Find out how one analyst used social media to collect enough intel in five hours to breach a Fortune 500 company.
What is open-source intelligence (OSINT)? Quite simply, it's intelligence collected from publicly available information such as Facebook, LinkedIn and even the dark web. Are you using information available from these sources? Adversaries are!
The statistics on publicly available information are mind-boggling. There are over 500 million tweets and 1 billion Facebook posts per day. LinkedIn has over 400 million users and 2 new users are signing up every second. That means that by the time you're done reading this blog, over 700 professionals will have signed up for LinkedIn!
Your employees, from the CEO to the Systems Administrator, are leveraging social media to share information with peers. They are sharing this information both for the advancement of a company, group or cause and for the betterment of themselves. However, there can be a negative impact.
The aggregation of publicly available information may expose your company's vulnerability landscape. Adversaries are leveraging this intelligence to carry out extremely targeted attacks.
At Leidos, we leverage our big data analytics technology, Open-source Intelligence (OSINT), and world-class intelligence analysts to collect, process and analyze this information. We are able to monitor our customers' online cyber footprint and provide clients with actionable intelligence so that they can mitigate their exposure.
Making it Real: 1 Analyst. 5 Hours.
I’m sure you’re thinking, “He just threw out a lot of buzz words…’big data’, ‘actionable intelligence’… but what does this really mean?” Let me tell you a story of how I demonstrated the power of OSINT while speaking at a recent cybersecurity conference in London.
Prior to the conference, I gave one Leidos intelligence analyst five hours to use our OSINT technology to uncover intelligence on the companies in attendance. I wanted to "make it real" for the audience by showing how publicly available information posted by their employees can expose their companies to adversaries.
Attendees were shocked that the aggregation of information could paint such a rich map of their company's assets, people and cyber programs. This is just what adversaries want: a detailed view of their targets. Jaws dropped and follow-on conversations ensued, indicating we had struck a nerve. In case you were wondering how I managed to walk safely out of the auditorium after revealing so much, I did sanitize the results so as not to expose any single individual or company in the room.
LinkedIn Profiles Leak The Cybersecurity Strategy
I first focused on what OSINT could reveal about the cybersecurity strategies of the companies in the room by sharing three LinkedIn posts.
The first two LinkedIn posts were shared to promote the skills and achievements of individuals at a company. The third post was from the HR department of the same company, in this case promoting a recruitment drive for analysts to join the SOC based out of London. On their own, they seem innocuous, but together they begin to provide real insight into the strategies of the company. When the intelligence analyst dug deeper, they were able to uncover numerous mentions of the items highlighted in yellow posted by other employees of the same company. The final picture not only revealed the company's strategies, but also the associated budget, timeframe and physical locations of the projects.
“… so you know my strategy, how does this expose my company?”
We all know the saying "knowledge is power", and this couldn't be more true for your adversaries. Take the example of the human resources employee's post for a security operations center (SOC) manager. From this post and others found (including posts from current SOC analysts on staff), the adversary knows your SOC is going through a 2-year, £15 million SOC transformation. This tells the adversary that your SOC is likely in a reactive, firefighting mode and it will be some time before you reach a proactive security posture. Additionally, the intelligence analyst was able to determine that this company only operates one SOC, which is located in London, and is rarely staffed 24/7. This tells the adversary to attack outside of the hours of 9:00 am – 5:00 pm UTC. By connecting the dots, the adversary can start to paint a revealing picture of where you are vulnerable.
The example I used focused on just three posts from companies in the audience. Many of our clients have thousands of professionals signaling their experience with various technologies and programs within their company’s environment. All of this data can provide the adversary with a very clear picture of your company’s cybersecurity strategy which they will use to stay one step ahead.
LinkedIn Profiles Expose your Cybersecurity Technologies
After proving that it is possible to uncover an organization’s cybersecurity strategy from LinkedIn, I turned the focus to how our OSINT research exposed the technologies that the companies in the room were using to defend their enterprise. Cyber defenders are proud of what they do and the skills they have; and rightly so. Unfortunately, in their zeal and enthusiasm, they often tell too much.
Again, using posts from LinkedIn, I flashed up on the screen dozens of defensive technologies the companies in the room had implemented across their enterprise. There were a lot of half smiles and raised eyebrows staring back at me. But things got even more interesting when I progressed further and showed the entire defensive stack that certain companies were running (e.g. Firewalls – Palo Alto and Juniper SRX; Load Balancers – F5 LTM and GTM; External Proxies – BlueCoat 5G; IDS & IPS – TippingPoint; Antivirus and Endpoint Protection – FireEye WebMPS; Emails – McAfee Endpoint Protection Suite; SIEM – ArcSight; Routers and Switches – Cisco Nexus).
"… so you know what defensive technologies I've deployed, how does this expose my company?"
We all know that the best defenders are those who can think like the adversary. Taking this approach, imagine you are an adversary (or a team of adversaries) sitting in a basement or war room planning out your attack on ACME Corporation. You have conducted OSINT reconnaissance and laid out the entire defensive stack of the enterprise, from perimeter firewalls to endpoints and everywhere in between. You have built a simulated environment which incorporates all of ACME's defensive technologies and have tested out your attack, numerous times, to ensure any malicious payload will penetrate each layer of ACME's defensive stack. By the time you are ready to carry out the actual attack, you have an extremely high level of confidence that it will be a success.
As a good defender, you practice defense in depth; however, this is greatly discounted if the adversary knows each layer of your defense and has the ability to test their attack against it. Putting yourself in the adversary’s shoes, where will you get the most return on investment (ROI) for your attack? Company A, where you only know 3 or 4 of their defensive technologies? Or Company B (i.e. ACME Corporation), where you have laid out their entire defensive stack?
The examples I have just run through were obtained by one of our intelligence analysts in only five hours. It isn't hard to imagine the full depth and breadth of intelligence adversaries can gain by leveraging OSINT if your company is their primary focus.
"… I now understand the power of OSINT and how it can be leveraged by my adversaries, but what can my company do to mitigate the exposure?"
There are a few simple steps you can take which will enable your company to continue to obtain value from social media while ensuring your employees are not exposing your vulnerability landscape:
- Develop a social media policy for employees. Focus on what they should and should not be posting on their LinkedIn and other social media accounts.
- Educate employees on the risks of social media and what it means to the business and their own personal security.
- Designate a team to actively track and coach employees on how to bring profiles and information on accounts back to policy.
- Use a technology, like our OSINT technology, to actively search public posts for terms that indicate sensitive information is being released, and to analyze the aggregated results so that you understand the complete enterprise risk rather than individual posts in isolation.
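The last two steps can be approximated with a simple self-monitoring scan: flag posts that mention defensive products, programme budgets, timelines or SOC shift coverage, then aggregate the hits per company to see the picture an adversary would assemble. This is an added illustration, not Leidos' OSINT technology; the sample posts, companies and authors are constructed, and the detector patterns are illustrative keyword lists (the product names come from the defensive stack quoted above) that a real deployment would replace with the company's own technology inventory.

```python
import re
from collections import defaultdict

# Illustrative detectors for the kinds of disclosure the post describes.
# The product names are the defensive stack named in the article; the
# budget, timeline and shift patterns are constructed for this example.
DISCLOSURE_PATTERNS = {
    "defensive_technology": re.compile(
        r"\b(Palo Alto|Juniper SRX|F5 (?:LTM|GTM)|BlueCoat|TippingPoint|"
        r"FireEye|McAfee|ArcSight|Cisco Nexus)\b", re.IGNORECASE),
    "programme_budget": re.compile(
        r"[£$€]\s?\d+(?:\.\d+)?\s?(?:million|m|k)\b", re.IGNORECASE),
    "programme_timeline": re.compile(r"\b\d+[- ]year\b", re.IGNORECASE),
    "soc_coverage": re.compile(
        r"\b(24/7|9\s?(?:am|:00)\s?(?:-|to)\s?5\s?(?:pm|:00)|on[- ]call)\b",
        re.IGNORECASE),
}

def scan_post(text):
    """Return {category: [matched terms]} for one post; empty dict if clean."""
    hits = {}
    for category, pattern in DISCLOSURE_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits

def aggregate_by_company(posts):
    """Merge hits across posts per company: the 'connect the dots' picture
    an analyst assembles, and what the policy team should review."""
    picture = defaultdict(lambda: defaultdict(set))
    for post in posts:
        for category, terms in scan_post(post["text"]).items():
            picture[post["company"]][category].update(t.lower() for t in terms)
    return {c: {k: sorted(v) for k, v in cats.items()} for c, cats in picture.items()}

def authors_to_coach(posts):
    """Authors whose posts triggered any detector, for the coaching step."""
    return sorted({p["author"] for p in posts if scan_post(p["text"])})

# Constructed sample posts; the companies and authors are fictitious.
SAMPLE_POSTS = [
    {"company": "ACME", "author": "soc-analyst-1",
     "text": "Proud to have rolled out ArcSight and TippingPoint this quarter!"},
    {"company": "ACME", "author": "soc-analyst-2",
     "text": "Halfway through our 2-year, £15 million SOC transformation; tuning Palo Alto rules."},
    {"company": "ACME", "author": "hr-recruiter",
     "text": "Hiring SOC analysts in London. Standard 9am-5pm shifts, no 24/7 rota yet."},
    {"company": "Globex", "author": "engineer-1",
     "text": "Great conference talk on threat modelling today."},
]

if __name__ == "__main__":
    for company, cats in aggregate_by_company(SAMPLE_POSTS).items():
        print(company, cats)
    print("coach:", authors_to_coach(SAMPLE_POSTS))
```

No single post here reveals much, but the aggregated ACME entry shows stack, budget, timeline and shift coverage together, which is exactly the view the policy team wants to see before an adversary does.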