Open-source Intelligence (OSINT)


Open-source intelligence (OSINT) describes collecting and analyzing publicly available information and using it to support decision-making.

  • E.g., job postings and public records
  • one of the primary sources of information on which to base social engineering attacks
  • enables an attacker to develop strategies for compromising a target

Reconnaissance consists of the actions taken to gather information about an individual’s or organization’s computer systems and software.

  • often a precursor to more direct attacks
  • typically involves collecting information such as:
    • the types of systems and software used
    • user account information
    • data types
    • and network configuration
  • Understanding reconnaissance techniques and applying them to your own organization can help reveal how much useful information is being unintentionally provided to threat groups
  • can also be used as a counterintelligence tool
    • build profiles of adversaries

Tip

The OSINT Framework is a useful resource designed to help locate and organize tools used to perform open-source intelligence.

Sources of OSINT

  • Publicly available information
    • attacker can harvest information from public repositories and web searches
    • e.g.,
      • IP addresses of an organization’s DNS servers
      • the range of addresses assigned to the organization
      • names, email addresses, and phone numbers of contacts within the organization
      • and the organization’s physical address
  • Social media
    • can use social media sites to find an organization’s information
    • may find posts or user profiles that give away sensitive information
  • Resumes and job postings
  • Google hacking
  • File Metadata
    • can run metadata scans on publicly available documents
      • using a tool like Fingerprinting Organizations with Collected Archives (FOCA)
  • HTML code
    • code of an organization’s web page can provide information, such as:
      • IP addresses and names of web servers
      • operating system versions
      • file paths
      • and names of developers or administrators
    • layout and organization of the code can reveal development practices, capabilities, and level of security awareness
  • Blogs and forums

Defensive OSINT

Defensive OSINT is a type of intelligence gathering that focuses on identifying threats before they occur.

  • helps create a strategy to minimize the impact of an attack before it occurs
  • most critical component of defensive cybersecurity OSINT:
    • identifying potential attackers and their attack methods beforehand

Sources of Defensive OSINT

  • Government bulletins
    • government agencies publish a wide variety of information and advice regarding observed threats
  • CERT
    • goal of a computer emergency response team (CERT) is to mitigate cybercrime and minimize damage by responding to incidents quickly
    • work with local law enforcement, federal agencies, and other organizations to help prevent cyberattacks
    • coordinate responses to major events like natural disasters or terrorist attacks
    • can provide knowledge and information regarding trending and observed attacks
  • CSIRT
    • computer security incident response team (CSIRT) is a group responsible for responding to security incidents involving computer systems
    • typically consists of information security professionals, network administrators, system administrators, legal representatives, and other stakeholders
    • goal is to respond to security incidents quickly and effectively while minimizing the impact to the organization
  • Deep/Dark Web
    • Threat actors utilize the dark web to organize their efforts and sell products
    • Observing this activity can provide insight to:
      • threat actor activities
      • future attacks
      • information regarding current tactics
      • and evidence of previously undiscovered breaches
  • Internal sources
    • consider that evidence regarding active threats, reconnaissance activities, and suspicious behavior exists within the environment being protected
    • Activity logs are a goldmine of information

Tools For OSINT

  • can use OSINT tools to automatically collect and analyze this information
  • Shodan
    • for investigating Internet-connected devices
  • Maltego
    • for visualizing complex networks of information
  • Recon-ng
    • for web-based reconnaissance activities
  • theHarvester
    • for gathering emails, subdomains, hosts, and employee names from different public sources