Remaining Vigilant: External threat detection with OSINT
For all the benefits that the internet has provided to businesses, from cloud computing giving you anytime, anywhere access to your information to robust data analysis at the click of a button, there are also increased risks of cyberattacks that take advantage of security vulnerabilities in the networks, devices, and applications used by these organizations.
Constant vigilance of every possible source of a security breach to your company’s systems can be difficult, if not impossible, to maintain. This blog discusses some techniques companies use to mitigate these risks.
What is your attack surface?
Every internet-facing entry point your organization uses, such as services and applications, email servers, and network devices, constitutes your attack surface. This attack surface extends beyond the organization itself to include devices used by remote workers. Every point of entry has the potential of having a security vulnerability that bad actors can exploit to gain access to your network.
Security vulnerabilities can be unintentional – an OS or application manufacturer might inadvertently introduce a command that can be exploited. Once discovered, these vulnerabilities are usually corrected in a security update. The only problem is that it might take months before the vulnerability is discovered and the subsequent fix released – and even then, many organizations don’t install security updates promptly, leaving them open to attack, even though the remedy has already been given to them.
The point is, as a company’s attack surface grows, there are more and more opportunities for bad actors to find a source of entry and cause irreparable harm, and they only need to find one.
Identifying external threats with Open Source Intelligence (OSINT)
Every organization must remain vigilant of its attack surface to identify potential threats and mitigate them as soon as possible.
But, as the phrase goes, “You don’t know what you don’t know.” Security teams must first identify what threats are present before taking steps to mitigate them.
One technique many organizations adopt to monitor potential threats is using Open Source Intelligence (OSINT). OSINT uses publicly available information to identify, analyze, and report potential security vulnerabilities. Public information, whether free or purchased, can be obtained from any legally available source, including the internet, social media sites, public records, publications such as magazines and newspapers, blogs, forums, corporate websites, and even the dark web.
How OSINT is used to protect against threats
OSINT helps security teams stay current on the latest cybersecurity threats and trends by collecting information on vulnerabilities and tactics and acts as an early warning system.
- Third-party risk and vulnerability management – OSINT can gather information on security incidents and breaches and identify disclosed vulnerabilities so the security team can prioritize patching and mitigation efforts based on how severe and relevant those vulnerabilities are. Security teams use this information to make informed decisions about the organization’s relationships with these third parties. Without them, the team may never know the threats even exist.
- Proactive threat hunting – Real-time threat detection and containment of threats, including the latest phishing and social engineering playbooks as well as malicious domains and email addresses.
- Dark Web monitoring – Security teams can monitor underground forums for mentions of the company’s brand, employee emails, usernames, credentials, accounts, and corporate entry points. This helps the team identify who is attacking and the typical attack patterns employed, which allows the team to take proactive measures to secure exposed information.
- Brand protection – OSINT can also be used to look for company mentions. Bad actors sometimes masquerade as company representatives, creating posts that could damage the company’s brand.
- Test for potential threats – Penetration testers can use OSINT data to uncover additional risks, including data leaks (inadvertent exposure of personally identifiable information), unpatched software, and open ports.
OSINT can be used for good…or evil
Because OSINT information is available to everyone, bad actors have access to it as well. That means that, whether you are monitoring it or not, they are. And they are using OSINT data for malicious reasons, including:
- Targeted identification – Bad actors gather information about an individual using email surveillance and social media profiling to target the person with personalized phishing and social engineering scams. The bad actor might pose as a legitimate software vendor known to be used by the target, or they might impersonate the target’s boss in a text message.
- Exploit publicly known vulnerabilities – While security teams use OSINT data to discover known vulnerabilities of platforms and applications to reduce their attack surfaces, threat actors use the same information to hunt for and exploit unpatched systems.
- Dark Web data – Threat actors can search the dark web for mentions of the company’s brand, employee emails, usernames, credentials, accounts, and corporate entry points to leverage in a targeted attack. They can even purchase previously compromised user credentials.
While it is possible to conduct OSINT research independently, the task is both labor- and time-consuming. The good news is that several tools can help you search, consolidate, analyze, and leverage the data. Some of these tools are free; others require a subscription. Many provide APIs so you can use the information in your other cybersecurity tools. Below are a few of the popular tools to help you get started.
- Maltego – Collects information from websites, dark web forums, social media, and other online sources and maps the data into a visual format, making it easier to spot vulnerability patterns.
- Shodan – Monitors all your organization’s devices and networks accessible from the internet and helps you find potential security threats.
- theHarvester – Gathers information from OSINT sources to identify any information that can be seen about the organization, such as emails, sub-domains, employee names, open ports, etc.
- Recon-ng – Reduces the time it takes to consolidate information from OSINT sources, including websites, social media, DNS records, and the dark web.