Open Source Intelligence
Open source intelligence (OSINT) is data collected from sources that are public, lawful to access and freely available. It is neither classified nor subject to any proprietary restriction.
In its simplest form, suppose you want the address or telephone number of an organisation: enter its name into your favourite search engine and you will almost certainly be presented with the data you need. Freely available information of this kind can only be a good thing, right?
Well, the answer is both yes and no. Yes, it is great to have useful information freely available and easily accessible. No, it is not good if you are inadvertently sharing information that is sensitive in nature. The type of information an organisation probably would not want in the public domain includes:
• Operating System/Software Versions
• Non-publicly advertised servers
• Internal Server Names / IP Addresses
• Staff job titles
• And much more!
This type of information is extremely valuable to a social engineer looking to attack an organisation through phishing, vishing or even physical infiltration. As with many penetration-testing tools, OSINT tools are free to use and require little, if any, experience to run. The amount of such data in the public domain can be called your organisation's 'digital footprint': the smaller it is, the less malicious actors have to use against you in the various types of attack.
Below is a list of tools which can be used to identify how big (or small) your digital footprint is:
• Bluto (free)
• theHarvester (free)
• Maltego (free and pro versions available)
• Shodan (free and pro versions available)
• Metagoofil (free)
Many of the tools above let an attacker simply enter the domain name of the target organisation and do the rest. They query Name Servers, Mail Exchange (MX) records and whois information, and brute-force subdomains to establish which are configured at the target domain but not publicly listed. These often include development and test servers, which may or may not be patched and secured to a high standard. Shodan can be used to establish which ports and services are present on the identified hosts, which may form the basis of actual hacking attacks. A further benefit of most of these tools, from an attacker's point of view, is that they do not probe the hosts themselves (as Nmap would, for example) to gain information, so the target sees nothing in its own logs. This is especially true of Shodan, which helps find vulnerable services on web servers and lets results be filtered by country, port, operating system, hostname and even the host's vulnerability status to issues such as 'Heartbleed'.
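The subdomain check described above, written as a footprinting audit to run against a domain you own. This is an added example, not code from Bluto, theHarvester or any other tool named on the page; the resolver is injectable so the block runs offline against a constructed zone, and it handles the wildcard-DNS edge case that makes every candidate appear to exist.

```python
import re
import secrets
import socket

# Labels that suggest non-production systems, which the text notes are often
# patched and secured less rigorously than public-facing production hosts.
NON_PROD = re.compile(r"^(dev|test|uat|staging|stage|qa|beta)\d*([.-]|$)", re.I)


def resolve_default(name: str):
    """Resolve a hostname to an IPv4 address, or None if it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def audit_subdomains(domain: str, candidates, resolve=resolve_default) -> dict:
    """Return {fqdn: {"ip", "non_production"}} for candidate labels that resolve.

    A random label is resolved first: if it answers, the zone has a wildcard
    record and hits sharing that address are ignored as false positives.
    """
    wildcard = resolve(f"probe-{secrets.token_hex(4)}.{domain}")
    exposed = {}
    for label in candidates:
        fqdn = f"{label}.{domain}"
        ip = resolve(fqdn)
        if ip and ip != wildcard:
            exposed[fqdn] = {"ip": ip, "non_production": bool(NON_PROD.match(label))}
    return exposed


# Constructed zone standing in for live DNS so the example runs offline.
FAKE_ZONE = {
    "www.example.org": "192.0.2.10",
    "mail.example.org": "192.0.2.20",
    "dev-portal.example.org": "192.0.2.30",
    "staging.example.org": "192.0.2.31",
}


def demo() -> dict:
    """Audit the constructed zone with a short sample wordlist (hypothetical)."""
    wordlist = ["www", "mail", "vpn", "dev-portal", "staging", "intranet"]
    return audit_subdomains("example.org", wordlist, FAKE_ZONE.get)
```

Swap `FAKE_ZONE.get` for the default resolver to audit a real domain you control; any name flagged `non_production` is a candidate for removal from public DNS or for the same patching regime as production.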
Bluto, which is a freely available OSINT tool, can also download and scan documents legitimately uploaded into the public domain, corporate whitepapers for example, looking for metadata. Document metadata is information attached to a file that may not be visible on the face of the document. It can include:
• The name of the author who wrote the document
• The author’s network username
• The author’s manager
• The internal folder location where the document is stored, either workstation or file server
• Software versions used to compose the document
You can start to see how this information can be extremely useful to an attacker by providing them with internal system and staffing details.
Before uploading any document to the internet, check the file properties for metadata and sanitise where applicable. Remember, it is not just Word documents that contain metadata: Excel, PowerPoint and PDF files do too.
If you must use a company-branded email address online, use a generic one, such as 'firstname.lastname@example.org', rather than 'John.email@example.com'. Doing this reduces the chances not only of staff name enumeration but also of the enumeration of domain usernames, which can be used against any identified remote login portals such as Outlook Web Access.
Configure externally facing web servers to block traffic from Shodan's scanning servers, stopping its ability to fingerprint your assets and serve the information to anyone who asks. Bear in mind that Shodan is not the only internet-wide scanner, so this reduces your exposure rather than removing it.
Performing regular external security assessments and digital footprinting exercises through trusted service providers such as Commissum can help establish just how much data you are disclosing.
If you do not have the time or the skills to be confident of finding out exactly what is publicly available about your organisation or staff, call Commissum for a conversation with one of our intelligence analysts. We can provide a report as part of a short piece of work, which you can use to remove data from the web, or use OSINT to mimic an attack chain as part of a Red Team exercise or Advanced Persistent Threat simulation to find out how your data could be used against you in a real-world attack.
Worried about the type of data your organisation is disclosing to the public? Contact us today and speak with one of our intelligence analysts.