Open-Source Intelligence (OSINT) - Why it matters.
Digital based infrastructure is regularly under threat and day in, day out, within the Stripe OLT SOC team, we spend our time responding to these threats. The most concerning incidents we face are dedicated campaigns against a particular individual or corporate entity. These dedicated campaigns are often built upon a foundation of Open-Source Intelligence (OSINT) Gathering.
What is OSINT?
OSINT is defined as “publicly available information appearing in print or electronic form including radio, television, newspapers, journals, the Internet, commercial databases, and videos, graphics, and drawings.” For many individuals, vast quantities of information have already been documented within the publicly accessible digital space, be it through social media accounts, ancestry websites, government documents or information leaked during data breaches, and much of this data is only a few Google searches away.
By utilising this information, those with malicious intentions can leverage various avenues of exploitation to gain access where they shouldn’t. The most common tactic is using gathered intelligence combined with social engineering.
The following scenario details just how personal information online can provide threat actors with the leverage they so desperately seek. This scenario is based on a real-world OSINT case, with key information being obfuscated to provide adequate anonymity.
Real World Scenario
A malicious actor has been searching for a way to exploit a respected financial company, let’s call them Layton & Blues. But due to a tight security posture enforced by the Layton & Blues IT team, there is very little access that can be gained through remote means. Phishing campaigns and targeted brute force password attacks have yielded no results.
From reviewing the Layton & Blues LinkedIn page, the threat actor uncovers that Amanda Tims (as we shall call her) is the IT manager. A few Google searches later and the threat actor has discovered Amanda’s Facebook social media account. Said account has some security settings in place, hiding information such as her phone number, email, and photo albums. However, her profile photo and posts are publicly available to view, allowing the threat actor to validate Amanda’s identity against her LinkedIn profile photo and snoop through Amanda’s posted content carefree.
It would appear that Amanda has posted a link to Rightmove on her Facebook page. She is in the process of selling her house and is welcoming friends and family to share the post to promote the house sale. The Rightmove property listing shows quality pictures, detailing the bedrooms, living rooms, kitchen, and office. The office pictures show a spacious, well decorated room with a single desk and, oh what luck, a desktop computer underneath it.
As with many different corporations in recent years, Layton & Blues have adopted a hybrid working policy (their marketing team created a great post about it on their website), which means that Amanda spends a lot of her time working from home. As the IT manager, she makes use of her personal high-spec desktop PC which has been properly adopted into her employer’s digital environment.
The malicious actor now has a very clear avenue of attack. All that is required is technical know-how, the correct tools, and nerve.
Our threat actor contacts Rightmove and poses as a potentially interested cash buyer for Amanda’s property, under a fake name of course. The estate agent handling the sale is extremely helpful in arranging for a viewing at the earliest convenience. The threat actor has leveraged the property listing to build a position of trust and gain access to Amanda’s home address.
For those of you who haven’t attended a house viewing before, estate agents are often more than happy for you to wander around the property unattended. Such an event in this case provides ample opportunity to enter the office and plug a USB tool into the back of Amanda’s desktop.
The next time Amanda boots her computer, any number of malicious attacks could be completed on her device, be it traffic sniffers, keyloggers, or backdoor remote access capabilities, providing the attacker has been clever enough to circumvent any local device security controls that are in place. The malicious actor now has explicit access to the IT manager’s device and to Layton & Blues data.
How can you defend against Open-Source Intelligence?
There are a number of steps within that scenario where the threat actor would have been blocked had Amanda been more aware of her online presence and of the fact that she was a high value target for malicious actors targeting her employer. Enforcing stricter social media security controls in her case would have prevented any information being easily exposed. Using a personal device, and allowing pictures of that device to be posted online, was another key weakness.
Regarding defending against OSINT, awareness is everything. Understanding what information is available about you online can go a long way towards preventing those with devious intent from exploiting it. Professional Digital Footprint Assessments expose an individual’s digital footprint through the eyes of someone with the skills and tools utilised by malicious actors. Once you’re aware of exploitable data, the next step is remediation: removing said data or tightening security controls to prevent public access.
We are seeing increasing examples of OSINT being exploited in the wild, and as tools and techniques develop the threat will increase. OSINT is often overlooked in terms of corporate security posture; it’s crucial that we recognise that criminal elements have used, and will continue to utilise, OSINT alongside classic ‘hacker’ tactics.
As the digital working environment evolves it is our responsibility to be aware of our publicly accessible data, and to safeguard it against those that would seek to exploit it.