OSINT & Tactical Information Retrieval
Many companies and organizations are unaware of how much information about them is publicly available and can be used by attackers to harm them and to prepare attacks. Public sources (OSINT, Open Source Intelligence) often contain a wealth of information from which comprehensive profiles of an organization can be built, and from those profiles attack strategies or even vulnerabilities can be deduced. Professional attackers often research potential targets in this way as preparation, without scanning their targets directly. This lets them stay under the radar while using OSINT to build extensive inventories, maps and databases of all systems and other assets owned by an organization. Together, these assets make up the attack surface and determine the attack strategies.
NSIDE conducts the same attack-preparatory tactical intelligence gathering, also known as OSINT analysis. We use it to show companies how much security-critical and attack-preparatory information can be determined about them from public sources. This allows companies to take countermeasures, remove public information, and prepare preemptively for future threats.
These OSINT analyses can be performed either as a separate service or in preparation for a Red Team Exercise. This also applies to Red Teaming according to the TIBER framework (TIBER-EU or TIBER-DE, the European and German frameworks for Red Teaming in the financial sector for banks, insurance companies and other financial market players). In TIBER, testing consists of two phases, a Targeted Threat Intelligence phase and a Red Teaming phase, where the former provides the basis for the latter; the tests are therefore performed in a slightly modified manner in that setting.
Examples of performed analyses and results
Analyses of the target organization and its assets (‘Target Intelligence’):
- Inventory and Footprinting: Which digital and non-digital assets belong to an organization?
- Attack Surface Mapping: What attack surface does an organization present?
- Exposure of shadow IT
- Technology profiling: Which technologies are used by an organization?
- Attack Scenario Creation
- OSINT: Dangerous public information about an organization from various sources
- WEBINT: Analysis of web data (Internet)
- Supply Chain Attacks: Identification of supply chain risks
- SOCMINT: Analysis of information leaks from social media channels
- GEOINT: Site identification and detection of weaknesses that could be exploited for physical intrusion
- Use of public and closed databases as information sources
- Utilization and analysis of network scan results obtained from third parties
- and much more
Analysis of existing specific threats and ongoing attacker activities (‘OSINT Threat Intelligence’ or Open Source Threat Intelligence):
- Publicly known vulnerabilities that are distributed or traded online
- Analysis of dark net and deep web sources
- Analysis of marketplaces and non-public forums
- Monitoring of paste sites
- Scanning of published leaks and dumps of past hacks, primarily for leaked credentials
- Analysis of threat intelligence feeds
- Detection of infected systems via indicators of malware activity