Have you ever wondered how someone 7,300 miles away without legitimate access to a network can learn more about an organisation than its own employees?
It's pretty easy, given the right skills and a lot of patience. I recently gave a presentation about open source intelligence (OSINT). Prior to the workshop, I gathered OSINT on the attendees.
I created name tags and a note card specific to each person. I asked everyone to read the note card that featured their complete biography and profile, including first/last name, date of birth/place of birth, maiden name, parents' names, kids' names, schools attended, address history, phone numbers, job history, etc.
The point was to illustrate how easy it is for someone like me, who doesn't work for a government intelligence agency, to obtain this information.
What is OSINT?
Open source intelligence refers to finding and analysing publicly available information. The intelligence community has been doing it for decades: as businesses have become increasingly competitive, companies began using the internet to gather intelligence on competitors.
Then we learned nation states were using OSINT for nefarious purposes, with some having entire teams devoted to conducting reconnaissance on companies and governments for use in relentless hacking operations.
The eye opener
I used the OSINT I gathered to show the C-level executives in the audience how easily they could be targeted by a phishing or other social engineering attack. I started my presentation with infrastructural reconnaissance, which focuses on gathering information on an organisation such as email addresses, DNS records, IP addresses, MX servers, files and anything else that would be useful to an attacker.
I received permission from the executives to use them and their companies as targets for my two-part demo. The first part illustrated how much material on them and their companies I could uncover using only their domain name. Part two used those results to obtain additional information that could be used in subsequent attacks.
In part one, I used Maltego to search for the domain. In under a minute the canvas was filled with a striking display of DNS names, domains, MX records, IP addresses, phone numbers, URLs, email addresses, etc. Maltego, as the ethical hacker network describes it, is ‘an open source intelligence and forensics application that allows for the mining and gathering of information as well as the representation of this information in a meaningful way. Coupled with its graphing libraries, Maltego, allows you to identify key relationships between information and identify previously unknown relationships between them'.
I explained the results to the audience and focused in on one of the several email addresses returned, which just happened to belong to an exec sitting in the front row. Now that I had his email address and actual email server, I was more than halfway there.
I next logged into LinkedIn using an unassuming account and searched for the company. The search returned a list of people identifying themselves as employees of this company. That list included this executive, so now I had his full name, title, complete description of his position, and a list of his co-workers and information about their positions. Since I only had an hour, I stopped part one and explained how the rest of the process might play out with an attacker using this information for a phishing email.
I then took the data I obtained in part one and enumerated the network using FOCA 3.2, a free fingerprinting and information-gathering tool that can search for servers, domains, URLs and public documents and that outputs everything into a network tree.
This part of my demo was even more eye opening because it showed the audience just how exposed their assets are. Within three minutes I had obtained a comprehensive listing of their systems, complete with IP net blocks, DNS servers, exchanges server, webmail, Microsoft Lync server, customer-facing portals and a lot more.
In less than 20 minutes I gathered enough information for a mass spear phishing attack or network intrusion. I also uncovered information that could have been useful for another attack vector. These tools and techniques can be used for good or evil and unfortunately, most of the time OSINT is used maliciously.
However, security professionals can leverage the same tactics, techniques and procedures to identify weaknesses before cyber criminals exploit them. OSINT is also useful for incident response and forensics consultants investigating advanced threats. There is no single right or all-encompassing security solution, but a security stack is a way to go and OSINT is a valuable layer in that stack.
Marc Bleicher is a senior incident response consultant for Bit9