Are you a fan of fitness-focused social networking apps such as Strava? You’re not alone. Even military personnel enjoy tracking and sharing their runs. It sounds great, except that all activity and GPS data the Strava app collects and publishes invariably exposes the precise location of military bases.
You might be surprised to see the kind of information that’s publicly available on the Internet today. But it shouldn’t be a surprise, given how we live in the days of oversharing. We announce on Twitter and email auto-responses about our vacation plans, essentially inviting robbers. Security professionals call it OSINT (open source intelligence), and attackers use it all the time to identify and exploit vulnerabilities in processes, technologies, and people. OSINT data is usually easy to collect, and the process is invisible to the target. (Hence why military intelligence uses it along with other OSINT tools like HUMIT, ELINT, and SATINT.)
The good news? You can tap OSINT to protect your users. But first you’ll have to understand how attackers exploit OSINT to sufficiently evaluate the scope of your attack surface and bolster your defenses accordingly.
OSINT is an age-old concept. Traditionally, open source intelligence was gathered through TV, radio, and newspapers. Today, such information exists all across the Internet, including:
· Social and professional networks like Facebook, Instagram, and LinkedIn
· Public profiles on dating apps
· Interactive maps
· Health and fitness trackers
· OSINT tools like Censys and Shodan
All this publicly available information helps people share adventures with friends, find obscure locations, keep track of medications, and find dream jobs and even soulmates. But there’s another side to it as well. Unbeknownst to potential targets, this information is just as conveniently available to scammers and cybercriminals.
For instance, the same ADS-B Exchange app that you use to keep track of your loved one’s flights in real-time can be exploited by malicious actors to locate their targets and craft nefarious plans.
Understanding the Different Applications of OSINT
Open source information isn’t just available to those it is intended for. Anyone can access and utilize it, including government and law enforcement agencies. Despite being cheap and easily accessible, nation-states and their intelligence agencies use OSINT because it provides good intelligence when done right. And since it’s all freely available information, it’s very hard to attribute access and utilization to a single entity.
Extremist organizations and terrorists can weaponize the same open source information to collect as much data about their targets as possible. Cybercriminals also use OSINT to craft highly targeted social engineering and spear phishing attacks.
Businesses use open source information to analyze competition, predict market trends, and identify new opportunities. But even individuals perform OSINT at some point and for a variety of reasons. Whether it’s Googling an old friend or a favorite celebrity, it’s all OSINT.
How to Use Multiple OSINT Techniques
The shift to work-from-home was inevitable, but the entire process had to be expedited when COVID-19 hit. Finding vulnerabilities and data against people working from home, outside the traditional security perimeter of organizations, is sometimes just a quick online search away.
Social networking sites: Cybercriminals can gather data like personal interests, past achievements, family details, and current and even future locations of employees, VPs, and executives of their target organizations. They can later use this to craft spear-phishing messages, calls, and emails.
Google: Malicious users can Google information such as the default passwords for specific brands and models of IT equipment and IoT devices like routers, security cameras, and home thermostats.
GitHub: A few naive searches on GitHub can reveal credentials, master keys, encryption keys, and authentication tokens for apps, services, and cloud resources in shared, open source code. The infamous Capital One breach is a prime example of such an attack.
Google hacking: Also known as Google dorking, this OSINT technique lets cybercriminals use advanced Google search techniques to find security vulnerabilities in apps, specific information about individuals, files containing user credentials, and more.
Shodan and Censys: Shodan and Censys are search platforms for Internet-connected devices and industrial control systems and platforms. Search queries can be refined to find specific devices with known vulnerabilities, accessible elastic search databases, and more.
Applications of OSINT for Defense Practices
Businesses that are already using OSINT to identify opportunities and study competitors need to widen their application of OSINT to cybersecurity.
OSINT Framework, a collection of OSINT tools, is a good starting point for enterprises to harness the power of OSINT. It helps penetration testers and security researchers discover and collect freely available and potentially exploitable data.
Tools like Censys and Shodan are primarily designed for pen-testing, too. They allow enterprises to identify and secure their Internet-connected assets.
Oversharing personal data is problematic for individuals and the organizations they work for. Enterprises should educate employees about safe and responsible social media use.
Employee cybersecurity awareness training should be, at the very least, a semi-annual undertaking. Unannounced cyberattacks and phishing simulations must be part of these training workshops.