Today, we’re going to dive into open-source intelligence (OSINT), and how attackers can use it to gather information about your organization that helps them penetrate your systems. OSINT is a great tool in the hacker’s toolbelt, because they can use it to passively gain information about your organization’s key employees, networks and systems. This allows them to plan out the early stages of their attacks, all without you being able to detect their attempts at probing into your organization.
We all know that there is way too much personal data and other sensitive information on the Internet. In some cases, it’s freely available, while there are also various tools and data brokers through which we can access far more valuable data.
Often, even people who are conscious of security and privacy may unwittingly post information that’s invaluable to hackers. Let’s give you an example where hackers are targeting example.com. One common way to begin their OSINT hunt is to go straight to LinkedIn and look up the company’s employees. An attacker can infer a lot about a company’s systems just by looking up who is working for them and what technologies the employees are experienced in.
Once an attacker knows who works for a company, another technique they may use is to seek out the employees’ online handles. Through usernames and email addresses, they may be able to link posts from tech support forums and other websites back to the employee.
Let’s say that one of the engineers working for example.com is named John Smith. If John Smith regularly uses the handle jsmith across a bunch of websites, the attackers may be lucky enough to track down a recent post where John Smith is asking about some server configuration issues he is experiencing. If the attackers have found the right John Smith, this could be incredibly useful information—this post could include details about example.com’s servers that may be useful in their attack.
If someone like John Smith is prolific on a site like Stack Exchange, they could have left behind a ton of breadcrumbs that give the attackers all kinds of useful information about example.com’s systems. All of this information can help the attackers devise the best ways to penetrate example.com’s systems. Since much of this can be done passively, example.com may have no idea that an attacker has already figured out so much information.
On top of these types of techniques, attackers can also use OSINT to figure out information like who to target in their phishing campaigns, and which methods may be most effective. LinkedIn is often a good source for this as well, because it can give a rough map of who key employees are. Once the attackers decide who they wish to target, they could even use information from other employee profiles to make their phishing attempts more believable. An attacker may be able to figure out who John Smith’s boss is and use this knowledge to create even more pressure in the phishing attempt.
How to limit potential harms from OSINT
If hackers are using open-source intelligence, then your security team needs to be using it as well. If you use the same techniques that the hackers use, you may find the sensitive information first, allowing you to either take it down, or come up with mitigations that limit some of the ramifications of this information being publicly available.
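As an added example (not from the original article), here is one way a security team could run that kind of self-audit over public posts it has already collected for its own employees' handles, flagging the details the John Smith scenario warns about. The domain, the pattern list and the sample posts are all assumptions constructed for illustration.

```python
import re

# Assumptions for this sketch: the organisation's domain and the patterns
# worth flagging. Tune both to your own environment.
ORG_DOMAIN = "example.com"

PATTERNS = {
    "org_hostname": re.compile(
        r"\b(?:[a-z0-9-]+\.)+" + re.escape(ORG_DOMAIN) + r"\b", re.I),
    "private_ip": re.compile(
        r"\b(?:10(?:\.\d{1,3}){3}"
        r"|192\.168(?:\.\d{1,3}){2}"
        r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b"),
    "software_version": re.compile(
        r"\b(?:nginx|apache|openssh|mysql|postgresql|tomcat)[ /]v?\d+(?:\.\d+)+\b",
        re.I),
    "org_email": re.compile(r"\b[\w.+-]+@" + re.escape(ORG_DOMAIN) + r"\b", re.I),
}

def audit_post(text):
    """Return sorted (category, match) pairs found in one post."""
    findings = set()
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.add((category, m.group(0).lower()))
    return sorted(findings)

def audit_posts(posts):
    """Map post id -> findings, keeping only posts that expose something."""
    report = {}
    for post_id, text in posts.items():
        found = audit_post(text)
        if found:
            report[post_id] = found
    return report

# Constructed sample posts under the handle "jsmith" (not real data).
SAMPLE_POSTS = {
    "forum-1": "nginx 1.18.0 on db01.corp.example.com returns 502 "
               "when proxying to 10.20.3.14",
    "forum-2": "What is a sensible default for worker_connections?",
    "forum-3": "Reach me at jsmith@example.com if you have seen this "
               "OpenSSH/8.2 issue.",
}

if __name__ == "__main__":
    for post_id, findings in audit_posts(SAMPLE_POSTS).items():
        print(post_id, findings)
```

Posts that come back with findings are candidates for takedown or editing, or for a mitigation such as changing the exposed detail.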
Some tools that can be helpful for OSINT include:
- HaveIBeenPwned – A service that shows whether usernames and passwords have been impacted in data breaches.
- Shodan – A monitoring solution that can be used to find information about devices connected to the Internet.
- SpiderFoot – A tool for scanning email addresses, usernames, phone numbers, IP addresses, hostnames and more.