Open Source Intelligence (OSINT) is any information in the public domain that an attacker can dig up about you. Because of that it forms the basis of every Red Team engagement: threat actor scenarios are built from publicly available information.
Bearing that in mind, it makes sense to review your organisation in the same light, through OpSec (Operations Security). The term is widely used in cyber security, but has its roots firmly in the military, where it is used to identify information that may be beneficial to an adversary.
OpSec is:
…a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence.
In a cyber security context, understanding and being aware of your OpSec is all about defending your company from attack. This led to phrases such as “that’s bad OpSec” and “knowing your OpSec”. But what do they actually mean, and what can you do about it?
‘Bad OpSec’ is the term commonly used when someone accidentally (or carelessly) reveals something about themselves or their company without realising the security implications. Obvious examples include an employee pushing production code with passwords in it to a GitHub repository, or posting a photo of an ID card that could be copied for a social engineering attack. Either could give attackers trivial access to internal resources.
Naturally we want to avoid ‘bad OpSec’, though this is much easier said than done. We perform assessments on behalf of clients to review their OpSec, and it is common to find things you simply would not want on the public internet, e.g. detailed photos of staff ID badges, sensitive or classified documents, and countless other issues.
So to avoid bad OpSec, you first need to know your OpSec.
Where do you start when it comes to knowing your OpSec? Remember that in this context it is about understanding what an adversary would be able to obtain about you and your company. How would they do that? OSINT.
So what does that look like? OSINT is often described as a way of life, because it takes time and skill to perform well. However, there are countless tools and techniques available to attackers that accelerate the process of gathering information on you and your company.
Knowing your OpSec really comes from thinking about what an attacker would find interesting. What would an attacker need to know to attack you? The most obvious examples include:
Some key tools I would suggest getting familiar with are:
Your WHOIS records are often revealing. They can give away other domains you use; maybe you have a separate domain for staff access tools, the old “security through obscurity” mindset. Domains registered with the same registrant details may hold other secrets, which in turn gives an attacker more subdomains and IPs to look at! Bear in mind that most registrars now redact registrant contact details, so historical WHOIS data and weaker pivots such as shared name servers are often more useful than a current lookup.
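To show what that pivot looks like in practice, here is an added example (not Pen Test Partners' code) that parses WHOIS output in the usual key/value layout and links domains that share a registrant organisation, registrant email or name server. The four records, the domain names and the registrant details are constructed samples; real input would come from `whois <domain>` or an RDAP client, and as noted above the registrant fields are frequently redacted, which the script treats as "no pivot" rather than a match.

```python
"""Pivot across WHOIS records on shared registrant details.

Added example, not Pen Test Partners' code. SAMPLE_WHOIS holds constructed
records (not real domains or registrants). Redacted registrant fields are
ignored so that "REDACTED FOR PRIVACY" never links two unrelated domains.
"""
import re
from collections import defaultdict

# Constructed sample WHOIS output for four domains (not real records).
SAMPLE_WHOIS = {
    "example.com": """\
Domain Name: EXAMPLE.COM
Registrant Organization: Example Widgets Ltd
Registrant Email: domains@example.com
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
""",
    "example-staff-portal.net": """\
Domain Name: EXAMPLE-STAFF-PORTAL.NET
Registrant Organization: Example Widgets Ltd
Registrant Email: domains@example.com
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
""",
    "unrelated.org": """\
Domain Name: UNRELATED.ORG
Registrant Organization: Some Other Company
Registrant Email: hostmaster@unrelated.org
Name Server: NS1.OTHERDNS.COM
""",
    "redacted-example.co.uk": """\
Domain Name: REDACTED-EXAMPLE.CO.UK
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
""",
}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")
REDACTED_MARKERS = ("redacted", "privacy", "withheld")


def parse_whois(text):
    """Return {field: [values]} from key: value WHOIS text, all lower-cased."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()].append(m.group(2).lower())
    return fields


def is_redacted(value):
    return any(marker in value for marker in REDACTED_MARKERS)


def pivot_keys(fields):
    """Yield (pivot_type, value) pairs that can link domains: registrant
    org/email when not redacted, plus every name server."""
    for key in ("registrant organization", "registrant email"):
        for value in fields.get(key, []):
            if not is_redacted(value):
                yield (key, value)
    for ns in fields.get("name server", []):
        yield ("name server", ns)


def link_domains(records):
    """Map each pivot to the domains sharing it; keep pivots seen on 2+ domains."""
    index = defaultdict(set)
    for domain, text in records.items():
        for pivot in pivot_keys(parse_whois(text)):
            index[pivot].add(domain)
    return {pivot: doms for pivot, doms in index.items() if len(doms) > 1}


def related_to(domain, records):
    """Domains linked to `domain` by at least one shared pivot, with reasons."""
    related = defaultdict(set)
    for (ptype, value), doms in link_domains(records).items():
        if domain in doms:
            for other in doms - {domain}:
                related[other].add(f"{ptype}={value}")
    return dict(related)


if __name__ == "__main__":
    for other, reasons in sorted(related_to("example.com", SAMPLE_WHOIS).items()):
        print(other, "<-", ", ".join(sorted(reasons)))
```

The name-server link to the redacted domain is deliberately weaker evidence than a shared registrant email (plenty of unrelated domains sit on the same DNS provider), so treat it as a lead to verify rather than a confirmed relationship.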
Also of interest are breached credentials; signing up to Troy Hunt’s brilliant haveibeenpwned.com domain monitoring is a must. There are plenty of other services online where you can view the breached data itself, but I won’t link to those here.
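Domain monitoring tells you which of your addresses appear in breaches; the companion question is whether a given password is in a breach corpus, which Have I Been Pwned answers through its Pwned Passwords range API without the password ever leaving your machine. Here is an added example (not Pen Test Partners' code) of that k-anonymity check: only the first five hex characters of the SHA-1 hash are sent to https://api.pwnedpasswords.com/range/<prefix>, and the client matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines. The response body below is constructed so the script runs offline; the breach count is made up.

```python
"""Check a password against a breach corpus using HIBP's k-anonymity range API.

Added example, not Pen Test Partners' code. The endpoint shape
(https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>, returning
"<remaining 35 hex>:<count>" lines) is HIBP's; the response body used here is
constructed so the example runs offline, and its count is not a real figure.
"""
import hashlib


def sha1_prefix_suffix(password):
    """Upper-case SHA-1 hex split into the 5-char prefix sent to the API and
    the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse `SUFFIX:COUNT` lines into {suffix: count}, skipping junk lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, lookup_range):
    """How many times `password` appears in the corpus (0 if absent).
    `lookup_range(prefix)` must return the raw response body for that prefix;
    for live use wrap an HTTP GET of the range URL, here it is an offline stub."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup_range(prefix)).get(suffix, 0)


# Constructed response for the range containing SHA-1("password"). A real
# response holds several hundred suffixes; the count 3861493 is made up.
PASSWORD_PREFIX, PASSWORD_SUFFIX = sha1_prefix_suffix("password")
CONSTRUCTED_RESPONSES = {
    PASSWORD_PREFIX: "\n".join([
        "0000000000000000000000000000000000A:2",
        f"{PASSWORD_SUFFIX}:3861493",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
    ]),
}


def offline_lookup(prefix):
    """Stand-in for the HTTP call; unknown prefixes return an empty body."""
    return CONSTRUCTED_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "->", breach_count(pw, offline_lookup))
```

The privacy property is in `breach_count`: the server learns a five-character prefix shared by hundreds of hashes, never the full hash or the password, so this is safe to run against live credentials during an assessment.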
One of the most useful tools in your arsenal is good old Google-fu. Knowing a few key Google dorks will really help you. Some I find useful:
This will show you content on subdomains of your domain other than www.
This will show all the PDFs your domain is hosting that Google has indexed; you can also use other file types such as doc/docx/xls/xlsx. You can even combine it with your protective marking keywords, e.g. “confidential”, using “site:domain filetype:pdf intext:confidential” (replace domain with your own).
This will show you if your company name appears on any slides on SlideShare. I have found internal staff presentations on public slide-sharing sites before. You can combine searches across several sites with (site:slideshare.net | site:trello.com | site:another).
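Running the dorks above by hand for every file type and marking keyword gets tedious, so here is an added example (not Pen Test Partners' code) that builds the full set of queries for one domain and company name, and turns each into a search URL. The marking keywords and the list of sharing sites are assumptions to replace with your own; the `-site:www.` exclusion is one way of expressing the "not www" query, and running the searches and reading the results is still manual.

```python
"""Generate the Google dork queries discussed above for one domain.

Added example, not Pen Test Partners' code. It only builds query strings and
search URLs; MARKINGS and SHARING_SITES are assumed defaults to swap for your
own protective markings and the sharing sites your staff actually use.
"""
from urllib.parse import quote_plus

FILE_TYPES = ("pdf", "doc", "docx", "xls", "xlsx")
MARKINGS = ("confidential", "internal only", "official sensitive")  # assumed
SHARING_SITES = ("slideshare.net", "trello.com")  # assumed


def term(value):
    """Quote a value containing spaces so Google treats it as one phrase."""
    return f'"{value}"' if " " in value else value


def non_www_content(domain):
    """Everything indexed under the domain except the www host."""
    return f"site:{domain} -site:www.{domain}"


def document_dorks(domain, markings=MARKINGS, file_types=FILE_TYPES):
    """One query per file type, plus one per (file type, marking) pair."""
    queries = []
    for ft in file_types:
        queries.append(f"site:{domain} filetype:{ft}")
        for mark in markings:
            queries.append(f"site:{domain} filetype:{ft} intext:{term(mark)}")
    return queries


def sharing_site_dork(company, sites=SHARING_SITES):
    """Company name on slide/board sharing sites, OR-ed together with `|`."""
    group = " | ".join(f"site:{s}" for s in sites)
    return f"({group}) {term(company)}"


def all_dorks(domain, company):
    return [non_www_content(domain)] + document_dorks(domain) + [sharing_site_dork(company)]


def search_url(query):
    """URL-encode the query so it can be pasted or opened directly."""
    return "https://www.google.com/search?q=" + quote_plus(query)


if __name__ == "__main__":
    # example.com and "Example Widgets" are placeholders, not a real target.
    for q in all_dorks("example.com", "Example Widgets"):
        print(q)
        print("   ", search_url(q))
```

Pace the searches: Google rate-limits automated queries, so a list like this is best opened by hand or fed to a tool that already handles throttling.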
There are a multitude of tools available to help you; most are simple Python scripts. I’ll talk more about these in future blogs, but these are my favourites right now:
Performing this exercise puts us in the mindset of an adversary and helps us get better at good OpSec. So what is ‘good OpSec’? That is a really complex question to answer. It’s a little like asking what a good hairstyle is: we all know what bad hair looks like, but a hairstyle is personal, and what you think is average others may think is amazing.
OpSec is very similar. The process above will, though, help you consider what others can see about you and your company, allowing you to take a more balanced, risk-based approach to what you share. It may be that you are happy to share certain pieces of information.
On the other hand, knowing what has to be shared, such as DNS records, lets you consider additional monitoring of those services. Alternatively it may help you spot a configuration error that has made a service publicly accessible when you really didn’t want it to be.
OpSec investigations can take time, so make sure you allow yourself enough time for the task. Yes, you can quickly recover the low-hanging fruit in a few hours, but more detailed searching takes time and a lot of reading!
Read more about OpSec in Red Teaming here.
If you’d like any help, do reach out, I’d happily give you some pointers: @tonygee.
The post Security Blog first appeared on Pen Test Partners.