ZOMG OSINT Heaven - What?! No Magic Button?!?!

Tazz
October 12, 2015


This talk expands significantly on the BSLV presentation (also posted to speakerdeck) and focuses on OSINT techniques, walking through taking bytes from data to threat intel. It discusses what OSINT is NOT, what OSINT is, and walks through a case study showing various brute force (manual) OSINT techniques. This talk also discusses business decisions, requirements, data gathering techniques and the progression from data to actionable intelligence. Both managers and analysts should attend the talk on 24 Oct 2015 at ToorCon San Diego.





  1. ZOMG It’s OSINT Heaven WHAT?! No Magic Button ?!?!

  2. Overview

    ❧ Intro ❧ Acknowledgements ❧ Before OSINT ❧ OSINT ❧ What OSINT is Not ❧ What OSINT is ❧ The Multiplier - OSINTernet ❧ Case Study (w/ OSINT Techniques) ❧ Summary/Questions
  3. Intro

    ❧ Tazz ❧ Not representing any employer ❧ Love, Fight & Play Hard ❧ Not politically correct ❧ Twitter: @GRC_Ninja ❧ Blog: https://www.osint.fail
  4. Acknowledgements

    Thank you for your support, encouragement and contributions to the OSINT/Threat Intel Community @achillean (John Matherly) @spridel11 (Justin Brown) @iiamit (Ian Amit) @alexhutton (Alex Hutton) @IntelTechniques (Michael Bazzell) https://inteltechniques.com/intel/links.html
  5. This Talk

    ❧ Why: ❧ Because someone said “we don’t need threat intel here.” and took it off the org chart ❧ Because your employees are always doing something stupid on the Internet ❧ Because somebody is targeting you ❧ What: ❧ Brute Force OSINT - no automation ❧ Intel Analysts ❧ Technique =! Instinct
  6. A Life: it’s really this easy…

    UserID, Hobbies, Official Data, Social Media, Photos, Job/Family
  7. OPSEC FAIL = OSINT HEAVEN Open Source Intelligence

  8. Before you OSINT know...

    We’re Hunters: You (MGMT) must tell us what to go kill ❧ Threat Model $Type-Centric ❧ Software, Asset-Risk, Attacker ❧ Threat Modeling =! Risk Analysis ❧ Control Mapping ❧ What do you want to collect/know ❧ How/Where are you going to collect it ❧ Define intel data characteristics/parameters ❧ currentness / staleness ❧ uniqueness / progressiveness ❧ reliability - Have you even defined a scoring methodology?
  9. OSINT is NOT…

    ❧ …Doxing or Stalking someone ❧ …Open Source INTernet (that’s just noise) ❧ …Finding the Boogeyman on the Dark Web ❧ …Conducted with a Magic Button ❧ …Something that requires expensive tools ❧ …Something only the Gov’t does ❧ …Something done in 45min - this isn’t Mr. Robot
  10. OSINT is …

    ❧ Open Source = “free” open data, not JUST websites ❧ INTelligence = contextualized & actionable ❧ Finding THE demons keeping C-levels awake at night ❧ Both pre-emptive & reactive ❧ Can be part of counter-intelligence ❧ Something that benefits from investment in tools ❧ Something your enemy is already doing ❧ Something that requires “room to explore” ❧ Methodical on paper and abstract in execution
  11. WARNINGS & DISCLAIMERS

    ❧ Don’t break the law ❧ If you are breaking the law STFU about what you do – nobody is going to jail for you ❧ Be Safe – Don’t be a Hero ❧ Capture it the FIRST visit ❧ READ THE FINE PRINT ❧ Immediately involve legal department and/or authorities if you’ve found something criminal
  12. The Multiplier – “OSINTernet”

  13. The Multiplier – “OSINTernet”

  14. Case Study

    From UserID & 1 post - to Full Profile
  15. Username Online Tools

    ❧ NameChk.com ❧ 159 popular social media sites (at this time) ❧ *Export list in spreadsheet w/ URLs (*unavailable) ❧ KnowEm.com ❧ 25 most popular sites first ❧ 500+ social brand sites can be checked ❧ Blogging, Bookmarking, Business ❧ Community, Design, Entertainment ❧ Health, Information, Microblogging ❧ Music, News, Photo, Tech, Travel, Video ❧ CheckUsernames.com ❧ 160 popular sites ❧ *Links are right on the page ❧ is powered by KnowEm.com
  16. Google & Usernames

