Open-Source Intelligence – Valuable source of information for IT specialists as well as attackers

OSINT provides a great opportunity for IT security teams to use publicly available sources to identify information about their company, its IT security posture and other data. It helps them track down internal data that should not be public –  including, for example, open ports and networked devices  – and take steps to remedy the situation.

The problem is, that while OSINT is a great data and information source for IT admins and other professionals who oversee the company’s IT security, it also helps cybercriminals. They can use this public, open-source intelligence to gain information in an attempt to attack the company. 

Nowadays, hacker groups are more sophisticated than ever before, due to the enormous financial and human resources at their disposal. Still, before proceeding to the actual attack, they have to do their “homework,” spying on their victims and gathering as much information as possible so that they’re able to identify the target’s weak spots. The easiest way to do that? Going through the world’s biggest information source, the World Wide Web.

From mass media and social media channels to public data such as government reports, commercial data or information easily searchable by search engines, there are plenty of places for attackers to gain intel on almost any topic. The internet is a near infinite source that cybercriminals can easily take advantage of.

Although the purpose, legal framework and intention of use differ, thanks to OSINT both IT security specialists and cybercriminals often use the same information sources. If we turn this fact into a metaphor, open-source intelligence is roughly comparable to a weapons cache where both police officers and gangsters procure their weapons.

Which OSINT tools are on the market and for what purpose can they be used?

• Shodan can be used to detect IoT devices, OT (operational technology) systems and open ports.
• Maltego helps you identify hidden relationships between people, domains, companies, document owners and other entities. The information is then visualized via an intuitive user interface.
• Metagoofil, a tool to extract metadata from publicly available documents, provides you with crucial information about IT systems (usernames, software versions, MAC addresses, etc.).
• TheHarvester, one of the most widely used and easy to use OSINT tools, allows you to see what an attacker can see about your organization, including subdomains, hosts, emails and open ports. TheHarvester not only analyzes Google and Bing, but also lesser-known search engines such as DNSDumpster or the metadata search engine Exalead.
  
  

Most importantly for defenders, no matter what tool is used to gather information about and test your defenses, it is critical to always follow the penetration testing policy of your organization and of those whose services you may be contracting.

Is OSINT legal?

As already explained, OSINT can identify public and freely accessible information. From that point of view, it is completely legal in most western countries. However, you should be cautious when it comes to data protection requirements. These two examples illustrate that point: 

1) Gathering password-protected or any other non-public data is illegal.

2) The use of information from social networks violates the terms of use of most of the platforms.

How exactly do attackers use OSINT in their attacks?

Cybercriminals try to identify relevant data sources in order to develop corresponding attack methods – ideally, without leaving any traces. It is not uncommon for cybercriminals to leverage modern information and communication technologies that automate these tasks.

Example 1: Spear-Phishing

Search engines like Google excel at using the internet to search for personal and professional information about people. So do career-oriented social networks such as LinkedIn.

But other social media channels also offer useful details (such as names of pets and relatives) which can be used to crack passwords. Data obtained in this manner can be used to identify valuable targets such as employees with access to confidential company  information.

Example 2: Security vulnerabilities

With the help of OSINT, attackers search for security gaps, such as unpatched devices, open ports, poorly configured cloud storage or even accidentally published information, in order to identify potential targets.

How do IT specialists use OSINT to secure the company?

When using OSINT, corporate security teams are primarily aiming to become aware of the publicly accessible information about their own IT systems, with the purpose of closing security gaps. These include:

• Open ports and insecure networked devices
• Unpatched software
• Information about the devices and software they use, such as software versions, device names, networks and IP addresses

OSINT is also useful for IT managers, helping them to identify public information outside the company, such as content on websites and on social media. In addition, they can obtain information from non-indexed websites and files, which are also referred to as the deep web. Even though they do not appear in the search results, they are technically public and therefore accessible via OSINT tools.

If you want to use OSINT as part of your cyber-risk management, you should define a clear strategy in advance and deal with the following questions:

• Would you like to identify network and software vulnerabilities?

• Would you like to identify publicly available assets that can be used by hackers to select appropriate attack vectors?

• Would you like to find out if there are any risks associated with the posts employees share on social media?

In addition to important endpoint protection measures such as using an antivirus solution, firewall or cloud sandboxing as well as regular training for all employees in the company, strategies related to OSINT can add a valuable layer of security to your organization.