Imagine you’re an analyst working in a security operations center (SOC). An endpoint glows red on your dashboard, indicating that it’s trying to communicate with an unknown IP address. You check its running processes and see a binary that you don’t recognize, but the user may have installed it.
It could be nothing, but you’re not sure. You’ve only been in the job for six months, but on a Sunday afternoon, you’re the most senior person in the room. Your boss is at a wedding and told you not to disturb him unless there is an extreme emergency. What should you do?
If this scenario sounds familiar, it’s time to consider investing in open source intelligence (OSINT).
Break Down the Open Source Intelligence Knowledge Stack
OSINT is a component of any good threat intelligence operation. It’s essentially a collection of indicators that point to heightened risk and provide information about a particular threat. This data is key to helping security leaders recognize danger and make informed decisions about their next steps. OSINT can come from many sources in the public domain, which is why experts refer to it as open source.
Just as we think about computing technology stacks, we can think of threat intelligence as a knowledge stack. At the bottom are the low-level atomic indicators. These are discrete data points, such as IP and domain addresses, user agent strings and email addresses that might show up in system logs.
These indicators complement computed data in the form of malware hashes. A file’s hash can be a smoking gun for a forensics team if it matches hash data gathered from attacks against other organizations. Security professionals can find each of these data types in the public domain — if they know where to look.
Moving further up the stack, we can connect these indicators with behavioral ones. Attackers often have a playbook of go-to procedures they favor when compromising a target. By understanding these tactics and knowing what type of behavior to look for, security teams can more easily distinguish an ongoing attack from an innocuous series of unrelated network events.
Analysts can move into the realm of threat intelligence by combining this information, watching it play out over several attacks and adding data from other sources, such as news articles and reports. This strategy is a rarefied world where analysts collate attack data and outcomes to find out more about threat actors. In many cases, you can find detailed intelligence in published security reports from vendors and consulting firms.
Effective analysis of all this OSINT produces clearer insights into attackers’ techniques and the tools they commonly use to achieve their goals. It can also point to their intent: Some attackers may simply be out to steal personal data for sale on the black market, for example, while others may aim to lurk on networks and sabotage company processes.
Where to Find Open Source Intelligence
Good open-source intelligence comes from various sources. Magazine and online articles from trusted outlets are good places to start, as are videos from respected security conferences.
Other sources include specialist cybersecurity mailing lists, such as the SANS Institute’s Digital Forensics & Incident Response (DFIR) list (although some of these can be difficult to access). Many vertical sectors also have information sharing and analysis centers (ISACs), which are excellent sources of information, as are sector-independent fora like Facebook’s ThreatExchange and AlienVault’s Open Threat Exchange. The IBM X-Force Exchange also provides an extensive threat database that is searchable by a range of parameters, including application name, IP and URL.
Other sites dedicated to compiling information about indicators from the atomic to the behavioral include:
- Team Cymru’s Community Services portal: This portal includes IP reputation lookup and malware hash analysis.
- Threatminer: Search by domains, hashes, user-agent strings and registry entries.
- Threatcrowd: Look for information on domains, IP addresses, emails and organizations.
- URLQuery: This site profiles URLs for web-based malware.
- InfoByIP: This site finds the domain, location, internet service provider (ISP) and autonomous system number (ASN) for IPs or domains — which is good for bulk queries.
- Cymon: Input IPs, domains or hashes and get activity and malware reports.
- Shodan: This site helps analysts determine which devices are publicly connected to the internet.
- ATT&ACK: This is MITRE’s collection of attack techniques and tactics.
Open Source Intelligence in Action
How might this information be useful in practice? Imagine a harried SOC analyst staring at a strange IP address and uncertain what to do about it. He or she could use OSINT resources like these to research the IP address and file binary, as well as registration entries and any other appropriate data points.
The analysts will then be able to make an informed decision about how to triage the event, whether that means dismissing it if it doesn’t crop up in OSINT records or escalating it if the address matches a known bad actor. If the file hash correlates to malware, the analyst can quickly learn what the malware does and what indicators of compromise (IoCs) to look for. If the analyst has to call his or her boss, after all, he or she will be able to explain the problem thoroughly and recommend actions to take.
These countermeasures could include restricting or forwarding traffic from a specific IP block, disrupting it using application sandboxing or actively degrading it by redirecting an IP address to a honeypot, for example. The analyst’s specific actions would depend on what he or she knows about the attackers.
Sometimes, OSINT can help you to spot things that may not show up on your dashboard at all. Today’s attackers are sophisticated enough to avoid leaving obvious signs. Instead, they live off the land, exploiting existing legitimate tools to achieve their goals.
A fileless malware attack may use PowerShell to download a script from a command-and-control (C&C) server and move laterally through the network, contacting other machines, pilfering information from each one that it finds and circumventing your application whitelist protection in the process. Your network monitoring software might pick up the encrypted traffic stream, but what does it mean? If you’re aware of this attack technique thanks to your public domain reading, you may be able to notice it and understand it better.
The Public Domain Is a Battleground
In cybersecurity, knowledge is power, which is why it’s essential to use OSINT to its full advantage. You can be sure that intruders are already doing that — probing everything from your networks to your personnel structure to find a way inside. They’re using OSINT to gain every advantage they can, and they only have to be successful once (whereas you face the daunting task of being successful every time).
With OSINT tools and insights at your disposal, you can stay one step ahead of these attackers and keep your networks safe from evolving threats.