September 14, 2013

Behind the GrrCon OSINT workshop - Requirements

Data analysis
Data analysis (Photo credit: Wikipedia)
Friday, September 06, 2013
Contributed By:
Steven Fox, CISSP, QSA

Blending the principles of Open Source Intelligence (OSINT) with a Capture the Flag (CTF) contest, my September 12 GrrCon workshop will challenge attendees’ abilities to translate data into actionable recommendations.  The intelligence process will frame the investigation of a fictional company whose Internet presence reveals much – perhaps excessive – information for analysis.
OSINT is similar to other means of intelligence operations in terms of its goal.  Teams employing this process gather information from various sources and analyze it for patterns.  OSINT is defined by the open availability of sources employed.   This approach also capitalizes on the human and corporate need for self-promotion and social connection. 
The associated behaviors project this brand into a digital medium for the perusal of all.
While OSINT investigators enjoy using free or low-cost information sources, they are challenged to validate their accuracy and voracity.  The intelligence process aids by applying a disciplined and rigorous methodology.  This installment focuses on a phase that many aspiring tradecraft and intelligence practitioners skip – the specification of requirements.
Step 1 – Requirements Definition
You’re probably wondering why this is the first step of an OSINT campaign.  Can’t we just launch a tool like Maltego, execute Google queries, or run Twitter account profilers to discover the secrets our targets protect?
Yeah, you could do that.  While some of your initial search parameters and queries may lead to good data, you will lack the contextual and situational awareness to recognize its value.  As the hours pass, you will have complicated relationship diagrams that have greater value as refrigerator art than as a useful data analysis artifact.
The volume of information available via the Internet and other sources is formidable.  An investigation will grind to a halt if the data collection activities have no focus.  This is among the hardest lessons for investigator to accept- data without context is just noise.  Below is an example of how the workshop attendees may approach this challenge of understanding the targets context and determine the type of data they will search for.
Workshop attendees will target Cloudy Pineapple Big Data Widgets LLC, a fictional security services company whose colorful staff mirrors their storied history.  Advocates of an unconventional approach to information assurance, they help clients through their suite of both defensive and offensive offerings.  Many of their services are veiled versions of well-known hacker exploits, a fact defended in their marketing collateral as staying abreast of the threat landscape.
These case facts suggest that collecting data on their service offerings may reveal patterns in the types of clients they’ve had and they recent engagement stories.  Data on the executives and staff of this company is also in scope, particularly their social interactions on sites like Facebook or Twitter.  Data of particular interest may include discussion of recent clients, business development efforts, or general discussion of daily business.  Connecting these facts with other acquaintances will enhance the contextual significance of that data.
This fiction’s artifice is layered, providing paths for participants to follow; some of which are dead-ends.  Student will have to determine what type of data required to reveal the machinations associated with Cloudy Pineapple’s social media activity.   Once determined, the students will need to organize a plan of attack in the form of milestones and OSINT strategy.  This occurs in the second step of the intelligence lifecycle – Planning and Direction.  We will explore this phase in the next installment.

Enhanced by Zemanta