Currently, almost every malicious cyberattack involves open-source intelligence, or OSINT: the collection and analysis of data gathered from open, overt and publicly available sources to produce actionable intelligence.
The concept of OSINT was initially used to address matters of national security. In the United States, for example, the gathering of OSINT falls within the ambit of the Department of Defense and the State Department.
OSINT is defined by political scientist Jeffrey Richelson as the process of “procuring verbal, written or electronically-transmitted material that can be obtained legally”.
The emphasis on the legal gathering of OSINT is obvious when studying the six categories of information flow that are formally identified as OSINT sources:
1. Conventional media such as newspapers, magazines and radio/TV broadcasts.
2. Online publications, blogs and discussion groups, as well as YouTube, Facebook, Twitter, Instagram and other social media websites.
3. Public government data contained in reports, budgets, hearings, telephone directories, press conferences, websites and speeches.
4. Professional and academic publications, as well as data acquired at conferences, symposia, academic papers, dissertations and theses.
5. Commercial data, including imagery, financial and industrial assessments and
6. Grey literature, including technical reports, working papers, unpublished works
When did OSINT gain its nefarious image?
OSINT is distinguished from research in that it applies the process of intelligence-gathering to “create tailored knowledge supportive of a specific decision by a specific individual or group”.
In recent times individual hackers and groups of cybercriminals have increasingly used OSINT to support targeted and often highly effective attacks on companies and individuals worldwide. The favoured weapons are phishing emails designed to establish a foundation for the launch of company-wide ransomware attacks.
While there are many intelligence-gathering tools and techniques used by cybercriminals, the preferred choice is Google. So much so, that “Google dorking” and “Google hacking” are part of the criminals’ lexicon.
Google hacking involves the use of cleverly-crafted queries to find or “mine” specific information that will seldom appear in a regular Google search.
According to YouTuber Craig Hays, adding in search operators such as “inurl” and “filetype” along with sensitive keywords such as “password”, “secret” or “confidential” can return interesting results.
In an online article, he lists two examples of his own work as a penetration tester.
“I’ve shown leaked password files both on Amazon’s S3 simple storage service and on a traditional website. Below that I’ve done a search on the code hosting site github.com for the phrases ‘BEGIN RSA PRIVATE KEY’ and ‘AWS_SECRET’. The credentials you can see give you VPN access into someone’s corporate network and API access to someone’s Amazon web services account.”
He goes on to explain how he used Shodan, a search engine for Internet-connected devices, to find RDP (Remote Desktop Protocol) servers that are publicly accessible from the Internet.
“Once they [cybercriminals] get in they’ll have a foothold on a network to start poking around, elevating their level of access, stealing data and installing ransomware on anything they can see,” he says.
This raises the questions: What information can be found on the Internet about your company and employees? Could confidential data in emails be found by web crawlers, or could metadata attached to documents and images be used to gain insight into the internal structures of your organisation?
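The defender's counterpart to the GitHub searches quoted above is to look for the same strings in your own repositories before they reach a public host. The following is an added example, not code from the article or from Craig Hays; the AWS access-key-id pattern (AKIA followed by 16 characters) and the sample file contents are constructed assumptions, and the key pattern also covers EC, OpenSSH and DSA headers beyond the RSA phrase in the text.

```python
import re
from typing import Dict, List, Tuple

# Patterns modelled on the phrases the article says were searched for on
# github.com ('BEGIN RSA PRIVATE KEY' and 'AWS_SECRET'). The access-key-id
# heuristic (AKIA + 16 upper-case alphanumerics) is an added assumption.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # Only flag an assignment of a literal value, not a reference to the
    # variable name (reading it from the environment is the safe practice).
    "aws_secret_assignment": re.compile(
        r"AWS_SECRET(?:_ACCESS_KEY)?\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_name) for every line that matches."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> contents; return only files with findings."""
    findings = {}
    for path, contents in files.items():
        hits = scan_text(contents)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample repository contents; none of these are real credentials.
SAMPLE_REPO: Dict[str, str] = {
    "deploy/.env": "DB_HOST=db.internal\n"
                   "AWS_SECRET_ACCESS_KEY=EXAMPLEexampleEXAMPLEexampleEXAMPLE0\n",
    "config/vpn.key": "-----BEGIN RSA PRIVATE KEY-----\n"
                      "MIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    # Reads the secret from the environment: must NOT be flagged.
    "src/app.py": "import os\nsecret = os.environ['AWS_SECRET_ACCESS_KEY']\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_REPO).items():
        for lineno, name in hits:
            print(f"{path}:{lineno}: {name}")
```

Running it over a working tree (or as a pre-commit hook) reports `deploy/.env:2: aws_secret_assignment` and `config/vpn.key:1: private_key_block`, while the environment-variable read in `src/app.py` is left alone.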
As we’ve noted, apparently innocent online data may be used by hackers to exploit vulnerabilities within your company. For example, the advertising of job vacancies may present attentive hackers with opportunities. If you are hiring SQL database engineers, for instance, hackers will realise that there are SQL servers that could be hacked within your company.
If information finds its way on to the Internet about the hobbies or interests of senior executives, it may be used by hackers to launch phishing attacks. Perhaps a CFO has a penchant for water-skiing. He or she may be asked to click on bogus websites featuring the latest boating and skiing equipment – with disastrous results.
Securing a company’s secrets is the task of experienced professionals who are trained to look at apparently harmless company data through the eyes of the cybercriminal, and who use knowledge gained from studying and evaluating countless security breaches to protect and fortify your organisation.