August 09, 2011

OSINT on Military Cyberspace

UPDATE 2011-08-08: From a post on Cryptome in 2001 we already heard about funny names below the domain. Now take a look at these 64612 subdomains (that's not necessarily all of them) below the domain... some of the labels are valid-but-uncommon Dutch, such as "rolvormige", "uitgestoft", "koormaatschappijen" and "leerrijk". Sounds like a challenge from the Puzzle Palace! (Or at least a tasty red herring, or an observation of an attempt to make hostname guessing more difficult, or none of the above.)
Out of curiosity I collected some data on military-assigned parts of cyberspace. Using open sources (, DNS and IP-to-ASN mapping) and no cybercrime, I enumerated for ~800k hosts a combination of IP address + FQDN (hostname) + AS-number + network description. "Intelligence" evidently is too big a word(*), but IMHO there is some interesting stuff going on in there. The current list includes 799674 IP addresses (+ FQDN) in 141 Autonomous Systems w/94 different descriptions, with AS3146 DMSSC - Scientific Application International Corp. (SAIC) being, by number of .mil/.gov/.int hosts, the largest non-govt AS in the current list (8891 .mil hosts). Here is the complete list in CSV-format:
Don't use it for evil - use it to learn, e.g. to train yourself in cyber intelligence (whatever that is).
Enrich it with GeoIP data, for example, and see whether you can find unexpected mappings between cyberspace and the 'real' world.
Obviously, in military context, (especially) open sources are used to disseminate disinformation and red herrings - so you know what to expect. Assume data to be inaccurate until you have sufficiently reliable clues to believe otherwise.
(*) Though I imagine that this data collection could, theoretically, count as the 'counterintelligence activities' meant in United States DoD Directive 5240.06, May 17, 2011, on Counterintelligence Awareness and Reporting (CIAR) (.pdf) which I blogged about here.
