All posts by razz-ma-tazz

How’d They Know $PrivateDetails ?

THE SCENARIO

Today a friend and colleague of mine shared that he got a really really good gmail login phish purporting to come from his home owners association president. Immediately my brain spins up because this is my friend and I asked some critical questions.

1) How did the phisher know who the HOA President was?
2) How did they get that individual’s email?
3) How did they know my friend was in that specific HOA?
4) How did they know my friend’s personal email?

Of course the list of questions can go on and on, but the plot thickens when he says the email was sent to his gmail address attempting to get his gmail creds, but that he does not use his gmail account to converse with the HOA President, nor does he remember EVER using his gmail to contact him.

And there we have it, a spearphish executed on a non-work resource.

TELL SOMEBODY?

Now my friend is in Information Security, so naturally he avoided the compromise, discarded the email and is going to take the necessary follow-up steps, but do you know what they are?

So YAY he’s not a victim, but what’s next? Discard the email of course, however the train doesn’t stop there and it shouldn’t. This kind of incident, although on a private email address that was (most likely) accessed from a home computer, still needs to be reported to your Information Security Department **making sure the information makes it all the way to your SOC & Threat Intelligence Teams**. After all, this was a spearphish, not a generic blast-all phish hoping for a random victim. CONGRATS YOU ARE A WALKING PIECE OF INTELLIGENCE! Finally, a “reminder to be vigilant” with details on the spearphish should go out to key leaders. Why? Well let’s play the what-if game.

WHAT IF

What if….my friend’s wife had gotten the email, on a shared family computer, fell victim to it, and a key logger (or other malware) was installed? Someone went to great lengths to find all this information out about my friend, they obviously don’t mind investing time into a target.

What if….another non-security-savvy key leader, who reuses work passwords at home (cuz that never happens), has gotten a similar email on a personal email at home, and s/he fell victim to it? Getting the “be vigilant” reminder may have him pressing the ZOMG button and in turn report that s/he got something like that as well.

What if….the email appeared to be from your children’s school, regarding grades/bad behavior/parent event/free ice cream etc. and it was sent to the child?

What if….the email appeared to be from your child/spouse’s $hobby group (that is publicly plastered all over social media)?

Remember, someone went to the length to figure out where my friend lived, what the name of the HOA was, who the president of it was, the president’s email address, and my friend’s email address. That is a lot of effort to just get gmail credentials. That likely indicates they’re after something bigger.

A STEP FURTHER

Now something I don’t see or hear a lot of companies doing is having security awareness training for spouses and family members. People laugh, but I remember when the Iraq war broke out and family members were plastering all over social media tons of pictures of everyone gathered in a gym preparing to leave saying “Gonna miss my husband so much! God bless the $military unit” or “My husband is finally coming home! They should be landing at $YYMMDD:HH:mm:ss.” We would sit back and say “Dear spouse, please stop helping the bad guys determine our troop strength and travel plans!” There hasn’t been a #facepalm meme invented yet that could accurately depict the military commanders.

So for the non-military folks out there here’s an idea. Put together a “fun day”, invite out the spouses and the children, and teach them about phishing (and the various specific forms: phone, spear, social media etc) and OPSEC! Sure you might be the security person in the home, and you have your personal firewall all tightly locked down, your wifi is wrapped up nice with strong passwords, MAC filtering, SSID broadcast shut off blah blah blah, but what about your spouse/children’s phones and their social media activities? Security is a BEHAVIOR or a STATE OF MIND if you will, not just technology. Educating the family is just as important as educating the employee.

SUMMARY

If you are in security you are a target. While my friend holds a significant role at his employer, the risk would be no less if he was a “lowly” systems administrator (I say that with sarcasm cuz pffft it’s only domain admin creds at stake). Your family is a target, ensure you take the time to educate them and grow a security-minded culture at home as well as at work. If you find yourself spearphished using personal non-work information, you need to be asking yourself “How’d they know that?” and possibly have a conversation with the entity that was impersonated or review how much private data you are sharing.

Report spearphishing whether it is at work or at home, you or your family etc. as this is precious intelligence that any intelligence team needs. Finally, DO NOT do work on a non-work computer especially one you share with the family, be vigilant, remind your co-workers regularly to be vigilant, and share what you know with others.

****UPDATE****
A reader reached out with a question that made me realize I needed to clarify something above. While I did note that you should delete the spearphish email, the implied task was that you captured it (full header and all contents) BEFORE deleting it as the email along with the report of the spearphishing attempt needs to be provided to the Threat Intelligence team. There can be valuable information in the email header that you do not want to destroy. You can accomplish this by attaching the email to a new email and sending it to the proper team/individual etc. or saving it down and attaching it to an incident report.
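To show what is worth pulling out of that captured header before the email is deleted, here is an added example (my code, not the author’s, and not tied to the actual phish in the story). It uses only Python’s standard email library on a constructed sample message; every address, host and helper name in it is a placeholder.

```python
"""Triage the headers of a reported spearphish before it is deleted.

Added example, not code from the original post. Standard library only;
the sample message and the helper names (triage_headers, domain_of,
SAMPLE_EML) are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: claims to come from an HOA president, but the Reply-To
# and Return-Path point elsewhere and sender authentication fails. All hosts
# and addresses are placeholders in reserved/documentation ranges.
SAMPLE_EML = """\
Return-Path: <bounce@example-sender.invalid>
Received: from mail.example-victim.invalid (10.0.0.5) by mx.example-victim.invalid; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.example-sender.invalid (192.0.2.10) by mail.example-victim.invalid; Mon, 01 Jan 2024 10:00:02 +0000
Received: from [198.51.100.7] by relay.example-sender.invalid; Mon, 01 Jan 2024 10:00:01 +0000
Authentication-Results: mx.example-victim.invalid; spf=fail smtp.mailfrom=example-sender.invalid; dkim=none
From: "HOA President" <president@hoa-example.invalid>
Reply-To: hoa.president.help@example-sender.invalid
To: friend@example-victim.invalid
Subject: Urgent: HOA dues account verification
Message-ID: <abc123@relay.example-sender.invalid>
Date: Mon, 01 Jan 2024 10:00:00 +0000
Content-Type: text/plain; charset=utf-8

Please sign in here to verify your account: hxxp://example-sender.invalid/login
"""


def domain_of(addr):
    """Return the lowercase domain part of an e-mail address header, or ''."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def triage_headers(raw):
    """Extract the header facts a threat-intel team will want from a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    return_path_domain = domain_of(msg["Return-Path"])
    # Each hop prepends its own Received header, so the LAST one is the origin.
    received = msg.get_all("Received", [])
    origin_hop = str(received[-1]) if received else ""
    auth = str(msg["Authentication-Results"] or "").lower()

    findings = []
    if reply_domain != from_domain:
        findings.append("reply-to domain differs from from domain")
    if return_path_domain and return_path_domain != from_domain:
        findings.append("return-path domain differs from from domain")
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("sender authentication failed")
    if "dkim=none" in auth:
        findings.append("no dkim signature")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "return_path_domain": return_path_domain,
        "origin_hop": origin_hop,
        "hop_count": len(received),
        "message_id": str(msg["Message-ID"]),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage_headers(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

None of this replaces forwarding the whole message as an attachment; it is the quick read that tells the intel team why the report matters (mismatched reply path, failed SPF, where the message actually entered the mail system) before anyone opens the original.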

Large Foot Prints and Loud Noises

So milling around in some spam while on another research project, I started noticing something strange… how so many seemingly unrelated domains appeared in the Reply To address of the same spam campaign. I began digging into the domains for multiple campaigns and I am currently monitoring the behavior and working on mapping the associations of the bad guys. Granted, there’s nothing glorious about discovering spammers or shutting them down, but uncovering a large enterprise of what appears to be individuals working together kind of intrigues me.

Anyway, while working on this, I found someone that sticks out like a sore thumb. Why? Because they are “loud” and have a huge footprint. This individual has registered over 4,000 domains in 11 days. I’m sure he/she has reasons, but none that I’m currently interested in hearing. Not surprisingly, the actor is also associated with over 100K other active domains. I’m not sure what you plan to do about it, but in the meantime, I’m blocking these.

For the record, at this present moment I have only tied this actor to spam (in my resources) and malicious sites as indicated by other research sources, but I have not personally tied them to specific malware. If I do, I will update this blog with those details provided it doesn’t compromise any other OPSEC.

As a general rule, I’d recommend blocking non-standard gTLDs and allowing your users to request an exception.
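Here is what that rule looks like when written down, as an added example of mine (not the author’s blacklist or any code from the post). The allowed-TLD set, the approved exceptions, the blocklist entries and the sample hostnames are all constructed; a production check should use the Public Suffix List rather than the last-two-labels shortcut used here.

```python
"""Block non-standard gTLDs by default, with a blocklist and an exception path.

Added example, not code from the original post. The policy inputs below are
constructed: ALLOWED_TLDS is a stand-in for whatever your org calls "standard",
APPROVED_EXCEPTIONS holds domains users requested and security approved, and
BLOCKLIST_TEXT mimics a one-domain-per-line blacklist.txt download.
"""

# TLDs allowed by default (constructed policy; extend to taste).
ALLOWED_TLDS = {"com", "net", "org", "edu", "gov", "mil", "us", "uk", "de", "ca"}

# Registrable domains users asked for and security approved (constructed).
APPROVED_EXCEPTIONS = {"team-tools.download"}

# Constructed blocklist contents in one-domain-per-line form.
BLOCKLIST_TEXT = """\
# constructed blocklist: one domain per line, '#' starts a comment
cheap-deals-now.com
best-offer.top
"""


def load_blocklist(text):
    """Parse a one-domain-per-line blocklist, ignoring blanks and comments."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def registrable_domain(hostname):
    """Crude registrable domain: the last two labels.

    Assumption: no multi-label public suffixes (co.uk etc.); use the Public
    Suffix List in production.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def decide(hostname, blocklist, allowed_tlds=ALLOWED_TLDS, exceptions=APPROVED_EXCEPTIONS):
    """Return (verdict, reason): 'allow', 'block', or 'block-request-exception'.

    Order matters: a blocklisted domain stays blocked even if someone
    requested an exception for it; exceptions only override the TLD rule.
    """
    host = hostname.lower().strip(".")
    domain = registrable_domain(host)
    tld = host.rsplit(".", 1)[-1]
    if domain in blocklist or host in blocklist:
        return "block", "listed on blocklist"
    if domain in exceptions:
        return "allow", "approved exception"
    if tld not in allowed_tlds:
        return "block-request-exception", f"non-standard TLD .{tld}"
    return "allow", "standard TLD"


def evaluate_all(hostnames, blocklist):
    """Map each hostname to its (verdict, reason)."""
    return {h: decide(h, blocklist) for h in hostnames}


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_TEXT)
    sample = ["www.example.com", "promo.best-offer.top",
              "files.team-tools.download", "login.something.win"]
    for host, (verdict, reason) in evaluate_all(sample, bl).items():
        print(f"{host:30} {verdict:24} {reason}")
```

The "block-request-exception" verdict is the point of the exercise: the user sees a block page with a request link instead of a silent failure, and the exception list (not the allowed-TLD set) is what grows over time.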

Here’s a link to the blacklist (thanks T-byrd for hosting it): https://www.dropbox.com/s/31c2p85naba08wa/blacklist.txt?dl=0

Check back to that link for future updates.

That’s all for now, if this was helpful to you please let me know.


**UPDATE** 2016-03-29 (0446-UTC)

Additional investigation shows the registrant is a Chinese reseller (http://www.wuyumi.com/). I’ve personally linked many of the domains to spam, and others are blacklisted by Domain Tools and other resources. The seller’s page reveals the price they sell domains at is (2.9-3.5 Yuan, take the avg) less than 50 cents (3.27 Yuan = 0.50 USD) and pricing is also per month in many cases.

So let’s math a little here (assuming all his domains are “rented” for the next 12 months at the average rate)

100,135 domains
x 50 cents/month
x 12 months

$600,810/year gross

Now I’m not sure what their cost is, but let’s assume they bought a .download domain from ALPNAMES for the advertised $0.60 for 1 year. They just rented it for .50 x 12 = $6.00 – .60 = profit of $5.40

ROI = 5.40/.60 = 9

9 x 100% = 900% return on investment of 60 cents for one domain.

So we have a low cost of entry to do [bad] business (for both the folks buying & renting the domain), links to multiple spam campaigns, some with phishing elements, and links to other confirmed spam campaigns. I don’t care what they are re/selling them for, at that price, nothing good is going to come of it IMHO. So the list has been made available WITHOUT WARRANTY; you may do with it what you wish.

What’s Under that Threshold?

This blog post is meant to be short, sweet and to the point so please forgive the brevity if you were looking for something in depth this time….

*THE LITTLE FISH*

Many of us are trained to get the big fish, find the next cutting edge threat, defend against the big blob of red in the graphic of some ridiculous C-level slide presentation. We sit, eyes locked on some SOC tool waiting for bells & whistles to go off, the emails to start flying, the lights to flash to wake us up because we’ve fallen asleep from boredom, all because we’ve placed our trust in a tool to tell us on what we should focus our attention. So, how often do you go digging, or lift up the lid on something peeking to see what’s inside? What are you doing about the quiet, smart bad guy who’s tiptoeing in just under your alert criteria? You know, the one who isn’t making a lot of noise on your network, the customer doing the dirtiest of deeds, just under your thresholds for your automated alarms?

*MY GLORIOUS TOOLS*

Well, if you know what your thresholds are for automated alerts, why aren’t YOU looking at what lies beneath them? Is it because you think nobody with malicious intent would take the time to do X in such small quantities because it wouldn’t pay off? Is it because your tool is awesome and perfect *cough*cough*cough*cries*grabs water*? If you answered yes to the 2nd or 3rd question, please allow me to share some good ol’ country advice that has served me well: “He who underestimates his enemy has lost the first battle in the war.”

*MY CUSTOMER?! NOT _MY_ CUSTOMER*

So without divulging the details of my current research, I’ll share a few things I’ve been noticing lately. First is bad guys doing a little here, a little there regarding purchasing domains. Instead of buying in bulk, they’re buying a few each day at a time. So, if you’re selling domains, maybe you want to take a look at any customers who are buying in quantities just below your “alarm” threshold and who are NOT buying via your bulk discount programs. I mean seriously, what does one individual need with a couple hundred domains, that he/she wouldn’t want to take advantage of bulk discounts? I mean, they could just be a legit business that doesn’t know any better, but I’m gonna guess not. It might be worth checking those domains out using tools such as OpenDNS, Domain Tools, Threat Grid, and Virus Total. Are the domains registered, more than 30 days old and still without a website? What’s the aggregate amount of domains purchased in the last 30 days and how old is the customer account? Does the data on the domain registrations match that on your customer’s account? Does the data on the domain registration match ANOTHER customer account? If you find that your customer’s domains are popping hot, ya just might want to take a leeeetle-bit closer look at their activities.

Let’s look at another OSINT source you have….customer access logs. The second thing I’ve been noticing is bad guys creating DNS entries a little here, a little there. So you found a guy, flying below the radar (could be a girl, but just go with me here) with the daily number of domains being purchased under your alarm level. Maybe you provide infrastructure not domains, so you offer DNS, and you have a customer flying below the radar making lots of DNS records. Do your tools alert you when a customer logs into his/her account from multiple ASN’s or ASN’s in different countries? I mean if a guy logs in for <5 minutes, makes DNS records, and logs out, all from Romania on Sunday, Russia on Monday, Great Britain on Tues....etc either he’s racking up some serious frequent flyer miles or he might be up to no good. AGAIN, there COULD be a perfectly legitimate explanation (none come to mind immediately) but you won’t even know unless you go looking. If you’re providing website hosting, do you have a customer that has hundreds of completely unrelated domains pointing to a single IP? I once found a guy with over 900 malicious domains all pointing/pointed to a single IP...I wanted to say to the provider “Seriously you don’t notice?”

*SUMMARY*

So the point of today’s topic - start looking BELOW your automated thresholds for the really bad guys. Be pro-active, stop waiting for bad guys to wave, shake your hand, and say hello. Thanks again for taking time to read the blog and feel free to share comments, DM me on twitter, or just tag and say hi!
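The three below-threshold signals described in this post (daily domain purchases kept under the alarm, short logins from several countries in one week, and piles of unrelated domains on one IP) are easy to write down as checks. Here is an added example of mine, not code from the post: the thresholds, the record shapes and the sample purchase/login/DNS records are all constructed (the ASNs are from the documentation range), and a registrar or hosting provider would feed in its own logs.

```python
"""Hunt below the automated alert thresholds for low-and-slow customer activity.

Added example, not code from the original post. Three checks, one per
observation in the post. Thresholds, record shapes and sample records are
constructed; replace them with your own purchase, login and DNS logs.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

DAILY_PURCHASE_ALARM = 20     # the existing per-day alert that never fires (constructed)
MONTHLY_PURCHASE_FLAG = 100   # 30-day aggregate worth a closer look (constructed)
COUNTRIES_IN_WEEK_FLAG = 3    # distinct countries with short sessions inside 7 days (constructed)
SHORT_SESSION_MINUTES = 5     # "logs in for <5 minutes, makes DNS records, logs out"
DOMAINS_PER_IP_FLAG = 50      # one customer's domains resolving to one IP (constructed)
AS_OF = date(2016, 3, 30)     # constructed "today" for the sample data

# Constructed purchase log: (customer, day, domains bought). c-1001 buys 8 a day, every day.
PURCHASES = [("c-1001", date(2016, 3, 1) + timedelta(days=d), 8) for d in range(30)]
PURCHASES += [("c-2002", date(2016, 3, 10), 3), ("c-2002", date(2016, 3, 20), 2)]

# Constructed login log: (customer, login time, country, asn, session minutes).
LOGINS = [
    ("c-1001", datetime(2016, 3, 6, 2, 0), "RO", 64496, 4),
    ("c-1001", datetime(2016, 3, 7, 2, 5), "RU", 64497, 3),
    ("c-1001", datetime(2016, 3, 8, 1, 50), "GB", 64498, 4),
    ("c-2002", datetime(2016, 3, 10, 9, 0), "US", 64499, 25),
    ("c-2002", datetime(2016, 3, 20, 9, 30), "US", 64499, 40),
]

# Constructed DNS records: (customer, domain, ip). c-1001 parks 60 unrelated names on one address.
DNS_RECORDS = [("c-1001", f"site{i}-{word}.example", "198.51.100.7")
               for i, word in enumerate(["shop", "news", "bank", "game", "loan"] * 12)]
DNS_RECORDS.append(("c-2002", "corp-example.example", "203.0.113.10"))


def slow_buyers(purchases, today):
    """Customers who never trip the daily alarm but whose 30-day total is large."""
    window_start = today - timedelta(days=30)
    per_day = defaultdict(list)
    for customer, day, n in purchases:
        if window_start < day <= today:
            per_day[customer].append(n)
    return {c: sum(ns) for c, ns in per_day.items()
            if max(ns) < DAILY_PURCHASE_ALARM and sum(ns) >= MONTHLY_PURCHASE_FLAG}


def country_hoppers(logins):
    """Customers with short sessions from several countries inside any 7-day span."""
    events = defaultdict(list)
    for customer, ts, country, _asn, minutes in logins:
        events[customer].append((ts, country, minutes))
    flagged = {}
    for customer, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            week = [e for e in evs[i:] if e[0] - start <= timedelta(days=7)]
            countries = {c for _, c, m in week if m < SHORT_SESSION_MINUTES}
            if len(countries) >= COUNTRIES_IN_WEEK_FLAG:
                flagged[customer] = sorted(countries)
                break
    return flagged


def crowded_ips(dns_records):
    """(customer, ip) pairs where many of that customer's domains resolve to one address."""
    names = defaultdict(set)
    for customer, domain, ip in dns_records:
        names[(customer, ip)].add(domain)
    return {key: len(ds) for key, ds in names.items() if len(ds) >= DOMAINS_PER_IP_FLAG}


def below_threshold_report(today=AS_OF):
    """Run all three checks and return the customers worth a closer look."""
    return {
        "slow_buyers": slow_buyers(PURCHASES, today),
        "country_hoppers": country_hoppers(LOGINS),
        "crowded_ips": crowded_ips(DNS_RECORDS),
    }


if __name__ == "__main__":
    for check, hits in below_threshold_report().items():
        print(f"{check}: {hits}")
```

Customer c-1001 never once exceeds the daily alarm of 20, which is exactly why a per-day alert is blind to it; the 30-day aggregate, the country set over a week and the per-IP domain count are the views that make it visible.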

Stop Having Sex for the First Time – part 2

In the first part of this article, I gave some various examples of how InfoSec teams are structured to fail or at the very least function very inefficiently. Next we’ll talk about how to achieve a more effective *INTEL* team – and how it will enable the development of intelligence in the organization.

FIRST: Specialization Without Division –
So, here’s where experience in the bedroom really pans out in this InfoSecsy relationship. You want to get lots of smart people who each excel at one thing but know a little bit about a lot of related things.

Both InfoSec & Intel teams will benefit from this structure, the caveat is that you must also have people with the right personality (nobody likes selfishness in the sheets). In addition to the right mix of talent, you need people that respect each other’s abilities, aren’t afraid to ask for help and will be willing and even eager to share what they find. You don’t need a bunch of multipurpose rock stars, rather you want people who excel at things such as malware reverse engineering, pcap analysis, social engineering, development, data analysis, and even specific application software etc. You also want them to have foundation knowledge in other security realms.

The second part to this is that they are ONE TEAM, they are not divided into divisions with Directors and VPs over specific areas, rather they are outside hires or even the internal elite from the network security team, the security operations center, the devops team etc. They will likely have liaison relationships with these functional areas and access to the data from them as well.

In some cases it may make sense to have multiple teams located together across the country, in some cases the company size may support having them co-locate in one physical space, nonetheless the bottom line is that they are all ONE Team. They are your version of a special forces troop, everyone has a job yet they all help each other and are willing to learn what they can about another area to be as effective and helpful as possible when needed.

SECOND: In Failure and Success, in Sickness and in Health ’til Termination Do We Part

This is an InfoSecsy partnership whether you like it or not. If an attack on your organization succeeds or fails, you share the responsibility. If you build something, and it doesn’t work, you share the failure and when it does, you share the success. If you have an idea and it leads nowhere, you mark it off as something tried and eliminated. If you have an idea, try it, if it fails tell everyone WHY/HOW it failed so they don’t waste resources trying the same thing, then move on. If you try something and it succeeds, share so everyone knows WHY/HOW it worked and they can repeat, enhance, and also succeed. [Ask @Ben0xA for his preso on FIAL – it’s awesome]

THIRD: share, Share, SHare, SHAre, SHARe, SHARE, SHARE!!!!!

Sharing InfoSecsy knowledge, skills, experience and ideas is only going to enhance your Intel team and company’s security posture. For example, the other day I had someone tell me that an Exchange team was unable to help us identify who clicked on a link while accessing OWA on a machine because everyone shared a generic login on the shared workstation. Having similar experience in a related area, I was able to offer a suggestion to the Exchange Team and the SOC Analyst that allowed the proper syslogs to be identified in their repository and the Exchange Team to liaise with the Windows IIS team to pull the data that was later analyzed. Neither of these areas was my responsibility or expertise, but due to their willingness to share the problem and brainstorm, solutions emerged.

Another example: when we had a host that was unable to be found, I got the NOC, SOC and Help Desk all talking and we collectively came up with a non-traditional way to protect the network and find the asset. While I didn’t know the topology I was able to ask questions that spawned conversations that resulted in solutions.

Sometimes the person with the LEAST knowledge in a subject area can ask the simplest question that lights a much needed fire, simply because of how they processed the information. The bottom line is – get your people together regularly to discuss what has happened, what is happening, what is known, and what is yet to be figured out, and collectively, ideas and solutions will emerge.

FINALLY: Recycle & Re-Use

For this final note, I’ll use a hypothetical incident as an example. A Sales Engineer (SE) gets an email from an individual purportedly representing one of his clients. The individual is asking for assistance in collecting network and netflow data to help him tune his SIEM, a seemingly harmless request. As the conversation progresses the SE thinks the guy is sketchy so he contacts the SOC. The SOC runs a number of checks on the accounts and checks for any relationship to any known incidents, nothing is found. Guidance given is to limit the scope of information given to the individual per the company guidelines. So what’s next? Well, if we abide by the 3rd rule, this information would get shared with the Intel team, and then the 4th rule takes effect, the information is recycled. It is sent through the Intel Team that runs through it with a different filter and they begin to identify that not only is the individual sketchy, he is possibly even an imposter executing a very crafty social engineering attack. So what’s next? Recycle & Re-Use again. Contact the customer that the individual claims to represent and pass the information to them. Let them look at it with a different filter. You never know what puzzle someone else is putting together and what appears to be “nothing to see here” might be a critical piece of information that ties everything together for someone else.

SUMMARY:
The first part of this article discussed how traditional, rigid, corporate sandboxes of responsibility that define various IT functionalities within an InfoSec program have a tendency to hinder effectiveness when it comes to security. The second part of this article provides some ideas and examples on how to restructure and build teams as well as ideas on when/how to share information across specialities. There are a few takeaways I’d like to leave you with:

1. The only right structure, is the one that maximizes and encourages information sharing and meets the organizational needs for security AND intelligence within resource constraints

2. Embrace failures – they are the stepping stones that lead to the door of success

3. Bring your teams (worker bee level) from all disciplines, together regularly to discuss all kinds of security concerns and issues everyone is experiencing – and most of all encourage them to SHARE ideas and experience.

4. Recycle data on security incidents, even concerns of a possible incident. Ensure they are passed amongst your teams via a process that works for your organization, with the end goal of everyone getting a say-so/review of it.

So go forth, do great things, and enjoy the InfoSecsy side of security not just the InfoFail side.

Thank you once again for taking time to read OSINT Heaven’s Blog.

Stop Having Sex for the First Time – part 1

As someone who’s been working on an OSINT project lately, I’ve had many surprises and hurdles because there’s poor organization to our execution and little to no information sharing between security functions in the same department. I recently got access to a very important piece of information/tool that resulted in a huge discovery…..this is Oct, we’ve been working on this since July…. Unfortunately, this problem is not unique to this project, OSINT or InfoSec.

THE EXAMPLE:

The US Army structured a communications battalion with companies, made up of platoons/teams/squads etc. and basically the personnel all had the same functional training background. One company, 30-100 people, would be folks who operated/maintained satellites, another knew cabling and wiring, another radios, and another of those skilled in networking/network communications. Whenever the battalion would go out to train, they would take a few people from each company throw them together like a patch quilt so as to have someone capable of each required skill for the mission. They’d send these patch quilt teams out to different locations with some training objective (usually to successfully establish a communication link, keep it up, and practice for war).

The teams contained the best of the best, people of varying skill levels, and competent (minus the token derp). Nonetheless, despite these groups being highly trained w/ above average intelligence, their execution was clunky, fluidity was all but absent and they flat out struggled every time to meet the objective. Why? A few basic reasons (this list is not exhaustive) – nobody knew each other, we communicated in different ways, we could not anticipate each other’s needs or actions, there was no rhythm, no synchronization. It was like being a virgin having sex for the first time every time, with another virgin. Sure, we got the job done, but it was rarely ever “awesome”.

So the heart of the problem – teams, functions and activities were silos, not circles. Instead of being an elegant woven silk tapestry full of vibrant colors, we were a hideous patch quilt.

THE INFOSEC PARALLEL

We have the same problem in “Information Security” teams. There’s the Network Security Team, The Security Operations Center, and if you’re lucky there is/are Pen Test, Intel, Forensics, and Malware team(s). So with all this awesomeness under one roof how could we possibly fail?

  1. Leadership Roadblocks – Managers sit in rooms making drug deals over resources and designing processes in vacuums.
  2. Lack of Communication/Sharing – None of the worker bees come together on a regular basis with information to share, the “intel” that everyone needs. Instead, data gets passed around/tracked in one ticketing system from workflow to the next team’s workflow if we’re lucky (and documentation usually sucks).
  3. Pissing Contests – we’ve got the “you will use *MY* ticketing system” mentality
  4. Lack of Integration – Let’s not forget that we’ve got all the awesome teams, and we’ve spent money (millions) on awesome tools and not a dime to integrate them, so “intel” sits hidden or is nearly/impossible to gather.
  5. That’s MINE! – Network “Security” teams don’t let anyone have read access to network logs (and only send silly/useless globs of syslogs to a SIEM), only the Help Desk is allowed to have remote access to a host even when a user contacts a SOC suspecting compromise of their host.
  6. Black Holes – Forensic team takes a compromised drive/image that the SOC quarantined and runs away to their cave never to be seen again, the malware team pops their heads up like a prairie dog when you say malware, you feed them and they run away only to pop out of another hole and say here’s your IoC and scurry down the hole.

Instead of being a highly functioning ecosystem of intelligent wild animals (face it, real InfoSec folks we’re just wild :), we’re a damn zoo and none of the animals get to play together.

OK….hopefully you get the point by now – We ALL play a part in this.

SURPRISE! – Not really

So is it any wonder when there’s an attack on your organization that everyone flounders to some degree and for the serious ones you simply have to call someone in? [In all honesty, sometimes that actually IS the best and most responsible thing to do]. Is it any surprise that after the attack, all you do is prepare for the next one and you never really figure out anything behind it? You never really operate in a preventative or offensive fashion. You just sit around waiting for the next bully to steal your lunch.

So I ask, do you really want to keep having s3x the first time every time? I mean – practice **IS** supposed to improve performance thus making the experience better and better. Sure you have processes, that’s great & flow charts are awesome, but it only gets you so far. The SOC does its own little training on “here’s how we RESPOND to ABC incident”, the NetSec-Ops team is doing their own RESPONSE training, as is every other team that plays some role in a RESPONSE effort. The funny thing – the Windows/Unix/Server/App teams have a part too, but they’re never part of the training and nobody is invited to participate in the other team’s training. BTW: where is all the info from your “lessons learned” going and where’s your “intel” sharing so you can start PREVENTING instead of just RESPONDING?

Back to our example….

The Army realized the shortcomings of their structure and began restructuring their communications units. They reorganized so that the groups that would fight together would not only train together, but live and work together. Battalions had companies that consisted of platoons with personnel from all the skills needed to be successful. These soldiers worked together every day, even began to learn about each other’s jobs. Light bulbs started going off, greater understanding and better communication emerged. They began to bond, to learn each other’s likes/dislikes, communication nuances, they began to execute with precision and efficiency. They began looking more like that expensive beautiful tapestry and acting like life long lovers.

So how could a company do this?

Well there is no one cookie-cutter solution that will work for every company, but here’s one novel underlying theme – locate them together physically if possible, gather them virtually at minimum. Granted there needs to be separation of duties and permissions, but that doesn’t mean you must have silos. Let the worker bees ACROSS GROUPS work together to define processes and make suggestions up through management. If that’s not possible, have regular working groups (weekly preferably) where they all get together. Sometimes the meetings will be intense with lots of hot topics/issues, other times they’ll have coffee and just bond, but get them together.

Another idea: wherever your largest team is, usually the SOC, have seats for NetSec, Malware, Forensics, and Intel Team members to work. The teams can rotate out who works over there, but have someone over there for 2-4 weeks at a time, let them “live & fight together”. Let them share information, watch the people that are part of your processes begin to work more effectively.

In the end, the goal is to have your team execute like they’ve been giving it to each other their whole life, not fumbling through sex like virgins for the first time, every time you need to respond to an incident. Then comes the next step, pillow talk the morning after – or sharing coffee and a bagel if you prefer.

Stay tuned for Part 2 where I’ll be talking about how to maximize this architecture for an intel team.

Shodan – A Boogeyman’s BFF

If you’ve ever heard me talk on OSINT one of the points I drive home is one I learned early from a colleague, Ian Amit (@iiamit), that if what you present doesn’t cause a change in behavior, it isn’t threat intel, it is intel/information. Here’s a story on how I used OSINT techniques on my own organization in multiple ways, to cause a change in behavior.

Once upon a time in a land far far far away….there were device administrators that secured their devices properly….

/me wakes up disappointed

During my governance, risk and compliance days, before OSINT was a buzz word in the industry, one of the things organizations wanted to know (without hiring/contracting a pen-tester) was how vulnerable they were to “hackers” [I use that word sparingly as it has a very evil connotation to the ignorant masses]. Knowing they just asked me to boil the ocean, I worked to get them to narrow it down, and identify three things:

  1. WHAT are you worried about being attacked (i.e. specific assets)

And let me be the first to say that if the org doesn’t have a decent Asset and Data Classification Policy that’s actually implemented HA! sucks to be you.

  2. WHICH attack vectors concern you the most

  3. HOW do you want me to answer you (reporting format)

So after getting those nailed down, I decided to finally put all the hours of education to good use so I felt less guilty about spending all that money getting a degree just to get past the HR gremlins that eat resumes.

We didn’t exactly have a threat model, and being in the “Risk Department” (pfft!) they weren’t going to listen to me tell them they needed one. [BTW Risk Analysis != Threat Modeling] Nonetheless, I realized the scope of concern they had included threats to network assets [as opposed to software, people, places etc]. Thus I went forth to identify vulnerabilities that c/would be exploited, and immediately went to a wonderful site called Shodan that will tell you all kinds of “wonderful” things about an organization’s threat vectors. Leveraging a little knowledge of SQL and URL hacking I began running queries to check for some basic vulnerabilities that were not only available for my own perusal, but they were equally available for every other evil derp that didn’t like “us”. I proceeded to exclaim rather loudly in the office “Are you Fuc41n6 Kidding ME?!” as I saw the results pour in. So – now I knew it was not just bad…it was like Satan just gave a free pass on the bullet train straight to hell and you could hear him laughing like it was a carnival ride.

[Screen capture from https://www.shodan.io/explore/popular: Shodan most popular searches]

I hung my head in dismay, thinking – how am I going to communicate to “Management” just how bad this is? After all they get vulnerability scans quarterly, monthly, weekly and in some cases daily – and they STILL don’t think the problem is “that bad.” Technically, the Shodan results are nothing more than another data set reflecting vulnerabilities.
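Turning that “another data set” into something management will act on is mostly a filtering and counting job, so here is an added example of mine (not the author’s code and not a Shodan client). The records are constructed but use the field names of Shodan’s banner JSON as I know them (ip_str, port, transport, product, org, hostnames, timestamp); the owned netblocks and the “risky service” mapping are constructed inputs you would replace with your own asset inventory and policy.

```python
"""Summarize Shodan-style banner records against your own netblocks for a report.

Added example, not code from the original post. The banner records are
constructed in the shape of Shodan's banner JSON; OWNED_NETBLOCKS and
RISKY_PORTS are constructed stand-ins for an asset inventory and a policy.
"""
import ipaddress
from collections import Counter, defaultdict

# Address space the organization owns (constructed, documentation ranges).
OWNED_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/25")]

# Ports a non-technical reader will recognize as "should not face the Internet" (constructed).
RISKY_PORTS = {21: "FTP", 23: "Telnet", 161: "SNMP", 445: "SMB",
               3389: "RDP", 5900: "VNC", 9200: "Elasticsearch"}

# Constructed banner records, one per open service.
BANNERS = [
    {"ip_str": "203.0.113.14", "port": 23, "transport": "tcp", "product": None,
     "org": "Example Corp", "hostnames": ["cam14.example"], "timestamp": "2016-02-01T03:00:00"},
    {"ip_str": "203.0.113.20", "port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol",
     "org": "Example Corp", "hostnames": ["ts.example"], "timestamp": "2016-02-01T03:10:00"},
    {"ip_str": "203.0.113.20", "port": 443, "transport": "tcp", "product": "nginx",
     "org": "Example Corp", "hostnames": ["www.example"], "timestamp": "2016-02-01T03:11:00"},
    {"ip_str": "198.51.100.9", "port": 9200, "transport": "tcp", "product": "Elasticsearch",
     "org": "Example Corp", "hostnames": [], "timestamp": "2016-02-02T00:00:00"},
    # Same org string, but the address is outside the owned /25: not ours to report on.
    {"ip_str": "198.51.100.200", "port": 23, "transport": "tcp", "product": None,
     "org": "Example Corp", "hostnames": [], "timestamp": "2016-02-02T00:05:00"},
]


def in_scope(ip_str):
    """True when the address falls inside a netblock the organization owns."""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in OWNED_NETBLOCKS)


def summarize(banners):
    """Reduce banner records to the numbers management needs: hosts, services, who has what."""
    scoped = [b for b in banners if in_scope(b["ip_str"])]
    service_counts = Counter()
    hosts_by_service = defaultdict(set)
    for b in scoped:
        name = RISKY_PORTS.get(b["port"])
        if name:
            service_counts[name] += 1
            hosts_by_service[name].add(b["ip_str"])
    return {
        "in_scope_banners": len(scoped),
        "out_of_scope_banners": len(banners) - len(scoped),
        "exposed_hosts": len({b["ip_str"] for b in scoped}),
        "risky_services": dict(service_counts),
        "hosts_by_service": {s: sorted(h) for s, h in hosts_by_service.items()},
    }


def report_lines(summary):
    """Plain-language lines for the slide deck, most common risky service first."""
    lines = [f"{summary['exposed_hosts']} of our hosts answer on the Internet "
             f"({summary['in_scope_banners']} open services seen)."]
    for service, count in sorted(summary["risky_services"].items(), key=lambda kv: -kv[1]):
        hosts = ", ".join(summary["hosts_by_service"][service])
        lines.append(f"{service}: {count} exposed ({hosts})")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(summarize(BANNERS))))
```

The scoping step is the one people skip: matching on the org string alone pulls in addresses you don’t own (the last record), and reporting those to management costs you credibility the first time a network engineer points it out.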

Then I remembered some very wise words

The supreme art of war is to subdue the enemy without fighting -Sun Tzu

So I put together an initial OSINT report of generic threat actor profiles that would like to be (and probably already were) exploiting what was exposed via Shodan, but I didn’t send it. Instead, first I took what I learned in Shodan and I created a “How to Sho-Dan” (pun on a C-level’s name) slide deck. I mean, nobody is ever going to believe my report, I’ll be lucky if 1/3rd of them click on a single link and even luckier if 1/10th of them even understand what they’re reading/clicking on.

Then, I OSINT’d (ummm yeah that’s a word now just roll with me here) so I OSINT’d my fellow employees. I read their social media profiles, eavesdropped at the water cooler, socially engineered (SE’d) them over coffee to figure out 1) their favorite & most hated places for work-hosted events, 2) their favorite conference room, and 3) what their idea of “fun” learning at work was. Then I SE’d my boss into spending money, used his corporate credit card (with his approval), and set up a Lunch & Learn for non-security IT people including devs, netops team, help desk etc. With food & drink in hand, and a promise of a prize for anyone who could tell me what the query revealed, we began learning How To Sho-Dan.

EUREKA!

When it was all over they realized some very critical things:

  1. NONE of them had to even create an account to run a query…wut?! this is Open Source?!
  2. They didn’t have to know SQL or URL hacking, they only had to know key words and use the search boxes
  3. If they did have an account, they could get even more comprehensive reports

THE SINGLE MOST IMPORTANT LESSON: If they could do it – so could bad guys, and there were definitely some serious boogeymen in the world.

IN THE END

I had successfully moved from data to information to intel to threat intel, because the Lunch & Learn, combined with the OSINT report I provided, caused a change in behavior; otherwise it was just intel and more vulnerability data.

I sent the OSINT report to the managers that had signed up for the Lunch & Learn (even those that didn’t attend), and now, with them empowered with context and a better understanding of the threat vectors, I watched change explode.

  1. The vulnerability remediation tickets started getting a lot more love by all departments.
  2. The network team implemented changes to their firewall approval process, patching firmware, and network architecture.
  3. The developers began reconsidering what ports they really needed.
  4. The server team modified their provisioning process to include a security review/approval milestone that was a show stopper.
  5. I even convinced C-levels to plan for an internal pen-testing team.

TAKEAWAYS:

  1. If minimally tech savvy people can do/google/youtube it then so can the bad guys
  2. OSINT on your own team is not evil 🙂
  3. Sometimes an OSINT report is far less valuable than an OSINT hands-on


BONUS
If you want to see a very hilarious and scary presentation go watch my colleague Dan Tentler’s (@Viss) talk from #DEFCON2015 as he exposes ridiculously huge #Fail of things accessible via the Internet.

Below is a list of the (sterilized) Shodan queries that I used during the training and to generate a report on an OSINT tool that could be (and was being) leveraged by threat actors targeting the organization.

  1. Hosts found w/ banner details stating “230 – Any Password will work”
    https://www.shodan.io/search?query=-421+-fe_sendauth+-invalid+-401+-530+%22password%22+org%3A%22Company_Name%22+%22230+Any%22
  2. Hosts found with banner stating “Use ‘passwd’ to set your login password this will disable telnet and enable SSH”
    https://www.shodan.io/search?query=-421+-fe_sendauth+-invalid+-401+-530+%22password%22+org%3A%22Company_Name%22+%22passwd%22
  3. Hosts found with banner stating “230 Anonymous access granted, restrictions apply”
    https://www.shodan.io/search?query=%22230+Anonymous%22+%22root%22+org%3A%22Company_Name%22
  4. FTP Servers reflected as allowing Anonymous access
    https://www.shodan.io/search?query=-534+-530+port%3A21+org%3A%22Company_Name%22
  5. Anything Company_Name
    https://www.shodan.io/search?query=org%3A%22Company_Name%22
  6. Company_Name & Default Passwords
    https://www.shodan.io/search?query=%22default+password%22+org%3A%22Company_Name%22
  7. Company_Name, Password
    https://www.shodan.io/search?query=-530+%22password%22+org%3A%22Company_Name%22
  8. Company_Name and OpenSSH Ports
    https://www.shodan.io/search?query=openssh+port%3A22+org%3A%22Company_Name%22
  9. Company_Name and Splunk on port 8089
    https://www.shodan.io/search?query=port%3A8089+splunkd+org%3A%22Company_Name%22
  10. Company_Name, MySQL on port 3306
    https://www.shodan.io/search?query=port%3A3306+org%3A%22Company_Name%22+product%3A%22MySQL%22
  11. Company_Name, “200 OK”, “Set-Cookie expires 2016”
    https://www.shodan.io/search?query=%22Set-Cookie+expires+2016%22+%22200+OK%22+org%3A%22Company_Name%22

For use with the search box if you don’t like the URLs:

  • city:"$city"
  • country:$country
  • geo:$lat,$lon
  • os:$operatingSystem
  • net:$ipRange/$cidr
  • org:"$OrgName"
  • product:"$product name in here"
  • isp:"$ISP Name Here"
  • asn:"AS######"
  • devicetype:"firewall"
  • port:80,443

Words Matter

One of the single most important techniques/activities when gathering intelligence (i.e., intel) from open source repositories is analytic reading. The second is properly presenting data/intel with relevant context.

ANALYTIC READING

This isn’t the kind of reading you do in the summer with a children’s book and a litter of rug rats gathered at your feet; this is the kind of reading where you look for hints or clues about a person based on phrasing or word choice. Now you don’t need to have a degree in psychology or grammar to do this, you simply have to pay attention, take notes, and apply a little common sense.

Let’s take my request for help from the #InfoSecFam on ideas for my first blog. Here were the responses I got (thank you to the brave souls who dare support me) :p

  1. Well, you could start with those lovely examples of people posting pics of credit cards…
  2. Then folks posting about going on vacation on their facebooks…
  3. Maybe some military types posting pics with intact exif?
  4. <graphic> #internetfeds
  5. google hacking is still incredibly viable, and it’s a huge OSINT fail.
  6. specifically anonymous FTP servers indexed by google.
  7. <graphic> bad admins everywhere. Really bad. Ive seen some sh1t man
  8. Boarding passes are now a big thing… “I Know Where You LIve: all the sh*t that people post”
  9. You could do reviews of OSINT web-tools
  10. ok, an oldie being forgotten, ‘don’t run with admin/root’.

Just a Little Intel…

So, let’s analyze what we’ve read. [Note this example is very trivial, however the principles presented are not.]

  • Q1: What’s the culture/industry of the authors here?
    • A1: #InfoSec
  • Q2: What are the underlying characteristics of this group’s communication styles?
    • A2: InfoSec culture is heavily sarcastic
  • Q3: Are there clues to anyone’s profession/hobby listed in these comments?
    • A3: Yes – acronym and word choice: FTP, intact exif, bad admins everywhere, ‘admin/root’
  • Q4: Any clues to age or experience?
    • A4: Yes – still incredibly viable, oldie but goodie

The list of questions above is a trivial example of how to glean the not-so-obvious intel that is implied. Nonetheless, the questions asked and answered should be driven by a few things, two at minimum: a profile template and a threat model [otherwise you’re out there going all willy-nilly and traipsing through minefields of soggy cow patties]. SO! Before you even start gathering intel, your leadership should have identified WHAT they want to know (identified in the threat model) and HOW you will collect it (defined in the documentation standards and profile template). So as you answer these very valuable questions, you’re looking for the same data points all the time, essentially filling in the pieces of a puzzle one at a time. Keep in mind they may not all be present, but at least you’re looking for them. As you find them, capture them in the profile template.

The list of questions could go on and on depending on how much of the ocean you’re planning on boiling, and tools such as the IBM Tone Analyzer (demo link here) or the IBM Personality Analyzer can offer valuable insight as well, but tools are no replacement for instinct. While these tools may enhance or even expedite the analysis process, they cannot replace an analyst’s instinct and skill of discernment as they read something and decide what “box” to put it in: whether it is relevant, indicates personality traits, warrants inclusion or exclusion, or is a thread that needs to be pulled to see what else unravels.

Takeaway: Read closely, carefully, and never underestimate the human factors at work. Read between the letters AND the lines. You may find the clues you need when building a profile or finding a target simply in the nuances of their tiniest commentary.

RELEVANT CONTEXT

So let’s talk about the biggest mistake with the list…. It’s in numerical order! If you were only reading this in an OSINT report, you might think these came from 10 different people, or that one person provided 10 ideas. So, by creating a pure LIST of comments rather than a LIST with logical grouping, we lose context, because multiple comments were made by some of the same individuals.

Let’s fix that….

P1-1. Well, you could start with those lovely examples of people posting pics of credit cards…
P1-2. Then folks posting about going on vacation on their facebooks…
P1-3. Maybe some military types posting pics with intact exif?

P2-1. <graphic of chat> #internetfeds
P2-2. <graphic of man hiding in a chair> bad admins everywhere. Really bad. Ive seen some sh1t man (BTW @MyTinehNimjeh I <3 u man LOL)

P3-1. google hacking is still incredibly viable, and it’s a huge OSINT fail.
P3-2. specifically anonymous FTP servers indexed by google.

P4-1. Boarding passes are now a big thing… “I Know Where You LIve: all the sh*t that people post”
P5-1. You could do reviews of OSINT web-tools
P6-1. ok, an oldie being forgotten, ‘don’t run with admin/root’.

Now you see there were actually 6 people who replied, not 10 (P# meaning Person 1, Person 2, Person 3…; -1, -2 being the number of the comment they made).

Additionally, this context represents something else taken for granted by the statisticians and API monkeys – it isn’t always the total volume that matters; sometimes it’s the volume of one person, or even the lack of replies to others who may have forked a conversation thread. If this thread were listed as a statistic stating that there were 10 comments, that too would be incorrect. There were actually a few different forks, some took a humorous path, others were simply “neutral” suggestions, AND there were more than a total of 10 interactions. This list, however, only represented those comments that were actually relevant to the request for help with ideas, which were extracted and placed in this article. Again, in your OSINT reports, ensure you represent relevant intel accurately, and provide the reader proper context through commentary and presentation.
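The regrouping and the per-person volume point above, as an added example (my own code, not the post’s): a flat, chronologically numbered reply list is regrouped by author into the P#-# labelling used above, and each person’s share of the thread is computed so a report can show that the volume came from six people rather than ten. Author handles and reply texts are constructed stand-ins, not the real replies.

```python
# Added example, not from the post: regroup a flat, numbered reply list by
# author (the P#-# relabelling above) and measure each person's share of the
# thread. Handles and texts are constructed stand-ins for the real replies.
from collections import OrderedDict

# Constructed sample: (author handle, reply text) in the order received. Note
# p2's second reply arrives after p3's two, just as in the numbered list above.
REPLIES = [
    ("p1", "start with people posting pics of credit cards"),
    ("p1", "folks posting about vacation on their facebooks"),
    ("p1", "military types posting pics with intact exif"),
    ("p2", "#internetfeds"),
    ("p3", "google hacking is still incredibly viable"),
    ("p3", "anonymous FTP servers indexed by google"),
    ("p2", "bad admins everywhere"),
    ("p4", "boarding passes are now a big thing"),
    ("p5", "reviews of OSINT web-tools"),
    ("p6", "don't run with admin/root"),
]

def group_by_author(replies):
    """Group replies by author: authors in first-appearance order, each
    author's replies in chronological order."""
    grouped = OrderedDict()
    for author, text in replies:
        grouped.setdefault(author, []).append(text)
    return grouped

def label(replies):
    """'P<n>-<m>: text' for each reply in original order: n = person by first
    appearance, m = that person's m-th comment."""
    index = {a: i + 1 for i, a in enumerate(group_by_author(replies))}
    seen, out = {}, []
    for author, text in replies:
        seen[author] = seen.get(author, 0) + 1
        out.append(f"P{index[author]}-{seen[author]}: {text}")
    return out

def volume(replies):
    """Per-author (comment count, share of thread): the 'volume of one person'
    that a bare total of 10 comments hides."""
    total = len(replies)
    return {a: (len(t), round(len(t) / total, 2))
            for a, t in group_by_author(replies).items()}
```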

Takeaway – ensure that HOW you present data in a report represents it with as much relevant context as possible.