First things first: Open Source INTelligence
It’s okay if you didn’t already know the acronym. InfoSec folks love our TLAs (Three Letter Acronyms), or in this case, FLAs. We need to speak faster! No time for love, Dr. Jones!
Sorry. Back on topic…
Any penetration tester worth their salt absolutely loves OSINT. Why? Because OSINT activity doesn’t show up in the target’s logs. (Well, hardly ever, but I’ll get to that in a minute.)
When an authorized attacker (i.e., pen tester) or an unauthorized attacker (i.e., criminal) turns to OSINT, that attacker scours publicly available information for tasty little tidbits that can be used to stage an attack that’s likely to be both quick and effective.
How, exactly, do they do this? I’m glad you asked.
After profiling the company’s financials, it’s time to start profiling the employees. LinkedIn is an absolute treasure trove of employee info, including names, titles, history with the company, and in the case of many IT employee profiles, a list of the technologies in play on the company’s internal network.
While LinkedIn provides insights into the employees’ lives at work, their lives at home are all over Facebook, Twitter, Pinterest, Tumblr, and Instagram. Info like birthdays, phone numbers, schools attended, family members… in other words, the answers to all their secret questions, are there for the taking.
How well has the company defended itself against breaches in the past? If a breach has been publicly disclosed, chances are that a summary has been published to the Privacy Rights Clearinghouse. If the company doesn’t know that it’s been breached yet, then maybe, just maybe, some of the stolen info (e.g., user credentials) has already been posted to Pastebin.
Want to know whether or not they do a decent job of protecting encrypted data in transit? Qualys SSL Labs will answer that question for you.
What about web app vulnerabilities? PunkSPIDER will hook you up with the details.
Is their DNS server leaking internal network information? UltraTools Zone File Dump will tell you: it asks each of the domain’s authoritative name servers for a full zone transfer (AXFR), and a server that answers hands over every hostname and address in the zone, internal ones included.
And let’s not forget the mother of all online OSINT tools… SHODAN!!! Banners and open ports for every Internet-facing system of the company’s that Shodan’s scanners have seen, there for you to peruse at your pleasure.
Even if the only thing an attacker knows is your company’s primary Internet domain, that attacker can spend a little time with Netcraft, whois, ARIN, Robtex, and the Hurricane Electric BGP Toolkit, and develop a pretty comprehensive picture of your company’s Internet footprint.
The scariest part? Attackers can gather all of this information… ALL OF IT… without their own machines ever touching your network. Where a third-party service such as SSL Labs, PunkSPIDER, or a zone transfer tool does the probing, the only thing in your logs is that service’s IP address, not the attacker’s.
So how do we defend against this? The answer is rock simple, folks.
WE DO IT FIRST!
You don’t need to buy anything to gather the exact same OSINT on your own company. Keep in mind you have a key advantage over the attackers: your inside knowledge. Combining that knowledge with your OSINT findings will enable you to close these gaps before an attacker can take advantage of them.
Unauthorized ports open on Shodan? Close them.
Web app vulnerabilities on PunkSPIDER? Fix them.
Zone transfers were successful? Disable them.
Passwords on Pastebin? Change them.
Users oversharing on social media? Train them.
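The zone transfer check from the “Is their DNS server leaking” question above, and the “disable them” fix from this list, as an added example that is not from the original post or from UltraTools. It assumes `dig` (from BIND’s dnsutils/bind-utils) is installed for the live check; the parsing helper is exercised against constructed sample output so it can be tried offline. The domain `example.test` and its records are made up for illustration.

```shell
#!/bin/sh
# Added example: does any authoritative name server for a domain hand out
# a full AXFR zone transfer to an anonymous client? This is exactly what a
# "zone file dump" tool does for the attacker; run it against yourself first.

# axfr_leaked: read the output of `dig ... AXFR +noall +answer` on stdin and
# succeed (exit 0) if the server actually returned zone records. A refused
# transfer yields no answer records, only a "; Transfer failed." comment.
axfr_leaked() {
  # Count non-empty lines that are not dig comments (';' prefix).
  n=$(grep -v '^;' | grep -c '[^[:space:]]' || true)
  [ "$n" -gt 0 ]
}

# check_zone_transfer DOMAIN: try AXFR against every NS record of DOMAIN.
# Returns non-zero if at least one server allowed the transfer.
check_zone_transfer() {
  domain=$1
  rc=0
  for ns in $(dig +short NS "$domain"); do
    if dig @"$ns" "$domain" AXFR +noall +answer +time=5 +tries=1 | axfr_leaked; then
      echo "LEAK: $ns allows a full zone transfer of $domain"
      rc=1
    else
      echo "ok:   $ns refuses AXFR for $domain"
    fi
  done
  return $rc
}

# Constructed sample outputs (not captured from a real server) so the
# parsing logic can be exercised without network access.
SAMPLE_OPEN='example.test.          3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test.          3600 IN NS  ns1.example.test.
intranet.example.test. 3600 IN A   10.0.5.20
vpn.example.test.      3600 IN A   203.0.113.8'

SAMPLE_REFUSED='; Transfer failed.'

# demo: show both outcomes on the constructed samples.
demo() {
  printf '%s\n' "$SAMPLE_OPEN"    | axfr_leaked && echo "sample 1: transfer succeeded (bad)"
  printf '%s\n' "$SAMPLE_REFUSED" | axfr_leaked || echo "sample 2: transfer refused (good)"
}

if [ $# -gt 0 ]; then
  check_zone_transfer "$1"   # live check, e.g. ./axfr_check.sh example.com
else
  demo
fi
```

If a server answers, the fix on BIND is `allow-transfer { none; };` in the `options` block of named.conf (or a list restricted to your own secondaries), and the equivalent setting on whatever other resolver you run; then re-run the check against every name server, not just the primary, since secondaries are the ones most often forgotten.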
We’re not talking rocket science here, folks. We’re talking InfoSec 101.
Side note: If you want to include some activity that will show up in the logs, toss in a little metadata analysis with FOCA and some Google Hacking, and you’re all set. (FOCA downloads the target’s public documents to pull out the metadata, so those downloads land in the web server logs; Google queries don’t touch the target until you follow the results. Either way it still looks like benign web traffic, but at least it’s a start.)
Another side note: What I’ve outlined here is a brief intro to OSINT, what I consider to be the fundamentals. If you’re hungry for more, head on over to Online Strategies and check out a list of OSINT resources long enough to make your eyes water.
Take a few minutes, try a few links, and get a feel for what your company looks like from an OSINT perspective. You might be surprised at what you find.