Through robust research and commercial engagements covering a ten-year period, it may be attested that Open Source Intelligence (OSINT) is not only a major source of exposure and a potential exploitation point for cyber attackers, but can be the very key to exploitation in the majority of successful cyber attacks against both random and selected targets. One piece of work produced on this journey to prove the exposures was documented back on 12/09/11 under the title 'Understanding the correlation between data leakage and the security mission', and outlined some of the areas of potential exploitation available to attackers. However, to this day in 2019, many organisations not only suffer data leakage through OSINT portals they do not know about, but, more worryingly, in most cases the insecurity is misunderstood, and in many cases this potential hole in the wall of security is simply ignored!
It is also worth introducing at this juncture the results of a mini-survey conducted recently at an eCrime event, where 80 delegates were asked to confirm whether their organisations considered OSINT a threat and took steps to mitigate or reduce the impact of any manifestation of leakage. Only 5% confirmed it had been considered as a potential exposure, and even they had taken no real action to address the exposure in real terms, seemingly indicating a breakdown in understanding of the actual risk these insecurities pose to the business!
What is the Threat?
OSINT seeks to leverage whatever titbits and data leakage may be occurring, both through direct means and through indirect representations in which interesting data objects are unintentionally exposed, say embedded as metadata within documents that have been intentionally released into the public domain. One of the first observations here must be that, no matter the deployment of firewalls, IDS/IPS, or those systems considered to be silver bullets such as HSMs, they offer no real protection against this threat: the data has already left the building by a sanctioned route.
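To make the metadata point concrete, the following is an added example (not code from the original article or its author) that pulls the leak-prone fields out of an Office Open XML document, which is simply a zip file whose docProps/core.xml and docProps/app.xml parts carry author, last-modified-by, company and template fields. The sample .docx it builds is constructed here; the user names, the Example Holdings plc company, the fs01.corp.example.internal file server and the mailbox are all invented, as is every other value in it. It goes slightly beyond the paragraph by also scanning every XML part for UNC paths and e-mail addresses, because template paths and hyperlink relationships leak internal hostnames and naming conventions even when the visible property fields have been cleared.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the two property parts present in every .docx/.xlsx/.pptx
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = ("dc:title", "dc:creator", "cp:lastModifiedBy", "cp:revision",
               "dcterms:created", "dcterms:modified")
APP_FIELDS = ("ep:Application", "ep:AppVersion", "ep:Company", "ep:Template", "ep:TotalTime")

UNC_RE = re.compile(r'\\\\[\w.-]+\\[^\s<"]+')        # \\server\share\path
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _field(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def extract_ooxml_metadata(blob):
    """Return the identity/infrastructure fields an OSINT collector would harvest from one file."""
    props, unc_paths, emails = {}, set(), set()
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            if part in names:
                root = ET.fromstring(z.read(part))
                for f in fields:
                    value = _field(root, f)
                    if value:
                        props[f] = value
        # Paths and addresses also hide in relationships, templates, comments and hyperlinks
        for name in names:
            if name.endswith((".xml", ".rels")):
                text = z.read(name).decode("utf-8", "replace")
                unc_paths.update(UNC_RE.findall(text))
                emails.update(EMAIL_RE.findall(text))
    return {"properties": props, "unc_paths": sorted(unc_paths), "emails": sorted(emails)}


def build_sample_docx():
    """Constructed stand-in for a brochure 'cleared for release'; every value below is invented."""
    core = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Customer Brochure</dc:title>
 <dc:creator>jsmith</dc:creator>
 <cp:lastModifiedBy>CORP\jsmith</cp:lastModifiedBy>
 <cp:revision>14</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">2019-05-01T09:00:00Z</dcterms:created>
</cp:coreProperties>"""
    app = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Office Word</Application>
 <AppVersion>16.0000</AppVersion>
 <Company>Example Holdings plc</Company>
 <Template>\\fs01.corp.example.internal\templates\brochure.dotx</Template>
 <TotalTime>812</TotalTime>
</Properties>"""
    rels = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
  Target="mailto:marketing-drafts@corp.example.internal" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/document.xml", "<w:document/>")   # body text omitted for brevity
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in extract_ooxml_metadata(build_sample_docx()).items():
        print(key, value)
```

From that one file an attacker learns the Windows domain short name and the account naming convention (CORP\jsmith), an internal file-server hostname and its DNS suffix, the company name as registered in Office, the product version in use, and a non-public mailbox; none of it passes through the perimeter controls the paragraph lists, because the document itself was released on purpose. The same routine can be pointed at every Office file a search engine returns for a target domain.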
Like any military operation where intelligence is sought prior to a mission against a target, cyber criminals and adversaries follow the same model, seeking out intelligence on a target before launching their attack, and so maximising the potential for successful exploitation by identifying areas of interest: hidden assets, information, or gateways into the intended target via some third-party link or association. And if they get really lucky, maybe an open zone transfer which allows the identification of supposedly hidden assets. Trust me here, I have located these and noticed they are wide open to easy exploitation, which on one occasion got me into some deep hot water in 2008 when a third party had not secured their US Government partner's assets. To make it clear however, I never compromised the find as reported; I made the third party concerned aware of my discovery so they could secure the exposure before some other actor with more aggressive intentions located it.
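The zone transfer mentioned above is worth seeing on the wire. The following is an added example, not code from the article or its author, that builds a raw AXFR query, speaks the TCP framing a transfer uses, and decodes the answer, so the reader can see exactly what a misconfigured name server hands to anyone who asks. The zone example.com, the nameserver names, the vpn/backup/oldmail hosts and their 10.1.0.x addresses are all invented for the constructed replies; `check_zone_transfer` is the only function that touches the network, and given the author's 2008 story it bears saying plainly that it should only be pointed at zones you are authorised to test.

```python
import socket
import struct

TYPE_A, TYPE_SOA, TYPE_AXFR, CLASS_IN = 1, 6, 252, 1

def encode_name(name):
    """Dotted hostname -> DNS wire-format labels."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split("."))
    return out + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Header with one question, then a QTYPE=AXFR question for `zone`."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)

def read_name(msg, offset, hops=0):
    """Decode a (possibly compressed) owner name; returns (name, offset just past it)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if hops > 16:                         # a hostile server can make pointers loop
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(read_name(msg, pointer, hops + 1)[0])
            return ".".join(lab for lab in labels if lab), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg):
    """One DNS message -> (rcode, [(owner, type, rdata as text)])."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                      # skip the echoed question section
        offset = read_name(msg, offset)[1] + 4
    records = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_SOA:                   # the primary master name opens SOA RDATA
            value = "SOA " + read_name(msg, offset)[0]
        else:
            value = rdata.hex()
        offset += rdlen
        records.append((owner, rtype, value))
    return flags & 0x000F, records

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf

def check_zone_transfer(zone, nameserver, port=53, timeout=5.0):
    """Request a full copy of `zone` over TCP (2-byte length framing, RFC 5936).
    rcode 0 with records means the zone is open; 5 (REFUSED) or 9 (NOTAUTH) is the
    answer a correctly configured server gives to a stranger."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((nameserver, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:                       # a transfer is bracketed by two SOA RRs
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            rcode, recs = parse_response(_recv_exact(s, length))
            if rcode != 0:
                return rcode, records
            records.extend(recs)
            soa_seen += sum(1 for r in recs if r[1] == TYPE_SOA)
    return 0, records

def constructed_open_transfer(query):
    """Constructed reply from a misconfigured server: the whole (invented) zone in one message."""
    txid = struct.unpack("!H", query[:2])[0]
    apex = b"\xc0\x0c"                            # pointer to the zone name at offset 12

    def rr(owner, rtype, rdata):
        return owner + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata

    soa = rr(apex, TYPE_SOA, encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
             + struct.pack("!IIIII", 2019052301, 7200, 900, 1209600, 3600))
    answers = (soa + rr(b"\x03vpn" + apex, TYPE_A, bytes([10, 1, 0, 5]))
               + rr(b"\x06backup" + apex, TYPE_A, bytes([10, 1, 0, 9]))
               + rr(b"\x07oldmail" + apex, TYPE_A, bytes([10, 1, 0, 25])) + soa)
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 5, 0, 0) + query[12:] + answers

def constructed_refused(query):
    """Constructed reply from a locked-down server: rcode 5 (REFUSED), no records."""
    return struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8405, 1, 0, 0, 0) + query[12:]
```

Run against the constructed open reply, `parse_response` returns every hostname in the zone, including the vpn, backup and oldmail entries that never appear on a website or in a search engine, together with their RFC 1918 addresses, which is precisely the map of "supposedly hidden assets" the paragraph describes. The fix on the server side is to restrict transfers (BIND's `allow-transfer`, or the equivalent on other servers) to the secondaries that need them.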
Exposed Builds and Upgrades
Whilst conducting internal examinations of organisational assets, it soon becomes clear that the standard build on most corporate assets can be flawed by installed features which offer a high potential for exploitation, both by insiders and by any external attacker who manages to circumvent the security perimeter. In these cases there are two common areas of additional features, found in around 90% of desktop builds, one of which is a key target for any attacker who has penetrated the supposedly protected environment and wants to leap across to co-located assets.
There are also potential leakages associated with a simple upgrade to Microsoft Office, which in one high-profile case allowed internal personnel to export sensitive data to a selected internet-connected private/personal device under the very nose of an expensive Data Leakage Prevention deployment.
The real point about such misconfigurations was (and is) also proven by a research project in Helsinki on AETs (Advanced Evasion Techniques), where it was demonstrated that by manipulating the IP stack it was possible to circumvent the protection of up-to-date perimeter firewall and IDS/IPS devices and gain access to a LAN-based asset in the form of a server, laptop or desktop. From that point in the attack it was possible to obtain a shell with a piece of well-known malware and fire up a resident tool to infiltrate the protected environment further. And just in case you are wondering about the anti-malware protection employed on some of these selected server targets: in some cases, on the internal areas of the network, they were found not to have been provisioned with any protection (since, by inference, they are not exposed to the Internet), thus old but useful malware agents such as Conficker can still do their business to this day, even in large UK-based PLCs!
BYOD – [Breach-Your-Own-Deployment]
When it comes to BYOD, whether by intention or by employee-driven assault, this is an area in which the attacker can gain considerable leverage to exploit what are, after all, over-the-air potentials for data leakage. In one well-known example of a London-based insurance broker, whilst they had deployed an authorised guest WiFi environment, it was not supported by any policies or AUP, and all their employees had access to its valuable features. To make matters worse, once any guest had been provisioned with access, that access persisted indefinitely, because the WiFi/AP login credential never changed, so simple proximity to the AP was enough to reach the guest environment! As if that were not enough, the majority of the employees who had gained access to the AP also connected their personal devices to corporate assets, which in turn allowed them unfettered access to download any information object from the supposedly protected environment to their own systems. And don't forget, here we also have the real potential for cross-network contamination from the Red to the Black side of the network: all in all an environment hosting very high potential for exploitation. Just find an insecure personal device or asset, possibly with an open port 445, and, to coin a phrase, 'you are in'. But the most significant worry of all was that the company in question was carrying out security assessments for larger partners. I can only hope that the information acquired on other surveyed clients was held in a secure repository, or we may be looking at a house-of-cards scenario, which is not a good prospect for any of the associated parties.
When we also consider promiscuous environments such as WiFi, please always remember that there are multiple techniques which can be leveraged against both on-campus connected and walk-about devices, which can easily select targets and gather passwords and logon credentials by injecting scripts. Again, I can attest to this, as in demonstration mode we have achieved compromise of corporate assets, leading to the retrieval of sensitive information stored locally on the device, with tools like the WiFi Pineapple!
It is with external partners in the form of Cloud and third-party associates that we really need to put on our thinking caps. These are the areas that offer some real potential for compromise by association. In fact, at a recent meeting I was asked to qualify my understanding of third-party association and the potential threat (I was pressed very hard by a company executive on this), which is why I was so very surprised to later discover that his own environment was associated with 4 malicious actors and 1 blacklisted URL!
The upshot here is that, just because the top-level organisation is secure, never forget that those other co-located third-party associations may bring insecurity to the corporate door, unless steps have been taken to qualify the level of security (or insecurity) by association that any such third party brings to the table. If such assurances are not obtained, then one may only anticipate that the worst may occur.
We have seen much in the press relating to cyber attacks, compromises and incursions, and it is now time to take this more seriously: past times have proven that governance and tick-box security standards are simply not working. It is thus time, in my humble opinion, for us all to take steps to ensure our 'cyber security skills are lowered' to respond to the threat! Gasp, yes, that is right, I said 'lowered', which means we move away from the high-level view driven out of standards like PCI DSS, and from the veneer of the old tag line 'we follow the spirit of ISO/IEC 27001', and get back to basics: lower and tune our skills to the level where we understand real nuts-and-bolts security, the associated threats, and the security attributes we may harness to combat potential incursions before they happen.
I am also equally of the opinion that, whilst the age of Minority Report is not yet with us, by self-leverage of offensive OSINT organisations will be placed in a position in which they gain the hacker's view of their own potential points of exposure, in such a way that they may address them and remove those exposures before some other nasty individual locates and exploits their discoveries to criminal advantage.