?

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...