ZOMG OSINT Heaven - What?! No Magic Button?!?!

Transcript

1. { ZOMG It’s OSINT Heaven WHAT?! No Magic Button ?!?!

2. ❧ Intro ❧ Acknowledgements ❧ Before OSINT ❧ OSINT ❧

   What OSINT is Not ❧ What OSINT is ❧ The Multiplier - OSINTernet ❧ Case Study (w/ OSINT Techniques) ❧ Summary/Questions Overview

3. ❧ Tazz ❧ Not representing any employer ❧ Love, Fight

   & Play Hard ❧ Not politically correct ❧ Twitter: @GRC_Ninja ❧ Blog: https://www.osint.fail Intro

4. Acknowledgements Thank you for your support, encouragement and contributions to

   the OSINT/Threat Intel Community @achillean (John Matherly) @spridel11 (Justin Brown) @iiamit (Ian Amit) @alexhutton (Alex Hutton) @IntelTechniques (Michael Bazzell) https://inteltechniques.com/intel/links.html

5. This Talk ❧ Why: ❧ Because someone said “we don’t

   need threat intel here.” and took it off the org chart ❧ Because your employees are always doing something stupid on the Internet ❧ Because somebody is targeting you ❧ What: ❧ Brute Force OSINT - no automation ❧ Intel Analysts ❧ Technique =! Instinct

6. UserID Hobbies Official Data Social Media Photos Job/Family A Life:

   it’s really this easy…

7. {OPSEC FAIL = OSINT HEAVEN Open Source Intelligence

8. Before you OSINT know... We’re Hunters: You (MGMT) must tell

   us what to go kill ❧ Threat Model $Type-Centric ❧ Software, Asset-Risk, Attacker ❧ Threat Modeling =! Risk Analysis ❧ Control Mapping ❧ What do you want to collect/know ❧ How/Where are you going to to collect it ❧ Define intel data characteristics/parameters ❧ currentness / staleness ❧ uniqueness / progressiveness ❧ reliability - Have you even defined a scoring methodology?

9. ❧ …Doxing or Stalking someone ❧ …Open Source INTernet (that’s

   just noise) ❧ …Finding the Boogeyman on the Dark Web ❧ …Conducted with a Magic Button ❧ …Something that requires expensive tools ❧ …Something only the Gov’t does ❧ …Something done in 45min - this isn’t Mr. Robot OSINT is NOT…

10. ❧ Open Source = “free” open data, not JUST websites

    ❧ INTelligence = contextualized & actionable ❧ Finding THE demons keeping C-levels awake at night ❧ Both pre-emptive & reactive ❧ Can be part of counter-intelligence ❧ Something that benefits from investment in tools ❧ Something your enemy is already doing ❧ Something that requires “room to explore” ❧ Methodical on paper and abstract in execution OSINT is …

11. ❧ Don’t break the law ❧ If you are breaking

    the law STFU about what you do – nobody is going to jail for you ❧ Be Safe – Don’t be a Hero ❧ Capture it the FIRST visit ❧ READ THE FINE PRINT ❧ Immediately involve legal department and/or authorities if you’ve found something criminal WARNINGS & DISCLAIMERS

12. The Multiplier – “OSINTernet”

13. The Multiplier – “OSINTernet”

14. { Case Study From UserID & 1 post - to

    Full Profile

15. Username Online Tools ❧ NameChk.com ❧ 159 popular social media

    sites (at this time) ❧ *Export list in spreadsheet w/ URLs (*unavilable) ❧ KnowEm.com ❧ 25 most popular sites first ❧ 500+ social brand sites can be checked ❧ Blogging, Bookmarking, Business ❧ Community, Design, Entertainment ❧ Health, Information, Microblogging ❧ Music, News, Photo, Tech, Travel, Video ❧ CheckUsernames.com ❧ 160 popular sites ❧ *Links are right on the page ❧ is powered by KnowEm.com

16. Google & Usernames 1. “username” 2. site:socialmedia.com “username” 3. url:“username”

    4. use the ‘Verbatim’ search instead of ‘Standard’ 5. common files with usernames a. ext:txt OR ext:rtf “username” b. ext:xls OR ext:xlxs OR ext:csv “username” 6. to get the date the content was indexed append: &tbs=1,cdr_min1/1/0 (thx Michael Bazell)

17. UserIDs & Google He! Oh My

18. Men & Their Money – in one forum ☺ Posts

    have M/D/Y & time stamps! ❧ Age ❧ DOB Month & Year (based on DTG stamps) ❧ Single/Dating ❧ Self Employed • Petroleum Landman ❧ Lives in Texas EMPLOYER & GOODIES
19. None

20. DOB = JUL (eom) 19XX AGE = 28 (can u

    math?)

