Organizations have a digital footprint, and so do all their employees. These footprints can contain a wealth of sensitive or exploitable information. OSINT shows you what the hackers can see.
Despite the name, open-source intelligence (OSINT) is not related to open-source software.
OSINT can be collected from sources such as the Internet, mass media, social media, research magazines, and state or national government search tools such as California’s Secretary of State Business Search and the United Kingdom’s Companies House Company Search.
OSINT is open to everyone. You are viewing only publicly available information; you are not viewing illegal private material or using an individual’s credentials without their consent. It’s the difference between reading someone’s public posts and breaking into their account to read their private messages.
OSINT is, for the most part, free. Some specialized search tools use a freemium model, but overall OSINT is low risk, free, and very effective. Not surprisingly, threat actors use OSINT in the reconnaissance phase of planning a cyber attack, such as a phishing or social engineering attack, or other malicious actions such as business or personal blackmail.
To protect yourself, you need to know what can be discovered about your organization and your employees.
Why Threat Actors Love OSINT
OSINT helps security teams locate and understand the information, clues and other unintentional breadcrumbs your employees leave in their public digital footprint that put your security at risk.
For example, suppose you have a web developer who has created a profile on LinkedIn. Developer profiles typically describe the technologies they are familiar with and the ones they currently work with. This also tells the world what technologies your website is built on, which in turn is a guide to the types of vulnerabilities it might be susceptible to.
It is also likely that this person has an administrator account on your website. Other details they post, such as the names of pets, children or a spouse, are often used as the basis for passwords, and threat actors collect this information too.
The Dark Web contains databases of the data breaches that take place. LinkedIn had a data breach in May 2016 that exposed 164 million email addresses and passwords. If your developer’s data was included in that breach and he reused that password on your website, the threat actors now have an easy way to bypass security on your website.
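The password-reuse risk described above can be checked without ever sending the password anywhere. The following is an added example for this article, not the article’s own code: it uses the k-anonymity range lookup of the Have I Been Pwned “Pwned Passwords” service (only the first five hex characters of the SHA-1 hash are sent; the rest of the comparison happens locally). The `SAMPLE_RESPONSE` text is a constructed stand-in for the service’s reply so the example runs offline; `fetch_range` shows the live call for when you audit real accounts.

```python
"""Check a password against the Pwned Passwords corpus via the k-anonymity
range API, so neither the password nor its full hash leaves your machine.

Added example for this article; not the article's own code. The endpoint
https://api.pwnedpasswords.com/range/<prefix> is the real Have I Been Pwned
service. SAMPLE_RESPONSE is a constructed stand-in for its reply.
"""
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range reply: "<35-hex-suffix>:<count>" per line.
# The first line is the real SHA-1 suffix of the string "password" so the
# offline demo has a hit; the other suffixes and counts are made up.
SAMPLE_RESPONSE = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Return the 5-char prefix that is sent to the API and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range reply into {suffix: breach_count}, skipping malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times the password appeared in breaches, given the range reply for its prefix."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the live range for a 5-char prefix (network call; not used by the offline demo)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "osint-self-audit"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, live: bool = False) -> int:
    """Return the breach count, from the live API if requested, else from the constructed sample."""
    prefix, _ = split_hash(password)
    body = fetch_range(prefix) if live else SAMPLE_RESPONSE
    return breach_count(password, body)


if __name__ == "__main__":
    # Offline demo: "password" hits the constructed sample; the passphrase does not.
    for candidate in ("password", "correct horse battery staple"):
        n = check_password(candidate)
        verdict = f"seen {n} times in breaches" if n else "not in the sample range"
        print(f"{candidate!r}: {verdict}")
```

Run it with `live=True` against a candidate password during onboarding or a password change; a non-zero count means the password is already in circulation and should be rejected regardless of where it was originally leaked.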
You can also use OSINT
Many organizations use penetration testing to detect vulnerabilities in Internet-facing network assets and services. OSINT can be used in a similar way to detect vulnerabilities caused by information disclosure.
Do you have someone who unknowingly gives away too much information? And how much information is already out there that could benefit a threat actor? In fact, most penetration testing and red teams perform OSINT searches as the first stage of information gathering and reconnaissance.
How much can others learn about your organization and your workforce through their digital footprints? The obvious way to find out is to run OSINT searches against your own organization.
Simple OSINT techniques
Whichever tool or technique you use, it’s best to start with a broad search and gradually narrow the focus, guided by the results of the previous searches. Starting with too narrow a focus can cause you to miss information that only appears with a more relaxed set of search terms.
Remember that it is not only your employees who have a digital footprint. Your organization has one of its own, ranging from non-technical records such as business registrations and financial filings to entries in the results of device search engines such as Shodan and ZoomEye. Such search engines let you look for devices of a particular type, make and model, or a generic category such as ‘ip webcams’. You can search for protocols, open ports, or attributes such as ‘default password’. Searches can be filtered and refined by geographic region.
Your own website can contain all kinds of information that is useful to a threat actor. The “Meet the Team” page lists roles and names, and possibly email addresses. If you can see how the email addresses are formed (“first.last@”, “initial.last@”, “lastinitial@” without a period, and so on), you can work out the email address of everyone in the company as long as you have their name. A list of clients can be found on your testimonials page.
That’s all a threat actor needs to carry out a spear phishing attack. They can send a middle manager in the finance department an email that appears to come from a senior employee. The email will have a tone of urgency. It will ask for a payment to be made to a named customer as soon as possible. The bank details are, of course, the bank details of the threat actor.
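To see how inferable your own email convention is, you can apply the same reasoning to the addresses your site already publishes. The following is an added example for this article, not the article’s own code: given the (name, address) pairs visible on a team page, it classifies each address against a set of common naming conventions and reports whether one convention covers the list. A high coverage figure means anyone with a staff name can predict the mailbox. The `TEAM` list and `example.com` addresses are constructed sample data; the convention labels are this example’s own.

```python
"""Audit how guessable your published email addresses are.

Added example for this article, not the article's own code. It infers which
naming convention each published address follows, which is exactly the
inference an outsider makes, and reports how much of the list one
convention explains. TEAM is constructed sample data.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: what a public "Meet the Team" page might expose.
TEAM = [
    ("Alice Morgan", "alice.morgan@example.com"),
    ("Bob Tran", "bob.tran@example.com"),
    ("Carla Ng", "carla.ng@example.com"),
    ("Dev Patel", "dpatel@example.com"),        # one address that breaks the pattern
    ("Security Team", "security@example.com"),  # role mailbox, not name-based
]

# Candidate conventions (labels are this example's own): (first, last) -> local part.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "lastf": lambda f, l: f"{l}{f[0]}",
}


def normalize(name: str) -> Tuple[str, str]:
    """Split 'First [Middle] Last' into lowercase a-z tokens for first and last name."""
    parts = [re.sub(r"[^a-z]", "", p.lower()) for p in name.split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        return (parts[0] if parts else "", "")
    return parts[0], parts[-1]


def match_convention(name: str, email: str) -> Optional[str]:
    """Label of the convention that reproduces this address from the name, or None."""
    local = email.split("@", 1)[0].lower()
    first, last = normalize(name)
    if not first or not last:
        return None
    for label, build in CONVENTIONS.items():
        if build(first, last) == local:
            return label
    return None


def audit(team: List[Tuple[str, str]]) -> Dict[str, object]:
    """Tally conventions across the list and report how much one pattern explains."""
    labels = [match_convention(n, e) for n, e in team]
    tally = Counter(l for l in labels if l)
    named = sum(1 for l in labels if l)
    dominant, hits = tally.most_common(1)[0] if tally else (None, 0)
    return {
        "dominant": dominant,
        "coverage": hits / named if named else 0.0,  # share of name-based addresses it explains
        "tally": dict(tally),
        "unmatched": [e for (_, e), l in zip(team, labels) if l is None],
    }


if __name__ == "__main__":
    report = audit(TEAM)
    print(f"dominant convention: {report['dominant']} "
          f"({report['coverage']:.0%} of name-based addresses)")
    print("unmatched (role mailboxes or exceptions):", report["unmatched"])
```

The practical use is deciding what to publish: if one convention explains most of the list, a contact form or role mailboxes on the team page give outsiders far less to work with than personal addresses do.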
Photos on social media and blogs should be carefully checked for information captured in the background or on desks. Computer terminals, whiteboards, desk documents, security passes, and ID badges can all reveal useful information to a threat actor.
Floor plans of sensitive buildings have been discovered online in publicly accessible building application portals. Unsecured Git repositories can reveal vulnerabilities in web applications, or allow the threat actors to inject their own backdoor into the source code.
Social media profiles on sites such as LinkedIn, Facebook and Twitter can often reveal a tremendous amount about individuals. Even a company Twitter account posting a cheery tweet about an employee’s birthday can provide information that is useful and exploitable. Suppose a tweet is made about someone named Shirley who turns 21 and is given a cake at work. Anyone who can see the tweet now has their name and year of birth. Their password may be ‘Shirley1999’ or ‘Shirley99’.
Information on social media is particularly suitable for social engineering. Social engineering is the devious but skillful manipulation of employees to gain unauthorized access to your building, network and company information.
Is this really legal?
Using OSINT methods in the US and UK is legal. In other jurisdictions, you should check your local laws. If the data is not password protected and obtaining it does not require deception or infiltration, it is generally legal to access it. Of course, threat actors don’t care about these points.
The Berkeley Protocol defines a framework of guidelines for conducting OSINT investigations into war crimes and human rights violations. This or similar is a good measure to use as a guide to the legality and ethics of OSINT queries.
These are some of the well-known and commonly used OSINT tools. Kali Linux includes many of them; others are available as downloadable container images, from GitHub, or as standalone installations. Note that most of these are Linux only. The websites can of course be used from anywhere.
- GHunt: Finds as much information as possible about a person from their Google profile by searching for anything related to their Gmail address.
- reNgine: Combines the results of scans by other OSINT tools into a single overview. reNgine runs the scans using those tools and presents a combined view of the returned information.
- Shodan: A device, protocol and hardware search engine. It is often used to find insecure devices, especially Internet of Things devices.
- ZoomEye: An alternative to Shodan.
- Social Mapper: Uses facial recognition and names to track targets across multiple social media platforms. It’s free, but you need to register.
- SpiderFoot: An OSINT automation tool, available in open-source and commercial versions. In the open-source version, some of the advanced features are disabled.
- Sublist3r: A Python-based subdomain enumerator.
- theHarvester: Helps ‘determine a company’s external threat landscape on the Internet’ by collecting ‘emails, names, subdomains, IPs and URLs’.
- Maltego: A search engine that gathers data from many OSINT sources and displays a graphical set of links between the data and individuals.
- Google Dorking: Google Dorking or Google Hacking uses advanced search techniques to find items indexed by Google but not displayed in normal searches, such as configuration files and password lists. Sites like Exploit Database are dedicated to sharing Google dorking search terms.
It’s (mostly) free, so use it
If your security team isn’t already using OSINT, they are really missing a trick. Being able to locate, edit or delete sensitive information in the public domain is an excellent way to reduce information-based vulnerabilities by making that information inaccessible to threat actors.