Reconnaissance is where most cyber attacks start. Open-source intelligence (OSINT) is a powerful, free, and common way for cybercriminals to conduct reconnaissance.
In a 2021 interview with the YouTube channel Russian OSINT, a member of the ransomware group LockBit 2.0 alluded to using OSINT tools and techniques throughout their attacks. We also know that the now-defunct Conti group invested heavily in OSINT for intelligence gathering.
Although OSINT is a fundamental tool in all forms of cyber attacks, it is particularly important in social engineering. Speaking to DarkReading, TrendMicro’s vice president of threat intelligence Jon Clay said:
“The actors investigate their victims using open source intelligence to obtain lots of information about their victim [and] craft very realistic phishing emails to get them to click a URL, open an attachment, or simply do what the email tells them to do, like in the case of business e-mail compromise (BEC) attacks.”
Many security teams already use OSINT tools to do penetration testing against their own systems to identify potential gaps and vulnerabilities a real-world hacker might be able to exploit. This helps them reduce their attack surface.
However, few cybersecurity professionals audit employee personal data available on the open web as part of measuring or mitigating social engineering risk. According to Verizon’s 2022 Data Breach Investigations Report, 82% of breaches recorded in 2021 involved some form of social engineering, with phishing via email accounting for more than 60% of breaches.
There are numerous guides on using OSINT tools to gather intelligence and create convincing social engineering campaigns. Most specifically mention free data brokers and people search sites.
By reducing the amount of publicly available information about employees on people search sites, security teams can cut off important OSINT pathways and reduce their organization’s visibility to cyber criminals.
Open-source intelligence, or OSINT for short, is the act of passively gathering intelligence from publicly available sources and tools.
These might include public records, data brokers, search engines, forums, blogs, social networks, WHOIS records, and the dark web.
A popular directory for locating free OSINT techniques and data sources of this kind is the OSINT Framework.
As noted in a KnowBe4 webinar, “A Look Behind The Curtain: Open Source Intelligence (OSINT) Hacking Data Sources That Bad Guys Use,” finding exploitable sensitive information via OSINT is a trial and error process.
While some public sources offer up-to-date intel, others host data that is outdated or simply wrong. As a result, attackers try to connect data points across sources to separate what is likely true from misinformation.
For example, if you wanted to verify the information on a people search site, you might see if an address they list for an individual is correct by comparing it to an address that appears on a property record database.
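The same cross-checking idea works in the defender's favour: a security team holds the ground truth (its own HR directory) that an outsider lacks, so it can tell which exposed records on people search sites are accurate, and therefore the most useful for a pretext, and which are stale. The following is an added example, not code from the original article or from DeleteMe, showing such an audit. The HR records, broker names ("broker-1", "broker-2"), employee identifiers and field weights are all constructed placeholders, and the scoring scheme is an assumption chosen for illustration.

```python
"""Added example (not from the original article): a defender-side audit
that compares what people-search sites expose about employees with the
organization's own HR directory, marks each exposed field as accurate or
stale, and ranks employees for removal requests.

Every record below is constructed for illustration; broker names and
employee identifiers are placeholders, not real findings.
"""
from dataclasses import dataclass, field

# Constructed HR ground truth: the defender has this, an outsider does not.
HR_DIRECTORY = {
    "a.example": {"role": "CFO", "city": "Austin", "phone": "512-555-0100",
                  "personal_email": "a.example@mail.example"},
    "b.example": {"role": "Engineer", "city": "Denver", "phone": "303-555-0150",
                  "personal_email": "b.example@mail.example"},
}

# Constructed findings, as a team might record them after reviewing
# people-search listings. Some fields are accurate, some stale or wrong.
BROKER_FINDINGS = [
    {"employee": "a.example", "broker": "broker-1", "city": "Austin",
     "phone": "512-555-0100", "personal_email": None, "relatives": ["spouse"]},
    {"employee": "a.example", "broker": "broker-2", "city": "Houston",
     "phone": "512-555-0199", "personal_email": "a.example@mail.example",
     "relatives": []},
    {"employee": "b.example", "broker": "broker-1", "city": "Boulder",
     "phone": "303-555-0150", "personal_email": None, "relatives": []},
]

# Assumed weights: how much an accurate field helps a pretexting attempt.
FIELD_WEIGHTS = {"phone": 3, "personal_email": 3, "city": 1, "relatives": 2}
# Assumed set of roles whose exposure is treated as twice as risky.
HIGH_VALUE_ROLES = {"CEO", "CFO", "CTO", "Executive Assistant"}


@dataclass
class Exposure:
    employee: str
    role: str
    accurate: set = field(default_factory=set)   # fields confirmed correct
    stale: set = field(default_factory=set)      # fields that no longer match
    brokers_with_accurate_data: set = field(default_factory=set)
    score: int = 0


def assess_exposure(hr=HR_DIRECTORY, findings=BROKER_FINDINGS):
    """Return {employee: Exposure} built from broker findings vs. HR truth."""
    results = {}
    for finding in findings:
        name = finding["employee"]
        truth = hr[name]
        exp = results.setdefault(name, Exposure(name, truth["role"]))
        for fld in ("phone", "personal_email", "city"):
            observed = finding.get(fld)
            if observed is None:
                continue                      # broker does not list this field
            if observed == truth[fld]:
                exp.accurate.add(fld)         # correct data is the real risk
                exp.brokers_with_accurate_data.add(finding["broker"])
            else:
                exp.stale.add(fld)            # wrong data is noise to attackers
        # Relatives have no HR ground truth; any listing counts as exposure.
        if finding.get("relatives"):
            exp.accurate.add("relatives")
            exp.brokers_with_accurate_data.add(finding["broker"])
    for exp in results.values():
        base = sum(FIELD_WEIGHTS[fld] for fld in exp.accurate)
        exp.score = base * (2 if exp.role in HIGH_VALUE_ROLES else 1)
    return results


def removal_queue(results):
    """Employees ordered by exposure score, highest first."""
    return sorted(((e.employee, e.score) for e in results.values()),
                  key=lambda pair: -pair[1])


if __name__ == "__main__":
    audit = assess_exposure()
    for employee, score in removal_queue(audit):
        exp = audit[employee]
        print(f"{employee} ({exp.role}): score {score}, accurate={sorted(exp.accurate)}, "
              f"stale={sorted(exp.stale)}, request removal from "
              f"{sorted(exp.brokers_with_accurate_data)}")
```

Only fields that match the directory raise the score, because those are the ones that make a phishing or BEC pretext convincing; stale listings are recorded separately so the team can see which brokers are merely noisy. The output is a removal queue: the employees and the specific broker sites to start with.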
Any social engineering attack, whether it’s phishing or pretexting, starts with the attacker finding out information about the target organization.
Questions like:
Knowing the answers to these questions gives cybercriminals a fairly good idea of who has access to what systems, what context would make sense to a target, and whom the email/text message should come from.
For example, according to the OSINT Curious Project, organizations that are more conservative and have stronger hierarchies might be easier to phish using an authoritarian pretext because they tend to have a “do and don’t ask” culture.
Attackers frequently use LinkedIn and an organization’s website to discover this kind of information. Other useful resources include Corporate Governance Reports (for company structure), employee review websites like Glassdoor and Indeed (company culture), partner company/service providers’ case studies (to identify whom to impersonate), and people search sites (to find out a target’s interests and other relevant data that would make the social engineering campaign appear more believable).
Once threat actors know whom they want to go after, they will try to figure out their targets’ contact details, i.e., their email addresses and phone numbers. After all, if an attacker can’t reach their target, they can’t attack them.
There are many ways for cybercriminals to find out someone’s email address or phone number. Using people search sites/data brokers is one of them. Data brokers like Spokeo have both personal and professional phone numbers and emails. They pull the latter from business directories.
Unsurprisingly, ransomware groups like Conti have been proven to use data broker sites like ZoomInfo and SignalHire to gather information on targets, including contact information and contacts to “name drop” within phishing campaigns to make them look more legitimate.
Data brokers are a particularly valuable OSINT tool because:
What would you discover if you were to use open-source intelligence tools and techniques to look for human targets within your organization? An employee’s phone number? That your colleague is into gourmet coffee? The name of the CEO’s spouse and children?
Whatever information you find, threat actors can also see it. With attacks becoming more personalized, companies must remove as much public data about their employees as possible.
DeleteMe is built for organizations that want to decrease their risk from vulnerabilities ranging from executive threats to cybersecurity risks.
© 2023 Abine, Inc. All rights reserved.