1. Open Source Intelligence

Open source intelligence, also known as OSINT, refers to the gathering of information from publicly available sources, such as social media, company websites, and news articles. There is a great deal of information that can be gathered about a company or person through open source intelligence.

1.1 OSINT Techniques

In a cybersecurity context, OSINT can be used to perform reconnaissance on a target before a penetration test or to produce a report of the information a company is leaking through public sources. Cyber criminals use OSINT to collect information on a target before attacking; OSINT can also help an attacker guess a user’s password. Many people use passwords that relate to themselves. For example, a common password creation method is to use the name of your favorite pet followed by the year you were born. This is a very poor password creation technique because this information is easy for a malicious user to obtain from openly available sources, such as your social media accounts. In addition to possible password information, OSINT can reveal information about a company’s internal computer network. For example, a company’s promotional website may include pictures of employees working. These pictures may reveal information about the company’s inner workings, such as internal website URLs and private documents. OSINT can also be used to create a phony, malicious email targeting a company or individual; these phony emails are referred to as “phishing” emails.

1.2 OSINT Attack Example

The following is an example of a company press release and a phishing email created using information from the press release:

Using the information in the above press release, an attacker could form the following phishing email:

The attacker would send the above email to the CEO in hopes she would click on the link and unknowingly download the attacker’s malicious file containing a computer virus.

The attacker created this email using information gleaned from Company XYZ’s press release. The attacker registered a website and email address at “softwareabccorp.co”; notice the “.co” instead of “.com” at the end of the address. Also, the name of the researcher connected to the project, John Smith, was mentioned in the press release and was used by the attacker to add believability to the phishing email. Finally, the attacker included a link to a supposed “research paper” that would be of interest to the targeted CEO. In a malicious phishing email, this link would lead to a computer virus that infects the CEO’s computer.

2. OSINT Defensive Techniques

OSINT can also be used in a defensive manner. Open source intel can be used to keep up with cybersecurity trends and the techniques cyber criminals are using right now. There are many websites that provide OSINT about cyber attack trends reported by cybersecurity professionals. Also, when a company is receiving unusual internet traffic, OSINT can be used to determine if the unusual traffic is coming from a known malicious IP address (an IP address is a four-part number that identifies the source of a network connection).

The following are just a few of the thousands of IP addresses that originate from China:

Chinese IP Addresses
36.37.36.114
36.37.39.204
42.1.128.64

Using information from public sources about IP address origins, a cyber defender can better analyze unusual internet traffic.

For example, if the network administrator at an organization notices a high volume of internet traffic causing the organization’s website to be overloaded, he can analyze the origins of the internet traffic and determine if the traffic is likely malicious. By using OSINT to research the IP addresses of the internet traffic, a cybersecurity specialist can determine if the traffic is originating from known malicious IP addresses.
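The defensive check described above, as an added example that is not part of the original article: web-server log lines are ranked by source address and each source is compared against reputation data gathered from public sources. The log lines, the block list (seeded with the three addresses listed above) and the CIDR range are all constructed for the example; in practice the reputation data would come from a public OSINT feed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in common log format (not real traffic).
SAMPLE_LOG = """\
36.37.36.114 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512
36.37.36.114 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512
36.37.39.204 - - [12/Mar/2024:10:01:03 +0000] "GET /login HTTP/1.1" 200 1024
42.1.128.64 - - [12/Mar/2024:10:01:03 +0000] "GET / HTTP/1.1" 200 512
42.1.128.64 - - [12/Mar/2024:10:01:04 +0000] "GET / HTTP/1.1" 200 512
42.1.128.64 - - [12/Mar/2024:10:01:04 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "GET /about HTTP/1.1" 200 2048
"""

# Constructed reputation data standing in for a public OSINT feed:
# the individual addresses from the article plus a hypothetical network block.
KNOWN_BAD_IPS = {"36.37.36.114", "36.37.39.204"}
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("42.1.128.0/24")]

LOG_RE = re.compile(r"^(\S+) ")  # source address is the first field

def source_counts(log_text):
    """Count requests per source address across the log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def is_known_bad(ip_str):
    """True if the address is listed directly or lies inside a listed network."""
    if ip_str in KNOWN_BAD_IPS:
        return True
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # malformed field: treat as not matched, never crash
        return False
    return any(ip in net for net in KNOWN_BAD_NETWORKS)

def triage(log_text):
    """Rank sources by request volume and mark those matching the OSINT data.
    Returns (ranked, flagged_share): ranked is [(ip, count, flagged), ...] in
    descending count order; flagged_share is the fraction of all requests
    that came from flagged sources."""
    counts = source_counts(log_text)
    total = sum(counts.values())
    ranked = [(ip, n, is_known_bad(ip)) for ip, n in counts.most_common()]
    flagged = sum(n for _, n, bad in ranked if bad)
    return ranked, (flagged / total if total else 0.0)

if __name__ == "__main__":
    for ip, n, bad in triage(SAMPLE_LOG)[0]:
        print(f"{ip:16} {n:3} {'KNOWN BAD' if bad else ''}")
```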
