If you’ve ever heard me talk on OSINT, one of the points I drive home is one I learned early from a colleague, Ian Amit (@iiamit): if what you present doesn’t cause a change in behavior, it isn’t threat intel, it is intel/information. Here’s a story on how I used OSINT techniques on my own organization in multiple ways to cause a change in behavior.
Once upon a time in a land far far far away….there were device administrators that secured their devices properly….
/me wakes up disappointed
During my governance, risk and compliance days, before OSINT was a buzz word in the industry, one of the things organizations wanted to know (without hiring/contracting a pen-tester) was how vulnerable they were to “hackers” [I use that word sparingly as it has a very evil connotation to the ignorant masses]. Knowing they just asked me to boil the ocean, I worked to get them to narrow it down, and identify three things:
1. WHAT are you worried about being attacked (i.e. specific assets)
And let me be the first to say that if the org doesn’t have a decent Asset and Data Classification Policy that’s actually implemented HA! sucks to be you.
2. WHICH attack vectors concern you the most
3. HOW do you want me to answer you (reporting format)
So after getting those nailed down, I decided to finally put all the hours of education to good use so I felt less guilty about spending all that money getting a degree just to get past the HR gremlins that eat resumes.
We didn’t exactly have a threat model, and being in the “Risk Department” (pfft!) they weren’t going to listen to me tell them they needed one. [BTW Risk Analysis != Threat Modeling] Nonetheless, I realized the scope of concern they had included threats to network assets [as opposed to software, people, places etc]. Thus I went forth to identify vulnerabilities that could or would be exploited, and immediately went to a wonderful site called Shodan that will tell you all kinds of “wonderful” things about an organization’s threat vectors. Leveraging a little knowledge of SQL and URL hacking I began running queries to check for some basic vulnerabilities that were not only available for my own perusal, but were equally available to every other evil derp that didn’t like “us”. I proceeded to exclaim rather loudly in the office “Are you Fuc41n6 Kidding ME?!” as I saw the results pour in. So – now I knew it was not just bad…it was like Satan had just given a free pass on the bullet train straight to hell and you could hear him laughing like it was a carnival ride.
I hung my head in dismay, thinking – how am I going to communicate to “Management” just how bad this is? After all, they get vulnerability scans quarterly, monthly, weekly and in some cases daily – and they STILL don’t think the problem is “that bad.” Technically, the Shodan results are nothing more than another data set reflecting vulnerabilities.
Then I remembered some very wise words
The supreme art of war is to subdue the enemy without fighting -Sun Tzu
So I put together an initial OSINT report of generic threat actor profiles that would like to be (and probably already were) exploiting what was exposed via Shodan, but I didn’t send it. Instead, first I took what I learned in Shodan and created a “How to Sho-Dan” (pun on a C-level’s name) slide deck. I mean, nobody is ever going to believe my report; I’ll be lucky if 1/3rd of them click on a single link and even luckier if 1/10th of them even understand what they’re reading/clicking on.
Then, I OSINT’d (ummm yeah that’s a word now, just roll with me here) my fellow employees. I read their social media profiles, eavesdropped at the water cooler, and socially engineered (SE’d) them over coffee to figure out 1) their favorite and most hated venues for work-hosted events, 2) their favorite conference room, and 3) what their idea of “fun” learning at work was. Then I SE’d my boss into spending money, used his corporate credit card (with his approval), and set up a Lunch & Learn for non-security IT people including devs, the netops team, help desk etc. With food & drink in hand, and a promise of a prize for anyone who could tell me what the query revealed, we began learning How To Sho-Dan.
When it was all over they realized some very critical things:
- NONE of them had to even create an account to run a query…wut?! this is Open Source?!
- They didn’t have to know SQL or URL hacking, they only had to know key words and use the search boxes
- If they did have an account, they could get even more comprehensive reports
THE SINGLE MOST IMPORTANT LESSON: If they could do it – so could bad guys, and there were definitely some serious boogeymen in the world.
IN THE END
I had successfully moved from data to information to intel to threat intel because the Lunch & Learn, combined with the OSINT report I provided caused a change in behavior, otherwise it was just intel and more vulnerability data.
I sent the OSINT report to the managers that had signed up for (even those that didn’t attend) the Lunch & Learn, and now with them empowered with context and a better understanding of the threat vectors, I watched change explode.
- The vulnerability remediation tickets started getting a lot more love by all departments.
- The network team implemented changes to their firewall approval process, patching firmware, and network architecture.
- The developers began reconsidering what ports they really needed
- The server team modified their provisioning process to include a security review/approval milestone that was a show stopper.
- I even convinced C-levels to plan for an internal pen-testing team.
- If minimally tech savvy people can do/google/youtube it then so can the bad guys
- OSINT on your own team is not evil 🙂
- Sometimes an OSINT report is far less valuable than an OSINT hands-on
If you want to see a very hilarious and scary presentation go watch my colleague Dan Tentler’s (@Viss) talk from #DEFCON2015 as he exposes ridiculously huge #Fail of things accessible via the Internet.
Below is a list of the (sterilized) Shodan queries that I used during the training and to generate a report on an OSINT tool that could be, or already was being, leveraged by threat actors targeting the organization.
- Hosts found w/ banner details stating “230 – Any Password will work”
- Hosts found with banner stating “Use ‘passwd’ to set your login password this will disable telnet and enable SSH”
- Hosts found with banner stating “230 Anonymous access granted, restrictions apply”
- FTP Servers reflected as allowing Anonymous access
- Anything Company_Name
- Company_Name & Default Passwords
- Company_Name, Password
- Company_Name and OpenSSH Ports
- Company_Name and Splunk on port 8089
- Company_Name, MySQL on port 3306
- Company_Name, “200 OK”, “Set-Cookie expires 2016”
For use with the Search Box if you don’t like the URLs
- product:”$product name in here”
- isp:”$ISP Name Here”
- ports:80, 443
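As an added illustration (my example, not the author’s code or a Shodan tool) of turning the queries above into a repeatable self-check, this script applies the same banner phrases and ports as rules to a set of constructed records shaped like Shodan search results. The field names ip_str/port/data/org are Shodan’s; the addresses, banners and the org string “Company_Name” are made up for the example.

```python
import re

# Constructed sample records in the shape of Shodan banner results
# (ip_str/port/data/org are real Shodan field names; the values are made up).
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 21, "org": "Company_Name",
     "data": "220 FTP ready\r\n230 - Any Password will work\r\n"},
    {"ip_str": "203.0.113.11", "port": 23, "org": "Company_Name",
     "data": "Use 'passwd' to set your login password this will disable telnet and enable SSH\r\n"},
    {"ip_str": "203.0.113.12", "port": 21, "org": "Company_Name",
     "data": "230 Anonymous access granted, restrictions apply\r\n"},
    {"ip_str": "203.0.113.13", "port": 8089, "org": "Company_Name",
     "data": "HTTP/1.1 200 OK\r\nServer: Splunkd\r\n"},
    {"ip_str": "203.0.113.14", "port": 3306, "org": "Company_Name",
     "data": "5.5.62-0+deb8u1\x00"},
    {"ip_str": "203.0.113.15", "port": 443, "org": "Company_Name",
     "data": "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc; expires=Tue, 01 Mar 2016 00:00:00 GMT\r\n"},
    {"ip_str": "198.51.100.7", "port": 22, "org": "Other Org",
     "data": "SSH-2.0-OpenSSH_7.4\r\n"},   # not ours: must be ignored
]

# Each rule mirrors one query from the list above: a banner phrase that
# signals a credential bypass, or a service port that should not face the Internet.
BANNER_RULES = [
    ("any-password-accepted", re.compile(r"230 - Any Password will work", re.I)),
    ("unset-password-telnet", re.compile(r"Use 'passwd' to set your login password", re.I)),
    ("anonymous-ftp", re.compile(r"230 Anonymous access granted", re.I)),
    ("stale-cookie-expiry", re.compile(r"Set-Cookie:.*expires=[^\r\n]*2016", re.I)),
]
PORT_RULES = {8089: "splunk-mgmt-exposed", 3306: "mysql-exposed", 22: "ssh-exposed"}

def triage(banners, org):
    """Return {"ip:port": [finding, ...]} for hosts whose org field matches ours."""
    findings = {}
    for b in banners:
        if b.get("org") != org:
            continue                       # only the organization's own assets
        hits = [name for name, rx in BANNER_RULES if rx.search(b["data"])]
        if b["port"] in PORT_RULES:
            hits.append(PORT_RULES[b["port"]])
        if hits:
            findings[f"{b['ip_str']}:{b['port']}"] = hits
    return findings

def severity(hits):
    """Banners that hand out access without a real password outrank mere exposure."""
    critical = {"any-password-accepted", "unset-password-telnet", "anonymous-ftp"}
    return "critical" if critical & set(hits) else "medium"

if __name__ == "__main__":
    for host, hits in sorted(triage(SAMPLE_BANNERS, "Company_Name").items()):
        print(f"{host:22} {severity(hits):8} {', '.join(hits)}")
```

Point the same rules at an export of your own organization’s results and the output is a ticket list ordered by how little an attacker needs to walk in, which is the argument the Lunch & Learn made in person.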