Why Secureworks Adversary Group Uses OSINT — and Why You Should Care

One employee’s LinkedIn resume can be a threat actor’s treasure trove of OSINT intelligence used to compromise your organization.

By: Eric Escobar, Secureworks Adversary Group
Open source intelligence (OSINT) refers to data collected from publicly accessible sources for intelligence purposes. The term was originally coined to contrast OSINT with the other types of intelligence — such as human (HUMINT), signals (SIGINT) and geospatial (GEOINT) — used by national security, law enforcement and business intelligence organizations. But if you’ve ever used a search engine to do research about a prospective client, employer, or persona of romantic interest to you, you’ve done OSINT.
OSINT has also become very important to threat actors. When threat actors gather OSINT on a target organization, they collect all kinds of information that is useful in planning an attack. Here at the Secureworks® Adversary Group (SwAG), we generally organize that useful intelligence into three categories:
- People: LinkedIn and other social media are a rich source of intelligence about individuals and their roles in your organization. This intelligence is extremely useful for social engineering — since we can often determine who works for whom, who has what level of authorization, who’s working the IT help desk and which executive’s name carries the most clout.
We can also identify high-value target employees and create positive feedback loops of information collection. We can even reference our vast in-house database of previous breaches to pinpoint opportunities for password reuse. Some users found in data breaches have even become our “virtual accomplices” without knowing we exist!
- Technology: LinkedIn profiles and job postings are also a rich source of intelligence regarding the technologies your organization uses. This technology intelligence is obviously very useful in mounting an attack, since it can tell us what kinds of databases you’re using, which cloud platforms you’re using for your critical business applications and what operating systems you’re running on your endpoints. If we get lucky, employees may even be leaking the type of security solutions used within an organization.
Many people in technical fields now use LinkedIn as their CV — so they include even richer information on their profiles. And the more the people at your organization tell us about their skills, the clearer picture we can get of the technologies we’re up against.
- Assets: Above and beyond a generalized picture of the technologies your organization is using, we love getting our hands on intelligence about the specific assets you own. Free tools such as Shodan and Censys enable us to obtain this intelligence without sending a single probe to your endpoints.
This OSINT often enables us to identify web applications that we can target for attacks. We may find that organizations are running sensitive services — such as remote desktop, LDAP, or even SQL databases — facing externally.
Believe it or not, by scouring public code repositories, we’ve even found multiple cases where someone was hard-coding passwords in public scripts. Those discoveries almost invariably lead to the opportunity to pull off a major enterprise-wide compromise.
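The hard-coded-password problem described above is one an organization can check for on its own side before code ever reaches a public repository. The following scanner is an added example, not Secureworks code; the credential patterns, the entropy threshold and the sample file it scans are all constructed for illustration (the AWS key ID in the sample is the placeholder value used in AWS documentation, not a live key). It flags password-style assignments, AWS access key IDs, credentials embedded in URLs and random-looking tokens, while skipping obvious placeholders and environment-variable lookups.

```python
"""
Scan source text for hard-coded credentials before it reaches a public
repository. Added example (not Secureworks code); the patterns and the
sample file below are constructed for illustration.
"""
import math
import re
from dataclasses import dataclass
from typing import List

# Credential shapes to look for. The AWS access key ID format (AKIA plus 16
# uppercase alphanumerics) is AWS's documented public format; the other two
# are generic heuristics, constructed here.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(?:pass(?:word|wd)?|secret|token|api_?key)\s*[:=]\s*['\"](?P<value>[^'\"]{6,})['\"]"
    ),
    "basic_auth_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s:@]+@", re.I),
}

# Values that are obviously placeholders rather than real secrets.
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "<redacted>", "example"}

# Minimum bits/character for a 32+ character token to count as "random-looking".
ENTROPY_THRESHOLD = 4.0


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s; repeated characters pull the value down."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_text(text: str, path: str = "<stdin>") -> List[Finding]:
    """Return one Finding per suspicious line (regex hits first, then entropy)."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if kind == "password_assignment":
                    value = m.group("value")
                    # Skip placeholders and template/env references like "${DB_PASS}".
                    if value.lower() in PLACEHOLDERS or value.startswith("${"):
                        continue
                findings.append(Finding(path, line_no, kind, line.strip()))
        # Entropy check catches random tokens that no named pattern covers.
        already_flagged = any(f.line_no == line_no for f in findings)
        for token in re.findall(r"[A-Za-z0-9+/=_-]{32,}", line):
            if not already_flagged and shannon_entropy(token) > ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_string", line.strip()))
                already_flagged = True
    return findings


# Constructed sample script: lines 2-5 should be flagged, lines 6-9 should not.
SAMPLE_SCRIPT = '''\
import os
DB_PASSWORD = "Tr0ub4dor&3"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_url = "postgres://admin:hunter22@db.internal/prod"
signing_key = "Qm8xZ2sT7vLp4NcW9rHe3yKu6bJd1fGa0sVt5oXi"
# ------------------------------------------------
API_TOKEN = os.environ["API_TOKEN"]
password = "changeme"
SESSION_SECRET = "${SESSION_SECRET}"
'''


if __name__ == "__main__":
    import sys

    # Scan the files named on the command line, or the built-in sample if none.
    sources = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    sources = sources or {"sample.py": SAMPLE_SCRIPT}
    for path, text in sources.items():
        for f in scan_text(text, path):
            print(f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}")
```

Run it as a pre-commit hook over staged files, or point it at a checkout of any repository your organization publishes. The long dashed comment in the sample shows why the entropy check matters: length alone is not evidence of a secret, but a 40-character token with nearly every character distinct is worth a human look even when no regex names it.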
There’s lots of other OSINT intelligence to be found online: industry and corporate vernacular that we can use for social engineering, images of corporate badges that we can use to compromise a facility’s physical security and personal information (like mothers’ maiden names, elementary schools and favorite vacation spots) that we can use to guess passwords and security questions.
Social media is simply a treasure trove for OSINT intelligence. And once information appears on social media, it will most likely stay there for us to use forever.
Why you should care
Most organizations think of adversarial testing primarily in terms of technical penetration testing (pentesting). They may want to know if they’ve configured their firewalls correctly, if they have unpatched software vulnerabilities and if shared admin-level privileges will allow a threat actor to move laterally across their environment once their perimeter has been compromised.
But adversarial testing is much more than that. You hire us because you want to subject your organization to exactly the same kinds of malicious behaviors that a real cybercriminal or state actor would attempt against you. That way, you’re able to determine exactly where your defenses are as strong as you’d hoped they’d be — and where you’ve got exposures that you need to address.
And our expert use of OSINT is essential for ensuring that our attack simulation replicates exactly what a smart, skilled threat actor would do.
We understand how threat actors use OSINT. In fact, we think we’re better at it than most of them are. And we often dig deeper than they would — because, being opportunists, they often move on to another target if they can’t find what they want to know quickly and easily. But you’ve engaged us to give the attack our 100% best effort. So we look for every scrap of useful OSINT we can find.
Plus, we combine our OSINT expertise with all our other world-class hacking skills. So you’ll learn about all the specific factors that contribute to your most egregious cybersecurity risks: OSINT, software vulnerabilities, improper configurations, lax permissions controls, your employees’ bad digital habits and more.
How can you protect yourself against OSINT?
Given how useful OSINT can be to attackers, there are several steps you should take to mitigate OSINT-related risk factors.
One of those steps is to educate your employees about the dangers that social media content poses to your organization’s security. Most people already understand that they shouldn’t post specifics about their employer’s inner workings, but few realize just how useful some types of information can be to a potential attacker.
You’ll also want to reduce your OSINT exposure by avoiding common errors — such as using an employee’s mother’s maiden name to authenticate a password reset. Using that kind of personal information for that kind of purpose places the organization at risk for an OSINT-based attack.
But your best move is to engage with SwAG. Our pentesting and Red Teaming engagements are ideal for discovering where threat actors can leverage these OSINT techniques to compromise your organization — and exactly how an attacker could use existing OSINT to wreak havoc with your environment.
No matter how “locked down” you think your organization is, there’s OSINT out there that could hurt you. It’s time to find out what that OSINT is so you can protect yourself from its potentially significant harms.