In an age when everyone is connected, many businesses are forced to interact with the public via the internet. People carry small computers (phones) in their pockets, and more homes have computers than in any generation before us. According to the U.S. Census Bureau’s 2015 Computer and Internet Use in the United States: American Community Survey Reports, “Among all households, 78 percent had a desktop or laptop, 75 percent had a handheld computer such as a smartphone or other handheld wireless computer, and 77 percent had a broadband Internet subscription.”
This provides businesses with more opportunities than ever to interact with customers and potential customers via ads and information on company websites. Businesses are encouraged to make data relevant to the customer available as part of many sales and marketing strategies. Unfortunately, organizations sometimes overshare data or do not sanitize the materials they publish. As a result, information that criminals seeking to attack these organizations would find desirable becomes publicly available. This publicly available data is colloquially referred to by the information security and government intelligence communities as “Open Source Intelligence,” or “OSINT.”
The information that is provided can typically be found using mostly standardized OSINT tools and techniques. This is no different than a burglar looking under your doormat for a key before they attempt to break into your home. I have performed this type of reconnaissance on a professional and a competitive level. Companies paid my employer at the time to perform penetration testing (another phrase for ethical hacking that aims to simulate a malicious adversary).
I won the inaugural DerbyCon VII Social Engineering Capture the Flag (SECTF) and was awarded a “Black Badge,” which affords free admission to DerbyCon for life. I then competed in the same competition at DEFCON 26 in Las Vegas, NV. The only difference between work and play was the time constraints and the intended outcome. For work, I was provided information from the company to coerce the employees into performing an action or providing me with information. In the SECTF, it is mostly information gathering, with a single flag for navigating to a benign website to demonstrate the vulnerability.
In both scenarios, it was my job to snoop through my target company’s (client or assigned target) public-facing internet presence and adjacent sources of OSINT to find information that could be used to compromise them. I submit the information I collect to the competition or the company for scoring or informational purposes. In later phases, this information was used to vish (a pun on voice phishing; a social engineering technique that leverages phones rather than email for delivering the phishing payload of collecting information) employees of the target company. Doing this for work afforded me between 8 and 20 hours to perform the OSINT, the phishing and the vishing. In the SECTF, contestants have between 3 and 4 weeks to collect the OSINT (flags) at their own pace and then are afforded 20 minutes in a booth in front of the SE Village attendees to perform the vishing. There are no phishing or physical (on-site) elements to the SECTF.
Bear in mind, I had proper authorization from my target company for work and the SECTF has been vetted by law enforcement to ensure no laws are broken.
To provide some context on what information is generally accepted as relevant OSINT, consider the following. People admit where they work on LinkedIn. Many salespeople share their work email addresses publicly. After corroborating several salespeople’s addresses, the syntax of the email, also known as the recipe, can be ascertained, and attackers can build an email list from LinkedIn with additional inputs from resume sites, data breaches, other social media and the company website.
The Google dork below can yield all email addresses on the website. If the email syntax is replaced with filetype:pdf or filetype:doc, the search will provide all documents on the company website available for download.
site:<company domain> “@company.domain”
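The following is an added illustration, not code from the original post or its author, of the self-audit a business can run on the same material the search above returns: take the text of your own published pages and documents, list every address at your domain that appears in them, and check which naming recipe those addresses reveal against the employee roster HR already holds. The sample page text, the domain example.com and the employee names are all constructed for the example; the recipe names and the audit functions are hypothetical helpers.

```python
import re
from collections import Counter

# Constructed sample: text as it might be scraped from a company's own published
# pages and downloadable documents (the output of the site: search above).
PUBLISHED_TEXT = """
Contact our sales team: jane.doe@example.com or call 555-0100.
Regional lead: jdoe@example.com (west) and bob.smith@example.com (east).
Press inquiries: press@example.com. Whitepaper author: alice.smith@example.com.
Partner contact: someone@partner.example.org
"""

# Constructed roster of (first, last) names. The defender has this from HR;
# an attacker would assemble the same list from LinkedIn and resume sites.
ROSTER = [("Jane", "Doe"), ("Bob", "Smith"), ("Alice", "Smith"), ("Carol", "Jones")]

COMPANY_DOMAIN = "example.com"  # constructed

# Permissive address pattern; good enough for an audit of text you control.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Common address recipes, keyed by a descriptive label (hypothetical names).
RECIPES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first": lambda f, l: f,
    "last": lambda f, l: l,
}


def extract_company_emails(text, domain):
    """Return the de-duplicated, lower-cased addresses at `domain` found in `text`."""
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    return sorted(a for a in found if a.split("@", 1)[1] == domain.lower())


def match_recipe(local_part, roster):
    """Return (recipe label, (first, last)) for the first roster entry that
    produces `local_part` under some recipe, or None for role/unknown mailboxes."""
    for first, last in roster:
        f, l = first.lower(), last.lower()
        for label, build in RECIPES.items():
            if build(f, l) == local_part:
                return label, (first, last)
    return None


def audit(text, domain, roster):
    """Report which addresses are exposed, which employee each maps to, and
    which recipe dominates (the recipe an attacker would infer)."""
    exposed = extract_company_emails(text, domain)
    mapped = {}
    recipe_counts = Counter()
    for addr in exposed:
        hit = match_recipe(addr.split("@", 1)[0], roster)
        if hit:
            label, person = hit
            mapped[addr] = {"recipe": label, "employee": person}
            recipe_counts[label] += 1
        else:
            mapped[addr] = {"recipe": None, "employee": None}
    dominant = recipe_counts.most_common(1)[0][0] if recipe_counts else None
    return {
        "exposed": exposed,
        "mapped": mapped,
        "dominant_recipe": dominant,
        "recipe_counts": dict(recipe_counts),
    }


def not_yet_exposed(roster, recipe_label, exposed, domain):
    """Employees whose address is not published but now follows a recipe
    anyone reading the site can infer; a good list for awareness training."""
    build = RECIPES[recipe_label]
    return [
        (first, last)
        for first, last in roster
        if f"{build(first.lower(), last.lower())}@{domain}" not in exposed
    ]


if __name__ == "__main__":
    report = audit(PUBLISHED_TEXT, COMPANY_DOMAIN, ROSTER)
    print("Exposed:", report["exposed"])
    print("Dominant recipe:", report["dominant_recipe"], report["recipe_counts"])
    for addr, info in report["mapped"].items():
        print(f"  {addr}: {info}")
    print("Guessable but unpublished:",
          not_yet_exposed(ROSTER, report["dominant_recipe"], report["exposed"], COMPANY_DOMAIN))
```

Two things the report surfaces that the raw search does not: the second address for the same person (jdoe alongside jane.doe) shows an alias convention leaking, and the "not yet exposed" list is the blast radius of the recipe, the employees who can now be addressed without ever having published anything themselves.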
Do you use the same username across all websites to which you have accounts? Chances are, the answer is yes or mostly yes. As an OSINT researcher, when I see your username on your personal Facebook, I can use it to find the accounts on websites you use for work, not to mention all the information on each platform. If I see your work email in a data breach from HaveIBeenPwned, I am adding it to my dossier of how employees use and/or abuse their work emails. I keep this in mind when I develop my pretext (character or persona for contact) that I will use in my authorized attack.
In conclusion, some of the information on the internet is necessary and will be weaponized as OSINT. This is inevitable. My aim in this series is to make businesses aware of the information collection and to provide mitigation strategies for each data type as well as the potential attack outcome.