    1. “username”
    2. site:socialmedia.com “username”
    3. url:“username”
    4. use the ‘Verbatim’ search instead of ‘Standard’
    5. common files with usernames
       a. ext:txt OR ext:rtf “username”
       b. ext:xls OR ext:xlsx OR ext:csv “username”
    6. to get the date the content was indexed append: &tbs=cdr:1,cd_min:1/1/0 (thx Michael Bazzell)
  17. UserIDs & Google He! Oh My

  18. EMPLOYER & GOODIES

    Men & Their Money – in one forum ☺ Posts have M/D/Y & time stamps! ❧ Age ❧ DOB Month & Year (based on DTG stamps) ❧ Single/Dating ❧ Self Employed • Petroleum Landman ❧ Lives in Texas
  19. None
  20. DOB = JUL (eom) 19XX AGE = 28 (can u

  21. LinkedIn Searching

    ❧ Geographic Location ❧ Job Title ❧ Company ❧ Any Key Words ❧ Phone Numbers ❧ Email Address ❧ Alumni ❧ General Search -> Advanced Search
  22. Linked In

    ❧ SEARCH BIG ❧ Petroleum Landman ❧ Self employed (keyword Independent) ❧ RESULT NARROWING: ❧ X within Y mi of Houston, TX
  23. Linked In – Narrow it Down

    ❧ Eliminated anyone obviously older than 28 ❧ Eliminated females ❧ Eliminated lawyers and business owners (as stated in 20XX posts he was planning on opening a business but was not self employed) ❧ Eliminated anyone “employed by” ❧ Narrowed to “associated with” ❧ Narrowed by college data ❧ The 1 post w/ User ID identified his alumni ❧ He’s 28-10yrs, means in college ~200X/Y
  24. Official Data Sources

    ❧ County & Court Records ❧ www.blackbookonline.info/USA-States.aspx ❧ publicrecords.onlinesearches.com ❧ publicrecords.searchsystem.net ❧ Others based on ‘official data’ ❧ ssnvalidator.com ❧ birthdatabase.com ❧ legacy.com
  25. Name + DOB: JUL ?? 19XX Voter Registration Search =

    Name + DOB 31 tries and BINGO!
  26. Online Search Source S for snoop? LinkedIn Name Age/Addy/Name Match

    • Phones! • New Addy = College • Hello FAMILY!
  27. Put It Together

    Puzzle Piece | Source
    Forum User ID / Handle | Twitter Post
    Forums | UID + Google & Search Sites
    Age, Employment, Marital Status, Income, City, State, Sports Teams | Forums
    Name, Current Employer | Linked In
    DOB, Address | Voter Registration Records
    Phone, Family, Former Address | Online Search Source

    ! Haven’t Even Touched Facebook!
  28. Facebook Comes Last!

    ❧ SEARCH: Name & In Houston ❧ Data Overlap: ❧ Photos ❧ Family Members ❧ Liked Sites ❧ Travel Dates / Activities ❧ ETC
  29. Facebook

    A = http://www.facebook.com/search

    Know their name and want to know if they work(ed) somewhere?
    B = /str/$Name/users-named
    C = /str/$Company/pages-named/employees/$PastPresent
    Graph Search URL = A + B + C + “/intersect”

    Only know what they do and what city they work(ed) in?
    D = /str/$City/pages-named/residents/$PastPresent
    E = /str/$Profession/pages-named/employees/$PastPresent
    Graph Search URL = A + D + E + “/intersect”
  30. From User ID to Full Profile

  31. Now What?

    Is this Data? - YES
    Is this Intel? - YES
    Is this Threat Intel? - MAYBE
    Is this Actionable Intel? - PROBABLY NOT
    Will this cause a change in behavior (to reduce risk)?
  32. The Bigger Picture

    Move from Intel to Threat Intel - Integrate & Analyze ❧ Intersections with other profiles or data points? ❧ What role does he play? ❧ What kind of threat does he pose, if any? ❧ Monitor the actor, continue to build out the profile. Develop Actionable Intel through continuous intel integration and analysis.
  33. None
  34. Actionable OSINT: Not So Easy

    UserID, Hobbies, Official Data, Social Media, Photos, Job/Family

    Data, Intelligence, Threat Intelligence, Actionable Intelligence
  35. None
  36. Summary / Questions

    ❧ Have your Threat Model and Framework defined ❧ Clearly define OSINT objectives and requirements ❧ Capture it the FIRST visit ❧ You can teach technique, you can’t teach instinct ❧ Encourage exploration ❧ Pull one thread at a time - keep pulling ❧ If it won’t change behavior, it isn’t ACTIONABLE OSINT / INTEL

    UserID, Hobbies, Official Data, Social Media, Job, Family, Photos

    Data, Intelligence, Threat Intelligence, Actionable Intelligence