21. LinkedIn Searching ❧ Geographic Location ❧ Job Title ❧ Company

    ❧ Any Key Words ❧ Phone Numbers ❧ Email Address ❧ Alumni ❧ General Search -> Advanced Search

22. ❧ SEARCH BIG ❧ Petroleum Landman ❧ Self employed (keyword

    Independent) ❧ RESULT NARROWING: ❧ X within Y mi of Houston, TX Linked In

23. ❧ Eliminated anyone obviously older than 28 ❧ Eliminated females

    ❧ Eliminated lawyers and business owners (as stated in 20XX posts he was planning on opening a business but was not self employed) ❧ Eliminated anyone “employed by” ❧ Narrowed to “assoicated with” ❧ Narrowed by college data ❧ The 1 post w/ User ID identified his alumni ❧ He’s 28-10yrs, means in college ~200X/Y Linked In – Narrow it Down

24. Official Data Sources ❧ County & Court Records ❧ www.blackbookonline.info/USA-States.aspx

    ❧ publicrecords.onlinesearches.com ❧ publicrecords.searchsystem.net ❧ Others based on ‘official data’ ❧ ssnvalidator.com ❧ birthdatabase.com ❧ legacy.com

25. Name + DOB: JUL ?? 19XX Voter Registration Search =

    Name + DOB 31 tries and BINGO!

26. Online Search Source S for snoop? LinkedIn Name Age/Addy/Name Match

    • Phones! • New Addy = College • Hello FAMILY!

27. Puzzle Piece Source Forum User ID / Handle Twitter Post

    Forums UID + Google & Search Sites Age, Employment, Marital Status, Income, City, State, Sports Teams Forums Name, Current Employer Linked In DOB, Address Voter Registration Records Phone, Family, Former Address Online Search Source ! Haven’t Even Touched Facebook! Put It Together

28. ❧ SEARCH: Name & In Houston ❧ Data Overlap: ❧

    Photos ❧ Family Members ❧ Liked Sites ❧ Travel Dates / Activities ❧ ETC Facebook Comes Last!

29. Facebook A = http://www.facebook.com/search Know their name and want to

    know if they work(ed) somewhere? B = /str/$Name/users-named C = /str/$Company/pages-named/employees/$PastPresent Graph Search URL = A + B + C + “/intersect” Only know what they do and what city they work(ed) in? D = /str/$City/pages-named/residents/$PastPresent E = /str/$Profession/pages-named/employees/$PastPresent Graph Search URL = A + D + E + “/intersect”

30. From User ID to Full Profile

31. Now What? Is this Data? - YES Is this Intel?

    - YES Is this Threat Intel? - MAYBE Is this Actionable Intel? - PROBABLY NOT Will this cause a change in behavior (to reduce risk)?

32. The Bigger Picture Move from Intel to Threat Intel -

    Integrate & Analyze ❧ Intersections with other profiles or data points? ❧ What role does he play? ❧ What kind of threat does he pose, if any? ❧ Monitor the actor, continue to buildout the profile Develop Actionable Intel through continuous intel integration and analysis.
33. None

34. Actionable OSINT: Not So Easy UserID Hobbies Official Data Social

    Media Photos Job/Family Data Intelligence Threat Intelligence Actionable Intelligence
35. None

36. ❧ Have your Threat Model and Framework defined ❧ Clearly

    define OSINT objectives and requirements ❧ Capture it the FIRST visit ❧ You can teach technique you can’t teach instinct ❧ Encourage exploration ❧ Pull one thread at a time - keep pulling ❧ If it won’t change behavior, it isn’t ACTIONABLE OSINT / INTEL Summary / Questions UserID Hobbies Official Data Social Media Job Family Photos Data Intelligence Threat Intelligence Actionable Intelligence