Light Dark
July 24, 2018 By Marcelo Ribeiro
Mike Silverman
4 min read
Threat Intelligence
Intelligence & Analytics
Incident Response
Security Services

Imagine you’re an analyst working in a security operations center (SOC). An endpoint glows red on your dashboard, indicating that it’s trying to communicate with an unknown IP address. You check its running processes and see a binary that you don’t recognize, but the user may have installed it.

It could be nothing, but you’re not sure. You’ve only been in the job for six months, but on a Sunday afternoon, you’re the most senior person in the room. Your boss is at a wedding and told you not to disturb him unless there is an extreme emergency. What should you do?

If this scenario sounds familiar, it’s time to consider investing in open source intelligence (OSINT).

Break Down the Open Source Intelligence Knowledge Stack

OSINT is a component of any good threat intelligence operation. It’s essentially a collection of indicators that point to heightened risk and provide information about a particular threat. This data is key to helping security leaders recognize danger and make informed decisions about their next steps. OSINT can come from many sources in the public domain, which is why experts refer to it as open source.

Just as we think about computing technology stacks, we can think of threat intelligence as a knowledge stack. At the bottom are the low-level atomic indicators. These are discrete data points, such as IP and domain addresses, user agent strings and email addresses that might show up in system logs.

These indicators complement computed data in the form of malware hashes. A file’s hash can be a smoking gun for a forensics team if it matches hash data gathered from attacks against other organizations. Security professionals can find each of these data types in the public domain — if they know where to look.

Moving further up the stack, we can connect these indicators with behavioral ones. Attackers often have a playbook of go-to procedures they favor when compromising a target. By understanding these tactics and knowing what type of behavior to look for, security teams can more easily distinguish an ongoing attack from an innocuous series of unrelated network events.

Analysts can move into the realm of threat intelligence by combining this information, watching it play out over several attacks and adding data from other sources, such as news articles and reports. This strategy is a rarefied world where analysts collate attack data and outcomes to find out more about threat actors. In many cases, you can find detailed intelligence in published security reports from vendors and consulting firms.

Effective analysis of all this OSINT produces clearer insights into attackers’ techniques and the tools they commonly use to achieve their goals. It can also point to their intent: Some attackers may simply be out to steal personal data for sale on the black market, for example, while others may aim to lurk on networks and sabotage company processes.

Where to Find Open Source Intelligence

Good open-source intelligence comes from various sources. Magazine and online articles from trusted outlets are good places to start, as are videos from respected security conferences.

Other sources include specialist cybersecurity mailing lists, such as the SANS Institute’s Digital Forensics & Incident Response (DFIR) list (although some of these can be difficult to access). Many vertical sectors also have information sharing and analysis centers (ISACs), which are excellent sources of information, as are sector-independent fora like Facebook’s ThreatExchange and AlienVault’s Open Threat Exchange. The IBM X-Force Exchange also provides an extensive threat database that is searchable by a range of parameters, including application name, IP and URL.

Other sites dedicated to compiling information about indicators from the atomic to the behavioral include:

  • Team Cymru’s Community Services portal: This portal includes IP reputation lookup and malware hash analysis.
  • Threatminer: Search by domains, hashes, user-agent strings and registry entries.
  • Threatcrowd: Look for information on domains, IP addresses, emails and organizations.
  • URLQuery: This site profiles URLs for web-based malware.
  • InfoByIP: This site finds the domain, location, internet service provider (ISP) and autonomous system number (ASN) for IPs or domains — which is good for bulk queries.
  • Cymon: Input IPs, domains or hashes and get activity and malware reports.
  • Shodan: This site helps analysts determine which devices are publicly connected to the internet.
  • ATT&ACK: This is MITRE’s collection of attack techniques and tactics.

Open Source Intelligence in Action

How might this information be useful in practice? Imagine a harried SOC analyst staring at a strange IP address and uncertain what to do about it. He or she could use OSINT resources like these to research the IP address and file binary, as well as registration entries and any other appropriate data points.

The analysts will then be able to make an informed decision about how to triage the event, whether that means dismissing it if it doesn’t crop up in OSINT records or escalating it if the address matches a known bad actor. If the file hash correlates to malware, the analyst can quickly learn what the malware does and what indicators of compromise (IoCs) to look for. If the analyst has to call his or her boss, after all, he or she will be able to explain the problem thoroughly and recommend actions to take.

These countermeasures could include restricting or forwarding traffic from a specific IP block, disrupting it using application sandboxing or actively degrading it by redirecting an IP address to a honeypot, for example. The analyst’s specific actions would depend on what he or she knows about the attackers.

Sometimes, OSINT can help you to spot things that may not show up on your dashboard at all. Today’s attackers are sophisticated enough to avoid leaving obvious signs. Instead, they live off the land, exploiting existing legitimate tools to achieve their goals.

A fileless malware attack may use PowerShell to download a script from a command-and-control (C&C) server and move laterally through the network, contacting other machines, pilfering information from each one that it finds and circumventing your application whitelist protection in the process. Your network monitoring software might pick up the encrypted traffic stream, but what does it mean? If you’re aware of this attack technique thanks to your public domain reading, you may be able to notice it and understand it better.

The Public Domain Is a Battleground

In cybersecurity, knowledge is power, which is why it’s essential to use OSINT to its full advantage. You can be sure that intruders are already doing that — probing everything from your networks to your personnel structure to find a way inside. They’re using OSINT to gain every advantage they can, and they only have to be successful once (whereas you face the daunting task of being successful every time).

With OSINT tools and insights at your disposal, you can stay one step ahead of these attackers and keep your networks safe from evolving threats.

Listen to the podcast to learn more: Social Engineering 101 — How to Hack a Human

 |  |  |  |  | 
Marcelo Ribeiro
Incident Response Consultant on IBM X-Force Incident Response and Intelligence Services (IRIS)
Mike Silverman
Senior Consultant, IBM X-Force IR

More from Threat Intelligence
November 12, 2024

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

October 16, 2024

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

September 26, 2024

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature