You never know who's on the case
The SANS ISC originally started as a place to share threat intelligence and analysis, partly based on DShield data and partly based on near-real-time input from the wider network security community. These days, it principally acts as a network security blog with little connection to active threat intel, though it does highlight patch releases.
Earlier in the week, an ISC post on OSINT tactics grabbed my attention. While we await the imminent release of the new version of Maltego (and CaseFile), other tools can help as well. FOCA (Spanish-language site) handles metadata parsing from local documents and simplifies using Google for finding interesting documents on a site, aka “Google hacking”. Apparently, it can also try some direct connections (like HTTP brute-forcing and DNS enumeration).
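As an added example (not code from the ISC post or from FOCA), here is the defensive side of the metadata parsing FOCA performs: auditing your own organization's Office documents for author names, internal account names, company and software-version fields before they are published. It assumes only the Python standard library and a constructed sample package containing just the two property parts.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces of the two property parts inside an Office Open XML package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Fields that tend to expose usernames, internal domains, software versions and templates
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dc:title", "cp:revision")
APP_FIELDS = ("ep:Application", "ep:AppVersion", "ep:Company", "ep:Template")
SENSITIVE = {"dc:creator", "cp:lastModifiedBy", "ep:AppVersion", "ep:Company", "ep:Template"}


def extract_office_metadata(data: bytes) -> dict:
    """Return the metadata fields present in a .docx/.xlsx/.pptx package given as bytes."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            if part not in names:  # part is optional; a stripped file may lack it
                continue
            root = ET.fromstring(pkg.read(part))
            for tag in fields:
                el = root.find(tag, NS)
                if el is not None and el.text and el.text.strip():
                    found[tag] = el.text.strip()
    return found


def fields_to_strip(meta: dict) -> list:
    """Names of the populated fields that should be cleared before publication."""
    return sorted(k for k in meta if k in SENSITIVE)


def build_sample_package() -> bytes:
    """Constructed sample: only the two property parts, not a real document body."""
    core = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}"><dc:title>Q3 Budget</dc:title>'
            '<dc:creator>jsmith</dc:creator><cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy>'
            '<cp:revision>14</cp:revision></cp:coreProperties>').format(**NS)
    app = ('<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
           '<AppVersion>14.0000</AppVersion><Company>Example Corp</Company>'
           '<Template>Normal.dotm</Template></Properties>').format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Run `fields_to_strip(extract_office_metadata(open(path, "rb").read()))` over a directory of documents to get a list of what each file would hand to a FOCA-style crawl.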
On a related note, as seen in the comments on that post, Cryptome released a DHS document this year entitled “Publicly Available Social Media Monitoring and Situational Awareness Initiative Update”. This really just lists a lot of publicly available social media sites, tools, and aggregators. What you need might not exist, though, and it’s worth understanding APIs like what Twitter provides. Unfortunately, the Google Social Graph API will go away this spring. I don’t know of any good replacements, but I’d love to find one.
While I have a few concerns related to civil liberties about DHS trolling through all of these, that doesn’t change the fact that your adversaries, regardless of affiliation or organization, will go about this. So while you should think about monitoring your own organization proactively, also consider the possibility and appropriateness of engaging in OSINT against them. Krypt3ia has explained this use of OSINT, though he’s not teaching you to find jihadists. That doesn’t mean, of course, that an intelligent, motivated analyst can’t research techniques and data on his own.
But this can include areas other than getting involved in geopolitical controversy. Perhaps you’re working on an investigation where you have at least some information on the attacker. In some cases, you may choose to take the additional step of gathering further data. (You also might want to consult with your legal counsel, depending on what you choose to do.) I have worked in the past on situations where we identified the attacker in great detail before notifying law enforcement. And because his OPSEC frankly sucked, we could do this through entirely legal and open methods. This differs from “hacking back” in that it restricts itself to gathering information from public data sources only, rather than engaging in any vulnerability exploitation or accessing unauthorized systems and data.
Alternately, consider the uses for other types of investigations. Perhaps you’ve taken an interest in suspicions of local corruption, or you have some reason to believe that somebody on the Internet (e.g. a site, company, or ^W evangelist / expert) has some dirty laundry that needs washing in the open air.
The world has changed, and we can either change with it or hide from it. If you’re already working in network security, only one choice makes any sense.
Posted on 2012-02-05