Organizations have a digital footprint and all their staff do, too. These footprints can contain a wealth of sensitive or weaponizable information. OSINT lets you see what the hackers can see.
Despite the name, open-source intelligence (OSINT) is not related to open-source software, although many open-source software tools can help you gather it. OSINT is intelligence gathered from publicly available sources. No cybercrime is required to obtain this information; it is readily available if you know where to look and how to search.
OSINT can be gathered from sources such as the internet, mass media, social media, research journals, and state or national government search tools such as California’s Secretary of State Business Search and the United Kingdom’s Companies House Company Search.
OSINT is open to anyone. You’re only viewing publicly available information, not illegally viewing private material or using a person’s login credentials without their permission. It’s the difference between reviewing their public posts and breaking into their account to read private direct messages.
For the most part, OSINT is free. Some specialist search tools use a freemium model, but generally OSINT is low risk, free, and highly effective. Not surprisingly, threat actors use OSINT in the reconnaissance phase when planning a cyber-attack such as a phishing or social engineering campaign, or other damaging actions such as corporate or personal blackmail.
To protect yourself, you need to know what is out there about your organization and your staff.
Why Threat Actors Love OSINT
OSINT helps security teams locate and understand the information, clues, and other inadvertent breadcrumbs your employees leave in their public digital footprint that compromise your security.
For example, you might have a web developer who has created a profile on LinkedIn. Developers’ profiles commonly include a description of the technologies they are proficient with and the technologies they are currently working on. This also tells the world what technologies your website is built on, which in turn hints at the kinds of vulnerabilities it may be susceptible to.
It’s also likely that this individual has an administrative account on your website. Other information they post, such as the names of pets, kids, or a significant other, is often used as the basis of passwords, and threat actors will harvest that information too.
The Dark Web holds databases of the data breaches that occur. LinkedIn had a data breach in May 2016 which left 164 million email addresses and passwords exposed. If your developer’s details were caught up in that breach and they have reused that password on your website, the threat actors now have an easy way to sidestep the security on your website.
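The password-reuse risk described above can be checked without ever handling the clear-text password outside your own machine. The following is an added example, not code from the article: it implements the k-anonymity "range" lookup offered by the Have I Been Pwned Pwned Passwords API (`https://api.pwnedpasswords.com/range/<prefix>`), where only the first five hex characters of the password's SHA-1 hash are sent and the returned suffix list is matched locally. The sample range response and its counts are constructed so that the code runs offline; the `fetch_range` function performs the real lookup when network access is available.

```python
"""Check a candidate password against the Pwned Passwords breach corpus.

Added example, not code from the article. It uses the k-anonymity "range"
lookup of the Have I Been Pwned Pwned Passwords API: the password is hashed
with SHA-1 locally, only the first five hex characters of the hash are sent
(https://api.pwnedpasswords.com/range/<prefix>), and the returned list of
hash suffixes is matched locally, so the password itself never leaves the
machine. The sample response below is constructed so the code runs offline;
its counts are invented.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the body the range endpoint returns for prefix
# "5BAA6". Each line is "<35 hex chars of SHA-1 suffix>:<times seen>".
# The middle suffix is the genuine tail of SHA-1("password"); the other two
# suffixes and all of the counts are made up.
SAMPLE_RANGE_5BAA6 = """\
0123456789ABCDEF0123456789ABCDEF012:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FEDCBA9876543210FEDCBA9876543210FED:1
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.upper()
        if not sep or len(suffix) != 35 or not count.strip().isdigit():
            continue
        counts[suffix] = int(count)
    return counts


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup of one hash prefix (network access required)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "osint-self-audit-example"},  # constructed UA string
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample data."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "a-long-and-unusual-passphrase-0x9f3"):
        n = breach_count(candidate, fetch=offline_fetch)
        verdict = f"seen {n} times in breaches" if n else "not in sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Because only the five-character prefix is transmitted, the service learns nothing that identifies the password; the same pattern works for screening new passwords at set time, which is the control that defeats the reuse scenario above.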
You Can Use OSINT Too
Many organizations use penetration testing to detect vulnerabilities in internet-facing network assets and services. OSINT can be used in a similar way to detect vulnerabilities that are being created by the release of information.
Do you have someone who is unknowingly giving away too much information? For that matter, how much information is already out there that could be beneficial to a threat actor? In fact, most penetration testing and Red Team security teams perform OSINT searches as the first phase of data gathering and reconnaissance.
How much can others find out about your organization and your staff from their digital footprints? The obvious way to find out is to have OSINT searches performed on your own organization.
Simple OSINT Techniques
Whichever tool or technique you use, it is best to start with a wider search and progressively refine it to a narrower focus, guided by the results of the preceding searches. Starting with too narrow a focus can lead to you missing information that only shows up with a more relaxed set of search terms.
Remember, it isn’t just your employees that have a digital footprint. Your organization itself has a digital footprint, ranging from non-technical repositories such as business registration records and financial filings, to the appearance of its devices in the results of hardware search sites like Shodan and ZoomEye. Hardware search sites like these allow you to search for devices of a certain type, make, and model, or for a generic category such as “ip webcams.” You can search for protocols, open ports, or characteristics such as “default password.” Searches can be filtered and refined by geographical region.
Your own website can hold all sorts of useful information for the threat actor. The “Meet the Team” page gives roles and names, and possibly email addresses. If you can see how the email addresses are formed—“firstname.lastname@”, or “initial.lastname@”, “lastnameinitial@” with no dot, etc.—you can work out what the email address is for anyone in the company as long as you have their name. A list of clients can be obtained from your testimonials page.
That’s all the threat actor needs to perform a spear-phishing attack. They can send an email to a middle-ranking person in the finance department that appears to come from a senior member of staff. The email will have a tone of urgency. It will ask that an urgent payment to a named customer be made as soon as possible. Of course, the bank details are the threat actor’s bank details.
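The spear-phishing message described above has a recognisable shape: a display name lifted from the public “Meet the Team” page, a sending address that is not that person's corporate address, and urgent-payment language. The following is an added example, not code from the article, showing a mail-filter style check for that shape. The corporate domain, the senior-staff directory and both sample messages are constructed.

```python
"""Flag messages that impersonate senior staff to request urgent payments.

Added example, not code from the article. It checks an inbound message for
a display name that matches someone in the public staff directory while the
address does not, an external sending domain, a Reply-To pointing elsewhere,
and urgency/payment language in the body. Domains, directory entries and the
sample messages are all constructed.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List

# Assumed corporate sending domain(s) and senior-staff directory (constructed).
CORPORATE_DOMAINS = {"example.com"}
SENIOR_STAFF = {
    "jane doe": "jane.doe@example.com",
    "sam patel": "sam.patel@example.com",
}
URGENCY_TERMS = ("urgent", "as soon as possible", "asap", "immediately",
                 "payment", "bank details")

# Constructed sample messages: one impersonation attempt, one genuine note.
SPOOFED_MESSAGE = """\
From: "Jane Doe" <jane.doe.ceo@mail.example.org>
Reply-To: "Jane Doe" <jane.doe.ceo@mail.example.org>
To: accounts.payable@example.com
Subject: Urgent payment - Acme Ltd

Hi, I am in meetings all day. Please make an urgent payment to our customer
Acme Ltd as soon as possible. The new bank details are attached.
Jane
"""

GENUINE_MESSAGE = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Q3 minutes

Minutes from this morning's meeting are in the shared folder. Thanks, Jane
"""


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyse_message(raw: str) -> Dict[str, object]:
    """Return the sender address, the individual findings, and an overall verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    findings: List[str] = []

    # Display name matches a senior staff member but the address is not theirs.
    expected = SENIOR_STAFF.get(" ".join(display.lower().split()))
    impersonation = bool(expected) and addr.lower() != expected
    if impersonation:
        findings.append(f"display name '{display}' matches senior staff but address is {addr}")

    external = _domain(addr) not in CORPORATE_DOMAINS
    if external:
        findings.append(f"sender domain {_domain(addr)} is external")
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("Reply-To domain differs from From domain")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = [term for term in URGENCY_TERMS if term in body]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))

    return {
        "from": addr,
        "findings": findings,
        "suspicious": impersonation or (external and bool(hits)),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        result = analyse_message(raw)
        print(f"{label}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

A check like this is a complement to, not a replacement for, SPF/DKIM/DMARC and a payment-change verification procedure; its value is that it keys directly off the staff list an attacker would have harvested from your own website.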
Photographs on social media and blogs need to be carefully vetted for information that is captured in the background or on desks. Computer terminals, whiteboards, documents on desks, security passes, and identity badges can all reveal useful information for a threat actor.
Floor plans of sensitive buildings have been discovered online in publicly accessible planning application portals. Unprotected Git repositories may reveal vulnerabilities in web applications, or allow the threat actors to inject their own backdoor into the source code.
Social media profiles on sites such as LinkedIn, Facebook, and Twitter can often reveal a huge amount about individuals. Even a workplace Twitter account that posts a cheery tweet about a member of staff’s birthday can yield information that may be useful and exploitable. Suppose a tweet is made about someone called Shirley turning 21 and being presented with a cake at work. Anyone who can see the tweet now has her name and year of birth. Is her password possibly “Shirley1999” or “Shirley99”?
Information found on social media is particularly suited to social engineering. Social engineering is the devious but skillful manipulation of staff members in order to gain unauthorized access to your building, network, and company information.
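The birthday-tweet example above (a first name plus a birth year, or a pet's name, as the whole password) is something a password policy can screen for locally. The following is an added example, not code from the article: it compares a password's alphabetic core, after undoing common letter-for-digit substitutions, against tokens taken from a person's public footprint, and notes a birth year in the trailing digits. The facts and passwords are constructed; the screening heuristic is the example's own, not a published tool's.

```python
"""Reject passwords assembled from facts that are public about the user.

Added example, not code from the article. A local screening check for the
"public name plus birth year" pattern: the password's alphabetic core is
normalised (lower-cased, common leet substitutions undone) and compared
against tokens taken from the person's public footprint; any birth year in
the trailing digits is reported. All facts and passwords are constructed.
"""
import re
from typing import Dict, List, Optional

# Common substitutions undone before comparison ("Sh1rley" -> "shirley").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed public facts for the person in the birthday-tweet example.
PUBLIC_FACTS: Dict[str, List[str]] = {
    "first name": ["Shirley"],
    "birth year": ["1999"],
    "pet": ["Buddy"],
    "employer": ["Example Corp"],
}


def normalise(text: str) -> str:
    """Lower-case, drop spaces, undo leet substitutions."""
    return text.lower().replace(" ", "").translate(LEET)


def public_tokens(facts: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each normalised non-numeric public value to the category it came from."""
    tokens: Dict[str, str] = {}
    for category, values in facts.items():
        for value in values:
            if not value.strip().isdigit():
                tokens[normalise(value)] = category
    return tokens


def built_from_public_info(password: str, facts: Dict[str, List[str]]) -> Optional[str]:
    """Return a reason string if the password is built from public facts, else None."""
    tokens = public_tokens(facts)
    lowered = password.lower()
    # Digits/symbols after the last letter, e.g. "1999!" in "shirley1999!".
    trailing = re.search(r"[^a-z]*$", lowered).group(0)
    # Strip leading and trailing non-letters, then normalise what is left.
    core = normalise(re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered))
    if not core:
        return None

    category = tokens.get(core)
    if category is None:
        # Two public tokens glued together, e.g. "shirleybuddy".
        for first, first_cat in tokens.items():
            rest = core[len(first):]
            if core.startswith(first) and rest in tokens:
                category = f"{first_cat} + {tokens[rest]}"
                break
    if category is None:
        return None

    reason = f"alphabetic core '{core}' is the public {category} value"
    for year in facts.get("birth year", []):
        if year in trailing or year[-2:] in trailing:
            reason += f", followed by birth year {year}"
            break
    return reason


if __name__ == "__main__":
    for candidate in ("Shirley1999", "Sh1rley99", "ShirleyBuddy!",
                      "Tr0ub4dor&3", "correct horse battery staple"):
        verdict = built_from_public_info(candidate, PUBLIC_FACTS)
        print(f"{candidate!r}: {verdict or 'not derived from public facts'}")
```

In practice the public-fact list comes from the same self-audit the article recommends: what the organisation's own social accounts and staff profiles have already published about each person.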
Is This Really Legal?
Using OSINT methods in the US and the UK is legal. In other jurisdictions, you ought to check your local legislation. Generally, if the data is not password-protected and requires no deception or infiltration to acquire, then it is legal to access it. Threat actors don’t care about these points, of course.
The Berkeley Protocol defines a framework of guidance for conducting OSINT investigations into war crimes and human rights violations. This or something similar is a good benchmark to use for guidance on the legality and ethics of OSINT searches.
These are some of the well-known and well-used OSINT tools. Kali Linux includes many of them; others are available as downloadable container images, from GitHub, or as stand-alone installs. Note that most of these are Linux only. The websites can be used from anywhere, of course.
- GHunt: Finds as much information about an individual from their Google profile as it can by searching for anything related to their Gmail email address.
- ReNgine: Combines and displays an aggregate view of the results from various OSINT tool scans. ReNgine performs the scans using the other tools, and creates a blended view of the returned information.
- Shodan: A device, protocol, and hardware search engine. It is commonly used to detect insecure devices, particularly Internet of Things devices.
- ZoomEye: An alternative to Shodan.
- Social Mapper: Social Mapper uses facial recognition and names to track targets across multiple social media platforms. It’s free, but you need to register.
- Spiderfoot: An OSINT automation tool, available in open source and commercial versions. The open source version has some of the high-end features disabled.
- Sublist3r: A Python-based sub-domain enumerator.
- theHarvester: Helps to “determine a company’s external threat landscape on the internet” by gathering “emails, names, subdomains, IPs and URLs”
- Maltego: A search tool that collects data from many OSINT sources and displays a graphical set of links between the data and individuals.
- Google Dorking: Google dorking or Google hacking uses advanced search techniques to find items that have been indexed by Google yet don’t show up in normal searches, such as configuration files and password lists. Sites like Exploit Database are dedicated to sharing Google dorking search terms.
It’s (Mainly) Free, So Use It
If your security team is not already using OSINT, they’re really missing a trick. Being able to locate, edit, or remove sensitive information from the public domain is a great way to reduce the information-based vulnerabilities available to threat actors.