Fitbit, OSINT + Cyber Security

Many of you will have noticed the press coverage about defense locations being detected by analysing the sport activity patterns military personnel publish on fitness portals like Fitbit, Strava, Polar and others. Searching for these patterns in areas where there is no sport activity on a regular basis, like Mali, Iraq, Afghanistan, Syria, Libya and others, shows not only where military bases are located but also details about daily routines and behaviors.

This shows how easy it is in today's world to collect information from public sources, an intelligence technique known in the field as Open Source Intelligence, or OSINT. And OSINT also plays a role in the cybersecurity perimeter.

OSINT is used by attackers to collect information about potential victims of social engineering attacks, because the more you know about somebody, the easier it is to build the trust needed to push these victims into actions or into releasing confidential information.

OSINT is used by attackers to collect information about targeted organisations and their systems. This information comes from different sources: 404 error pages which reveal details about the OS, software and release levels, in-depth analysis of email headers, public whois records, document metadata in published PDFs and more. This information helps significantly to identify the most promising attack vectors and reduces work and frustration for the attacker.

OSINT is used by attackers to collect information about vulnerabilities of systems and about successfully executed attacks. This information helps to build an individual attack, mostly a combination of specialised social engineering and individual malware.

Check your enterprise:

A very simple check to see how exposed your organisation is to OSINT: enter the following text into a Google search box:

"Company Confidential" filetype:pdf site:yourOrganisation.com

yourOrganisation.com should be replaced by the domain name of your organization. This query uses Google to search all PDFs (filetype:pdf) which contain a typical confidentiality string and limits the results to those on your organization's domain. You will be astonished, I bet.

What can you do against OSINT?

In fact, there is nothing that can be done to prevent attackers from using OSINT to gather information. The counter-OSINT strategies are:

  • Limit the amount of unnecessary technical information published on the internet.

All information which is shown or distributed should be as frugal as possible. This does not refer to content, but to error messages, status information, document metadata, source code comments in web pages and more. This is not a technical issue; it is simply a configuration and awareness task. In addition, an onion- or segmentation-based approach to data security decreases the risk of accidentally exposed information.
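As an added example (not the author's code), the following Python script illustrates two of the disclosure sources listed earlier, version banners in an HTTP 404 response and metadata in a published PDF, as a self-check over your own assets. The response text and the PDF bytes are constructed samples embedded inline; the header list and the minimal PDF parsing are assumptions made for this example, not a complete audit tool.

```python
"""Added example (not the post's code): find the unnecessary technical detail
the post lists -- version banners in HTTP responses and metadata in
published PDFs -- in your own assets.  Every input below is a constructed
sample embedded inline so the script runs offline."""
import re

# Response headers that typically disclose product, OS and release level
# (assumed list for the example; extend it for your own stack).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Constructed HTTP/1.1 404 response, as a web server might return it by default.
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Not Found: /admin/login.php</body></html>"
)

# Constructed minimal PDF whose /Info dictionary carries author and tool names.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog >> endobj
2 0 obj << /Title (Q3 Roadmap - Company Confidential) /Author (jane.doe) /Producer (Microsoft Word 2016) /Creator (Microsoft Word) >> endobj
trailer << /Info 2 0 R >>
%%EOF"""


def find_header_disclosures(raw_response: str) -> dict:
    """Return {header: value} for every response header in DISCLOSING_HEADERS.
    Only the header block is inspected; the body is ignored."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    found = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in DISCLOSING_HEADERS:
            found[name] = value
    return found


def extract_pdf_info(pdf_bytes: bytes) -> dict:
    """Extract /Info dictionary entries written as literal strings.
    Handles only the uncompressed, literal-string form used by the sample;
    real documents may use object streams, hex strings or XMP metadata,
    which need a proper PDF parser."""
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", pdf_bytes)
    if not ref:
        return {}
    obj = re.search(rb"\b" + ref.group(1) + rb"\s+0\s+obj(.*?)endobj", pdf_bytes, re.S)
    if not obj:
        return {}
    pairs = re.findall(rb"/(\w+)\s*\(([^)]*)\)", obj.group(1))
    return {k.decode(): v.decode("latin-1") for k, v in pairs}


def audit(raw_response: str, pdf_bytes: bytes) -> list:
    """Collect human-readable findings; an empty list means nothing disclosed."""
    findings = [f"HTTP header {h}: {v}" for h, v in find_header_disclosures(raw_response).items()]
    info = extract_pdf_info(pdf_bytes)
    for key in ("Author", "Creator", "Producer"):   # fields that name people and tooling
        if key in info:
            findings.append(f"PDF metadata {key}: {info[key]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_404, SAMPLE_PDF):
        print(finding)
```

Run against real assets, the response would come from a request to a non-existent path on your own site and the bytes from each PDF the search query above turns up; every line the audit prints is information an attacker gets for free.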

  • Reduce the effects that malware and social engineering attacks create in your systems infrastructure.

Most malware calls back to a command-and-control server, loading additional software or getting instructions about what to do. Intercepting this chain reduces the damage malware can cause and identifies compromised systems.
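To make the call-back pattern concrete, here is an added example (not from the post) that looks for beaconing in a proxy log: a client contacting the same destination at nearly fixed intervals. The log lines and their four-column format (timestamp, client, destination host, bytes) are constructed for this example and do not correspond to any particular proxy's format.

```python
"""Added example (not the post's code): flag clients that call out to the
same destination at a nearly fixed interval, the "call back to the C2
server" pattern described above.  The log lines below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, client IP, destination host, bytes sent.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:00 10.0.0.5 update-cdn.example 512
2024-03-01T09:00:10 10.0.0.7 news.example 20480
2024-03-01T09:01:01 10.0.0.5 update-cdn.example 498
2024-03-01T09:01:45 10.0.0.7 news.example 51200
2024-03-01T09:02:00 10.0.0.5 update-cdn.example 530
2024-03-01T09:02:02 10.0.0.7 mail.example 8192
2024-03-01T09:03:01 10.0.0.5 update-cdn.example 501
2024-03-01T09:04:00 10.0.0.5 update-cdn.example 512
2024-03-01T09:04:58 10.0.0.7 news.example 12288
2024-03-01T09:05:00 10.0.0.5 update-cdn.example 507
2024-03-01T09:06:05 10.0.0.7 news.example 4096
2024-03-01T09:09:30 10.0.0.7 news.example 30720
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (client, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _bytes = line.split()
        events[(client, dest)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text: str, min_connections: int = 5, max_jitter: float = 0.1) -> list:
    """Return [(client, destination, mean_interval_seconds)] for pairs whose
    inter-connection gaps are nearly constant.  Jitter is the coefficient of
    variation (std dev / mean) of the gaps.  Legitimate software also polls on
    a timer, so each hit is a lead for an analyst, not a verdict."""
    hits = []
    for (client, dest), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue                      # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, dest, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for client, dest, interval in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{client} -> {dest} every ~{interval}s: possible beacon")
```

In the sample, 10.0.0.5 reaches update-cdn.example every 60 seconds give or take one, which is the shape to investigate, while 10.0.0.7's browsing to news.example is irregular and stays quiet. Tightening `max_jitter` or raising `min_connections` trades missed beacons for fewer false leads.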

  • Set up an infrastructure which allows you to detect atypical information flows and specialised attacks.

Seeing what is happening in your network and identifying abnormal user behavior is key to identifying penetrated systems and malicious users, so that appropriate countermeasures can be started.
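An added example (not the author's code) of one such atypical-flow check in Python: each user's outbound volume for the day is compared against that user's own recent history, so a heavy but steady user is not flagged while a sudden bulk transfer is. The daily totals are constructed for this example; in practice they would be aggregated from proxy, mail or DLP logs.

```python
"""Added example (not the post's code): detect atypical information flows by
comparing each user's outbound volume today with that user's own baseline.
The per-user daily totals are constructed for the example."""
from statistics import mean, pstdev

# Constructed: user -> daily outbound megabytes, oldest first, last entry = today.
DAILY_OUTBOUND_MB = {
    "alice": [120, 95, 130, 110, 105, 125, 118, 2400],   # sudden bulk transfer today
    "bob":   [800, 950, 870, 910, 990, 860, 920, 1010],  # heavy every day; normal for bob
    "carol": [15, 20, 18, 17, 16, 22, 19, 45],           # relatively high, trivial in bytes
}


def find_outliers(daily_mb: dict, min_days: int = 5, threshold: float = 3.0,
                  min_abs_mb: float = 100) -> list:
    """Return [(user, today_mb, baseline_mean, z_score)] for users whose latest
    day exceeds their own baseline by at least `threshold` standard deviations
    AND by at least `min_abs_mb`.  The absolute floor is the edge case that
    matters: a user with a tiny, steady baseline has a near-zero standard
    deviation, so any change produces a huge z-score that means nothing."""
    alerts = []
    for user, series in daily_mb.items():
        if len(series) < min_days + 1:
            continue                        # not enough history for a baseline
        *baseline, today = series
        mu, sigma = mean(baseline), pstdev(baseline)
        excess = today - mu
        if excess < min_abs_mb:
            continue                        # small in bytes, whatever the ratio
        z = float("inf") if sigma == 0 else excess / sigma   # flat history: any large excess is atypical
        if z >= threshold:
            alerts.append((user, today, round(mu, 1), round(z, 1)))
    return alerts


if __name__ == "__main__":
    for user, today, mu, z in find_outliers(DAILY_OUTBOUND_MB):
        print(f"{user}: {today} MB today vs. baseline {mu} MB (z={z})")
```

With the defaults only alice is reported; carol's day is twelve standard deviations above her baseline but only about 27 MB more, which the absolute floor suppresses, and bob's 1010 MB is within his usual spread. The thresholds are starting points to tune against your own traffic.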

  • Make the IT infrastructure flexible enough to isolate compromised subsystems and to respond to attacks individually.

Compromised systems need to be isolated as soon as possible to prevent further penetration of the IT infrastructure. An automated environment increases the reaction speed and ensures the minimisation of the attack surface.

These four countermeasures work independently but – as in every systems engineering approach – integration enables savings. These savings include implementation cost (by reduced planning), operational cost (by reduced training and effort) as well as total cost of ownership (by optimized license models). They also increase security by minimizing friction between subsystems and by faster and less error-prone communication between system components.

Please feel free to comment!

P.S. This video shows an example of how simple OSINT can be used to prepare an individual ransomware attack…