OSINT -- the security technique you might never have heard of [Q&A]

Traditionally used by intelligence agencies and the military, the OSINT technique is used to gather information about people, organisations or companies from freely accessible sources, then analyse the data obtained and draw useful conclusions and information from it.

But IT security experts can also benefit from the technique to discover potential vulnerabilities and remediate them before they're exploited by attackers.

We talked to Etay Maor, senior director of security strategy at Cato Networks, to find out how.

BN: What is OSINT?

EM: Open Source Intelligence (OSINT) is a technology used by intelligence agencies and the military. In principle, however, anyone can use it, including private individuals. The idea is to gather information about people, organizations or companies from freely accessible sources. OSINT tools then analyze the data obtained and draw useful conclusions and information from it. But OSINT can also be used to identify vulnerabilities on network devices.

The recovered data is used in social engineering attacks, locating people, gathering detailed information about people or companies, and last but not least, hacking networks.

In many cases, the publicly accessible information also shows a movement profile of people, which can also be used for attacks or provides further security-relevant information. This way, interactive maps with movement profiles can be created or login information for websites, cloud services or network devices with a web interface can be found. This makes it possible to identify security vulnerabilities in networks quickly. A fact that attackers exploit to the full. This is precisely why OSINT is also interesting for security managers in companies if they want to better protect their own network against publicly known security vulnerabilities.

BN: Why should organizations be exploiting the potential of open-source intelligence to better prepare themselves for a potential attack?

EM: With OSINT, organizations can gather and sift through their own publicly accessible digital traces, and there are quite a few. In addition to compromised credentials and passwords, these include internal company information that has accidentally ended up on the net, as well as data on domains and servers, but also data from the dark net and even information that has already been deleted.

In almost all cases of successful attacks, the perpetrators do not have to hack anything at all; they simply log in. The necessary login data can often be found on the darknet or through social engineering based on OSINT. And that is exactly what needs to be prevented.

Security teams should actively search for gaps in the network. For example, by searching for themselves and their own devices on the sites mentioned. The data must be examined from an attacker's point of view to take appropriate measures to protect the network and individual users. Of course, this includes fixing the identified vulnerabilities as quickly as possible. This at least rules out the possibility of public data being used by attackers in successful hacks.

BN: What are the publicly-available sources OSINT uses to identify vulnerabilities?

EM: These sources include social networks such as Facebook, Twitter, LinkedIn or Instagram. Many users have several profiles on different platforms. As a result, data from various sources can be read and correlated. Comments, check-ins, locations, posts, likes and much more data are publicly accessible here and easy to exploit.

Experts refer to this as 'oversharing.' That is, significantly more information is publicly available than most social network users realize. But dating apps and health trackers are also a popular information medium for OSINT tools, as is searching on GitHub. Here you can find tons of data on databases or connection information of programs.

In addition to the numerous data sources, there are websites, linked data on the Internet, DNS data and numerous other pieces of information that can be used to attack networks, but also to defend them. Once the various pieces of information have been compiled, intelligent OSINT tools quickly recognize the correlations, which the user can use for his own benefit. Attackers use the information for attacks. Security officers recognize gaps and can close or defuse potential attack scenarios in time. For example, by better protecting publicly accessible data or, under certain circumstances, deleting it altogether.

At this point, not only sources from the Internet are interesting, but also data from radio, TV or newspapers. Here, for example, information is hidden in the background of a video. In addition, there is WiFi information, Bluetooth connections and wireless networks, which also publicly share information that flows into analyses.

BN: How can OSINT be used as a powerful part of the IT and security team's armoury?

EM: OSINT can be used easily and without risk. You can easily pull information from the Internet or other sources. In addition, the tools are inexpensive and the data is available completely free of charge. Finally, the research is simple: various websites provide an easy-to-use interface and OSINT apps import additional data via API if needed. In addition, it's simply hard to track or control who uses OSINT, when and where.

Thanks to these advantages, governments, intelligence agencies, authorities, the military, but also companies are interested in exploiting the potential of OSINT. So are hackers and criminals. So, the question is not why OSINT should be used, but rather why not. And last but not least, private individuals are also using OSINT; we have already listed some examples.

In addition to those already described, there are extended OSINT functions, for example, active scanning of ports on firewalls or routers. This allows a user to gather and use the data himself. Information about standard devices can be found very quickly on the Internet, such as the default IP address, the default login name of the administrator and the password set at delivery. Many users fail to change this default data, which allows attackers to gain quick and easy access. Data that can be found with OSINT and little research effort.

Google offers numerous options to restrict searches. This is also not uninteresting for OSINT, since it allows better filtering of security-relevant information. Examples are entitled: "web client:login", intitle:"Printer Status" AND inurl:"/PrinterStatus.html". These are just two of many search terms that show login pages or data about publicly available printers. In combination with other Google options, large amounts of information can be easily collected. With options like "site:" it is possible to filter search results on individual pages. Google offers numerous easy-to-use operators for this purpose.

BN: Is OSINT the best tool to protect networks?

EM: For security professionals, it is definitely worth taking a closer look at the various OSINT tools and the information gathering capabilities to protect their networks. In most cases, this does not even require high investments and licenses: Many tools are available for free as open source. The OSINT Framework offers various collections of tools to start with that not only facilitate the search but also form an important basis for closing security gaps.

Maybe one word of caution about OSINT -- one must know local laws in order to do OSINT properly and not get in trouble. Some companies and countries would consider port knocking/scanning an attack. Similarly, searching for printers is one thing, but clicking on it and accessing a company's resources is another. Although OSINT is a helpful tool, you need to tread carefully not to get yourself into trouble.

Hackers use OSINT to bypass security measures and prepare attacks. Why shouldn't companies themselves exploit the potential of open-source intelligence to better prepare themselves for hacker attacks?
