The initial stage of a penetration test requires the testers to gather information about the target organization and its IT infrastructure. This mirrors what attackers do when planning their attacks: they attempt to gather as much information as possible to plan a successful attack. There are many mechanisms for gathering intelligence covertly, but it begins with finding data from publicly available sources. Given the plethora of online platforms available, plenty of open-source intelligence is readily available. In our engagements over the years, we have understood that sufficient information about organizations is available in the public domain that we can use to craft targeted attacks. This article explores what open-source intelligence is, what it entails, its various types and approaches, and how it helps us in security testing exercises.
What is OSINT?
Open-source intelligence refers to gathering data from freely accessible and available sources for a variety of purposes. In other words, open-source intelligence includes any data that you collect lawfully from publicly available sources about organizations or individuals. Law enforcement agencies, cybersecurity professionals, and attackers alike utilize OSINT techniques to sift through the massive pile of data and find relevant information.
It is possible that a penetration testing team will find information about an organization that the organization did not realize was publicly available. To improve an organization’s security posture, security teams are increasingly relying on OSINT techniques to expand the scope of their defensive measures. OSINT can include information in any form available on the internet. This can include videos, images, webinars, online courses, articles, books, etc. It can range from a web search for IP addresses to legislative records or court records maintained by governments and courts respectively.
Tools utilized for OSINT exercises are not necessarily open-source themselves. There are commercial tools available in the market that help you find the relevant information. Moreover, in some cases, you may not even need dedicated tools to gather and extract data. OSINT is limited to information gathering and does not involve unauthorized access to employees’ social media accounts or similar activities. OSINT information must not be drawn from restricted or limited-access sources.
Why is OSINT important?
Security teams are adopting OSINT techniques in order to take attacker-like approaches to implementing defensive security measures for their organizations. Some of the common reasons that we come across as to why organizations pursue OSINT are:
- Identifying unintentional leakage of sensitive data through social media networks and other publicly available platforms
- Finding insecure devices connected to the organizational network with open network ports
- Identifying obsolete or outdated software and application packages
- Leakage of highly confidential information such as trade secrets and source code
As threats continue to grow in sophistication, it becomes harder for security teams to keep a continuous check on the entire IT infrastructure. While there are automated tools and technologies that minimize the burden, OSINT can contribute to security operations by providing information about attack tactics and techniques. Because the information gathered from OSINT sources is often unstructured, security teams are expected to establish the relationships between the various data points themselves.
OSINT Methodologies and Approaches
Individuals and organizations have been using OSINT for a very long time, often without even knowing it. For example, marketing companies collect data about their potential customers to boost their conversion rate. In the cybersecurity industry, adopting a practical approach to OSINT turns out to be a boon. For any security program, recognizing and mitigating existing risks is a primary concern. An organization needs to utilize all possible resources to put its best foot forward. In such a situation, there does not appear to be any reasonable cause for organizations to forgo the benefits of OSINT.
While there are no strictly defined methodologies for organizations to choose from, the onus lies on organizations to determine their objectives from OSINT exercises. For example, an organization may seek to find:
- Scope of personal and professional information available in the public domain
- Relevant search queries for the organization, its technical infrastructure, and the components thereof
- Employee activity on online discussion forums and the nature of information shared therein
- Contact information (corporate as well as employees’) available on the internet
- Using relevant keywords to check whether confidential information is publicly available
- Using open-source satellite imagery to obtain topographical pictures of a location
Your organization’s OSINT methodology will evolve with time, and the return on investment (ROI) will start to become visible. While there is no hard and fast methodology, your organization can adopt either an offensive or a defensive approach.
1. Offensive/active approach
When your team establishes contact with individuals to gather information, it is referred to as the offensive approach. However, targeted individuals may be able to identify the team members involved in the exercise. In some cases, we have observed that as soon as an individual becomes aware of the team’s actual motives, they are likely to avoid any communication with the victim. Scanning a website using a vulnerability scanning tool is an example of an offensive open-source intelligence exercise. Some targeted individuals may also identify the team members and attempt to trace them.
2. Passive/inactive approach
In terms of visibility, this approach is comparatively better than the previous one. It relies on gathering information hosted by third-party sources and archival platforms. When up-to-date information is not readily available, third-party sources prove to be crucial. Given that the information may be outdated or incorrect, a team must not treat every piece of information it encounters as reliable. For better handling and analysis of the collected information, analysts commonly use machine learning tools in large-scale OSINT operations.
Threats associated with OSINT exercises
- Identification threat: This threat is evident in exercises that follow the active (offensive) OSINT approach. As you are establishing direct communication with the targeted individual, it may reveal one or more team members’ identities.
- Data loss threat: If a targeted individual becomes aware that someone is tracking their digital footprints, they may undertake the required efforts to eradicate their imprints. In some cases, it is even possible that the relevant pieces of content are taken down altogether.
- Victim threat: It is possible that your organization ends up on the other side of an OSINT assessment. OSINT teams shall not disclose organization-specific information at any point in time, and they must prefer trusted utilities such as VPNs, proxies, and APIs, among others.
While discussing open-source intelligence techniques and how they can be useful, one cannot deny the fact that OSINT is a double-edged sword. Just as your team collects information about your organization, attackers can do the same. Modern-day attackers invest sufficient time and resources to plan their attacks carefully. Gathering information about their potential target is a vital component of their preparation process. Attackers may use social engineering techniques such as phishing and vishing to trick individuals into sharing sensitive information. This information will likely form the basis of their attack. On the other hand, organizations can utilize OSINT techniques to minimize the information available in the public domain about their business operations. Any organization that seeks to conduct OSINT exercises must do so within the boundaries of the relevant laws.